Resolved HJT Threads: resolved spyware and popup issues.

#1  06-27-2008, 02:46 PM
Stan_22 (Registered User; Join Date: Jun 2008; Location: Fort Lauderdale, FL; Posts: 9; OS: Windows XP Service Pack 3)


Active Pop-ups, Internet Explorer random closing and Sounds

Hello Tech Support, hopefully I have followed the "5 steps before posting a log" instructions correctly.

Roughly 4 days ago my computer started acting strange: running slow, pop-ups would appear, and Internet Explorer would close on me without an error message, or the computer would sometimes start making strange Windows sounds. When looking through the msconfig start-up items I noticed a weird sequence of numbers and letters (2c449ffc-81e4-99ab-1cf4-20a6203e3ffc) with the command C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{2c449ffc-81e4-99ab-1cf4-20a6203e3ffc}". I followed the path and deleted it (the code, but not the Rundll32.exe), yet it still keeps occurring. I believe it was something called adsonmedia.

I started following the 5 steps before posting a log, and as I was removing all the programs I didn't use or felt were cracked, I saw that my free space was not returning but staying the same.

After installing SpywareBlaster and ZonedOut I noticed the pop-ups are still continuing, but they come up as Restricted Sites and just display HTTP 404 Not Found.

After doing Deckard's scan the main.txt came up but the extra did not, but I did attach ActiveScan.txt. If anyone can help I would be grateful.


Deckard's System Scanner v20071014.68
Run by Windows User on 2008-06-27 16:28:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Windows User.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:29, on 2008-06-27
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\VW3y11hg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\Adobe\Director\SwDnld.exe
C:\DOCUME~1\WINDOW~1\LOCALS~1\Temp\setup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Windows User\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\WINDOW~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://officialhomepage.org/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 5594 bytes

-- Files created between 2008-05-27 and 2008-06-27 -----------------------------

2008-06-27 15:13:52 35842 --a------ C:\WINDOWS\system32\VW3y11hg.exe
2008-06-27 15:03:06 0 d-------- C:\Documents and Settings\Windows User\Application Data\Macromedia
2008-06-27 15:03:06 0 d-------- C:\Documents and Settings\Windows User\Application Data\Adobe
2008-06-27 15:02:59 0 d-------- C:\WINDOWS\LastGood
2008-06-27 11:30:40 0 d-------- C:\Program Files\Panda Security
2008-06-27 02:11:24 0 d-------- C:\Program Files\ZonedOut
2008-06-27 02:02:19 0 d-------- C:\Program Files\SpywareBlaster
2008-06-27 01:10:21 68096 --a------ C:\WINDOWS\zip.exe
2008-06-27 01:10:21 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-27 01:10:21 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-27 01:10:21 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-27 01:10:21 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-27 01:10:21 98816 --a------ C:\WINDOWS\sed.exe
2008-06-27 01:10:21 80412 --a------ C:\WINDOWS\grep.exe
2008-06-27 01:10:21 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-26 23:34:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-06-26 23:34:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-06-26 19:39:19 0 d-------- C:\Program Files\Trend Micro
2008-06-26 08:36:40 0 d-------- C:\Program Files\Lavasoft
2008-06-26 08:36:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-25 14:28:56 0 d-------- C:\WINDOWS\Prefetch
2008-06-25 14:09:03 0 d-------- C:\WINDOWS\system32\scripting
2008-06-25 14:09:00 0 d-------- C:\WINDOWS\l2schemas
2008-06-25 14:08:59 0 d-------- C:\WINDOWS\system32\en
2008-06-25 14:08:59 0 d-------- C:\WINDOWS\system32\bits
2008-06-23 21:20:41 0 d-------- C:\Documents and Settings\NetworkService\My Documents
2008-06-22 22:01:08 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Macromedia
2008-06-22 22:00:28 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Adobe
2008-06-22 22:00:15 0 d---s---- C:\Documents and Settings\NetworkService\Favorites
2008-06-22 21:14:44 20480 --a------ C:\WINDOWS\system32\RS3u11dc.dll
2008-06-21 19:16:41 29760 --a------ C:\WINDOWS\system32\XJXAg3nw.exe


-- Find3M Report ---------------------------------------------------------------

2008-06-27 02:00:49 0 d-------- C:\Program Files\Common Files
2008-06-27 00:40:46 0 d-------- C:\Program Files\Macromedia
2008-06-27 00:40:46 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-27 00:38:58 0 d-------- C:\Program Files\Common Files\Macromedia
2008-06-25 14:10:07 0 d-------- C:\Program Files\Messenger
2008-06-25 14:08:58 0 d-------- C:\Program Files\Movie Maker
2008-06-25 14:02:05 0 d-------- C:\Program Files\Windows NT
2008-06-23 18:05:01 0 d-------- C:\Program Files\Java
2008-05-25 18:59:51 0 d-------- C:\Program Files\CeRegEditor
2008-05-18 14:27:20 0 d-------- C:\Program Files\TotalImageConverter
2008-05-17 00:56:10 0 d-------- C:\Documents and Settings\Windows User\Application Data\Softplicity
2008-04-29 22:17:06 0 d-------- C:\Program Files\Microsoft Silverlight
2008-04-29 10:36:31 0 d-------- C:\Program Files\Apple Software Update
2008-03-29 00:01:16 2528 --a----c- C:\Documents and Settings\Windows User\Application Data\$_hpcst$.hpc


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-05-13 15:30]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-05-13 15:29]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 14:44]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 14:43]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-11-01 14:51]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-11-01 14:47]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{650CA63D-4A01-4BF8-A608-9B1EBB36292E}"= C:\WINDOWS\system32\RS3u11dc.dll [2008-06-25 11:35 20480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
"C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cingular Communication Manager]
"C:\Program Files\Cingular\Communication Manager\CingularCCM.exe" -a

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
"C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
regsvr32 /s mqrt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Associates Error Reporting Service]
"C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
"C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{6f2dd6f7-4270-64cf-b28a-158cfc4a21af}]
C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{2c449ffc-81e4-99ab-1cf4-20a6203e3ffc}.dll" DllStart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"MDM"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"bmwebcfg"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-06-27 16:33:37 ------------
Attached file: ActiveScan.txt (20.4 KB)
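The indicators a helper reads out of a log like the one above can be checked mechanically: randomly named binaries dropped in system32 (VW3y11hg.exe, XJXAg3nw.exe, RS3u11dc.dll), a ShellExecuteHooks entry that points at one of them instead of shell32.dll, rundll32 loading a {GUID}.dll from the msconfig startup entry, and an Internet Explorer start page that is not a Microsoft default. The Python below is an added example written for this thread, not a tool from the forum or from the HijackThis/DSS authors. The sample lines are constructed to match the shape of the log in post #1; the 8-character mixed-case-plus-digits heuristic, the KNOWN_GOOD_STEMS allowlist and the trusted start-page prefixes are the example's own assumptions, not facts from the page.

```python
"""Triage heuristics for HijackThis / Deckard's System Scanner log lines.

Added example for this thread, not a tool from the forum or from the
HijackThis/DSS authors. It mechanises what a helper scans for in the log
above: randomly named binaries dropped in system32, a ShellExecuteHooks
entry that is not shell32.dll, rundll32 loading a {GUID}.dll, and an
Internet Explorer start page that is not a Microsoft default.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (rule name, offending log line)

# Constructed sample, copied in shape from the DSS/HJT log in post #1.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\VW3y11hg.exe
C:\WINDOWS\system32\msvcrt40.dll
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://officialhomepage.org/home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
"{650CA63D-4A01-4BF8-A608-9B1EBB36292E}"= C:\WINDOWS\system32\RS3u11dc.dll [2008-06-25 11:35 20480]
C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{2c449ffc-81e4-99ab-1cf4-20a6203e3ffc}.dll" DllStart
2008-06-21 19:16:41 29760 --a------ C:\WINDOWS\system32\XJXAg3nw.exe
"""

# Any file directly under C:\WINDOWS\system32 (any case); groups: stem, extension.
SYSTEM32_FILE = re.compile(r"C:\\WINDOWS\\system32\\([^\\\s\"]+)\.(exe|dll)", re.IGNORECASE)
GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"
# rundll32.exe "...\{guid}.dll" EntryPoint, the msconfig entry Stan_22 found.
RUNDLL32_GUID_DLL = re.compile(r"rundll32\.exe\s+\"?[^\"\s]*" + GUID + r"\.dll", re.IGNORECASE)
# "{guid}"= path\hook.dll [...], the ShellExecuteHooks dump format (DSS and ComboFix).
SHELL_EXECUTE_HOOK = re.compile(r"^\"" + GUID + r"\"=\s*\"?([^\"\[]+?\.dll)", re.IGNORECASE)
START_PAGE = re.compile(r"^R0 - .*Start Page = (\S+)", re.IGNORECASE)

# Assumptions for this example: Windows binaries whose 8-character mixed names
# the heuristic would otherwise flag, and the start pages treated as benign.
KNOWN_GOOD_STEMS = {"rundll32"}
TRUSTED_START_PAGE_PREFIXES = ("http://go.microsoft.com/", "http://www.microsoft.com/")


def looks_random(stem: str) -> bool:
    """True for 8 alphanumerics mixing digits, upper and lower case (VW3y11hg); false for ctfmon."""
    if not re.fullmatch(r"[A-Za-z0-9]{8}", stem):
        return False
    return (any(c.isdigit() for c in stem) and any(c.isupper() for c in stem)
            and any(c.islower() for c in stem))


def triage_line(line: str) -> List[Finding]:
    """Apply every rule to one log line; a line can trigger several rules."""
    findings: List[Finding] = []
    if any(looks_random(stem) and stem.lower() not in KNOWN_GOOD_STEMS
           for stem, _ext in SYSTEM32_FILE.findall(line)):
        findings.append(("random-name-system32", line))
    if RUNDLL32_GUID_DLL.search(line):
        findings.append(("rundll32-guid-dll", line))
    hook = SHELL_EXECUTE_HOOK.match(line)
    if hook and not hook.group(1).lower().endswith("\\shell32.dll"):
        findings.append(("shellexecutehook-not-shell32", line))
    page = START_PAGE.match(line)
    if page and not page.group(1).lower().startswith(TRUSTED_START_PAGE_PREFIXES):
        findings.append(("start-page-not-default", line))
    return findings


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a pasted log and collect the hits."""
    return [f for line in text.splitlines() for f in triage_line(line.strip())]


if __name__ == "__main__":
    for rule, line in triage_log(SAMPLE_LOG):
        print(f"{rule:30} {line}")
```

Run against the constructed sample it reports six findings: the three random-named system32 files, the ShellExecuteHooks DLL (which is also one of those files), the rundll32 {GUID}.dll loader and the officialhomepage.org start page, while ctfmon.exe, msvcrt40.dll and the Microsoft start page pass. Name heuristics are a triage aid, not a verdict: a real investigation confirms each hit by hashing the file and checking its signature, which is also why the allowlist exists.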

#2  06-30-2008, 03:23 PM
Stan_22 (Registered User)


Re: Active Pop-ups, Internet Explorer random closing and Sounds

Bump Please
#3  06-30-2008, 10:38 PM
forhockey (Analyst, Security Team; Join Date: Sep 2006; Location: Ontario, Canada; Posts: 2,948; OS: Windows 7 Ultimate)


Re: Active Pop-ups, Internet Explorer random closing and Sounds

Hi Stan_22,


Sorry for the delay in looking into your log, as we are extremely busy in this section of the forums. If you still require assistance and are not seeking help elsewhere, then please carry out my instructions.

Please subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Add Subscription.

--------------------------------------------------------------

No AntiVirus Onboard

I see no evidence of an AntiVirus program on your system. This must be resolved. Here are three very good free AntiVirus products which are available. Select one of these, or another of your choice. Download, install, update definitions, and run a full system scan.

Note: You must only use 1 (one) AV at a time, because if you have 2 or more AVs running at the same time they will conflict with each other and make your security less reliable.

--------------------------------------------------------------

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix


IMPORTANT: Make sure you install the Recovery Console before running ComboFix.

Reply back with the following:
  • C:\ComboFix.txt
  • New HiJackThis Log
#4  07-01-2008, 11:42 AM
Stan_22 (Registered User)


Re: Active Pop-ups, Internet Explorer random closing and Sounds

Thank you so much for helping. I did everything as instructed; here are the ComboFix.txt and a new HijackThis log.


ComboFix 08-06-30.2 - Windows User 2008-07-01 11:43:27.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.481 [GMT -4:00]
Running from: C:\Documents and Settings\Windows User\Desktop\ComboF.exe
Command switches used :: C:\Documents and Settings\Windows User\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
.

2008-07-01 11:22 . 2008-06-21 19:16 0 --a------ C:\WINDOWS\system32\XJXAg3nw.exe.a_a
2008-07-01 11:22 . 2008-06-22 22:11 0 --a------ C:\WINDOWS\system32\VW3y11hg.exe.a_a
2008-07-01 10:08 . 2008-07-01 10:08 <DIR> d-------- C:\Program Files\Avira
2008-07-01 10:08 . 2008-07-01 10:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-27 15:39 . 2008-06-27 15:39 <DIR> d-------- C:\Deckard
2008-06-27 11:30 . 2008-06-27 11:31 <DIR> d-------- C:\Program Files\Panda Security
2008-06-27 02:11 . 2008-06-27 02:12 <DIR> d-------- C:\Program Files\ZonedOut
2008-06-27 02:02 . 2008-06-27 02:02 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-26 19:39 . 2008-06-26 19:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-26 08:36 . 2008-06-26 08:36 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-26 08:36 . 2008-06-26 08:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-25 14:09 . 2008-06-25 14:09 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-25 14:09 . 2008-06-25 14:09 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-25 14:08 . 2008-06-25 14:08 <DIR> d-------- C:\WINDOWS\system32\en
2008-06-25 14:08 . 2008-06-25 14:08 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-25 12:56 . 2008-04-13 20:12 69,120 --------- C:\WINDOWS\system32\wlanapi.dll
2008-06-25 12:56 . 2008-04-13 20:12 53,248 --------- C:\WINDOWS\system32\tsgqec.dll
2008-06-25 12:56 . 2008-04-13 20:12 50,688 --------- C:\WINDOWS\system32\tspkg.dll
2008-06-25 12:54 . 2008-04-13 20:11 397,312 --------- C:\WINDOWS\system32\mmcex.dll
2008-06-25 12:53 . 2008-04-13 20:11 650,752 --------- C:\WINDOWS\system32\dot3ui.dll
2008-06-22 21:14 . 2008-06-25 11:35 20,480 --a------ C:\WINDOWS\system32\RS3u11dc.dll
2008-06-11 13:16 . 2008-06-13 07:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 13:16 . 2008-05-08 10:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 15:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-27 05:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-27 04:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-27 04:40 --------- d-----w C:\Program Files\Macromedia
2008-06-27 04:38 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-06-23 22:05 --------- d-----w C:\Program Files\Java
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-25 22:59 --------- d-----w C:\Program Files\CeRegEditor
2008-05-18 18:27 --------- d-----w C:\Program Files\TotalImageConverter
2008-05-17 04:56 --------- d-----w C:\Documents and Settings\Windows User\Application Data\Softplicity
2008-05-14 12:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 09:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-14 09:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-14 09:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 00:10 102,912 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:27 2,188,928 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 18:43 9,728 ----a-w C:\WINDOWS\system32\comsdupd.exe
2008-04-13 18:43 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe
2008-04-13 18:31 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2008-04-13 18:31 2,065,792 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-13 18:30 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2008-04-13 18:14 76,800 ------w C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 17:39 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll
2008-04-13 17:39 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll
2008-04-13 17:39 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2008-04-13 17:37 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2008-04-13 17:37 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2008-04-13 17:27 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll
2008-04-13 17:26 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll
2008-04-13 17:24 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
2008-04-13 17:21 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2008-04-13 17:09 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2008-04-13 17:03 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
2008-04-13 17:03 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
2008-04-13 16:48 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll
2008-04-13 16:45 216,064 ----a-w C:\WINDOWS\system32\moricons.dll
2008-04-13 16:23 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
2008-04-13 16:22 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
2008-04-13 15:39 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-05-13 15:30 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-05-13 15:29 126976]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26 368706]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-11-01 14:51 995328]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-11-01 14:47 1101824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-13 20:12 169984]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{650CA63D-4A01-4BF8-A608-9B1EBB36292E}"= "C:\WINDOWS\system32\RS3u11dc.dll" [2008-06-25 11:35 20480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
--a------ 2007-06-15 19:43 22528 C:\Program Files\AT&T\Communication Manager\ATTCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2004-10-08 14:43 688218 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2004-10-08 14:44 98394 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2007-12-03 14:21 3461120 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
--a------ 2008-04-13 20:11 177152 C:\WINDOWS\system32\mqrt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"MDM"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"bmwebcfg"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\javaw.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Logging]
"LogSuccessfulConnections"= 0 (0x0)
"LogDroppedPackets"= 0 (0x0)
"LogFileSize"= 0 (0x0)
"LogFilePath"=

S3 swmsflt;swmsflt;C:\WINDOWS\system32\drivers\swmsflt.sys [2007-09-04 12:20]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2008-04-13 14:56]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

*Newly Created Service* - ANTIVIRSCHEDULER
*Newly Created Service* - ANTIVIRSERVICE
*Newly Created Service* - AVGIO
*Newly Created Service* - AVGNTFLT
*Newly Created Service* - AVIPBB
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-26 23:27:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-01 04:39:10 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-06-27 13:00:01 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-07-01 14:24:40 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-07-01 15:00:05 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-06-30 16:00:10 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-06-30 17:00:10 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-06-30 18:00:10 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-06-30 19:00:10 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-06-30 20:00:10 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-06-30 21:00:10 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-06-30 22:00:10 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-07-01 05:00:10 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-06-30 23:00:10 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-07-01 00:00:10 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-07-01 01:00:10 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-07-01 02:00:10 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-07-01 03:00:10 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-07-01 04:41:11 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-07-01 05:00:10 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-07-01 06:00:10 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-06-29 07:00:10 C:\WINDOWS\Tasks\At28.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-06-27 08:00:10 C:\WINDOWS\Tasks\At29.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-07-01 06:00:10 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-06-27 09:00:10 C:\WINDOWS\Tasks\At30.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-06-27 10:00:10 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-06-27 11:00:10 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-06-27 12:00:10 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-06-27 13:00:10 C:\WINDOWS\Tasks\At34.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-07-01 14:00:10 C:\WINDOWS\Tasks\At35.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-07-01 15:00:05 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-06-30 16:00:10 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-06-30 17:00:10 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-06-30 18:00:10 C:\WINDOWS\Tasks\At39.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-06-29 07:00:02 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-06-30 19:00:10 C:\WINDOWS\Tasks\At40.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-06-30 20:00:10 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-06-30 21:00:10 C:\WINDOWS\Tasks\At42.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-06-30 22:00:10 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-06-30 23:00:10 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-07-01 00:00:10 C:\WINDOWS\Tasks\At45.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-07-01 01:00:10 C:\WINDOWS\Tasks\At46.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-07-01 02:00:10 C:\WINDOWS\Tasks\At47.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-07-01 03:00:10 C:\WINDOWS\Tasks\At48.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-06-27 08:00:01 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-06-27 09:00:01 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-06-27 10:00:01 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-06-27 11:00:01 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-06-27 12:00:01 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Adobe Reader Speed Launcher - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-Cingular Communication Manager - C:\Program Files\Cingular\Communication Manager\CingularCCM.exe
MSConfigStartUp-DAEMON Tools - C:\Program Files\DAEMON Tools\daemon.exe
MSConfigStartUp-McAfeeUpdaterUI - C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
MSConfigStartUp-MsnMsgr - C:\Program Files\MSN Messenger\msnmsgr.exe
MSConfigStartUp-NeroFilterCheck - C:\WINDOWS\system32\NeroCheck.exe
MSConfigStartUp-Network Associates Error Reporting Service - C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
MSConfigStartUp-ShStatEXE - C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
MSConfigStartUp-Yahoo! Pager - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
MSConfigStartUp-{6f2dd6f7-4270-64cf-b28a-158cfc4a21af} - C:\WINDOWS\system32\{2c449ffc-81e4-99ab-1cf4-20a6203e3ffc}.dll
MSConfigStartUp-= - (no file)
MSConfigStartUp-Aim6 - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 11:46:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-07-01 11:49:53
ComboFix-quarantined-files.txt 2008-07-01 15:48:49

Pre-Run: 51,918,753,792 bytes free
Post-Run: 51,932,512,256 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

310 --- E O F --- 2008-06-23 16:27:17



Here is the hijackthis.log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:38, on 2008-07-01
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis_199.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://officialhomepage.org/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 5997 bytes
Old 07-01-2008, 12:17 PM   #5 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,948
OS: Windows 7 Ultimate


Re: Active Pop-ups, Internet Explore random closing and Sounds

Hello Stan_22,

This is going to take a few posts to clean up, so please stick with me until the end, when I declare your machine malware-free.

Thanks


--------------------------------------------------------------

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):

Viewpoint Manager <<<this is considered foistware instead of malware since it is installed without the user's approval, but doesn't spy or do anything "bad". Read this article: http://www.clickz.com/news/article.php/3561546

Additional info: http://vil.nai.com/vil/content/v_137262.htm

--------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
File::
C:\WINDOWS\system32\XJXAg3nw.exe
C:\WINDOWS\system32\VW3y11hg.exe
C:\WINDOWS\system32\XJXAg3nw.exe.a_a
C:\WINDOWS\system32\VW3y11hg.exe.a_a
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
Folder::
C:\Documents and Settings\All Users\Application Data\Viewpoint
Save this as CFScript




Referring to the picture above, drag CFScript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Warning:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

--------------------------------------------------------------

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following in BOLD:

    C:\WINDOWS\system32\RS3u11dc.dll

  • Then click the "Send File" button just below.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.

If VirusTotal is busy, try the same at Jotti

--------------------------------------------------------------

Please reply back with the following:

C:\ComboFix.txt
Virus Total Results
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
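The CFScript above removes 48 AtN.job entries that all launched one of two random-named executables from system32 every hour, which is what at.exe-style persistence looks like in a ComboFix log. As an added example (my code, not the forum's and not ComboFix's), the script below parses the "Contents of the 'Scheduled Tasks' folder" section, groups the jobs by the program they run, and flags a target when at least two of three indicators hold: it is launched by AtN.job entries, it is a random-looking name in system32, and more than one job points at it. The sample log is a constructed excerpt using the paths from the log posted above; the `looks_random` heuristic and the two-of-three scoring are my assumptions, not anything ComboFix does.

```python
"""Flag at.exe-style scheduled-task persistence in a ComboFix log excerpt.

Added example (not from the forum or from ComboFix): parses the
"Contents of the 'Scheduled Tasks' folder" section, groups jobs by the
program they launch, and marks targets that match the pattern seen in
the thread: many AtN.job entries pointing at a random-named executable
in system32.
"""
import re
from collections import defaultdict

# Constructed sample in the ComboFix layout (job line, then "- target" line);
# the paths are the ones from the posted log, trimmed to a few entries.
SAMPLE_LOG = r"""
Contents of the 'Scheduled Tasks' folder
"2008-06-26 23:27:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-01 04:39:10 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-06-27 13:00:01 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-07-01 04:41:11 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-07-01 05:00:10 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\VW3y11hg.exe
.
- - - - ORPHANS REMOVED - - - -
"""

JOB_RE = re.compile(r'^"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<job>.+\.job)"$')
AT_JOB_RE = re.compile(r"(?i)\\At\d+\.job$")
SYSTEM32_RE = re.compile(r"(?i)^[a-z]:\\windows\\system32\\[^\\]+$")


def parse_tasks(log_text):
    """Return (job_path, target_path) pairs from the scheduled-tasks section."""
    pairs, in_section, pending_job = [], False, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_section = True
            continue
        if not in_section:
            continue
        if line == "." or line.startswith("- - - -"):
            break  # end of the section
        m = JOB_RE.match(line)
        if m:
            pending_job = m.group("job")
        elif line.startswith("- ") and pending_job:
            pairs.append((pending_job, line[2:].strip()))
            pending_job = None
    return pairs


def looks_random(path):
    """Heuristic (assumption) for machine-generated names such as XJXAg3nw:
    a 6-12 character alphanumeric stem mixing upper case, lower case and digits."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return (6 <= len(stem) <= 12 and stem.isalnum()
            and any(c.isdigit() for c in stem)
            and any(c.isupper() for c in stem)
            and any(c.islower() for c in stem))


def analyze(log_text):
    """Group jobs by target; a target is suspicious when at least two of three
    indicators hold: launched by AtN.job entries, random-named binary in
    system32, more than one job pointing at it."""
    by_target = defaultdict(list)
    for job, target in parse_tasks(log_text):
        by_target[target].append(job)
    findings = {}
    for target, jobs in by_target.items():
        at_jobs = sum(1 for j in jobs if AT_JOB_RE.search(j))
        random_in_sys32 = bool(SYSTEM32_RE.match(target)) and looks_random(target)
        indicators = (at_jobs > 0, random_in_sys32, len(jobs) > 1)
        findings[target] = {
            "jobs": jobs,
            "at_jobs": at_jobs,
            "random_in_system32": random_in_sys32,
            "suspicious": sum(indicators) >= 2,
        }
    return findings


if __name__ == "__main__":
    # XJXAg3nw.exe and VW3y11hg.exe are flagged; SoftwareUpdate.exe is not.
    for target, info in analyze(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{flag:10} {target}  ({info['at_jobs']} At jobs of {len(info['jobs'])})")
```

Requiring two indicators keeps a single legitimate `at` job, or a vendor binary with a short versioned name, from being flagged on its own; a full log with the 48 entries above produces the same two findings, each with 24 jobs.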
Old 07-01-2008, 12:46 PM   #6 (permalink)
Registered User
 
 
Join Date: Jun 2008
Location: Fort Lauderdale, FL
Posts: 9
OS: Windows XP Service Pack 3


Re: Active Pop-ups, Internet Explore random closing and Sounds

Here is the recent ComboFix.txt

ComboFix 08-06-30.2 - Windows User 2008-07-01 14:35:30.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.489 [GMT -4:00]
Running from: C:\Documents and Settings\Windows User\Desktop\ComboF.exe
Command switches used :: C:\Documents and Settings\Windows User\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\VW3y11hg.exe
C:\WINDOWS\system32\VW3y11hg.exe.a_a
C:\WINDOWS\system32\XJXAg3nw.exe
C:\WINDOWS\system32\XJXAg3nw.exe.a_a
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\WINDOWS\system32\VW3y11hg.exe.a_a
C:\WINDOWS\system32\XJXAg3nw.exe.a_a
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
.

2008-07-01 10:08 . 2008-07-01 10:08 <DIR> d-------- C:\Program Files\Avira
2008-07-01 10:08 . 2008-07-01 10:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-27 15:39 . 2008-06-27 15:39 <DIR> d-------- C:\Deckard
2008-06-27 11:30 . 2008-06-27 11:31 <DIR> d-------- C:\Program Files\Panda Security
2008-06-27 02:11 . 2008-06-27 02:12 <DIR> d-------- C:\Program Files\ZonedOut
2008-06-27 02:02 . 2008-06-27 02:02 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-26 19:39 . 2008-06-26 19:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-26 08:36 . 2008-06-26 08:36 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-26 08:36 . 2008-06-26 08:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-25 14:09 . 2008-06-25 14:09 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-25 14:09 . 2008-06-25 14:09 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-25 14:08 . 2008-06-25 14:08 <DIR> d-------- C:\WINDOWS\system32\en
2008-06-25 14:08 . 2008-06-25 14:08 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-25 12:56 . 2008-04-13 20:12 69,120 --------- C:\WINDOWS\system32\wlanapi.dll
2008-06-25 12:56 . 2008-04-13 20:12 53,248 --------- C:\WINDOWS\system32\tsgqec.dll
2008-06-25 12:56 . 2008-04-13 20:12 50,688 --------- C:\WINDOWS\system32\tspkg.dll
2008-06-25 12:54 . 2008-04-13 20:11 397,312 --------- C:\WINDOWS\system32\mmcex.dll
2008-06-25 12:53 . 2008-04-13 20:11 650,752 --------- C:\WINDOWS\system32\dot3ui.dll
2008-06-22 21:14 . 2008-06-25 11:35 20,480 --a------ C:\WINDOWS\system32\RS3u11dc.dll
2008-06-11 13:16 . 2008-06-13 07:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 13:16 . 2008-05-08 10:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 15:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-27 04:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-27 04:40 --------- d-----w C:\Program Files\Macromedia
2008-06-27 04:38 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-06-23 22:05 --------- d-----w C:\Program Files\Java
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-25 22:59 --------- d-----w C:\Program Files\CeRegEditor
2008-05-18 18:27 --------- d-----w C:\Program Files\TotalImageConverter
2008-05-17 04:56 --------- d-----w C:\Documents and Settings\Windows User\Application Data\Softplicity
2008-05-14 12:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 09:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-14 09:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-14 09:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 00:10 102,912 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:27 2,188,928 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 18:43 9,728 ----a-w C:\WINDOWS\system32\comsdupd.exe
2008-04-13 18:43 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe
2008-04-13 18:31 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2008-04-13 18:31 2,065,792 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-13 18:30 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2008-04-13 18:14 76,800 ------w C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 17:39 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll
2008-04-13 17:39 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll
2008-04-13 17:39 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2008-04-13 17:37 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2008-04-13 17:37 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2008-04-13 17:27 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll
2008-04-13 17:26 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll
2008-04-13 17:24 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
2008-04-13 17:21 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2008-04-13 17:09 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2008-04-13 17:03 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
2008-04-13 17:03 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
2008-04-13 16:48 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll
2008-04-13 16:45 216,064 ----a-w C:\WINDOWS\system32\moricons.dll
2008-04-13 16:23 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
2008-04-13 16:22 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
2008-04-13 15:39 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-05-13 15:30 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-05-13 15:29 126976]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26 368706]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-11-01 14:51 995328]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-11-01 14:47 1101824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-13 20:12 169984]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{650CA63D-4A01-4BF8-A608-9B1EBB36292E}"= "C:\WINDOWS\system32\RS3u11dc.dll" [2008-06-25 11:35 20480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
--a------ 2007-06-15 19:43 22528 C:\Program Files\AT&T\Communication Manager\ATTCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2004-10-08 14:43 688218 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2004-10-08 14:44 98394 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2007-12-03 14:21 3461120 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
--a------ 2008-04-13 20:11 177152 C:\WINDOWS\system32\mqrt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"MDM"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"bmwebcfg"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\javaw.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Logging]
"LogSuccessfulConnections"= 0 (0x0)
"LogDroppedPackets"= 0 (0x0)
"LogFileSize"= 0 (0x0)
"LogFilePath"=

S3 swmsflt;swmsflt;C:\WINDOWS\system32\drivers\swmsflt.sys [2007-09-04 12:20]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2008-04-13 14:56]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

*Newly Created Service* - ANTIVIRSCHEDULER
*Newly Created Service* - ANTIVIRSERVICE
*Newly Created Service* - AVGIO
*Newly Created Service* - AVGNTFLT
*Newly Created Service* - AVIPBB
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-26 23:27:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-= - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 14:37:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-07-01 14:40:48
ComboFix-quarantined-files.txt 2008-07-01 18:39:44
ComboFix2.txt 2008-07-01 15:49:55

Pre-Run: 51,950,137,344 bytes free
Post-Run: 51,934,400,512 bytes free

301 --- E O F --- 2008-06-23 16:27:17





Here are the VirusTotal results




MD5: 818b3c875e87e92e764fee1e984df614
First received: 06.21.2008 17:48:22 (CET)
Date: 07.01.2008 15:10:09 (CET) [<1D]
Results: 4/33
Permalink: analisis/8645ddd4fbcea2dd4925e071ce6c9364


File BfBlNwwp.vll received on 07.01.2008 15:09:08 (CET)
Current status: finished

Result: 4/33 (12.12%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 2008.7.1.0 2008.07.01 -
AntiVir 7.8.0.59 2008.07.01 -
Authentium 5.1.0.4 2008.07.01 -
Avast 4.8.1195.0 2008.06.30 -
AVG 7.5.0.516 2008.07.01 -
BitDefender 7.2 2008.07.01 -
CAT-QuickHeal 9.50 2008.06.30 -
ClamAV 0.93.1 2008.07.01 -
DrWeb 4.44.0.09170 2008.07.01 -
eSafe 7.0.17.0 2008.06.30 Suspicious File
eTrust-Vet 31.6.5917 2008.07.01 -
Ewido 4.0 2008.06.27 -
F-Prot 4.4.4.56 2008.07.01 -
F-Secure 7.60.13501.0 2008.07.01 -
Fortinet 3.14.0.0 2008.07.01 -
GData 2.0.7306.1023 2008.07.01 -
Ikarus T3.1.1.26.0 2008.07.01 -
Kaspersky 7.0.0.125 2008.07.01 -
McAfee 5328 2008.06.30 -
Microsoft 1.3704 2008.07.01 -
NOD32v2 3232 2008.07.01 -
Norman 5.80.02 2008.06.30 -
Panda 9.0.0.4 2008.07.01 Suspicious file
Prevx1 V2 2008.07.01 Cloaked Malware
Rising 20.51.12.00 2008.07.01 -
Sophos 4.30.0 2008.07.01 Mal/HckPk-E
Sunbelt 3.1.1509.1 2008.07.01 -
Symantec 10 2008.07.01 -
TheHacker 6.2.96.365 2008.07.01 -
TrendMicro 8.700.0.1004 2008.07.01 -
VBA32 3.12.6.8 2008.06.30 -
VirusBuster 4.5.11.0 2008.06.30 -
Webwasher-Gateway 6.6.2 2008.07.01 -
Additional information
File size: 20480 bytes
MD5...: 818b3c875e87e92e764fee1e984df614
SHA1..: 33cb84fa890c599a001d023b794f4cb4eb4712fd
SHA256: cbc260caadfa66bdac93188334c38dfe4c0f2eab9ec215ecb65584e68bf63b0f
SHA512: c662f5ea5b9bb17562faef07af469edb00764265c6d5d607f4efa98d5872984b6cfe6c5d1d355f483a4849d45da71bb6888aaa0fdfc229f6769faec8a255db36
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1000d082
timedatestamp.....: 0x48588964 (Wed Jun 18 04:04:52 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x9000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0xa000 0x4000 0x3400 7.87 347fab63e1126ae3c2ab779b134d90b5
.rsrc 0xe000 0x2000 0x1800 4.92 1ee8d9bca289f56f3a82bb4965923a07

( 10 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree
> ADVAPI32.dll: RegCloseKey
> ATL80.DLL: -
> MSVCR80.dll: free
> ole32.dll: CoCreateInstance
> OLEAUT32.dll: -
> SHELL32.dll: ShellExecuteA
> SHLWAPI.dll: StrStrA
> USER32.dll: wsprintfA
> WININET.dll: InternetOpenW

( 4 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer

Prevx info: http://info.prevx.com/aboutprogramte...488B00EF775A0B
packers (F-Prot): UPX

Last edited by Stan_22; 07-01-2008 at 12:54 PM. Reason: additional information found upon link
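The PE section table in the VirusTotal report above is consistent with the four "packed/cloaked" verdicts rather than a signature match: the ntrpy column is Shannon entropy in bits per byte (0 to 8), UPX0 has no bytes on disk, and UPX1 sits at 7.87. As an added example (not code from the post, from VirusTotal or from any scanner), this parses that block and lists the packer indicators a triage analyst checks before reading anything into a 4/33 result:

```python
"""Packer indicators from a VirusTotal 'PE Structure information' block.

Added example; not code from the forum post, from VirusTotal or from any
scanner. It parses the section table and import list in the format pasted
above and reports why a file looks packed rather than signature-matched.
"""
import re
from dataclasses import dataclass

# Constructed copy of the section table and imports quoted in the thread.
SAMPLE_REPORT = """\
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x9000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0xa000 0x4000 0x3400 7.87 347fab63e1126ae3c2ab779b134d90b5
.rsrc 0xe000 0x2000 0x1800 4.92 1ee8d9bca289f56f3a82bb4965923a07

( 10 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree
> ADVAPI32.dll: RegCloseKey
> ATL80.DLL: -
> MSVCR80.dll: free
> ole32.dll: CoCreateInstance
> OLEAUT32.dll: -
> SHELL32.dll: ShellExecuteA
> SHLWAPI.dll: StrStrA
> USER32.dll: wsprintfA
> WININET.dll: InternetOpenW
"""

# Section names written by common packer stubs (UPX, ASPack, Petite, MPRESS, NsPack).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                        "MPRESS1", "MPRESS2", ".nsp0", ".nsp1"}
# The minimal loader a packer needs to rebuild the real import table at run time.
LOADER_STUB_APIS = {"LoadLibraryA", "GetProcAddress", "VirtualProtect", "VirtualAlloc"}
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # MD5 of zero bytes

SECTION_RE = re.compile(
    r"^(\S+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+([0-9.]+)\s+([0-9a-f]{32})$",
    re.I)
IMPORT_RE = re.compile(r"^>\s*([^:]+):\s*(.*)$")


@dataclass
class Section:
    name: str
    vaddr: int
    vsize: int      # size when mapped in memory
    rawsize: int    # size on disk
    entropy: float  # Shannon entropy, bits per byte, 0.0 .. 8.0
    md5: str


def parse_sections(report: str) -> list[Section]:
    """Read the '( N sections )' table; header and other lines are skipped."""
    out = []
    for line in report.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            name, va, vs, rs, ent, md5 = m.groups()
            out.append(Section(name, int(va, 16), int(vs, 16), int(rs, 16),
                               float(ent), md5.lower()))
    return out


def parse_imports(report: str) -> dict[str, list[str]]:
    """Read the '> DLL: api, api' lines; a bare '-' means no named imports."""
    imports: dict[str, list[str]] = {}
    for line in report.splitlines():
        m = IMPORT_RE.match(line.strip())
        if m:
            dll, names = m.groups()
            imports[dll.strip()] = ([] if names.strip() == "-" else
                                    [n.strip() for n in names.split(",") if n.strip()])
    return imports


def packer_indicators(sections: list[Section], imports: dict[str, list[str]]) -> list[str]:
    findings = []
    for s in sections:
        if s.name in PACKER_SECTION_NAMES:
            findings.append(f"{s.name}: section name belongs to a known packer stub")
        if s.rawsize == 0 and s.vsize > 0:
            # Empty on disk, large in memory: the packer unpacks into it at run time.
            findings.append(f"{s.name}: 0 bytes on disk but {s.vsize:#x} bytes in memory")
        if s.rawsize > 0 and s.entropy >= 7.0:
            findings.append(f"{s.name}: entropy {s.entropy:.2f}/8.00, compressed or encrypted data")
    all_apis = {api for names in imports.values() for api in names}
    if LOADER_STUB_APIS <= all_apis and len(all_apis) <= 16:
        findings.append("import table is a minimal loader stub; real imports resolve after unpacking")
    return findings


def is_probably_packed(report: str) -> bool:
    """True when at least two independent packer indicators are present."""
    return len(packer_indicators(parse_sections(report), parse_imports(report))) >= 2


if __name__ == "__main__":
    for f in packer_indicators(parse_sections(SAMPLE_REPORT), parse_imports(SAMPLE_REPORT)):
        print("-", f)
```

A packed file is not malicious by itself; the indicators only say that static scanning saw the stub, not the payload, which is why the helper asks for the sample to be submitted for analysis.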
Old 07-01-2008, 01:14 PM   #7 (permalink)
forhockey (Analyst, Security Team)
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,948
OS: Windows 7 Ultimate

Re: Active Pop-ups, Internet Explore random closing and Sounds

Quote:
File BfBlNwwp.vll received on 07.01.2008 15:09:08 (CET)
Current status: finished
The above shows a different file from what was requested.

Please run a scan at VirusTotal on the following file:

C:\WINDOWS\system32\RS3u11dc.dll


Thanks
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
Old 07-01-2008, 01:35 PM   #8 (permalink)
Stan_22 (Registered User)
Join Date: Jun 2008
Location: Fort Lauderdale, FL
Posts: 9
OS: Windows XP Service Pack 3

Re: Active Pop-ups, Internet Explore random closing and Sounds

Sorry, I tried it again and got these results:


File RS3u11dc.dll received on 07.01.2008 21:30:28 (CET)
Current status: finished

Result: 4/33 (12.13%)


Antivirus Version Last Update Result
AhnLab-V3 2008.7.2.0 2008.07.01 -
AntiVir 7.8.0.59 2008.07.01 -
Authentium 5.1.0.4 2008.07.01 -
Avast 4.8.1195.0 2008.06.30 -
AVG 7.5.0.516 2008.07.01 -
BitDefender 7.2 2008.07.01 -
CAT-QuickHeal 9.50 2008.06.30 -
ClamAV 0.93.1 2008.07.01 -
DrWeb 4.44.0.09170 2008.07.01 -
eSafe 7.0.17.0 2008.07.01 Suspicious File
eTrust-Vet 31.6.5917 2008.07.01 -
Ewido 4.0 2008.07.01 -
F-Prot 4.4.4.56 2008.07.01 -
F-Secure 7.60.13501.0 2008.07.01 -
Fortinet 3.14.0.0 2008.07.01 -
GData 2.0.7306.1023 2008.07.01 -
Ikarus T3.1.1.26.0 2008.07.01 -
Kaspersky 7.0.0.125 2008.07.01 -
McAfee 5329 2008.07.01 -
Microsoft 1.3704 2008.07.01 -
NOD32v2 3232 2008.07.01 -
Norman 5.80.02 2008.07.01 -
Panda 9.0.0.4 2008.07.01 Suspicious file
Prevx1 V2 2008.07.01 Cloaked Malware
Rising 20.51.12.00 2008.07.01 -
Sophos 4.30.0 2008.07.01 Mal/HckPk-E
Sunbelt 3.1.1509.1 2008.07.01 -
Symantec 10 2008.07.01 -
TheHacker 6.2.96.365 2008.07.01 -
TrendMicro 8.700.0.1004 2008.07.01 -
VBA32 3.12.6.8 2008.07.01 -
VirusBuster 4.5.11.0 2008.07.01 -
Webwasher-Gateway 6.6.2 2008.07.01 -
Additional information
File size: 20480 bytes
MD5...: 818b3c875e87e92e764fee1e984df614
SHA1..: 33cb84fa890c599a001d023b794f4cb4eb4712fd
SHA256: cbc260caadfa66bdac93188334c38dfe4c0f2eab9ec215ecb65584e68bf63b0f
SHA512: c662f5ea5b9bb17562faef07af469edb00764265c6d5d607f4efa98d5872984b6cfe6c5d1d355f483a4849d45da71bb6888aaa0fdfc229f6769faec8a255db36
Old 07-01-2008, 01:42 PM   #9 (permalink)
forhockey (Analyst, Security Team)
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,948
OS: Windows 7 Ultimate

Re: Active Pop-ups, Internet Explore random closing and Sounds

Hi Stan_22,

That looks better :)

Please submit this file to: http://www.bleepingcomputer.com/subm....php?channel=4


C:\WINDOWS\system32\RS3u11dc.dll


Please include a link to this topic in the message.

Link:
Code:
http://www.techsupportforum.com/security-center/hijackthis-log-help/263737-active-pop-ups-internet-explore-random-closing-sounds.html#post1566932

-------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Code:
@echo off
REM Clear any log left by a previous run
if exist "%temp%\log.txt" del "%temp%\log.txt"

REM Delete each listed file and record any that survives in log.txt
REM (the log line and the closing parenthesis were dropped from the posted copy)
for %%g in (
"C:\WINDOWS\system32\RS3u11dc.dll"
) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo %%g>>"%temp%\log.txt"
)
REM Show the list of survivors if there is one, otherwise report success
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!
REM Pause 7 seconds so the message can be read (needs NirCmd on the PATH)
nircmd wait 7000
REM The batch file deletes itself
del %0
Save this as delete.bat, choosing "Save as type: All Files".
Double click on delete.bat & allow it to run

------------------------------------------

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.

  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

--------------------------------------------------------------

Please reply back with the following:

Results from batch file
Kaspersky online scan results
Old 07-01-2008, 05:23 PM   #10 (permalink)
Stan_22 (Registered User)
Join Date: Jun 2008
Location: Fort Lauderdale, FL
Posts: 9
OS: Windows XP Service Pack 3

Re: Active Pop-ups, Internet Explore random closing and Sounds

Finally finished the Kaspersky scan. Thank you for your help. When I submitted the file, I submitted C:\WINDOWS\system32\RS3u11dc.dll as C:\WINDOWS\system32\RS3u11dc.dll.txt because when it asked me to replace an already existing file I did not know if I was supposed to, so I didn't.

When I ran the batch file, all it did was blink a command prompt and nothing else. I did everything else as instructed, and these are the Kaspersky results.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, July 1, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, July 01, 2008 17:17:02
Records in database: 902137
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 85413
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:40:51


File name / Threat name / Threats count
C:\System Volume Information\_restore{9FAFDC56-83A6-44F4-A9B1-218120EDDA1E}\RP424\A0100805.exe Infected: not-a-virus:PSWTool.Win32.RAS.g 1

The selected area was scanned.
Old 07-01-2008, 08:06 PM   #11 (permalink)
forhockey (Analyst, Security Team)
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,948
OS: Windows 7 Ultimate

Re: Active Pop-ups, Internet Explore random closing and Sounds

Hi Stan_22,

Not a problem... Things are finally looking clear. Now we just have to get rid of that dll.

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
KILLALL::

File::
C:\WINDOWS\system32\RS3u11dc.dll
Save this as CFScript

Referring to the picture above, drag CFScript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Warning:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Old 07-01-2008, 09:39 PM   #12 (permalink)
Stan_22 (Registered User)
Join Date: Jun 2008
Location: Fort Lauderdale, FL
Posts: 9
OS: Windows XP Service Pack 3

Re: Active Pop-ups, Internet Explore random closing and Sounds

No problem, here is the ComboFix.txt you asked for. Also, I've noticed that Avira AntiVir Personal keeps popping up, detecting TR/Crypt.ULPM.Gen on the computer, and I keep deleting it.

ComboFix 08-06-30.2 - Windows User 2008-07-01 23:19:28.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.628 [GMT -4:00]
Running from: C:\Documents and Settings\Windows User\Desktop\ComboF.exe
Command switches used :: C:\Documents and Settings\Windows User\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\RS3u11dc.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\RS3u11dc.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.

2008-07-01 10:08 . 2008-07-01 10:08 <DIR> d-------- C:\Program Files\Avira
2008-07-01 10:08 . 2008-07-01 10:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-27 15:39 . 2008-06-27 15:39 <DIR> d-------- C:\Deckard
2008-06-27 11:30 . 2008-06-27 11:31 <DIR> d-------- C:\Program Files\Panda Security
2008-06-27 02:11 . 2008-06-27 02:12 <DIR> d-------- C:\Program Files\ZonedOut
2008-06-27 02:02 . 2008-06-27 02:02 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-26 19:39 . 2008-06-26 19:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-26 08:36 . 2008-06-26 08:36 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-26 08:36 . 2008-06-26 08:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-25 14:09 . 2008-06-25 14:09 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-25 14:09 . 2008-06-25 14:09 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-25 14:08 . 2008-06-25 14:08 <DIR> d-------- C:\WINDOWS\system32\en
2008-06-25 14:08 . 2008-06-25 14:08 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-25 12:56 . 2008-04-13 20:12 69,120 --------- C:\WINDOWS\system32\wlanapi.dll
2008-06-25 12:56 . 2008-04-13 20:12 53,248 --------- C:\WINDOWS\system32\tsgqec.dll
2008-06-25 12:56 . 2008-04-13 20:12 50,688 --------- C:\WINDOWS\system32\tspkg.dll
2008-06-25 12:54 . 2008-04-13 20:11 397,312 --------- C:\WINDOWS\system32\mmcex.dll
2008-06-25 12:53 . 2008-04-13 20:11 650,752 --------- C:\WINDOWS\system32\dot3ui.dll
2008-06-11 13:16 . 2008-06-13 07:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 13:16 . 2008-05-08 10:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 15:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-27 04:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-27 04:40 --------- d-----w C:\Program Files\Macromedia
2008-06-27 04:38 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-06-23 22:05 --------- d-----w C:\Program Files\Java
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-25 22:59 --------- d-----w C:\Program Files\CeRegEditor
2008-05-18 18:27 --------- d-----w C:\Program Files\TotalImageConverter
2008-05-17 04:56 --------- d-----w C:\Documents and Settings\Windows User\Application Data\Softplicity
2008-05-14 12:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 34,816 ----a-w C:\WINDOWS\Help\sniffpol.dll
2008-04-14 00:12 33,280 ----a-w C:\WINDOWS\Help\sstub.dll
2008-04-14 00:12 32,866 ----a-w C:\WINDOWS\slrundll.exe
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 279,040 ----a-w C:\WINDOWS\Help\tshoot.dll
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2008-04-14 00:11 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-14 00:11 39,424 ----a-w C:\WINDOWS\AppPatch\acadproc.dll
2008-04-14 00:11 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll
2008-04-14 00:11 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll
2008-04-14 00:11 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll
2008-04-14 00:11 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-01_11.48.30.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-28 03:15:49 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-02 03:25:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-29 06:26:22 223,837 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-07-02 03:26:34 223,831 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-05-13 15:30 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-05-13 15:29 126976]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26 368706]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-11-01 14:51 995328]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-11-01 14:47 1101824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
--a------ 2007-06-15 19:43 22528 C:\Program Files\AT&T\Communication Manager\ATTCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2004-10-08 14:43 688218 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2004-10-08 14:44 98394 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2007-12-03 14:21 3461120 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
--a------ 2008-04-13 20:11 177152 C:\WINDOWS\system32\mqrt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"MDM"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"bmwebcfg"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\javaw.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Logging]
"LogSuccessfulConnections"= 0 (0x0)
"LogDroppedPackets"= 0 (0x0)
"LogFileSize"= 0 (0x0)
"LogFilePath"=

S3 swmsflt;swmsflt;C:\WINDOWS\system32\drivers\swmsflt.sys [2007-09-04 12:20]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2008-04-13 14:56]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

*Newly Created Service* - SSMDRV
.
Contents of the 'Scheduled Tasks' folder
"2008-06-26 23:27:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{650CA63D-4A01-4BF8-A608-9B1EBB36292E} - C:\WINDOWS\system32\RS3u11dc.dll
MSConfigStartUp-= - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 23:28:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
.
**************************************************************************
.
Completion time: 2008-07-01 23:34:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-02 03:34:51
ComboFix2.txt 2008-07-01 18:40:49
ComboFix3.txt 2008-07-01 15:49:55

Pre-Run: 51,850,907,648 bytes free
Post-Run: 51,900,047,360 bytes free

189 --- E O F --- 2008-06-23 16:27:17
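Beyond the deleted DLL, the Reg Loading Points section of the ComboFix log above records several settings a defender should question: the ShellExecuteHooks orphan that loaded RS3u11dc.dll, AntiVirusOverride set to 1 in Security Center, TCP 3389 opened with no address scope, firewall exceptions for file-sharing clients, and firewall logging switched off. As an added example (not ComboFix's code and not from the thread), this walks that section in ComboFix's line format and ranks what it finds; the sample input is a constructed excerpt of the log above:

```python
"""Audit the 'Reg Loading Points' part of a ComboFix log for weak settings.

Added example; it is not ComboFix code and not from the forum post. Input is
a constructed excerpt of the log above in ComboFix's line format: registry
keys in [brackets], values as "name"=data, and orphaned autostart entries
listed after the ORPHANS REMOVED marker.
"""
import re

SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Logging]
"LogSuccessfulConnections"= 0 (0x0)
"LogDroppedPackets"= 0 (0x0)

- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{650CA63D-4A01-4BF8-A608-9B1EBB36292E} - C:\WINDOWS\system32\RS3u11dc.dll
"""

# File-sharing clients whose firewall exceptions normally mean inbound listeners.
P2P_CLIENTS = {"bitlord.exe", "limewire.exe"}
# Well-known listening ports worth naming when opened without an address scope.
NAMED_PORTS = {"3389/TCP": "Remote Desktop", "445/TCP": "SMB", "135/TCP": "RPC endpoint mapper"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')
ORPHAN_RE = re.compile(r"^ShellExecuteHooks-(\{[0-9A-Fa-f-]+\})\s+-\s+(.+)$")
SUBNET_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\S+)?$")


def parse_loading_points(log: str):
    """Yield (key, name, data) for registry values, ('ORPHAN', clsid, path) for orphans."""
    key = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif m := ORPHAN_RE.match(line):
            yield "ORPHAN", m.group(1), m.group(2)
        elif key and (m := VALUE_RE.match(line)):
            yield key, m.group(1), m.group(2)


def audit(log: str) -> list[tuple[str, str]]:
    """Return (severity, message) pairs for each questionable entry."""
    findings = []
    for key, name, data in parse_loading_points(log):
        k = key.lower()
        if key == "ORPHAN":
            # A ShellExecuteHooks COM object is loaded by the shell on every ShellExecute call.
            findings.append(("HIGH", f"ShellExecuteHooks {name} loaded {data} via the shell; "
                                     "persistence point of the removed DLL"))
        elif k.endswith("security center") and name == "AntiVirusOverride":
            if data.startswith("dword:") and int(data[6:], 16) == 1:
                findings.append(("MEDIUM", "AntiVirusOverride=1: Security Center will not warn "
                                           "when antivirus is off"))
        elif k.endswith("authorizedapplications\\list"):
            exe = name.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()
            if exe in P2P_CLIENTS:
                findings.append(("MEDIUM", f"firewall exception for P2P client {exe}"))
        elif k.endswith("globallyopenports\\list"):
            fields = data.split(":")
            port = f"{fields[0]}/{fields[1]}" if len(fields) > 1 else name
            scoped = len(fields) > 2 and SUBNET_RE.match(fields[2]) is not None
            if not scoped:
                findings.append(("HIGH", f"port {port} ({NAMED_PORTS.get(port, 'service')}) "
                                         "open with no address scope recorded"))
        elif k.endswith("\\logging") and name.startswith("Log") and data.startswith("0"):
            findings.append(("LOW", f"firewall {name} disabled: no record for later forensics"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```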
Old 07-01-2008, 09:46 PM   #13 (permalink)
forhockey (Analyst, Security Team)
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,948
OS: Windows 7 Ultimate

Re: Active Pop-ups, Internet Explore random closing and Sounds

Quote:
I've noticed that Avira AntiVir Personal keeps popping up with it detecting TR/Crypt.ULPM.Gen in the computer and I keep deleting it.
Where is the location of this file that Avira AntiVir keeps reporting?

Did you have your Antivirus disabled while running ComboFix?
Old 07-01-2008, 10:03 PM   #14 (permalink)
Stan_22 (Registered User)
Join Date: Jun 2008
Location: Fort Lauderdale, FL
Posts: 9
OS: Windows XP Service Pack 3

Re: Active Pop-ups, Internet Explore random closing and Sounds

It hasn't popped up since my last post, and when I did CFScript.txt Avira was running and not disabled.
Old 07-01-2008, 10:10 PM   #15 (permalink)
forhockey (Analyst, Security Team)
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,948
OS: Windows 7 Ultimate

Re: Active Pop-ups, Internet Explore random closing and Sounds

Hi Stan_22,

Many antivirus programs out there detect ComboFix as a virus, which it is not, and flag it as a false positive. Therefore, there is nothing to worry about.

--------------------------------------

Well done, your logs are clean! There are just a few more things I would like you to do.


**Please disable your Antivirus before performing the following via right clicking on the toolbar icon **


The following procedure will clear out ComboFix.exe, as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

----------------------------------------------------------------

** Re-enable your Antivirus protection now **

----------------------------------------------------------------

Microsoft Updates

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

Malware Prevention Tools

These programs configure your computer to prevent known malware-related changes. You can have more than one of these at a time and they take up minimal resources.
  • SpywareBlaster - Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items. Check regularly for updates.
  • IE-Spyad - Here is an installation guide -> http://www.techsupportforum.com/cont...ticles/63.html
  • MVPS Hosts File - extract and double-click the mvps.bat file. This will replace your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements, preventing your computer from connecting to those sites.
  • McAfee SiteAdvisor - helps to warn you before you interact with a dangerous Web site. Works with both IE and Firefox.
  • SpywareGuard - real-time protection that detects and blocks spyware before it can execute.

Alternative Web Browsers

Using an alternative browser can help prevent malware from being installed without your knowledge, but may not work on all websites.

Firewalls

If you do not have a firewall, here are a few free ones available for personal use:

Understanding and Using Firewalls


Informational Reading


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles:
Please respond to this thread one more time so we can mark this thread as resolved.
Old 07-01-2008, 10:38 PM   #16 (permalink)
Stan_22 (Registered User)
Join Date: Jun 2008
Location: Fort Lauderdale, FL
Posts: 9
OS: Windows XP Service Pack 3

Re: Active Pop-ups, Internet Explore random closing and Sounds

Thank you. I have downloaded SpywareGuard + SpywareBlaster and lastly Comodo Firewall Pro; hopefully that will help stop this from happening again, and I will read the Informational Reading. If there is nothing else required, THANK YOU.
Old 07-05-2008, 02:27 PM   #17 (permalink)
forhockey (Analyst, Security Team)
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,948
OS: Windows 7 Ultimate

Re: Active Pop-ups, Internet Explore random closing and Sounds

You're welcome. Safe surfing!
 


Copyright 2001 - 2009, Tech Support Forum