Tech Support Forum banner
Cancel

Help, help, I'm being repressed! (popups and 'counterfeited software')

Jump to Latest Follow
Status
Not open for further replies.
1 - 20 of 20 Posts
W

· Registered
Joined
·
10 Posts
Discussion Starter · #1 ·
Problem 1: IE popups at random times.

Problem 2: Have a message that tells me I may be a victim of software counterfeiting, and that my version of Windows may not be genuine. I find this difficult to believe, as it was the version of Windows that came with my laptop, and I've never had this message in the four-odd years I've owned it.

HijackThis log:

-

Logfile of HijackThis v1.99.1
Scan saved at 3:22:33 PM, on 12/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [1c311103] rundll32.exe "C:\WINDOWS\system32\frwhnaxh.dll",b
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup151.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

-

Plea: Help? :grin:
 
T

· Registered
Joined
·
5,277 Posts
#2 ·
Hello and welcome to TSF


I apologise for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems,follow instructions below.

===================

You are using an outdated version of Hijackthis. Please uninstall from Add/Remove programs, and delete your current version.

Next, download HijackThis to your desktop

Alternate link

Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Do not post that log, instead, do this next:

=====================================================

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

==========================
Logs Required
C:\Deckard\System Scanner\main.txt
C:\Deckard\System Scanner\extra.txt<----Attached
 
W

· Registered
Joined
·
10 Posts
Discussion Starter · #3 ·
Hey, no problem! It must be crazy busy for you guys around this time of year; you have your own lives. :)

main.txt:

Deckard's System Scanner v20071014.68
Run by Windswept on 2007-12-10 15:00:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
51: 2007-12-10 23:00:58 UTC - RP552 - Deckard's System Scanner Restore Point
50: 2007-12-05 14:09:29 UTC - RP551 - System Checkpoint
49: 2007-12-01 23:45:43 UTC - RP550 - System Checkpoint
48: 2007-11-30 01:43:51 UTC - RP549 - System Checkpoint
47: 2007-11-28 23:39:43 UTC - RP548 - Last known good configuration


-- First Restore Point --
1: 2007-11-28 23:38:21 UTC - RP502 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 383 MiB (512 MiB recommended).
System Drive C: has 2.04 GiB (less than 15%) free.


-- HijackThis (run as Windswept.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:02:15 PM, on 12/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Windswept\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Windswept.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DAF95B5-3BC8-40B7-A490-B8EED8C884AF} - C:\Program Files\Windows NT\qubofyrC:\WINDOWS\system32\j2\ppjup83122.exe.dll (file missing)
O2 - BHO: {62c54ec6-8b98-f708-6ff4-ad1eac0e71c5} - {5c17e0ca-e1da-4ff6-807f-89b86ce45c26} - C:\WINDOWS\system32\raskxrnl.dll (file missing)
O2 - BHO: (no name) - {898DBEB0-A407-4689-933D-9E84A832CA59} - C:\Program Files\Windows NT\qubofyrC:\DOCUME~1\WINDSW~1\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - (no file)
O2 - BHO: (no name) - {D33DF27F-52B4-4DC7-BF0C-E4AA4EADA098} - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [1c311103] rundll32.exe "C:\WINDOWS\system32\frwhnaxh.dll",b
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup151.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 3941 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe,2
.js - JSFile - shell\open\command - "C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1"
.txt - txtfile - shell\open\command - C:\WINDOWS\system32\NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 PenClass (Pen Class) - c:\windows\system32\drivers\penclass.sys <Not Verified; Wacom Technology Corporation; Wacom Pen Class Driver>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 TabletService - c:\windows\system32\tablet.exe <Not Verified; Wacom Technology, Corp.; Wacom Win32 Tablet Service>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Dell Wireless WLAN 1350 WLAN Mini-PCI Card
Device ID: PCI\VEN_14E4&DEV_4320&SUBSYS_00031028&REV_03\4&39A85202&0&10F0
Manufacturer: Broadcom
Name: Dell Wireless WLAN 1350 WLAN Mini-PCI Card
PNP Device ID: PCI\VEN_14E4&DEV_4320&SUBSYS_00031028&REV_03\4&39A85202&0&10F0
Service: BCM43XX


-- Files created between 2007-11-10 and 2007-12-10 -----------------------------

2007-12-10 14:57:15 0 d-------- C:\Program Files\Trend Micro
2007-11-28 15:57:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-28 15:37:52 425722 --ahs---- C:\WINDOWS\system32\cbcdd.ini2
2007-11-28 15:32:38 0 d-------- C:\WINDOWS\system32\m8
2007-11-28 15:32:36 0 d-------- C:\WINDOWS\system32\j2
2007-11-28 15:32:36 0 d-------- C:\WINDOWS\system32\d1
2007-11-28 15:31:51 0 d-------- C:\WINDOWS\system32\c1
2007-11-28 15:31:47 0 d-------- C:\WINDOWS\system32\rMa02yy


-- Find3M Report ---------------------------------------------------------------

2007-12-10 15:00:46 0 d-------- C:\Program Files\Trillian
2007-12-09 15:54:10 13721 --a------ C:\WINDOWS\system32\tablet.dat
2007-12-07 21:36:01 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-12-07 15:16:53 0 d-------- C:\Program Files\Viewpoint
2007-12-05 14:20:08 0 d-------- C:\Program Files\Symantec
2007-12-05 14:19:58 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-10-09 13:12:40 654 --a----c- C:\WINDOWS\eReg.dat
2007-09-12 10:52:44 53248 --a------ C:\WINDOWS\hg173.exe <Not Verified; ; hg173>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DAF95B5-3BC8-40B7-A490-B8EED8C884AF}]
C:\Program Files\Windows NT\qubofyrC:\WINDOWS\system32\j2\ppjup83122.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5c17e0ca-e1da-4ff6-807f-89b86ce45c26}]
C:\WINDOWS\system32\raskxrnl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{898DBEB0-A407-4689-933D-9E84A832CA59}]
C:\Program Files\Windows NT\qubofyrC:\DOCUME~1\WINDSW~1\LOCALS~1\Temp\CEMG555077.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D33DF27F-52B4-4DC7-BF0C-E4AA4EADA098}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [08/15/2003 09:38 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [08/15/2003 09:37 AM]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [05/27/2004 08:05 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 05:00 AM]
"BCMSMMSG"="BCMSMMSG.exe" [08/29/2003 02:59 AM C:\WINDOWS\BCMSMMSG.exe]
"1c311103"="C:\WINDOWS\system32\frwhnaxh.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/23/2007 09:12 AM]

C:\Documents and Settings\Windswept\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 6:00:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 6:00:00 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddcbc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LVF.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LVF.lnk
backup=C:\WINDOWS\pss\LVF.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
backup=C:\WINDOWS\pss\TabUserW.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Windswept^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Windswept\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DadApp]
C:\Program Files\Dell\AccessDirect\dadapp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Genuine]
rundll32.exe "C:\WINDOWS\system32\xlgsbtml.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWBMOUSE]
C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UWA7P_0001_N91M0809]
"C:\DOCUME~1\WINDSW~1\LOCALS~1\Temp\WinAntiVirusPro2007FreeInstall.exe" -nag

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
"C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WNSC]
C:\WINDOWS\System32\wnsintsu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{ZN}]
C:\DOCUME~1\WINDSW~1\LOCALS~1\Temp\TICHD003.exe CHD003


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{afd84a30-f9a6-11d9-be71-806d6172696f}]
PlayWithPowerDVD\Command- "C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe" "%L"


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{969B3B70-8765-11D5-9809-0050BACBF861}]
rundll32.exe advpack.dll,LaunchINFSection C:\Program Files\CyberLink\MP3PowerEncoder\Cyber.inf,PerUserStub



-- End of Deckard's System Scanner: finished at 2007-12-10 15:03:27 ------------
 

Attachments

T

· Registered
Joined
·
5,277 Posts
#4 ·
Hello again windswept

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

============================

Please follow all instructions and in which order they come,if you have any questions,please ask before proceeding.Its important that you follow this through until i give you the all clear,a lack of symptoms does not mean that you are clean.

=============================

P2P

P2P - I see you have P2P software BitTornado 0.3.7,BitTorrent 3.4.2 installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

==============================

Download ComboFix from Here or here

**Save it to your desktop**

Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

==============================

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

==============================
Logs Required
C:\Combofix.txt
Hijackthis log
 
W

· Registered
Joined
·
10 Posts
Discussion Starter · #5 ·
Oh, I haven't used bittorrent in forever, so I don't think that's really a problem. Could probably go ahead and delete it anyway, though...

ComboFix 07-12-09.1 - Windswept 2007-12-10 19:02:47.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.153 [GMT -8:00]
Running from: C:\Documents and Settings\Windswept\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\abW9
C:\Temp\abW9\tPho.log
C:\Temp\fse
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\c1
C:\WINDOWS\system32\d1
C:\WINDOWS\system32\f10WtR
C:\WINDOWS\system32\j2
C:\WINDOWS\system32\m8
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rMa02yy

.
((((((((((((((((((((((((( Files Created from 2007-11-11 to 2007-12-11 )))))))))))))))))))))))))))))))
.

2007-12-10 14:59 . 2007-12-10 14:59 <DIR> d-------- C:\Deckard
2007-12-10 14:57 . 2007-12-10 14:57 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-06 21:49 . 2007-12-07 21:49 832,935 ---hs---- C:\WINDOWS\SYSTEM32\hxanhwrf.ini
2007-12-05 21:47 . 2007-12-06 21:47 832,815 ---hs---- C:\WINDOWS\SYSTEM32\lphmjdmg.ini
2007-12-03 14:46 . 2007-12-04 17:01 794,040 ---hs---- C:\WINDOWS\SYSTEM32\pmnfuovc.ini
2007-12-02 10:43 . 2007-12-02 10:43 97 --a------ C:\WINDOWS\SYSTEM32\mcrh.tmp
2007-12-02 10:42 . 2007-12-02 10:42 793,664 ---hs---- C:\WINDOWS\SYSTEM32\ykcpyoxk.ini
2007-12-01 10:41 . 2007-12-01 10:41 793,784 ---hs---- C:\WINDOWS\SYSTEM32\qbfqxjew.ini
2007-11-30 06:01 . 2007-12-01 10:41 793,724 ---hs---- C:\WINDOWS\SYSTEM32\okkxomtk.ini
2007-11-29 06:01 . 2007-11-29 22:37 789,933 ---hs---- C:\WINDOWS\SYSTEM32\hvmbawns.ini
2007-11-28 15:57 . 2007-11-28 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-28 15:37 . 2007-12-07 22:42 425,722 --ahs---- C:\WINDOWS\SYSTEM32\cbcdd.ini2
2007-11-28 15:37 . 2007-12-07 22:42 425,622 --ahs---- C:\WINDOWS\SYSTEM32\cbcdd.ini
2007-11-28 15:31 . 2007-11-28 15:31 525,436 --a------ C:\temp\u900Y714.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 03:01 --------- d-----w C:\Program Files\Trillian
2007-12-08 05:36 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-12-07 23:16 --------- d-----w C:\Program Files\Viewpoint
2007-12-07 23:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-05 22:20 --------- d-----w C:\Program Files\Symantec
2007-12-05 22:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-12 18:52 53,248 ----a-w C:\WINDOWS\hg173.exe
2006-04-01 19:05 905 -c--a-w C:\Program Files\layout.bin
2006-04-01 19:05 512 -c--a-w C:\Program Files\data2.cab
2006-04-01 19:05 22,633 -c--a-w C:\Program Files\data1.hdr
2006-04-01 19:04 956,377 -c--a-w C:\Program Files\data1.cab
2006-04-01 19:04 500 -c--a-w C:\Program Files\setup.ini
2006-04-01 19:04 392,330 -c--a-w C:\Program Files\setup.boot
2006-04-01 19:04 186,838 -c--a-w C:\Program Files\setup.inx
2006-02-07 20:57 1,864 -c--a-w C:\Program Files\readme.txt
2004-01-22 01:39 292,711 -c--a-w C:\Program Files\setup.skin
2002-12-05 21:16 418,296 -c--a-w C:\Program Files\engine32.cab
2002-12-02 22:33 107,512 -c--a-w C:\Program Files\setup.exe
1999-07-07 00:00 6 -csh--r C:\WINDOWS\@[email protected]
2004-06-20 00:50 56 --sh--r C:\WINDOWS\SYSTEM32\3030672BD7.sys
2004-06-29 04:50 2,516 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DAF95B5-3BC8-40B7-A490-B8EED8C884AF}]
C:\Program Files\Windows NT\qubofyrC:\WINDOWS\system32\j2\ppjup83122.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5c17e0ca-e1da-4ff6-807f-89b86ce45c26}]
C:\WINDOWS\system32\raskxrnl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{898DBEB0-A407-4689-933D-9E84A832CA59}]
C:\Program Files\Windows NT\qubofyrC:\DOCUME~1\WINDSW~1\LOCALS~1\Temp\CEMG555077.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D33DF27F-52B4-4DC7-BF0C-E4AA4EADA098}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-23 09:12]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-08-15 09:38]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-08-15 09:37]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 20:05]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 02:59 C:\WINDOWS\BCMSMMSG.exe]
"1c311103"="C:\WINDOWS\system32\frwhnaxh.dll" []

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LVF.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LVF.lnk
backup=C:\WINDOWS\pss\LVF.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
backup=C:\WINDOWS\pss\TabUserW.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Windswept^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Windswept\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DadApp]
2003-03-07 09:36 209800 --a--c--- C:\Program Files\Dell\AccessDirect\dadapp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
2003-08-13 07:27 28672 --a------ C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Genuine]
rundll32.exe C:\WINDOWS\system32\xlgsbtml.dll,realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWBMOUSE]
2002-05-24 04:54 357376 --a--c--- C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UWA7P_0001_N91M0809]
C:\DOCUME~1\WINDSW~1\LOCALS~1\Temp\WinAntiVirusPro2007FreeInstall.exe -nag

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
C:\Program Files\Real\RealPlayer\realplay.exe /RunUPGToolCommandReBoot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 18:42 32768 --a--c--- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2003-11-19 14:48 32881 --a--c--- C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WNSC]
C:\WINDOWS\System32\wnsintsu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{ZN}]
C:\DOCUME~1\WINDSW~1\LOCALS~1\Temp\TICHD003.exe CHD003

R0 PenClass;Pen Class;C:\WINDOWS\system32\Drivers\PenClass.sys
S3 IR500;IR500;C:\WINDOWS\system32\DRIVERS\IR500.sys
S3 PortRst;PortRst;C:\WINDOWS\system32\DRIVERS\PortRst.sys
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{969B3B70-8765-11D5-9809-0050BACBF861}]
rundll32.exe advpack.dll,LaunchINFSection C:\Program Files\CyberLink\MP3PowerEncoder\Cyber.inf,PerUserStub
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\DOCUME~1\WINDSW~1\LOCALS~1\Temp\igbsvlec.dll
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-10 19:14:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-10 19:16:35 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-12-04 21:20
C:\ComboFix2.txt ... 2007-12-04 21:20
C:\ComboFix3.txt ... 2007-11-28 18:57
.
--- E O F ---


-------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:20:56 PM, on 12/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DAF95B5-3BC8-40B7-A490-B8EED8C884AF} - C:\Program Files\Windows NT\qubofyrC:\WINDOWS\system32\j2\ppjup83122.exe.dll (file missing)
O2 - BHO: {62c54ec6-8b98-f708-6ff4-ad1eac0e71c5} - {5c17e0ca-e1da-4ff6-807f-89b86ce45c26} - C:\WINDOWS\system32\raskxrnl.dll (file missing)
O2 - BHO: (no name) - {898DBEB0-A407-4689-933D-9E84A832CA59} - C:\Program Files\Windows NT\qubofyrC:\DOCUME~1\WINDSW~1\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: (no name) - {D33DF27F-52B4-4DC7-BF0C-E4AA4EADA098} - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [1c311103] rundll32.exe "C:\WINDOWS\system32\frwhnaxh.dll",b
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup151.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 4011 bytes
 
T

· Registered
Joined
·
5,277 Posts
#6 ·
Hello again windswept

Please follow all instructions and in which order they come,if you have any questions,please ask before proceeding.

============================

Download ATF-Cleaner by Atribune to your desktop.

Do not run just yet,we will shortly

=============================

Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\SYSTEM32\hxanhwrf.ini
C:\WINDOWS\SYSTEM32\lphmjdmg.ini
C:\WINDOWS\SYSTEM32\pmnfuovc.ini
C:\WINDOWS\SYSTEM32\mcrh.tmp
C:\WINDOWS\SYSTEM32\ykcpyoxk.ini
C:\WINDOWS\SYSTEM32\qbfqxjew.ini
C:\WINDOWS\SYSTEM32\okkxomtk.ini
C:\WINDOWS\SYSTEM32\hvmbawns.ini
C:\WINDOWS\SYSTEM32\cbcdd.ini2
C:\WINDOWS\SYSTEM32\cbcdd.ini
C:\temp\u900Y714.exe

Folder::
C:\Program Files\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Program Files\Symantec
C:\Program Files\Common Files\Symantec Shared

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DAF95B5-3BC8-40B7-A490-B8EED8C884AF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5c17e0ca-e1da-4ff6-807f-89b86ce45c26}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{898DBEB0-A407-4689-933D-9E84A832CA59}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D33DF27F-52B4-4DC7-BF0C-E4AA4EADA098}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"1c311103"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UWA7P_0001_N91M0809]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WNSC]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{ZN}]
Click to expand...
Save this as CFscript


Refering to the picture above, drag CFscript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Warning:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

===============================

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you have Firefox installed:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you have Opera installed:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

=====================================

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on
    located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on
    then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Paste the Panda Scan report into your next reply.

===============================

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

===============================
Logs Required
C:\Combofix.txt
Panda scan report
 
W

· Registered
Joined
·
10 Posts
Discussion Starter · #7 ·
Erm, I realize this sounds stupid, but how do I make popups work in IE? I went to Tools>Popup Blocker>Turn off popup blocker, and turned off Avast, but it still isn't working...
 
T

· Registered
Joined
·
5,277 Posts
#10 · (Edited)
Try holding the CTRL, Shift or ALT keys while clicking a link to allow that window to open.If that fails try this scanner instead.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives[*]Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.
 
T

· Registered
Joined
·
5,277 Posts
#12 ·
Ok,lets forget about an online scan for the time being.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Doubleclick the drweb-cureit.exe file and Allow to run the express scan. This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, we need to change the default settings.
  • In the Menu Bar, Go to Options>Change Settings.
  • Click on the Actions tab
  • Using the drop down menus, change each item under Objects and Malware to Report
  • Next, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'No to All' if it asks if you want to cure/move the file.
  • After the scan has completed, in the Dr.Web CureIt menu on top, click File and choose Save Report List
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Post the contents of the log from Dr.Web you saved previously in your next reply.

=============================================
Logs Required
C:\Combofix.txt
DrWeb.csv(scan report)
 
W

· Registered
Joined
·
10 Posts
Discussion Starter · #13 ·
Sorry it took so long!

ComboFix 07-12-09.1 - Windswept 2007-12-11 15:06:38.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.166 [GMT -8:00]
Running from: C:\Documents and Settings\Windswept\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Windswept\Desktop\CFscript.txt
* Created a new restore point

FILE
C:\temp\u900Y714.exe
C:\WINDOWS\SYSTEM32\cbcdd.ini
C:\WINDOWS\SYSTEM32\cbcdd.ini2
C:\WINDOWS\SYSTEM32\hvmbawns.ini
C:\WINDOWS\SYSTEM32\hxanhwrf.ini
C:\WINDOWS\SYSTEM32\lphmjdmg.ini
C:\WINDOWS\SYSTEM32\mcrh.tmp
C:\WINDOWS\SYSTEM32\okkxomtk.ini
C:\WINDOWS\SYSTEM32\pmnfuovc.ini
C:\WINDOWS\SYSTEM32\qbfqxjew.ini
C:\WINDOWS\SYSTEM32\ykcpyoxk.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Program Files\Common Files\Symantec Shared
C:\Program Files\Common Files\Symantec Shared\CCINST.DLL
C:\Program Files\Common Files\Symantec Shared\CCL40.DLL
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll
C:\Program Files\Common Files\Symantec Shared\CCVRTRST.DLL
C:\Program Files\Common Files\Symantec Shared\DEFUTDCD.DLL
C:\Program Files\Common Files\Symantec Shared\RCALERT.DLL
C:\Program Files\Common Files\Symantec Shared\RCAPP.DLL
C:\Program Files\Common Files\Symantec Shared\RCEMLPXY.DLL
C:\Program Files\Common Files\Symantec Shared\RCERRDSP.DLL
C:\Program Files\Common Files\Symantec Shared\RCEVTMGR.DLL
C:\Program Files\Common Files\Symantec Shared\RCLGVIEW.DLL
C:\Program Files\Common Files\Symantec Shared\rcNMAIN.dll
C:\Program Files\Common Files\Symantec Shared\RCSETMGR.DLL
C:\Program Files\Common Files\Symantec Shared\SEVINST.EXE
C:\Program Files\Common Files\Symantec Shared\SPManifests\SYMEVNT.GRD
C:\Program Files\Common Files\Symantec Shared\SPManifests\SYMEVNT.SIG
C:\Program Files\Common Files\Symantec Shared\SPManifests\SYMEVNT.SPM
C:\Program Files\Symantec
C:\Program Files\Symantec\S32EVNT1.DLL
C:\Program Files\Symantec\SYMEVENT.CAT
C:\Program Files\Symantec\SYMEVENT.INF
C:\Program Files\Symantec\SYMEVENT.SYS
C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Common\ViewpointService_.exe
C:\Program Files\Viewpoint\Viewpoint Toolbar\del874.tmp\del875.tmp
C:\temp\u900Y714.exe
C:\WINDOWS\SYSTEM32\cbcdd.ini
C:\WINDOWS\SYSTEM32\cbcdd.ini2
C:\WINDOWS\SYSTEM32\hvmbawns.ini
C:\WINDOWS\SYSTEM32\hxanhwrf.ini
C:\WINDOWS\SYSTEM32\lphmjdmg.ini
C:\WINDOWS\SYSTEM32\mcrh.tmp
C:\WINDOWS\SYSTEM32\okkxomtk.ini
C:\WINDOWS\SYSTEM32\pmnfuovc.ini
C:\WINDOWS\SYSTEM32\qbfqxjew.ini
C:\WINDOWS\SYSTEM32\ykcpyoxk.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-11 to 2007-12-11 )))))))))))))))))))))))))))))))
.

2007-12-10 14:59 . 2007-12-10 14:59 <DIR> d-------- C:\Deckard
2007-12-10 14:57 . 2007-12-10 14:57 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-28 15:57 . 2007-11-28 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 06:31 --------- d-----w C:\Program Files\Trillian
2007-12-08 05:36 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-12 18:52 53,248 ----a-w C:\WINDOWS\hg173.exe
2006-04-01 19:05 905 -c--a-w C:\Program Files\layout.bin
2006-04-01 19:05 512 -c--a-w C:\Program Files\data2.cab
2006-04-01 19:05 22,633 -c--a-w C:\Program Files\data1.hdr
2006-04-01 19:04 956,377 -c--a-w C:\Program Files\data1.cab
2006-04-01 19:04 500 -c--a-w C:\Program Files\setup.ini
2006-04-01 19:04 392,330 -c--a-w C:\Program Files\setup.boot
2006-04-01 19:04 186,838 -c--a-w C:\Program Files\setup.inx
2006-02-07 20:57 1,864 -c--a-w C:\Program Files\readme.txt
2004-01-22 01:39 292,711 -c--a-w C:\Program Files\setup.skin
2002-12-05 21:16 418,296 -c--a-w C:\Program Files\engine32.cab
2002-12-02 22:33 107,512 -c--a-w C:\Program Files\setup.exe
1999-07-07 00:00 6 -csh--r C:\WINDOWS\@[email protected]
2004-06-20 00:50 56 --sh--r C:\WINDOWS\SYSTEM32\3030672BD7.sys
2004-06-29 04:50 2,516 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [email protected]_19.15.28.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-06 02:39:59 68,924 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2007-12-11 16:01:20 68,924 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2007-12-06 02:39:59 418,062 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2007-12-11 16:01:21 418,062 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
- 2007-12-11 03:11:57 13,721 ----a-w C:\WINDOWS\SYSTEM32\tablet.dat
+ 2007-12-11 23:14:05 13,721 ----a-w C:\WINDOWS\SYSTEM32\tablet.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-23 09:12]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-08-15 09:38]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-08-15 09:37]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 20:05]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 02:59 C:\WINDOWS\BCMSMMSG.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LVF.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LVF.lnk
backup=C:\WINDOWS\pss\LVF.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
backup=C:\WINDOWS\pss\TabUserW.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Windswept^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Windswept\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DadApp]
2003-03-07 09:36 209800 --a--c--- C:\Program Files\Dell\AccessDirect\dadapp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
2003-08-13 07:27 28672 --a------ C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Genuine]
rundll32.exe C:\WINDOWS\system32\xlgsbtml.dll,realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWBMOUSE]
2002-05-24 04:54 357376 --a--c--- C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
C:\Program Files\Real\RealPlayer\realplay.exe /RunUPGToolCommandReBoot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 18:42 32768 --a--c--- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2003-11-19 14:48 32881 --a--c--- C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe

R0 PenClass;Pen Class;C:\WINDOWS\system32\Drivers\PenClass.sys
S3 IR500;IR500;C:\WINDOWS\system32\DRIVERS\IR500.sys
S3 PortRst;PortRst;C:\WINDOWS\system32\DRIVERS\PortRst.sys
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{969B3B70-8765-11D5-9809-0050BACBF861}]
rundll32.exe advpack.dll,LaunchINFSection C:\Program Files\CyberLink\MP3PowerEncoder\Cyber.inf,PerUserStub
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\DOCUME~1\WINDSW~1\LOCALS~1\Temp\igbsvlec.dll
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-11 15:15:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-11 15:18:24 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-12-04 21:20
C:\ComboFix2.txt ... 2007-12-10 19:16
C:\ComboFix3.txt ... 2007-12-04 21:20
.
--- E O F ---

---
DrWeb scan:

mirc.exe;C:\sysreset;Program.mIRC.61;;
A0099871.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP528;Trojan.Click.4740;;
A0102373.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP548;Trojan.DownLoader.24715;;
A0102387.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP548;Trojan.DownLoader.origin;;
A0103886.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551;Trojan.DownLoader.24715;;
A0103887.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551;Trojan.Click.4740;;
A0103889.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551;Trojan.Virtumod.240;;
 
T

· Registered
Joined
·
5,277 Posts
#14 ·
Hello again

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs :

Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_04

Reboot when both have been removed

========================

Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\hg173.exe

FileLook::
C:\DOCUME~1\WINDSW~1\LOCALS~1\Temp\igbsvlec.dll
Click to expand...
Save this as CFscript


Refering to the picture above, drag CFscript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Warning:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

========================

JAVA OUTDATED


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 U3.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6-windowsi586-p.exe to install the newest version.

========================

Since we have updated Java,lets try to run an online scan

=========================

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on
    located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on
    then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Paste the Panda Scan into your next reply.

===========================

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

===========================
Logs Required
C:\Combofix.txt
Panda scan report
Hijackthis log

An update on how your system is running.
 
W

· Registered
Joined
·
10 Posts
Discussion Starter · #15 ·
Here's the ComboFix log, but the online scan still wouldn't work.
The popups have stopped, but the notification of counterfeited software is still there.

ComboFix 07-12-09.1 - Windswept 2007-12-14 15:38:06.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.162 [GMT -8:00]
Running from: C:\Documents and Settings\Windswept\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Windswept\Desktop\CFscript.txt
* Created a new restore point

FILE
C:\WINDOWS\hg173.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\hg173.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-14 to 2007-12-14 )))))))))))))))))))))))))))))))
.

2007-12-12 19:04 . 2007-12-12 19:04 <DIR> d-------- C:\Documents and Settings\Windswept\DoctorWeb
2007-12-10 14:59 . 2007-12-10 14:59 <DIR> d-------- C:\Deckard
2007-12-10 14:57 . 2007-12-10 14:57 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-28 15:57 . 2007-11-28 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-14 23:14 --------- d-----w C:\Program Files\Java
2007-12-14 06:22 --------- d-----w C:\Program Files\Trillian
2007-12-08 05:36 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2006-04-01 19:05 905 -c--a-w C:\Program Files\layout.bin
2006-04-01 19:05 512 -c--a-w C:\Program Files\data2.cab
2006-04-01 19:05 22,633 -c--a-w C:\Program Files\data1.hdr
2006-04-01 19:04 956,377 -c--a-w C:\Program Files\data1.cab
2006-04-01 19:04 500 -c--a-w C:\Program Files\setup.ini
2006-04-01 19:04 392,330 -c--a-w C:\Program Files\setup.boot
2006-04-01 19:04 186,838 -c--a-w C:\Program Files\setup.inx
2006-02-07 20:57 1,864 -c--a-w C:\Program Files\readme.txt
2004-01-22 01:39 292,711 -c--a-w C:\Program Files\setup.skin
2002-12-05 21:16 418,296 -c--a-w C:\Program Files\engine32.cab
2002-12-02 22:33 107,512 -c--a-w C:\Program Files\setup.exe
1999-07-07 00:00 6 -csh--r C:\WINDOWS\@[email protected]
2004-06-20 00:50 56 --sh--r C:\WINDOWS\SYSTEM32\3030672BD7.sys
2004-06-29 04:50 2,516 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [email protected]_19.15.28.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-29 22:35:13 1,287,680 ----a-w C:\WINDOWS\$hf_mig$\KB941568\SP2QFE\quartz.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB941568\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB941568\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\updspapi.dll
+ 2007-11-13 11:02:46 60,416 ----a-w C:\WINDOWS\$hf_mig$\KB942763\SP2QFE\tzchange.exe
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB942763\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB942763\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB942763\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB942763\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB942763\update\updspapi.dll
+ 2007-11-14 07:18:03 450,560 ----a-w C:\WINDOWS\$hf_mig$\KB942840\SP2QFE\jscript.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB942840\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB942840\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB942840\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB942840\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB942840\update\updspapi.dll
+ 2007-11-13 08:47:45 20,480 ----a-w C:\WINDOWS\$hf_mig$\KB944653\SP2QFE\secdrv.sys
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB944653\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB944653\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB944653\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB944653\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB944653\update\updspapi.dll
- 2007-08-22 12:55:28 1,022,976 ----a-w C:\WINDOWS\SYSTEM32\browseui.dll
+ 2007-10-11 05:57:29 1,024,000 ----a-w C:\WINDOWS\SYSTEM32\browseui.dll
- 2007-08-22 12:55:29 151,040 ----a-w C:\WINDOWS\SYSTEM32\cdfview.dll
+ 2007-10-11 05:57:29 151,040 ----a-w C:\WINDOWS\SYSTEM32\cdfview.dll
- 2007-08-22 12:55:30 1,054,208 ----a-w C:\WINDOWS\SYSTEM32\danim.dll
+ 2007-10-11 05:57:30 1,054,208 ----a-w C:\WINDOWS\SYSTEM32\danim.dll
- 2007-08-22 12:55:28 1,022,976 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
+ 2007-10-11 05:57:29 1,024,000 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
- 2007-08-22 12:55:29 151,040 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\cdfview.dll
+ 2007-10-11 05:57:29 151,040 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\cdfview.dll
- 2007-08-22 12:55:30 1,054,208 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\danim.dll
+ 2007-10-11 05:57:30 1,054,208 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\danim.dll
- 2007-08-22 12:55:30 357,888 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
+ 2007-10-11 05:57:30 357,888 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
- 2007-08-22 12:55:31 205,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
+ 2007-10-11 05:57:30 205,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
- 2007-08-22 12:55:31 55,808 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
+ 2007-10-11 05:57:30 55,808 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
- 2007-08-21 10:19:39 18,432 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
+ 2007-10-10 10:48:23 18,432 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
- 2007-08-22 12:55:32 251,904 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iepeers.dll
+ 2007-10-11 05:57:31 251,904 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iepeers.dll
- 2007-08-22 12:55:32 96,256 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inseng.dll
+ 2007-10-11 05:57:31 96,256 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inseng.dll
- 2006-05-18 05:24:25 450,560 -c----w C:\WINDOWS\SYSTEM32\DLLCACHE\jscript.dll
+ 2007-11-14 07:26:56 450,560 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\jscript.dll
- 2007-08-22 12:55:32 16,384 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
+ 2007-10-11 05:57:31 16,384 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
- 2007-08-22 12:55:36 3,064,832 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
+ 2007-10-30 09:55:21 3,065,856 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
- 2007-08-22 12:55:37 449,024 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
+ 2007-10-11 05:57:36 449,024 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
- 2007-08-22 12:55:37 146,432 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
+ 2007-10-11 05:57:36 146,432 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
- 2007-08-22 12:55:38 532,480 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
+ 2007-10-11 05:57:37 532,480 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
- 2007-08-22 12:55:38 39,424 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
+ 2007-10-11 05:57:37 39,424 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
+ 2007-10-29 22:43:03 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
- 2007-08-22 12:55:40 1,498,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
+ 2007-10-11 05:57:39 1,498,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
- 2007-08-22 12:55:41 474,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
+ 2007-10-11 05:57:40 474,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
- 2007-08-22 12:55:43 617,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
+ 2007-10-11 05:57:40 617,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
- 2007-08-22 12:55:44 665,600 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
+ 2007-10-11 05:57:41 666,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
- 2006-10-19 05:47:18 222,208 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
+ 2007-10-28 01:40:30 222,720 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
- 2007-08-22 12:55:30 357,888 ----a-w C:\WINDOWS\SYSTEM32\dxtmsft.dll
+ 2007-10-11 05:57:30 357,888 ----a-w C:\WINDOWS\SYSTEM32\dxtmsft.dll
- 2007-08-22 12:55:31 205,824 ----a-w C:\WINDOWS\SYSTEM32\dxtrans.dll
+ 2007-10-11 05:57:30 205,824 ----a-w C:\WINDOWS\SYSTEM32\dxtrans.dll
- 2007-08-22 12:55:31 55,808 ----a-w C:\WINDOWS\SYSTEM32\extmgr.dll
+ 2007-10-11 05:57:30 55,808 ----a-w C:\WINDOWS\SYSTEM32\extmgr.dll
- 2007-08-22 12:55:32 251,904 ----a-w C:\WINDOWS\SYSTEM32\iepeers.dll
+ 2007-10-11 05:57:31 251,904 ----a-w C:\WINDOWS\SYSTEM32\iepeers.dll
- 2007-08-22 12:55:32 96,256 ----a-w C:\WINDOWS\SYSTEM32\inseng.dll
+ 2007-10-11 05:57:31 96,256 ----a-w C:\WINDOWS\SYSTEM32\inseng.dll
- 2006-05-18 05:24:25 450,560 ----a-w C:\WINDOWS\SYSTEM32\jscript.dll
+ 2007-11-14 07:26:56 450,560 ----a-w C:\WINDOWS\SYSTEM32\jscript.dll
- 2007-08-22 12:55:32 16,384 ----a-w C:\WINDOWS\SYSTEM32\jsproxy.dll
+ 2007-10-11 05:57:31 16,384 ----a-w C:\WINDOWS\SYSTEM32\jsproxy.dll
- 2007-11-02 07:12:57 18,238,072 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
+ 2007-12-02 23:00:05 18,684,536 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
- 2007-08-22 12:55:36 3,064,832 ----a-w C:\WINDOWS\SYSTEM32\mshtml.dll
+ 2007-10-30 09:55:21 3,065,856 ----a-w C:\WINDOWS\SYSTEM32\mshtml.dll
- 2007-08-22 12:55:37 449,024 ----a-w C:\WINDOWS\SYSTEM32\mshtmled.dll
+ 2007-10-11 05:57:36 449,024 ----a-w C:\WINDOWS\SYSTEM32\mshtmled.dll
- 2007-08-22 12:55:37 146,432 ----a-w C:\WINDOWS\SYSTEM32\msrating.dll
+ 2007-10-11 05:57:36 146,432 ----a-w C:\WINDOWS\SYSTEM32\msrating.dll
- 2007-08-22 12:55:38 532,480 ----a-w C:\WINDOWS\SYSTEM32\mstime.dll
+ 2007-10-11 05:57:37 532,480 ----a-w C:\WINDOWS\SYSTEM32\mstime.dll
- 2007-12-06 02:39:59 68,924 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2007-12-11 16:01:20 68,924 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2007-12-06 02:39:59 418,062 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2007-12-11 16:01:21 418,062 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
- 2007-08-22 12:55:38 39,424 ----a-w C:\WINDOWS\SYSTEM32\pngfilt.dll
+ 2007-10-11 05:57:37 39,424 ----a-w C:\WINDOWS\SYSTEM32\pngfilt.dll
- 2005-08-30 03:54:26 1,287,168 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
+ 2007-10-29 22:43:03 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
- 2007-08-22 12:55:40 1,498,112 ----a-w C:\WINDOWS\SYSTEM32\shdocvw.dll
+ 2007-10-11 05:57:39 1,498,112 ----a-w C:\WINDOWS\SYSTEM32\shdocvw.dll
- 2007-08-22 12:55:41 474,112 ----a-w C:\WINDOWS\SYSTEM32\shlwapi.dll
+ 2007-10-11 05:57:40 474,112 ----a-w C:\WINDOWS\SYSTEM32\shlwapi.dll
- 2007-12-11 03:11:57 13,721 ----a-w C:\WINDOWS\SYSTEM32\tablet.dat
+ 2007-12-14 23:44:32 13,721 ----a-w C:\WINDOWS\SYSTEM32\tablet.dat
- 2007-07-18 12:42:22 60,416 ------w C:\WINDOWS\SYSTEM32\tzchange.exe
+ 2007-11-13 11:31:11 60,416 ------w C:\WINDOWS\SYSTEM32\tzchange.exe
- 2007-08-22 12:55:43 617,984 ----a-w C:\WINDOWS\SYSTEM32\urlmon.dll
+ 2007-10-11 05:57:40 617,984 ----a-w C:\WINDOWS\SYSTEM32\urlmon.dll
- 2007-08-22 12:55:44 665,600 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
+ 2007-10-11 05:57:41 666,112 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
- 2006-10-19 05:47:18 222,208 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
+ 2007-10-28 01:40:30 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
- 2007-12-11 03:11:46 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_544.dat
+ 2007-12-14 23:44:21 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_544.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-23 09:12]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-08-15 09:38]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-08-15 09:37]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 20:05]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 02:59 C:\WINDOWS\BCMSMMSG.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LVF.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LVF.lnk
backup=C:\WINDOWS\pss\LVF.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
backup=C:\WINDOWS\pss\TabUserW.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Windswept^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Windswept\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DadApp]
2003-03-07 09:36 209800 --a--c--- C:\Program Files\Dell\AccessDirect\dadapp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
2003-08-13 07:27 28672 --a------ C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Genuine]
rundll32.exe C:\WINDOWS\system32\xlgsbtml.dll,realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWBMOUSE]
2002-05-24 04:54 357376 --a--c--- C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
C:\Program Files\Real\RealPlayer\realplay.exe /RunUPGToolCommandReBoot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 18:42 32768 --a--c--- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe

R0 PenClass;Pen Class;C:\WINDOWS\system32\Drivers\PenClass.sys
S3 IR500;IR500;C:\WINDOWS\system32\DRIVERS\IR500.sys
S3 PortRst;PortRst;C:\WINDOWS\system32\DRIVERS\PortRst.sys
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{969B3B70-8765-11D5-9809-0050BACBF861}]
rundll32.exe advpack.dll,LaunchINFSection C:\Program Files\CyberLink\MP3PowerEncoder\Cyber.inf,PerUserStub
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\DOCUME~1\WINDSW~1\LOCALS~1\Temp\igbsvlec.dll
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-14 15:45:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-14 15:49:13 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-12-04 21:20
C:\ComboFix2.txt ... 2007-12-11 15:18
C:\ComboFix3.txt ... 2007-12-10 19:16
.
--- E O F ---
 
T

· Registered
Joined
·
5,277 Posts
#16 ·
Hello again

Please go to: VirusTotal
  • In the middle of the page you'll find a "Browse" button.



    Click the "Browse" button and browse to this file in RED:

    C:\Documents and Settings\WINDSWEPT\LOCAL SETTINGS\Temp\igbsvlec.dll

  • Click "Open".
  • Then click the "Send File" button at the bottom of the VirusTotal page.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.

======================

Have you tried to delete the counterfeited software icon,if not please delete it.

======================

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

======================
Logs Required
Results from VirusTotal
Hijackthis log
 
W

· Registered
Joined
·
10 Posts
Discussion Starter · #17 · (Edited)
Sorry again for the delay.

I searched for the file you said, but it isn't anywhere in the Temp folder or subfolders.

I tried to get rid of the validation notification, went to Microsoft's site and downloaded their WGA plugin, and they told me I successfully validated my Windows--but the icon remains there..
Also, I've now recieved a notification saying I'll no longer receive updates from Microsoft because I don't have validated software.
 
T

· Registered
Joined
·
5,277 Posts
#18 · (Edited)
1 - 20 of 20 Posts
Status
Not open for further replies.
About this Discussion
19 Replies
2 Participants
Last post:
TheBruce1
Tech Support Forum
A forum community dedicated to tech experts and enthusiasts. Come join the discussion about articles, computer security, Mac, Microsoft, Linux, hardware, networking, gaming, reviews, accessories, and more!
Full Forum Listing
Explore Our Forums
Windows XP Support Windows 7 , Windows Vista Support Motherboards, Bios|UEFI & CPU Networking Support Laptop Support
Top