Welcome Guest ( Log In | Join )

Discover the best free computer help!
Learn more about Geeks to Go by taking the tour. Want to ask a question, reply to a topic, or remove all advertising? It's easy, fast and free. Join today!
Spyware, virus, trojan, fake security or privacy alerts? Please start with our malware cleaning guide.
     
2 Pages V   1 2 >  
 Closed TopicStart new topic
DOS windows flashed, and now I have frequent popups while on the inter
nosrevia
post Jun 9 2008, 08:13 PM
Post #1


Member
**
Posts: 47
From: Texas
OS: XP
I think I have a virus on my PC. A few MS-DOS windows flashed by and then I got a few pop-ups. I recently was helped on this site by Rorschach112 with my Laptop, but it has since been resolved, I hope that doesnt interfere with this topic. Thanks in advance for your help.

UPDATE: Sorry bout the double post. I do in fact have a virus, and I believe it's the same one that was on my laptop, "Cool Web Search". It had slowed my comp down so much, I didn't know whether or not my topic had posted.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:06:56 PM, on 6/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Documents and Settings\Owner\lsass.exe
C:\WINDOWS\system32\vntiho18\vntiho182328.exe
C:\WINDOWS\444.470
c:\windows\system32\rwwnw64d.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\system32\scntskdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\17PHolmes1000106.exe
C:\WINDOWS\17PHolmes1188.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Road Runner High Speed Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: gooochi browser optimizer - {2e9529cf-0b99-6830-e305-a7a051b7e8ea} - C:\WINDOWS\system32\{3d37944e-eb60-4228-179a-3fb4647c7afd}.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ActivationManager module - {86A44EF7-78FC-4e18-A564-B18F806F7F56} - C:\Program Files\ActivationManager\ActivationManager.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [AutoTBar] c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Owner\lsass.exe
O4 - HKLM\..\Run: [{77-74-43-39-DW}] c:\windows\system32\rwwnw64d.exe DWramFF
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\scntskdm.exe DWramFF
O4 - HKLM\..\Run: [{a1c260bc-f732-7860-f137-a0d0bee31075}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{3d37944e-eb60-4228-179a-3fb4647c7afd}.dll" DllStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\scntskdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: bdsripcab - https://media.bdsrealtime.com/components/bdsripcab.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} (GameHouse Games Player) - http://www.gamehouse.com/games/gamehouse/ghplayer.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.gamehouse.com/games/zylom/zylomplayer.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.gamehouse.com/games/beje2/popcaploader.cab
O20 - Winlogon Notify: geBqRjjg - C:\WINDOWS\SYSTEM32\geBqRjjg.dll
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.470.exe (file missing)

--
End of file - 10291 bytes

This post has been edited by nosrevia: Jun 9 2008, 09:18 PM
Go to the top of the page
 
+Quote Post
Mike
post Jun 13 2008, 01:36 PM
Post #2


Malware Monger
Group Icon
Posts: 2,736
OS: XP Professional SP3
Hi there nosrevia,

Sorry for the delay, as you can see we get tons of logs each day and it's hard to keep up.


I am currently reviewing your log and will post back soon.

Please take note of the following points.
  • Please keep in mind that there may be a time difference between us, If you are not in the GMT +1 time zone, than you can expect a slight delay.
  • Please do not run any tools other than what I request of you to run. Some of the tools we will use are very powerful, and using them without the required knowledge could cause more damage and prove to be more troublesome than the problem you are currently facing.
  • If at any time you have a doubt about what you are to do, please stop there and ask. No question is considered dumb here at GeeksToGo!.

Thanks,

Mike thumbsup.gif
Go to the top of the page
 
+Quote Post
Mike
post Jun 13 2008, 01:52 PM
Post #3


Malware Monger
Group Icon
Posts: 2,736
OS: XP Professional SP3
Hi again smile.gif

You collected alot of baddies didn't you haha.

Please follow my instructions in the order they were given, if you come across something you don't understand or don't feel comfortable doing, don't hesitate to ask and I will get you sorted out thumbsup.gif
If you cannot complete a step in my instructions, please skip it and continue with the rest of my instructions and tell me in your next reply which one you were having trouble with.

Very Important!

You have a backdoor trojan installed on your computer.
Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to to gain unauthorized access to a computer and take control of it without your knowledge.

All passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Step 1. Running SDFix

First off go to start, control panel, then add or remove programs and uninstall:
PartyPoker <-- If you installed it yourself you don't need to uninstall it.
gooochi browser optimizer

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).


Step 2. Combofix

Please go here to install the recovery console and for a guide on using combofix.
Please note: Installing the Recovery Console plays a vital part in making this process of cleaning your computer safe, please don't overlook this!

Now please download combofix from here or here. It is important that you save this file to your desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a Hijack This log in your next reply.

A quick heads up, if you click on combofix's window when it's running, you may cause it to stall.

In your next reply

Please post the log from SDFix.
Please post the log from ComboFix.
Please post the log from Hijack This (AFTER running the above programs.)

If the logs are to big to fit in one reply please spread them out over multiple replies.
Go to the top of the page
 
+Quote Post
nosrevia
post Jun 14 2008, 12:03 PM
Post #4


Member
**
Posts: 47
From: Texas
OS: XP
Thanks for your help Mike! I will try to follow your instructions to a "T". Below are the three logs you requested.

SDFix: Version 1.192
Run by Owner on Sat 06/14/2008 at 12:22 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\ssqNhife.dll - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Temp\vtmp2\ktnv33.log - Deleted
C:\WINDOWS\system32\vntiho18\vntiho182328.exe - Deleted
C:\Documents and Settings\Owner\lsass.exe - Deleted
C:\Documents and Settings\Owner\services.exe - Deleted
C:\WINDOWS\default.htm - Deleted
C:\WINDOWS\megavid.cdt - Deleted
C:\WINDOWS\muotr.so - Deleted
C:\WINDOWS\rundll32.vbe - Deleted
C:\WINDOWS\system32\hljwugsf.bin - Deleted
C:\WINDOWS\system32\pac.txt - Deleted



Folder C:\Temp\1cb - Removed
Folder C:\Temp\vtmp2 - Removed
Folder C:\WINDOWS\system32\vntiho18 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 12:31:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120%"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"="C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe:*:Disabled:BackWeb-137903"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\BitLord\\BitLord.exe"="C:\\Program Files\\BitLord\\BitLord.exe:*:Enabled:BitLord"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Pando Networks\\Pando\\pando.exe"="C:\\Program Files\\Pando Networks\\Pando\\pando.exe:*:Enabled:pando"
"C:\\Documents and Settings\\Owner\\Desktop\\New Folder (5)\\MySpaceMP3Gopher.exe"="C:\\Documents and Settings\\Owner\\Desktop\\New Folder (5)\\MySpaceMP3Gopher.exe:*:Enabled:MySpace MP3 Gopher XLT Application"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"="C:\\Program Files\\Orbitdownloader\\orbitnet.exe:*:Enabled:P2P service of Orbit Downloader"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 23 Mar 2005 196 A.SHR --- "C:\BOOT.BAK"
Wed 3 May 2006 163,328 A.SHR --- "C:\WINDOWS\system32\flvDX.dll"
Wed 21 Feb 2007 31,232 A.SHR --- "C:\WINDOWS\system32\msfDX.dll"
Mon 31 Jul 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 12 Jun 2004 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.key.bak"
Sun 26 Jun 2005 616,448 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygwin1.dll"
Tue 21 Jun 2005 45,568 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygz.dll"
Sun 20 May 2007 72,704 ..SHR --- "C:\Program Files\eRightSoft\SUPER\Setup.exe"
Sat 7 Feb 2004 5,294,080 A..H. --- "C:\hp\patches\42WW1REC\src\App00153.exe"
Sat 7 Feb 2004 452,096 A..H. --- "C:\hp\patches\42WW1REC\src\App00292.exe"
Sat 7 Feb 2004 444,416 A..H. --- "C:\hp\patches\42WW1REC\src\App00491.exe"
Sat 7 Feb 2004 1,838,592 A..H. --- "C:\hp\patches\42WW1REC\src\App02995.exe"
Sat 7 Feb 2004 492,544 A..H. --- "C:\hp\patches\42WW1REC\src\App04827.exe"
Sat 7 Feb 2004 1,401,856 A..H. --- "C:\hp\patches\42WW1REC\src\App05447.exe"
Sat 7 Feb 2004 440,320 A..H. --- "C:\hp\patches\42WW1REC\src\App05705.exe"
Sat 7 Feb 2004 462,848 A..H. --- "C:\hp\patches\42WW1REC\src\App09961.exe"
Sat 7 Feb 2004 15,596,032 A..H. --- "C:\hp\patches\42WW1REC\src\App14604.exe"
Sat 7 Feb 2004 5,256,704 A..H. --- "C:\hp\patches\42WW1REC\src\App16827.exe"
Sat 7 Feb 2004 3,668,992 A..H. --- "C:\hp\patches\42WW1REC\src\App17421.exe"
Tue 10 Feb 2004 696,832 A..H. --- "C:\hp\patches\42WW1REC\src\App18716.exe"
Sat 7 Feb 2004 423,936 A..H. --- "C:\hp\patches\42WW1REC\src\App19169.exe"
Sat 7 Feb 2004 1,157,632 A..H. --- "C:\hp\patches\42WW1REC\src\App19718.exe"
Tue 10 Feb 2004 995,328 A..H. --- "C:\hp\patches\42WW1REC\src\App19895.exe"
Sat 7 Feb 2004 453,632 A..H. --- "C:\hp\patches\42WW1REC\src\App23281.exe"
Sat 7 Feb 2004 453,632 A..H. --- "C:\hp\patches\42WW1REC\src\App24464.exe"
Sat 7 Feb 2004 2,251,776 A..H. --- "C:\hp\patches\42WW1REC\src\App26962.exe"
Sat 7 Feb 2004 481,792 A..H. --- "C:\hp\patches\42WW1REC\src\App29358.exe"
Sat 7 Feb 2004 12,426,752 A..H. --- "C:\hp\patches\42WW1REC\src\App32391.exe"
Sat 7 Feb 2004 12,426,752 A..H. --- "C:\hp\patches\42WW1REC\src\App99990.exe"
Sat 7 Feb 2004 15,596,032 A..H. --- "C:\hp\patches\42WW1REC\src\App99992.exe"
Sat 7 Feb 2004 5,256,704 A..H. --- "C:\hp\patches\42WW1REC\src\App99993.exe"
Sat 7 Feb 2004 5,256,704 A..H. --- "C:\hp\patches\42WW1REC\src\xApp14604.exe"
Tue 4 Jun 2002 84,992 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\14_43260.dll"
Tue 4 Jun 2002 44,032 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\28_83260.dll"
Mon 9 Dec 2002 73,766 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\atrc3260.dll"
Mon 9 Dec 2002 65,575 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\cook3260.dll"
Sun 9 Jun 2002 36,864 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ddnt3260.dll"
Tue 4 Jun 2002 20,480 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dnet3260.dll"
Mon 9 Dec 2002 102,437 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv13260.dll"
Mon 9 Dec 2002 176,165 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv23260.dll"
Mon 9 Dec 2002 208,935 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv33260.dll"
Mon 9 Dec 2002 217,127 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv43260.dll"
Sun 9 Jun 2002 40,448 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dspr3260.dll"
Sat 3 Nov 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ivvideo.dll"
Tue 10 Apr 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\qtmlClient.dll"
Fri 20 Feb 2004 232,960 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\raac.dll"
Sun 9 Jun 2002 525,824 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnco3260.dll"
Mon 9 Dec 2002 245,805 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnlt3260.dll"
Mon 9 Dec 2002 45,093 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv103260.dll"
Mon 9 Dec 2002 98,341 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv203260.dll"
Mon 9 Dec 2002 94,247 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv303260.dll"
Mon 9 Dec 2002 90,151 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv403260.dll"
Mon 9 Dec 2002 102,439 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\sipr3260.dll"
Sun 9 Jun 2002 49,152 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\tokr3260.dll"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT11.tmp"

Finished!

This post has been edited by nosrevia: Jun 14 2008, 12:23 PM
Go to the top of the page
 
+Quote Post
nosrevia
post Jun 14 2008, 12:04 PM
Post #5


Member
**
Posts: 47
From: Texas
OS: XP
ComboFix 08-06-12.2 - Owner 2008-06-14 13:08:33.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.134 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\nsv
C:\Documents and Settings\All Users\Application Data\nsv\cache\264.dfn
C:\Documents and Settings\All Users\Application Data\nsv\cache\281.dfn
C:\Documents and Settings\All Users\Application Data\nsv\cache\284.dfn
C:\Documents and Settings\All Users\Application Data\nsv\wmv0104.dbd
C:\Documents and Settings\All Users\Application Data\nsv\wmv0106.ddx
C:\Documents and Settings\All Users\Application Data\nsv\wmv0204.ddx
C:\Documents and Settings\All Users\Application Data\nsv\wmv0315.ddx
C:\Documents and Settings\All Users\Application Data\nsv\wmv0412.ddx
C:\Documents and Settings\All Users\Application Data\nsv\wmv0504.ddx
C:\Documents and Settings\All Users\Application Data\nsv\wmv0904.ddx
C:\Documents and Settings\All Users\Application Data\nsv\wmv1125.ddx
C:\Documents and Settings\All Users\Application Data\nsv\wmv1204.ddx
C:\Documents and Settings\All Users\Application Data\nsv\wmv1215.dbd
C:\Documents and Settings\All Users\Application Data\nsv\wmv1909.ddx
C:\Documents and Settings\All Users\Application Data\nsv\wmv1920.dbd
C:\Documents and Settings\All Users\Application Data\nsv\wmv2007.dbd
C:\Documents and Settings\All Users\Application Data\picsvr
C:\Documents and Settings\All Users\Application Data\picsvr\picsvr.inf
C:\Documents and Settings\Owner\Start Menu\Programs\SpyShredder
C:\Documents and Settings\Owner\Start Menu\Programs\SpyShredder\SpyShredder.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\SpyShredder\Uninstall.lnk
C:\lswmv.ini
C:\Program Files\ActivationManager
C:\Program Files\ActivationManager\ActivationManager.dll
C:\Program Files\ActivationManager\Uninstall.exe
C:\WINDOWS\444.470
C:\WINDOWS\BM4794470a.xml
C:\WINDOWS\Downloaded Program Files\setup.dll
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\mainms.vpi
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\BbadKkkj.ini
C:\WINDOWS\system32\BbadKkkj.ini2
C:\WINDOWS\system32\cicnypto.dll
C:\WINDOWS\system32\dcJkQqss.ini2
C:\WINDOWS\system32\dkcxomqj.ini
C:\WINDOWS\system32\dqthrksx.ini
C:\WINDOWS\system32\fmpoyrbu.dll
C:\WINDOWS\system32\geBqRjjg.dll
C:\WINDOWS\system32\jkkKdabB.dll
C:\WINDOWS\system32\jqmoxckd.dll
C:\WINDOWS\system32\llyhimdg.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlJYpMcY.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\popxdobc.dll
C:\WINDOWS\system32\puducgjo.dll
C:\WINDOWS\system32\qWDNnUvw.ini
C:\WINDOWS\system32\qWDNnUvw.ini2
C:\WINDOWS\system32\tuvUmJCt.dll
C:\WINDOWS\system32\udhqpyft.exe
C:\WINDOWS\system32\UwDJRqru.ini2
C:\WINDOWS\system32\xskrhtqd.dll
C:\windows\xpupdate.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-14 to 2008-06-14 )))))))))))))))))))))))))))))))
.

2008-06-14 13:04 . 2008-06-14 13:04 <DIR> d-------- C:\Program Files\SpyShredder
2008-06-14 13:04 . 2008-06-14 13:04 28,672 --a------ C:\a
2008-06-14 12:16 . 2008-06-14 12:16 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-14 12:09 . 2008-06-14 12:37 <DIR> d-------- C:\SDFix
2008-06-13 18:38 . 2008-06-13 18:38 299,520 --a------ C:\WINDOWS\system32\wvUnNDWq.dll
2008-06-13 18:33 . 2008-06-13 18:33 <DIR> d-------- C:\WINDOWS\system32\netrax18
2008-06-13 18:33 . 2008-06-13 18:33 <DIR> d-------- C:\temp\itmp4
2008-06-10 21:40 . 2008-06-10 21:40 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-06-09 21:29 . 2004-01-20 22:21 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z.005\Application Data\Sonic
2008-06-09 21:29 . 2004-01-21 04:52 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z.005\Application Data\interMute
2008-06-09 21:29 . 2008-06-09 21:36 <DIR> d---s---- C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z.005
2008-06-09 21:07 . 2008-06-09 21:07 278,528 --a------ C:\WINDOWS\system32\urqRJDwU(2).dll
2008-06-07 21:25 . 2008-06-07 21:25 32,768 --a------ C:\WINDOWS\system32\netrax18\netrax182328.exe
2008-06-06 12:16 . 2008-06-06 12:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-06 11:42 . 2008-06-06 11:42 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z.004\WINDOWS
2008-06-06 11:42 . 2008-06-06 11:42 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z.004\Application Data\Symantec
2008-06-06 11:42 . 2008-06-06 11:42 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z.004\Application Data\SampleView
2008-06-06 11:41 . 2008-06-06 11:41 <DIR> d-------- C:\Program Files\McAfee.com
2008-06-06 11:19 . 2004-01-20 22:21 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z.004\Application Data\Sonic
2008-06-06 11:19 . 2004-01-21 04:52 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z.004\Application Data\interMute
2008-06-06 11:19 . 2008-06-06 11:23 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z.004
2008-06-05 22:42 . 2008-06-05 22:42 413 --a------ C:\190.bat
2008-06-04 21:40 . 2004-01-20 22:21 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z.003\Application Data\Sonic
2008-06-04 21:40 . 2004-01-21 04:52 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z.003\Application Data\interMute
2008-06-04 21:40 . 2008-06-04 21:42 <DIR> d---s---- C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z.003
2008-06-04 15:09 . 2004-01-20 22:21 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z.002\Application Data\Sonic
2008-06-04 15:09 . 2004-01-21 04:52 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z.002\Application Data\interMute
2008-06-04 15:08 . 2008-06-04 21:57 <DIR> d---s---- C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z.002
2008-06-04 00:17 . 2004-01-20 22:21 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z.001\Application Data\Sonic
2008-06-04 00:17 . 2004-01-21 04:52 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z.001\Application Data\interMute
2008-06-04 00:17 . 2008-06-04 22:04 <DIR> d---s---- C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z.001
2008-06-03 21:13 . 2008-06-04 22:04 <DIR> d-------- C:\Program Files\ESET(2)
2008-06-03 19:49 . 2004-01-20 22:21 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z.000\Application Data\Sonic
2008-06-03 19:49 . 2004-01-21 04:52 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z.000\Application Data\interMute
2008-06-03 19:49 . 2008-06-04 22:09 <DIR> d---s---- C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z.000
2008-06-03 19:07 . 2004-01-20 22:21 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z\Application Data\Sonic
2008-06-03 19:07 . 2004-01-21 04:52 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z\Application Data\interMute
2008-06-03 19:07 . 2008-06-04 22:11 <DIR> d---s---- C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z
2008-06-03 17:18 . 2008-06-03 17:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Eset
2008-06-03 15:13 . 2008-06-06 11:37 <DIR> d-------- C:\Program Files\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-11 20:31 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
2008-06-06 16:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-05-26 19:12 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 06:38 --------- d-----w C:\Program Files\CCleaner
2008-05-08 06:10 --------- d-----r C:\Program Files\mIRC
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-03 19:18 --------- d-----w C:\Documents and Settings\Owner\Application Data\MSN6
2008-05-03 13:57 --------- d-----w C:\Program Files\MSN Messenger
2008-05-03 13:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN Messenger 5.0.0544
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 11:01 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-07 19:21 102,656 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-02-01 23:01 87,608 ----a-w C:\Documents and Settings\Owner\Application Data\inst.exe
2008-02-01 23:01 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2005-03-22 21:30 59 -c--a-w C:\Documents and Settings\Owner\Application Data\Sskcwrd.dll
2004-12-12 01:22 230,187 -c--a-w C:\Documents and Settings\Owner\Application Data\Sskknwrd.dll
2004-12-03 00:47 35 -c--a-w C:\Documents and Settings\Owner\Application Data\tvmcwrd.dll
2004-11-13 21:54 230,237 -c--a-w C:\Documents and Settings\Owner\Application Data\tvmknwrd.dll
2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 -csha-r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8B6B4B2-FC4A-4D33-9213-4C6537479CB2}]
2008-06-13 18:38 299520 --a------ C:\WINDOWS\system32\wvUnNDWq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 22:00 200704]
"BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 06:23 49152]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-08-21 06:15 483328]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 22:02 61440]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 11:01 110592]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2003-11-03 19:50 221184]
"VTTimer"="VTTimer.exe" [2004-10-22 12:53 53248 C:\WINDOWS\system32\VTTimer.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 18:57 81920]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-10-29 14:17 135168]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2003-12-18 02:31 118784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 19:18 151552]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 13:49 163840]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 23:02 53248]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 19:29 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 13:05 212992]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-02-07 02:03 114741]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 18:00 1005096]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2006-01-17 13:03 53248]
"AutoTBar"="c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 01:56 53760 C:\WINDOWS\system32\narrator.exe]

C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\
AutoTBar.exe [2003-11-14 21:44:40 32768]

C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z.004\Start Menu\Programs\Startup\
AutoTBar.exe [2003-11-14 21:44:40 32768]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 05:44:06 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2004-01-20 22:59:55 16384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2006-10-04 17:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0008a777-a119-11dc-aae8-000ea69bf967}]
\Shell\Auto\command - L:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b367e44e-b58d-11dc-ab13-000ea69bf967}]
\Shell\Auto\command - L:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b367e44f-b58d-11dc-ab13-000ea69bf967}]
\Shell\Auto\command - M:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c4953671-cecf-11dc-ab46-000ea69bf967}]
\Shell\Auto\command - L:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c4953672-cecf-11dc-ab46-000ea69bf967}]
\Shell\Auto\command - M:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d1f65d3b-f442-11dc-ab9f-000ea69bf967}]
\Shell\AutoRun\command - L:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - L:\system\viewer\FlipVideoforPC.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de5e1c5c-f977-11dc-aba8-000ea69bf967}]
\Shell\Auto\command - L:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 13:14:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\McAfee.com\Agent\Mcdetect.exe
C:\PROGRA~1\McAfee.com\Agent\McTskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
.
**************************************************************************
.
Completion time: 2008-06-14 13:22:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-14 18:22:19

Pre-Run: 2,327,310,336 bytes free
Post-Run: 2,827,235,328 bytes free

243 --- E O F --- 2008-06-11 02:42:18


This post has been edited by nosrevia: Jun 14 2008, 12:22 PM
Go to the top of the page
 
+Quote Post
nosrevia
post Jun 14 2008, 01:02 PM
Post #6


Member
**
Posts: 47
From: Texas
OS: XP
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:35:26 PM, on 6/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [AutoTBar] c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE
O4 - HKLM\..\Run: [44a77496] rundll32.exe "C:\WINDOWS\system32\nqhostsv.dll",b
O4 - HKLM\..\Run: [BM4794470a] Rundll32.exe "C:\WINDOWS\system32\hkbcqmym.dll",s
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: bdsripcab - https://media.bdsrealtime.com/components/bdsripcab.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} (GameHouse Games Player) - http://www.gamehouse.com/games/gamehouse/ghplayer.cab
O16 - DPF: {7545D8C8-F53C-4E2F-8FA0-D248EF4A6E61} - http://scanner.vav-scanner.com/setup/setup.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {B4A78D29-52B1-4A7B-BAC0-1471BEDF9836} - http://xscanner.shredderscan.com/setup/webinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.gamehouse.com/games/zylom/zylomplayer.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.gamehouse.com/games/beje2/popcaploader.cab
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe

--
End of file - 8660 bytes