IE Redirect / Trojan? [RESOLVED]

  • This topic is locked
#1
pewee
Member, 49 posts

I have a laptop that is running Win XP. It had the 'Red Biohazard' wallpaper virus on it. I cleaned that with Malwarebytes and SUPERAntiSpyware. I ran an HJT and DSS.
Here are the logs:
HJT-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:27:10, on 8/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: QXK Olive - {DBEF65C0-913F-49C4-82FD-7EB478B30FB5} - C:\WINDOWS\wnlmdakqsrg.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKUS\S-1-5-21-908492956-2679298287-554786398-1005\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User '?')
O4 - HKUS\S-1-5-21-908492956-2679298287-554786398-1005\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent (User '?')
O4 - HKUS\S-1-5-21-908492956-2679298287-554786398-1005\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" (User '?')
O4 - HKUS\S-1-5-21-908492956-2679298287-554786398-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-908492956-2679298287-554786398-1005\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe (User '?')
O4 - HKUS\S-1-5-21-908492956-2679298287-554786398-1005\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User '?')
O4 - HKUS\S-1-5-21-908492956-2679298287-554786398-1005\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker...IL/PhPSetup.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c8.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movi.../altpmtscab.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: tfnslopk - {26E58626-39F8-4E4F-BFD5-84AB40C7A72A} - C:\WINDOWS\tfnslopk.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9636 bytes

DSS-
Deckard's System Scanner v20071014.68
Run by Candy on 2008-08-07 08:48:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 495 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-07 08:49:25
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDANTSRV.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\HookUpFinder\hookupfinder.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\MarkAny\ContentSafer\MaAgent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Sony\SonicStage\SSAAD.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
D:\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsof...search.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
O2 - BHO: (no name) - {18417486-220A-4F8E-8190-4E9C08CB0D15} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {401F7A17-0E47-4F50-9F65-9EF2C176E666} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {49C03043-39EE-4CBF-8FA9-D1EEFBD50A34} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {4A25D449-2BAA-4426-A992-D18CA70CF5A9} - C:\WINDOWS\system32\tzm.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7C902F78-5FF1-4A20-A89C-F072E811F939} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {819D0A6D-1AFF-49E4-B0C3-03349B1F3AC8} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {8251C34F-BFEC-46A5-9330-706F0531DA14} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {89658AFA-5D60-474C-B94B-E4B1D1681500} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {9006DCAF-FC1E-4A71-92D9-CAC45EBA3D94} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {9C148EE5-3AF6-43F7-9317-0F743E480636} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NAVShExt.dll
O2 - BHO: QXK Olive - {DBEF65C0-913F-49C4-82FD-7EB478B30FB5} - C:\WINDOWS\wnlmdakqsrg.dll
O2 - BHO: (no name) - {DE1E8E8F-9AD3-4BA3-A3EA-6B2C5EFD703E} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {E15F0656-969A-4C56-9EC4-8E2A4494DDCA} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {E2A071A7-A4B8-496D-BE15-B62B5F7BE6FF} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {E6410C9F-6195-4B55-A4C0-440CBA6BF155} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {FE3DDC41-B10B-4BB6-ACA1-CD557B02B129} - C:\Program Files\CSBB\CSBB.dll (file missing)
O3 - Toolbar: bgrqfetx - {0448CEDF-E4D9-49B6-A3CF-1D7AA90C0177} - C:\WINDOWS\bgrqfetx.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: CallWave.lnk = ?
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} () - http://dl.filekicker...IL/PhPSetup.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} () - http://static.windup...e/bridge-c8.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} () - http://download.movi.../altpmtscab.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_03) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O21 - SSODL: tfnslopk - {26E58626-39F8-4E4F-BFD5-84AB40C7A72A} - C:\WINDOWS\tfnslopk.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: Privacy Protection -

--
End of file - 10942 bytes

-- Files created between 2008-07-07 and 2008-08-07 -----------------------------

2008-08-06 14:30:00 0 d-------- C:\Documents and Settings\Candy\Application Data\TmpRecentIcons
2008-08-06 14:28:42 368640 --a------ C:\WINDOWS\wnlmdakqsrg.dll
2008-08-06 14:28:42 200704 --a------ C:\WINDOWS\tfnslopk.dll
2008-08-06 14:28:42 86016 --a------ C:\WINDOWS\lnvegaow.exe
2008-08-06 14:28:42 139264 --a------ C:\WINDOWS\eoam.exe
2008-08-06 14:28:42 188416 --a------ C:\WINDOWS\bgrqfetx.dll
2008-07-12 18:31:01 0 d-------- C:\Documents and Settings\Candy\Application Data\FunWebProducts


-- Find3M Report ---------------------------------------------------------------

2008-08-07 08:25:58 0 d-------- C:\Program Files\CallWave
2008-07-20 18:44:43 0 d-------- C:\Program Files\Napster
2008-07-12 18:28:48 0 d-------- C:\Program Files\MSN Messenger
2008-06-10 15:10:06 0 d-------- C:\Documents and Settings\Candy\Application Data\Dvd bore
2008-06-10 15:08:32 0 d-------- C:\Program Files\hbinst
2008-06-10 15:08:25 0 d-------- C:\Program Files\Nkgxtn
2008-06-10 15:08:01 0 d-------- C:\Program Files\MBKWBar
2008-06-10 10:47:12 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-10 10:26:00 2972 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-09 23:14:03 0 d-------- C:\Program Files\Norton AntiVirus
2008-06-07 14:06:56 0 d-------- C:\Program Files\Yahoo!
2008-06-07 14:04:33 0 d-------- C:\Program Files\Google
2008-06-07 12:25:18 0 d-------- C:\Documents and Settings\Candy\Application Data\Malwarebytes


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18417486-220A-4F8E-8190-4E9C08CB0D15}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{401F7A17-0E47-4F50-9F65-9EF2C176E666}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49C03043-39EE-4CBF-8FA9-D1EEFBD50A34}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A25D449-2BAA-4426-A992-D18CA70CF5A9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C902F78-5FF1-4A20-A89C-F072E811F939}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{819D0A6D-1AFF-49E4-B0C3-03349B1F3AC8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8251C34F-BFEC-46A5-9330-706F0531DA14}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89658AFA-5D60-474C-B94B-E4B1D1681500}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9006DCAF-FC1E-4A71-92D9-CAC45EBA3D94}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C148EE5-3AF6-43F7-9317-0F743E480636}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBEF65C0-913F-49C4-82FD-7EB478B30FB5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DE1E8E8F-9AD3-4BA3-A3EA-6B2C5EFD703E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E15F0656-969A-4C56-9EC4-8E2A4494DDCA}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E2A071A7-A4B8-496D-BE15-B62B5F7BE6FF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6410C9F-6195-4B55-A4C0-440CBA6BF155}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE3DDC41-B10B-4BB6-ACA1-CD557B02B129}]
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservicesonce
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices
HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce
MySpaceIM REG_SZ C:\Program Files\MySpace\IM\MySpaceIM.exe
!d;
"HideStartupScripts"=0 (0x0)
!d;
"DisableTaskMgr"=0 (0x0)
HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run
HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\run

Written by Bobbi Flekman 2006 ©
GeneralFlags REG_DWORD 0 (0x0)
RestoredStateInfo REG_BINARY 180000000000000000000000f4010000f401000001000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [11/23/2004 04:51 PM 192512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"tfnslopk"= {26E58626-39F8-4E4F-BFD5-84AB40C7A72A} - C:\WINDOWS\tfnslopk.dll [08/06/2008 12:13 PM 200704]

REGEDIT4
"OldUserinit"="C:\\WINDOWS\\system32\\userinit.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions]
"ProcessGroupPolicy"="ProcessGroupPolicy"
00
"MaxNoGPOListChangesInterval"=dword:000003c0
00
"RequiresSuccessfulRegistry"=dword:00000001
74,61,6c,6c,65,72,2c,41,70,70,6c,69,63,61,74,69,6f,6e,29,00,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify]
"Logoff"="ChainWlxLogoffEvent"
"Logoff"="CryptnetWlxLogoffEvent"
"Asynchronous"=dword:00000001
"Unlock"="WinlogonUnlockEvent"
"Asynchronous"=dword:00000001
"Logoff"="SchedEventLogOff"
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
"Asynchronous"=dword:00000001
"Disconnect"="TSEventDisconnect"
"EulaAccepted"=dword:00000001
96,14,00,00,00,21,12,a4,d6,50,85,1a,42,a3,32,92,12,68,49,05,be,b5,dc,08,f3
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\SCLogon]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\SpecialAccounts]
"ASPNET"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Credentials]
!d;s/.*t//;s/
[hkey.*/n
Asynchronous REG_DWORD 0 (0x0)
!d;s/.*t//;s/
[hkey.*/n
Asynchronous REG_DWORD 0 (0x0)
!d;s/.*t//;s/
[hkey.*/n
DLLName REG_SZ cscdll.dll
!d;s/.*t//;s/
[hkey.*/n
!d;s/.*t//;s/
[hkey.*/n
DLLName REG_SZ wlnotify.dll
!d;s/.*t//;s/
[hkey.*/n
Asynchronous REG_DWORD 0 (0x0)
!d;s/.*t//;s/
[hkey.*/n
Logoff REG_SZ WLEventLogoff
!d;s/.*t//;s/
[hkey.*/n
DLLName REG_SZ WlNotify.dll
!d;s/.*t//;s/
[hkey.*/n
Asynchronous REG_DWORD 0 (0x0)
!d;s/.*t//;s/
[hkey.*/n
Logon REG_SZ WLEventLogon
!d;s/.*t//;s/
[hkey.*/n
DLLName REG_SZ wlnotify.dll

Written by Bobbi Flekman 2006 ©
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
ApplicationGoo REG_BINARY 140200001002000000020000900434000000560053005f00560045005200530049004f004e005f00
49004e0046004f0000000000bd04effe00000100000007000b000000000007000b0000003f0000000
20000000400010001000000000000000000000000000000440000000100560061007200460069006c
00650049006e0066006f00000000002400040000005400720061006e0073006c006100740069006f0
06e00000000000904e404f0030000010053007400720069006e006700460069006c00650049006e00
66006f000000cc03000001003000340030003900300034004500340000004a001900010043006f006
d006d0065006e007400730000004300720079007300740061006c002000530051004c002000440065
007300690067006e0065007200200037002e0030000000000088003400010043006f006d007000610
06e0079004e0061006d006500000000005300650061006700610074006500200053006f0066007400
7700610072006500200049006e0066006f0072006d006100740069006f006e0020004d0061006e006
100670065006d0065006e0074002000470072006f00750070002c00200049006e0063002e000000ae
00450001004c006500670061006c0043006f007000790072006900670068007400000043006f00700
07900720069006700680074002000280063002900200031003900390031002d003100390039001000
000000000000
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
DisableHeapLookAside REG_SZ 1
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
ApplicationGoo REG_BINARY 5409000054020000000200008c0334000000560053005f00560045005200530049004f004e005f00
49004e0046004f0000000000bd04effe000001000200a8112e0400000200a8112e0400003f0000002
00000000400000001000000000000000000000000000000ec020000010053007400720069006e0067
00460069006c00650049006e0066006f000000c802000001003000300030003000300034006200300
0000038001000010043006f006d006d0065006e007400730000004f007200690067006e0061006c00
2000560065007200730069006f006e00000042001100010043006f006d00700061006e0079004e006
1006d006500000000005300410050002000410047002c002000570061006c006c0064006f00720066
00000000005a0019000100460069006c0065004400650073006300720069007000740069006f006e0
0000000005300410050002000460072006f006e00740065006e006400200066006f00720020005700
69006e0064006f0077007300000000003c000e000100460069006c006500560065007200730069006
f006e000000000034003500320030002e0032002e0030002e00310030003700300000003200090001
0049006e007400650072006e0061006c004e0061006d0065000000460045005700460052004f004e0
05400000000007a002b0001004c006500670061006c0043006f007000790072006900670068000200
000000000000010000004c0000003cfd0600040000000000000065050000020000000300000000000
100530065007200760069006300650020005000610063006b00200033000000230054020000000200
008c0334000000560053005f00560045005200530049004f004e005f0049004e0046004f000000000
0bd04effe0000010003009e112604000003009e11260400003f000000200000000400000001000000
000000000000000000000000ec020000010053007400720069006e006700460069006c00650049006
e0066006f000000c8020000010030003000300030003000340062003000000038001000010043006f
006d006d0065006e007400730000004f007200690067006e0061006c0020005600650072007300690
06f006e00000042001100010043006f006d00700061006e0079004e0061006d006500000000005300
410050002000410047002c002000570061006c006c0064006f0072006600000000005a00190001004
60069006c0065004400650073006300720069007000740069006f006e000000000053004100500020
00460072006f006e00740065006e006400200066006f0072002000570069006e0064006f007700730
0000000003c000e000100460069006c006500560065007200730069006f006e000000000034003500
310030002e0033002e0030002e003100300036003200000032000900010049006e007400650072006
e0061006c004e0061006d0065000000460045005700460052004f004e005400000000007a002b0001
004c006500670061006c0043006f007000790072006900670068000200000000000000010000004c0
000003cfd060004000000000000006505000002000000030000000000010053006500720076006900
6300650020005000610063006b0020003300000023005402000000020000200334000000560053005
f00560045005200530049004f004e005f0049004e0046004f0000000000bd04effe00000100000004
00f003000000000400f00300003f00000000000000040001000100000000000000000000000000000
07e020000010053007400720069006e006700460069006c00650049006e0066006f0000005a020000
01003000340030003900300034004500340000002e000700010043006f006d00700061006e0079004
e0061006d00650000000000530041005000200041004700000000005a0019000100460069006c0065
004400650073006300720069007000740069006f006e00000000005300410050002000460072006f0
06e00740065006e006400200066006f0072002000570069006e0064006f0077007300000000003600
0b000100460069006c006500560065007200730069006f006e000000000034002e0030002e0030002
e003100300030003800000000002c000600010049006e007400650072006e0061006c004e0061006d
0065000000460052004f004e00540000005e001d0001004c006500670061006c0043006f007000790
072006900670068007400000043006f0070007900720069006700680074002000a900200031003900
390033002d0031003900390037002000530041005000200041004700000000002800000001004c006
500670061006c0054007200610064000200000000000000010000004c0000003cfd06000400000000
000000650500000200000003000000000001005300650072007600690063006500200050006100630
06b0020003300000023005402000000020000180334000000560053005f0056004500520053004900
4f004e005f0049004e0046004f0000000000bd04effe0000010000000400dd03000000000400dd030
0003f0000000000000004000100010000000000000000000000000000007802000001005300740072
0069006e006700460069006c00650049006e0066006f0000005402000001003000340030003900300
034004500340000002e000700010043006f006d00700061006e0079004e0061006d00650000000000
530041005000200041004700000000005a0019000100460069006c006500440065007300630072006
9007000740069006f006e00000000005300410050002000460072006f006e00740065006e00640020
0066006f0072002000570069006e0064006f00770073000000000034000a000100460069006c00650
0560065007200730069006f006e000000000034002e0030002e0030002e0039003800390000002c00
0600010049006e007400650072006e0061006c004e0061006d0065000000460052004f004e0054000
0005e001d0001004c006500670061006c0043006f007000790072006900670068007400000043006f
0070007900720069006700680074002000a900200031003900390033002d003100390039003700200
0530041005000200041004700000000002800000001004c006500670061006c005400720061006400
65006d000200000000000000010000004c0000003cfd0600040000000000000065050000020000000
300000000000100530065007200760069006300650020005000610063006b002000330000002300
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
ApplicationGoo REG_BINARY 5802000054020000000200006c0734000000560053005f00560045005200530049004f004e005f00
49004e0046004f0000000000bd04effe00000100050005000700a807050005000700a8073f0000000
00000000400040001000000000000000000000000000000cc060000010053007400720069006e0067
00460069006c00650049006e0066006f0000005403000001003000340030003900300034004200300
0000018000000010043006f006d006d0065006e007400730000004c001600010043006f006d007000
61006e0079004e0061006d006500000000004d006900630072006f0073006f0066007400200043006
f00720070006f0072006100740069006f006e000000680020000100460069006c0065004400650073
006300720069007000740069006f006e00000000004d006900630072006f0073006f0066007400200
0450078006300680061006e0067006500200053006500720076006500720020005300650074007500
7000000036000b000100460069006c006500560065007200730069006f006e000000000035002e003
5002e0031003900360030002e003700000000002c000600010049006e007400650072006e0061006c
004e0061006d00650000005300650074007500700000009c003c0001004c006500670061006c00430
06f007000790072006900670068007400000043006f00700079007200690067006800740020000200
000000000000010000004c0000003cfd0600050000000000000065050000020000000300000002000
000530065007200760069006300650020005000610063006b002000340000002300
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
ApplicationGoo REG_BINARY 580200005402000000020000440234000000560053005f00560045005200530049004f004e005f00
49004e0046004f0000000000bd04effe00000100010001000c000000010001000c000000000000000
00000000400000001000000000000000000000000000000440000000000560061007200460069006c
00650049006e0066006f00000000002400040000005400720061006e0073006c006100740069006f0
06e00000000000904b004a4010000010053007400720069006e006700460069006c00650049006e00
66006f00000080010000010030003400300039003000340042003000000040002000010043006f006
d00700061006e0079004e0061006d00650000000000440065004c006f0072006d00650020004d0061
007000700069006e0067000000440022000100500072006f0064007500630074004e0061006d00650
0000000005200650067002000280044004c0069006200620079005c006d0073006600290000000000
340014000100460069006c006500560065007200730069006f006e000000000031002e00300031002
e0030003000310032000000380014000100500072006f006400750063007400560065007200730069
006f006e00000031002e00300031002e003000300031003200000034001200010049006e007400650
072006e0061006c004e0061006d00650000004d004e00470052004500470033003200000000000200
000000000000010000004c0000003cfd0600040000000000000065050000020000000300000000000
100530065007200760069006300650020005000610063006b002000330000002300
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
GlobalFlag REG_SZ 0x00200000
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
GlobalFlag REG_SZ 0x00200000
DisableHeapLookAside REG_SZ 1
DisableHeapLookAside REG_SZ 1
ApplicationGoo REG_BINARY 140200001002000000020000b40234000000560053005f00560045005200530049004f004e005f00
49004e0046004f0000000000bd04effe00000100350007000000000035000700000000003f0000000
0000000040000000100000000000000000000000000000012020000010053007400720069006e0067
00460069006c00650049006e0066006f000000ee01000001003000340030003900300034006200300
0000042001100010043006f006d00700061006e0079004e0061006d00650000000000500065006f00
70006c00650053006f00660074002c00200049006e0063002e0000000000280000000100460069006
c0065004400650073006300720069007000740069006f006e00000000002a0005000100460069006c
006500560065007200730069006f006e000000000037002e0035003300000000009c003c0001004c0
06500670061006c0043006f007000790072006900670068007400000043006f007000790072006900
6700680074002000a900200031003900380038002d0031003900390038002000500065006f0070006
c00650053006f00660074002c00200049006e0063002e002000200041006c006c0020005200690067
0068007400730020005200650073006500720076006500640000003c000a0001004f0072006900670
069006e0061006c00460069006c0065006e0061006d00650000007000730064006d0074002e001000
000000000000
DisableHeapLookAside REG_SZ 1
DisableHeapLookAside REG_SZ 1
CheckAppHelp REG_DWORD 1 (0x1)
ApplicationGoo REG_BINARY 000700005402000000020000840734000000560053005f00560045005200530049004f004e005f00
49004e0046004f0000000000bd04effe00000100050005000700a807050005000700a8073f0000000
00000000400040001000000000000000000000000000000e4060000010053007400720069006e0067
00460069006c00650049006e0066006f0000006003000001003000340030003900300034004200300
0000018000000010043006f006d006d0065006e007400730000004c001600010043006f006d007000
61006e0079004e0061006d006500000000004d006900630072006f0073006f0066007400200043006
f00720070006f0072006100740069006f006e000000680020000100460069006c0065004400650073
006300720069007000740069006f006e00000000004d006900630072006f0073006f0066007400200
0450078006300680061006e0067006500200053006500720076006500720020005300650074007500
7000000036000b000100460069006c006500560065007200730069006f006e000000000035002e003
5002e0031003900360030002e003700000000002c000600010049006e007400650072006e0061006c
004e0061006d00650000005300650074007500700000009e003d0001004c006500670061006c00430
06f007000790072006900670068007400000043006f00700079007200690067006800740020000200
000000000000010000004c0000003cfd0600050000000000000065050000020000000000000000000
000530065007200760069006300650020005000610063006b00200033000000240054020000000200
00a40834000000560053005f00560045005200530049004f004e005f0049004e0046004f000000000
0bd04effe00000100050005000700a807050005000700a8073f000000000000000400040001000000
00000000000000000000000004080000010053007400720069006e006700460069006c00650049006
e0066006f000000f0030000010030003400300039003000340042003000000018000000010043006f
006d006d0065006e007400730000004c001600010043006f006d00700061006e0079004e0061006d0
06500000000004d006900630072006f0073006f0066007400200043006f00720070006f0072006100
740069006f006e000000680020000100460069006c006500440065007300630072006900700074006
9006f006e00000000004d006900630072006f0073006f00660074002000450078006300680061006e
00670065002000530065007200760065007200200053006500740075007000000036000b000100460
069006c006500560065007200730069006f006e000000000035002e0035002e003100390036003000
2e003700000000002c000600010049006e007400650072006e0061006c004e0061006d00650000005
30065007400750070000000a600410001004c006500670061006c0043006f00700079007200690067
0068007400000043006f00700079007200690067006800740020000200000000000000010000004c0
000003cfd060005000000000000006505000002000000000000000000000053006500720076006900
6300650020005000610063006b0020003300000024005402000000020000180434000000560053005
f00560045005200530049004f004e005f0049004e0046004f0000000000bd04effe00000100050005
000700a807050005000700a8073f00000000000000040004000100000000000000000000000000000
078030000010053007400720069006e006700460069006c00650049006e0066006f00000054030000
010030003400300039003000340042003000000018000000010043006f006d006d0065006e0074007
30000004c001600010043006f006d00700061006e0079004e0061006d006500000000004d00690063
0072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e000000680
020000100460069006c0065004400650073006300720069007000740069006f006e00000000004d00
6900630072006f0073006f00660074002000450078006300680061006e00670065002000530065007
200760065007200200053006500740075007000000036000b000100460069006c0065005600650072
00730069006f006e000000000035002e0035002e0031003900360030002e003700000000002c00060
0010049006e007400650072006e0061006c004e0061006d0065000000530065007400750070000000
9a003b0001004c006500670061006c0043006f007000790072006900670068007400000043006f007
00079007200690067006800740020000200000000000000010000004c0000003cfd06000500000000
000000650500000200000000000000000000005300650072007600690063006500200050006100630
06b002000330000002400
ApplicationGoo REG_BINARY 140200001002000000020000040334000000560053005f00560045005200530049004f004e005f00
49004e0046004f0000000000bd04effe000001001c0008000000000000000800000000003f0000000
0000000040000000100000000000000000000000000000064020000010053007400720069006e0067
00460069006c00650049006e0066006f0000004002000001003000340030003900300034006200300
0000044001200010043006f006d00700061006e0079004e0061006d0065000000000043006f007200
65006c00200043006f00720070006f0072006100740069006f006e0000004e0013000100460069006
c0065004400650073006300720069007000740069006f006e000000000043006f00720065006c0020
00530065007400750070002000570069007a00610072006400000000002c0006000100460069006c0
06500560065007200730069006f006e000000000038002e0030003200380000004600130001004900
6e007400650072006e0061006c004e0061006d006500000043006f00720065006c002000530065007
400750070002000570069007a00610072006400000000006c00240001004c006500670061006c0043
006f007000790072006900670068007400000043006f0070007900720069006700680074002000a90
0200031003900390037002c00200043006f00720065006c00200043006f00720070006f0072000800
000000000000
ApplicationGoo REG_BINARY 140200001002000000020000380334000000560053005f00560045005200530049004f004e005f00
49004e0046004f0000000000bd04effe0000010002000a0001000a0002000a0001000a00000000000
0000000040001000100000000000000000000000000000098020000010053007400720069006e0067
00460069006c00650049006e0066006f0000007402000001003000340030003900300034004500340
000004a001500010043006f006d00700061006e0079004e0061006d00650000000000530079006d00
61006e00740065006300200043006f00720070006f0072006100740069006f006e000000000060001
c000100460069006c0065004400650073006300720069007000740069006f006e0000000000530079
006d0061006e007400650063002000530079006d006500760065006e007400200049006e007300740
061006c006c0065007200000034000a000100460069006c006500560065007200730069006f006e00
00000000310030002e0032002e00310030002e003100000030000800010049006e007400650072006
e0061006c004e0061006d006500000053004500560049004e005300540000007e002d0001004c0065
00670061006c0043006f007000790072006900670068007400000043006f007000790072006900670
06800740020002800430029002000530079006d0061006e00740065006300200043006f0072000100
000000000000
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
DisableHeapLookAside REG_SZ 1
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
DisableHeapLookAside REG_SZ 1
CheckAppHelp REG_DWORD 1 (0x1)
ApplicationGoo REG_BINARY 1402000010020000000200007c0334000000560053005f00560045005200530049004f004e005f00
49004e0046004f0000000000bd04effe00000100000001000900260000000100090026003f0000000
00000000400000001000000000000000000000000000000dc020000010053007400720069006e0067
00460069006c00650049006e0066006f000000b802000001003000340030003900300034006200300
0000066002700010043006f006d006d0065006e0074007300000042007500730069006e0065007300
7300200049006e00740065006c006c006900670065006e006300650020006f006e002000450076006
5007200790020004400650073006b0074006f0070000000000048001400010043006f006d00700061
006e0079004e0061006d0065000000000043006f0067006e006f007300200049006e0063006f00720
070006f0072006100740065006400000060001c000100460069006c00650044006500730063007200
69007000740069006f006e000000000043006f0067006e006f0073002000470065006e00650072006
9006300200049006e007300740061006c006c006100740069006f006e00000038000c000100460069
006c006500560065007200730069006f006e000000000031002c00200030002c002000330038002c0
020003900000030000800010049006e007400650072006e0061006c004e0061006d00650000000100
000000000000
GlobalFlag REG_SZ 0x000010F0
ApplicationGoo REG_BINARY 140200001002000000020000a40234000000560053005f00560045005200530049004f004e005f00
49004e0046004f0000000000bd04effe00000100000001000100000000000100010000003f0000000
0000000010001000100000000000000000000000000000004020000010053007400720069006e0067
00460069006c00650049006e0066006f000000e001000001003000340030003900300034004500340
0000020000000010043006f006d00700061006e0079004e0061006d00650000000000580018000100
460069006c0065004400650073006300720069007000740069006f006e000000000049004e0053005
40041004c004c0020004d004600430020004100700070006c00690063006100740069006f006e0000
00300008000100460069006c006500560065007200730069006f006e000000000031002e0030002e0
0300030003100000030000800010049006e007400650072006e0061006c004e0061006d0065000000
49004e005300540041004c004c0000002400000001004c006500670061006c0043006f00700079007
200690067006800740000002800000001004c006500670061006c00540072006100640065006d0061
0072006b0073000000000040000c0001004f0072006900670069006e0061006c00460069006c00650
06e0061006d006500000049004e005300540041004c004c002e004500580045000000300008000800
000000000000
"Notification Packages scecli

Written by Bobbi Flekman 2006 ©
Error: Key: software\microsoft\windows\currentversion\group policy\state does not exist!

Written by Bobbi Flekman 2006 ©
SecurityProviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SaslProfiles
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\WDigest

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[hkey_local_machine\system\currentcontrolset\control\safeboot\minimal\File system]
@="Driver Group"

[hkey_local_machine\system\currentcontrolset\control\safeboot\minimal\RpcSs]
@="Service"

[hkey_local_machine\system\currentcontrolset\control\safeboot\minimal\vgasave.sys]
@="Driver"

[hkey_local_machine\system\currentcontrolset\control\safeboot\minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[hkey_local_machine\system\currentcontrolset\control\safeboot\minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[hkey_local_machine\system\currentcontrolset\control\safeboot\minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[hkey_local_machine\system\currentcontrolset\control\safeboot\minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[hkey_local_machine\system\currentcontrolset\control\safeboot\minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[hkey_local_machine\system\currentcontrolset\control\safeboot\minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk
location REG_SZ Common Startup
command REG_SZ C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpohmr08.exe
item REG_SZ hp psc 1000 series
path REG_SZ C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup REG_SZ C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk
location REG_SZ Common Startup
command REG_SZ C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpotdd01.exe
item REG_SZ hpoddt01.exe
path REG_SZ C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup REG_SZ C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Internet Answering Machine.lnk
location REG_SZ Common Startup
command REG_SZ C:\PROGRA~1\CallWave\IAM.exe -start
item REG_SZ Internet Answering Machine
path REG_SZ C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Internet Answering Machine.lnk
backup REG_SZ C:\WINDOWS\pss\Internet Answering Machine.lnkCommon Startup

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ
hkey REG_SZ HKLM
command REG_SZ
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\000StTHK
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ 000StTHK
hkey REG_SZ HKLM
command REG_SZ 000StTHK.exe
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00THotkey
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ 00THotkey
hkey REG_SZ HKLM
command REG_SZ C:\WINDOWS\System32\00THotkey.exe
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ AGRSMMSG
hkey REG_SZ HKLM
command REG_SZ AGRSMMSG.exe
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ Apoint
hkey REG_SZ HKLM
command REG_SZ C:\Program Files\Apoint2K\Apoint.exe
inimapping REG_SZ 0
  • 0

#2 Mike (Malware Monger, Retired Staff, 2,745 posts)
Hi there,

  • Go Here and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.

Please download this file XPSP2_netsvcs.zip
Extract the contents to your desktop. A file XPSP2_netsvcs.reg should be present. Please double click on the file and allow it to merge with your registry.

Reboot your PC.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt

Edited by Mike, 14 August 2008 - 12:15 PM.

  • 0

#3 pewee (Member, Topic Starter, 49 posts)
Hi Mike, thanks for your reply.

I will try to get a fresh report for you because I did a couple of other scans and it seems to have removed the virus. Now I have a lot of missing files and I didn't do the recovery program, so I am trying to get a copy of XP Home to do a reinstall.

I know shame on me. :)
  • 0

#4 pewee (Member, Topic Starter, 49 posts)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:30:38, on 8/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-21-908492956-2679298287-554786398-1005\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User '?')
O4 - HKUS\S-1-5-21-908492956-2679298287-554786398-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-908492956-2679298287-554786398-1005\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe (User '?')
O4 - HKUS\S-1-5-21-908492956-2679298287-554786398-1005\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker...IL/PhPSetup.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movi.../altpmtscab.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8919 bytes
  • 0

#5 Mike (Malware Monger, Retired Staff, 2,745 posts)
Hi there :)

Just to get us on the same page...

1. Did you do a repair install?
2. Did you do the NetSvc Fix or the ComboFix step?

Now,

Open Notepad by going to START > RUN and typing notepad.exe in the box that appears. In the window that pops up, please copy and paste the following:

@ECHO off
REM Stop and remove the ISEXEng service (its binary, angelex.exe, is missing from the HJT log)
sc stop ISEXEng
sc delete ISEXEng
REM Dump the svchost "netsvcs" group to looksee.txt so we can check it for added service names
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /V netsvcs> looksee.txt
start notepad looksee.txt
REM Delete this batch file once it has run
del %0


In Notepad click on the "File" menu > Save As... Under "File name" type fix.bat, change "Save as type" to All Files, and save it to a place you will remember.

Double-click on fix.bat. looksee.txt will appear; please post its contents here.

Then,

Did you install PokerStars and Poker.com? If not, please uninstall them and fix the upcoming entries in red.

Please open HijackThis again and choose "Do a system scan only". Please put a check next to each of the following entries (if still present):

O2 - BHO: (no name) - SOFTWARE - (no file)
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe

O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker...IL/PhPSetup.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movi.../altpmtscab.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)


Now please close all open windows except HJT and press "Fix checked".

Afterwards,

Please run ComboFix as instructed previously.

Post back with the logs.
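An added example, not part of this thread: a short Python triage that applies the same cues Mike uses above to HijackThis log lines (a service with "Unknown owner", an entry marked "(file missing)" or "(no file)", an O16 download with no friendly name) and reads the service names out of the looksee.txt that the batch file writes. The sample lines and the reg.exe excerpt are constructed for the example; the cues are heuristics for what to look at next, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2.0.2 line format (entry shapes as seen in
# this thread, not a full log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker...IL/PhPSetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
""".strip()

# Constructed excerpt of the looksee.txt that the batch file produces
# (XP's reg.exe prints REG_MULTI_SZ entries separated by a literal "\0").
SAMPLE_REG = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
    netsvcs    REG_MULTI_SZ    6to4\0AppMgmt\0AudioSrv\0BITS\0wuauserv\0\0
""".strip()


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O23"
    name: str      # entry name as HijackThis prints it
    reasons: list  # why the entry deserves a look
    line: str      # the original log line


ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
# An O16 entry with a friendly name looks like "{CLSID} (Name) - url".
DPF_NAMED_RE = re.compile(r"^\{[0-9A-Fa-f-]+\} \(")


def parse_entry(line):
    """Split an 'Onn - Kind: a - b - c' line into (section, kind, [a, b, c])."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    return section, kind, rest.split(" - ")


def triage_line(line):
    """Return a Finding if the line matches one of the cues above, else None."""
    parsed = parse_entry(line)
    if parsed is None:
        return None
    section, _kind, parts = parsed
    reasons = []
    if "(file missing)" in line or "(no file)" in line:
        reasons.append("target file missing: orphaned or half-removed autostart")
    if section == "O23" and len(parts) >= 2 and parts[1] == "Unknown owner":
        reasons.append("service with no publisher information")
    if section == "O2" and parts[0] == "(no name)":
        reasons.append("browser helper object with no name")
    if section == "O16" and not DPF_NAMED_RE.match(parts[0]):
        reasons.append("ActiveX download with no friendly name")
    if not reasons:
        return None
    return Finding(section, parts[0], reasons, line.strip())


def triage(log_text):
    """Run triage_line over a whole log; returns the flagged entries in order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


def netsvcs_entries(reg_output):
    """Service names in the netsvcs value from 'reg query ... /V netsvcs' output."""
    for line in reg_output.splitlines():
        cols = line.split()
        if len(cols) >= 3 and cols[0] == "netsvcs" and cols[1] == "REG_MULTI_SZ":
            return [name for name in cols[2].split(r"\0") if name]
    return []


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.name!r}: {'; '.join(f.reasons)}")
    print("netsvcs:", netsvcs_entries(SAMPLE_REG))
```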

#6
pewee

    Member

  • Topic Starter
  • Member
  • 49 posts
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
netsvcs REG_MULTI_SZ 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN\0\0

I ran the first 2 programs you told me to run and the computer seems to be working properly now. Not sure what is going on.

Combofix is what I ran earlier which cleared the virus issue.

I am going to remove the poker programs and do the HJT next. I'll post when it's finished.

Mike do you want me to still run Combofix? I have removed the poker programs and HJT has come up clean of those.

Edited by pewee, 14 August 2008 - 03:18 PM.


#7
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there,

Go to start > then run. In the box that appears copy and paste this: C:\combofix.txt

Post the contents of that log along with a new Hijack This log please.

I will post back tomorrow as it is bedtime here :)

#8
pewee

    Member

  • Topic Starter
  • Member
  • 49 posts
Here is the Combofix from this morning:
ComboFix 08-08-11.01 - Candy 2008-08-13 15:40:33.3 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\Candy\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-07-13 to 2008-08-13 )))))))))))))))))))))))))))))))
.

2008-08-12 13:30 . 2008-08-11 03:44 <DIR> d-------- C:\SDFix
2008-08-11 20:15 . 2008-08-11 20:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-08-07 16:42 . 2008-08-07 16:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-07 15:28 . 2008-08-07 15:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-07 15:27 . 2008-08-11 09:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-07 15:27 . 2008-08-07 15:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-07 15:27 . 2008-08-07 15:27 <DIR> d-------- C:\Documents and Settings\Candy\Application Data\SUPERAntiSpyware.com
2008-08-07 13:21 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-08-07 13:21 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-08-07 13:21 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-08-07 13:21 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-08-07 13:21 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-08-07 13:21 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-08-07 13:21 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-08-07 13:21 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-08-07 12:20 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 19:31 --------- d-----w C:\Program Files\CallWave
2008-08-11 16:03 --------- d-----w C:\Program Files\MSN Messenger
2008-08-11 13:22 --------- d-----w C:\Program Files\fsupport
2008-08-07 19:31 --------- d-----w C:\Program Files\Norton AntiVirus
2008-08-07 19:31 --------- d-----w C:\Program Files\Napster
2008-08-07 17:23 2,752 ----a-w C:\WINDOWS\system32\tmp.reg
2008-08-07 16:21 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-07-31 00:07 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2005-05-12 02:06 42 ----a-w C:\Documents and Settings\Candy\Application Data\tvmuknwrd.dll
2004-12-18 17:57 0 ---ha-w C:\Documents and Settings\Candy\hpothb07.dat
2003-08-27 21:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
2003-04-29 20:00 32 --sha-w C:\WINDOWS\{1AECDE68-1081-45C8-9BEA-C9481A24AD53}.dat
2003-04-29 20:00 32 --sha-w C:\WINDOWS\system32\{DDCA5DCC-AA28-48CB-B6F3-DEF1BA15A743}.dat
.

------- Sigcheck -------

Cryptography Services Error !!
.
((((((((((((((((((((((((((((( snapshot_2008-08-12_20.55.25.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-09 15:14:31 53,634 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-13 12:23:18 53,634 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-09 15:14:31 381,930 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-13 12:23:18 381,930 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 14:08 4670968]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-11-02 14:43 472632]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-01-11 21:45 4898816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29 40960]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51 257088]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-30 09:37 185632]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-02-23 16:32 126976]
"MAAgent"="C:\Program Files\MarkAny\ContentSafer\MAAgent.exe" [2007-01-30 20:36 57344]
"NapsterShell"="C:\Program Files\Napster\napster.exe" [2008-08-07 15:31 0]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-01-11 21:45 4898816]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= "C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL" [2004-11-23 16:51 192512]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Internet Answering Machine.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Internet Answering Machine.lnk
backup=C:\WINDOWS\pss\Internet Answering Machine.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bart Station]
C:\Program Files\ISP50\BIN\PPCOLink -STATION [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00THotkey]
--a------ 2003-04-15 23:01 258048 C:\WINDOWS\system32\00THotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2002-12-25 17:38 159744 C:\Program Files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2002-12-13 15:47 54512 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
--a------ 2002-12-13 15:47 58616 C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
--a------ 2002-08-20 13:29 40960 C:\WINDOWS\system32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-04-07 03:07 114688 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-04-07 03:19 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
--a------ 2003-01-02 20:16 172032 C:\Program Files\ltmoh\ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2004-05-28 18:22 4882432 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDSTray.exe]
--a------ 2003-01-17 23:26 458752 C:\Program Files\Toshiba\ConfigFree\NDSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
--a------ 2002-10-17 16:21 159744 C:\TOSHIBA\Ivp\ISM\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PmProxy]
--a------ 2003-02-28 22:54 40960 C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2007-09-30 09:38 214296 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
-ra------ 2003-08-27 17:20 94208 C:\WINDOWS\SM1bg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
--a------ 2003-01-21 21:00 126976 C:\Program Files\Toshiba\TouchED\TouchED.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TSysSMon]
--a------ 2003-02-25 20:03 49152 c:\TOSHIBA\SysStability\TSysSMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\000StTHK]
--a------ 2001-06-23 23:28 24576 C:\WINDOWS\system32\000StTHK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2003-04-18 14:20 88363 C:\WINDOWS\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
--a------ 2001-08-03 20:08 73728 C:\WINDOWS\system32\TFNF5.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tpwrtray]
--a------ 2002-12-10 13:49 237568 C:\WINDOWS\system32\TPWRTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\system32\\muzapp.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"C:\\Program Files\\CallWave\\IAM.exe"=

R2 ISEXEng;ISEXEng;C:\WINDOWS\System32\angelex.exe []
R3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;C:\WINDOWS\system32\DRIVERS\cben5.sys [2001-08-17 08:13]
R3 wlags48b;Wireless LAN PCCard Driver;C:\WINDOWS\system32\DRIVERS\wlags48b.sys [2002-06-28 19:29]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-08-07 C:\WINDOWS\Tasks\ADAB310F91B8A80B.job
- c:\progra~1\dvdbor~1\USER DRAW PROC.exe []

2007-12-26 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]

2005-07-10 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1065242033.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 03:52]

2008-07-19 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
- C:\PROGRA~1\NORTON~1\NAVW32.exe [2008-08-07 15:31]

2003-09-25 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 12:04]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Candy\Application Data\Mozilla\Firefox\Profiles\9p9irjz1.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-13 15:44:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-13 15:47:19
ComboFix-quarantined-files.txt 2008-08-13 19:46:55
ComboFix2.txt 2008-08-13 00:56:52
ComboFix3.txt 2008-06-10 13:45:31

Pre-Run: 25,976,164,352 bytes free
Post-Run: 25,964,433,408 bytes free

190 --- E O F --- 2008-08-07 00:24:35

The latest HJT report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:02:32, on 8/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker...IL/PhPSetup.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movi.../altpmtscab.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8179 bytes

Also you will notice the clock never went back to standard format. It's stuck on military.

Edited by pewee, 14 August 2008 - 08:04 PM.


#9
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there,

We will fix your clock later.

Please attach this log C:\qoobox\ComboFix-quarantined-files.txt
To attach a file, do the following:
* Click Add Reply
* Under the reply panel is the Attachments Panel
* Browse for the attachment file you want to upload, then click the green Upload button
* Once it has uploaded, click the Manage Current Attachments drop down box
* Click on the [image] to insert the attachment into your post

Then,

Delete your copy of ComboFix.

Please go here to install the recovery console and for a guide on using combofix.
Please note: Installing the Recovery Console plays a vital part in making this process of cleaning your computer safe, don't overlook this!

Now please download combofix from here or here. It is important that you save this file to your desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a Hijack This log in your next reply.

A quick heads up, if you click on combofix's window when it's running, you may cause it to stall.

Edited by Mike, 15 August 2008 - 04:14 AM.


#10
pewee

    Member

  • Topic Starter
  • Member
  • 49 posts
Hi Mike, sorry for the delay. I have been swamped at work and not able to even check my emails. I am heading home so I will do this once I'm home and post the results.

Thanks

#11
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Don't worry :)

I monitor this thread for 10 days from the latest post.

I'll wait on your reply.

#12
pewee

    Member

  • Topic Starter
  • Member
  • 49 posts
Attached File: ComboFix_quarantined_files.txt (6.84KB)

#13
pewee

    Member

  • Topic Starter
  • Member
  • 49 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:24:28, on 8/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker...IL/PhPSetup.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movi.../altpmtscab.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8218 bytes


ComboFix 08-06-09.7 - Candy 2008-06-10 9:29:50.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.197 [GMT -4:00]
Running from: C:\Documents and Settings\Candy\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Candy\Application Data\AXPDefender
C:\Documents and Settings\Candy\Application Data\Microsoft\Internet Explorer\Quick Launch\AXPDefender.lnk
C:\Documents and Settings\Candy\Local Settings\Temporary Internet Files\temp.dmf
C:\Documents and Settings\Candy\Local Settings\Temporary Internet Files\Tvm.log
C:\Program Files\newdotnet
C:\Program Files\newdotnet\nncore.dll
C:\Program Files\newdotnet\nnrun.exe
C:\Program Files\newdotnet\readme.html
C:\Program Files\newdotnet\uninstall.exe
C:\Program Files\popcorn Terms.html
C:\WINDOWS\Downloaded Program Files\hotbar.inf
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\NDNuninstall7_22.exe
C:\WINDOWS\NDNuninstall7_48.exe
C:\WINDOWS\sasent.dll
C:\WINDOWS\system32\drivers\Winye27.sys
C:\WINDOWS\system32\hykdmini.ini
C:\WINDOWS\system32\rkisbcbv.ini
C:\WINDOWS\system32\WinCtrl32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_MSUPDATE
-------\Legacy_NNSERV
-------\Legacy_WINYE27
-------\Service_msupdate
-------\Service_NNServ
-------\Service_Winye27


((((((((((((((((((((((((( Files Created from 2008-05-10 to 2008-06-10 )))))))))))))))))))))))))))))))
.

2008-06-09 20:56 . 2008-06-09 20:56 <DIR> d-------- C:\Deckard
2008-06-07 17:05 . 2008-06-10 09:36 52,736 --a------ C:\WINDOWS\system32\blphc3vtj0epa1.scr
2008-06-07 14:44 . 2008-06-07 14:57 3,156 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-07 14:27 . 2008-06-07 14:27 <DIR> d-------- C:\VundoFix Backups
2008-06-07 14:11 . 2008-06-07 15:13 <DIR> d-------- C:\Documents and Settings\Candy\.housecall6.6
2008-06-07 12:25 . 2008-06-07 12:25 <DIR> d-------- C:\Documents and Settings\Candy\Application Data\Malwarebytes
2008-06-07 10:40 . 2008-06-07 12:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-07 10:40 . 2008-06-07 10:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-07 10:40 . 2008-06-07 10:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-07 10:40 . 2008-06-05 16:04 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-07 10:40 . 2008-06-05 16:04 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-06 08:17 . 2003-04-29 15:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-06-06 08:17 . 2003-05-14 14:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
2008-06-06 08:17 . 2003-04-29 15:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-06-06 08:17 . 2003-04-29 14:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Drag'n Drop CD+DVD
2008-06-06 08:17 . 2008-06-06 08:17 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-04 20:31 . 2008-06-04 20:31 <DIR> d-------- C:\Documents and Settings\Candy\Application Data\shc5vtj0epa1
2008-06-04 20:28 . 2008-06-04 20:28 92,160 --a------ C:\WINDOWS\system32\lphc3vtj0epa1.exe
2008-06-04 20:28 . 2008-06-10 09:36 90,838 --a------ C:\WINDOWS\system32\phc3vtj0epa1.bmp
2008-05-26 20:52 . 2008-05-26 20:52 <DIR> d-------- C:\Program Files\Windows Media Connect 2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-10 13:36 --------- d-----w C:\Program Files\CallWave
2008-06-10 03:14 --------- d-----w C:\Program Files\Norton AntiVirus
2008-06-07 18:06 --------- d-----w C:\Program Files\Yahoo!
2008-06-07 18:04 --------- d-----w C:\Program Files\Google
2008-06-07 17:59 --------- d-----w C:\Program Files\MBKWBar
2008-05-21 01:31 --------- d--h--w C:\Documents and Settings\Candy\Application Data\Move Networks
2008-05-10 16:06 --------- d-----w C:\Documents and Settings\Candy\Application Data\PhotoParade
2008-04-24 01:49 --------- d-----w C:\Documents and Settings\Candy\Application Data\Documents and Settings
2005-05-12 02:06 42 ----a-w C:\Documents and Settings\Candy\Application Data\tvmuknwrd.dll
2005-04-03 04:28 353,851 ----a-w C:\Documents and Settings\Candy\Application Data\tvmknwrd.dll
2004-12-18 17:57 0 ---ha-w C:\Documents and Settings\Candy\hpothb07.dat
2003-08-27 21:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
2005-11-05 23:22 232,349 --sh--r C:\WINDOWS\f1tlarb.sys
2003-04-29 20:00 32 --sha-w C:\WINDOWS\{1AECDE68-1081-45C8-9BEA-C9481A24AD53}.dat
2005-11-13 23:58 211,348 --sh--r C:\WINDOWS\system32\16k0z.exe
2005-11-05 23:22 612,066 --sh--r C:\WINDOWS\system32\7xf2inu.dll
2005-11-05 23:22 309,754 --sh--r C:\WINDOWS\system32\f1tlarb.sys
2005-11-05 23:22 166,423 --sh--r C:\WINDOWS\system32\plivib6.exe
2003-04-29 20:00 32 --sha-w C:\WINDOWS\system32\{DDCA5DCC-AA28-48CB-B6F3-DEF1BA15A743}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00855933-F2CA-4D03-913C-BA6AF2D20D49}]
2005-05-12 07:47 135680 --a------ C:\Program Files\z16roskn\z16roskn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{134F95DD-1F11-4BE7-BD49-715BEB12F8EB}]
2005-05-12 07:47 135680 --a------ C:\Program Files\z16roskn\z16roskn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18417486-220A-4F8E-8190-4E9C08CB0D15}]
C:\Program Files\CSBB\CSBB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1AB08EBF-917D-4DA5-B753-9C9E99F6F82E}]
2005-05-12 07:47 135680 --a------ C:\Program Files\z16roskn\z16roskn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{230EDB2E-D555-46F3-B434-F746AADBB37E}]
2005-05-12 07:47 135680 --a------ C:\Program Files\z16roskn\z16roskn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2909C652-7E5F-41F1-915C-DE62390381B7}]
2005-05-12 07:47 135680 --a------ C:\Program Files\z16roskn\z16roskn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2BBAECC3-6C41-486B-BF8F-88B6290F3F60}]
2005-05-12 07:47 135680 --a------ C:\Program Files\z16roskn\z16roskn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37B0A6A0-FC0D-4ACC-9939-EF7CC35E084D}]
2005-05-12 07:47 135680 --a------ C:\Program Files\z16roskn\z16roskn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3F820870-E549-4728-B391-397E47B82DA1}]
2005-05-12 07:47 135680 --a------ C:\Program Files\z16roskn\z16roskn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{401F7A17-0E47-4F50-9F65-9EF2C176E666}]
C:\Program Files\CSBB\CSBB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4548BEED-6968-4849-9434-003BD236D591}]
2005-05-12 07:47 135680 --a------ C:\Program Files\z16roskn\z16roskn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49C03043-39EE-4CBF-8FA9-D1EEFBD50A34}]
C:\Program Files\CSBB\CSBB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A25D449-2BAA-4426-A992-D18CA70CF5A9}]
C:\WINDOWS\system32\tzm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{533246BC-F554-41CB-BCE3-E682CA36E43D}]
2005-05-12 07:47 135680 --a------ C:\Program Files\z16roskn\z16roskn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6086F842-66F5-4700-936F-FD1AC3B88E68}]
2005-05-12 07:47 135680 --a------ C:\Program Files\z16roskn\z16roskn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C902F78-5FF1-4A20-A89C-F072E811F939}]
C:\Program Files\CSBB\CSBB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{819D0A6D-1AFF-49E4-B0C3-03349B1F3AC8}]
C:\Program Files\CSBB\CSBB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8251C34F-BFEC-46A5-9330-706F0531DA14}]
C:\Program Files\CSBB\CSBB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89658AFA-5D60-474C-B94B-E4B1D1681500}]
C:\Program Files\CSBB\CSBB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C930571-B657-49E8-871F-DC6589E3CBE7}]
2005-05-12 07:47 135680 --a------ C:\Program Files\z16roskn\z16roskn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9006DCAF-FC1E-4A71-92D9-CAC45EBA3D94}]
C:\Program Files\CSBB\CSBB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{93D7A4BE-9DFA-4E04-AAF4-65F48EBDD42A}]
2005-05-12 07:47 135680 --a------ C:\Program Files\z16roskn\z16roskn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95E4AFD9-4F86-4E7D-9104-068EEE0E9614}]
2005-05-12 07:47 135680 --a------ C:\Program Files\z16roskn\z16roskn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A5A5F23-B4AD-4323-9C4D-E55C4120E1CC}]
2005-05-12 07:47 135680 --a------ C:\Program Files\z16roskn\z16roskn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C148EE5-3AF6-43F7-9317-0F743E480636}]
C:\Program Files\CSBB\CSBB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B425796A-D395-4CDE-A985-2DE2ECC83957}]
2005-05-12 07:47 135680 --a------ C:\Program Files\z16roskn\z16roskn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7191A3A-51BB-4122-882F-2962B178DB57}]
2005-05-12 07:47 135680 --a------ C:\Program Files\z16roskn\z16roskn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B952ADBC-AC73-4FAC-A4FE-E9C169352C62}]
2005-05-12 07:47 135680 --a------ C:\Program Files\z16roskn\z16roskn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE5500D7-96BC-4455-8D89-EF80C00A4483}]
2005-05-12 07:47 135680 --a------ C:\Program Files\z16roskn\z16roskn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D36763E2-E97E-42BF-ABEB-ED2675D0FBE4}]
2005-05-12 07:47 135680 --a------ C:\Program Files\z16roskn\z16roskn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DE1E8E8F-9AD3-4BA3-A3EA-6B2C5EFD703E}]
C:\Program Files\CSBB\CSBB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E15F0656-969A-4C56-9EC4-8E2A4494DDCA}]
C:\Program Files\CSBB\CSBB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E2A071A7-A4B8-496D-BE15-B62B5F7BE6FF}]
C:\Program Files\CSBB\CSBB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6410C9F-6195-4B55-A4C0-440CBA6BF155}]
C:\Program Files\CSBB\CSBB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF914DE2-23AA-4743-9CC0-0E5B8A9D098F}]
2005-05-12 07:47 135680 --a------ C:\Program Files\z16roskn\z16roskn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FA8B79BA-1BE9-4D31-89D7-8312E7AE160F}]
2005-05-12 07:47 135680 --a------ C:\Program Files\z16roskn\z16roskn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE3DDC41-B10B-4BB6-ACA1-CD557B02B129}]
C:\Program Files\CSBB\CSBB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE6D51F3-CE99-4741-BA5F-A9DD581D40CF}]
2005-05-12 07:47 135680 --a------ C:\Program Files\z16roskn\z16roskn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2004-05-28 18:22 4882432]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 14:08 4670968]
"License Manager"="C:\Program Files\License_Manager\license_manager.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-10 22:01 68856]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-11-02 14:43 472632]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-01-11 21:45 4898816]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 10:37 2321600]
"WhenUSave"="C:\Program Files\Save\Save.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29 40960]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"Ujlisy"="C:\Program Files\Nkgxtn\Koftw.exe" [2005-08-19 21:32 37512]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"HookUpFinder"="C:\Program Files\HookUpFinder\HookUpFinder.Exe" [2006-03-07 14:38 221184]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51 257088]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-30 09:37 185632]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-02-23 16:32 126976]
"MAAgent"="C:\Program Files\MarkAny\ContentSafer\MAAgent.exe" [2007-01-30 20:36 57344]
"lphc3vtj0epa1"="C:\WINDOWS\system32\lphc3vtj0epa1.exe" [2008-06-04 20:28 92160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-01-11 21:45 4898816]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 16:51 192512]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Internet Answering Machine.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Internet Answering Machine.lnk
backup=C:\WINDOWS\pss\Internet Answering Machine.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\000StTHK]
--a------ 2001-06-23 23:28 24576 C:\WINDOWS\system32\000StTHK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00THotkey]
--a------ 2003-04-15 23:01 258048 C:\WINDOWS\System32\00THotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2003-04-18 14:20 88363 C:\WINDOWS\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2002-12-25 17:38 159744 C:\Program Files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bart Station]
C:\Program Files\ISP50\BIN\PPCOLink -STATION

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CashBack]
C:\Program Files\CashBack\bin\cashback.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2002-12-13 15:47 54512 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
--a------ 2002-12-13 15:47 58616 C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EbatesMoeMoneyMaker0]
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
--a------ 2002-08-20 13:29 40960 C:\WINDOWS\System32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hotbar]
C:\Program Files\Hotbar\bin\4.6.1.0\Hbinst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-04-07 03:07 114688 C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-04-07 03:19 155648 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
--a------ 2003-01-02 20:16 172032 C:\Program Files\ltmoh\Ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]
c:\docume~1\candy\locals~1\temp\msbb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2004-05-28 18:22 4882432 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NaviSearch]
C:\Program Files\NaviSearch\bin\nls.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDSTray.exe]
--a------ 2003-01-17 23:26 458752 C:\Program Files\Toshiba\ConfigFree\NDSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pifmgr]
--a------ 2005-01-29 18:38 54663 C:\WINDOWS\System32\pifmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
--a------ 2002-10-17 16:21 159744 C:\toshiba\ivp\ism\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PmProxy]
--a------ 2003-02-28 22:54 40960 C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rckajmyvyvudp]
C:\WINDOWS\System32\laesbpfl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2007-09-30 09:38 214296 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\requester]
--a------ 2005-01-02 12:29 27648 C:\WINDOWS\System32\requester.10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\satmat]
C:\WINDOWS\satmat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
-ra------ 2003-08-27 17:20 94208 C:\WINDOWS\SM1BG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
--a------ 2001-08-03 20:08 73728 C:\WINDOWS\system32\TFNF5.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TickSlow]
--a------ 2005-01-10 23:28 244819 C:\DOCUME~1\Candy\APPLIC~1\DVDBOR~1\Dent setup seek.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
--a------ 2003-01-21 21:00 126976 C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tpwrtray]
--a------ 2002-12-10 13:49 237568 C:\WINDOWS\system32\TPWRTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TSysSMon]
--a------ 2003-02-25 20:03 49152 c:\toshiba\sysstability\tsyssmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherOnTray]
C:\Program Files\Hotbar\bin\4.5.1.0\WeatherOnTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\z16roskn]
C:\Program Files\z16roskn\z16roskn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zzuq]
C:\PROGRA~1\COMMON~1\zzuq\zzuqm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\system32\\muzapp.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"C:\\Program Files\\CallWave\\IAM.exe"=

R3 wlags48b;Wireless LAN PCCard Driver;C:\WINDOWS\system32\DRIVERS\wlags48b.sys [2002-06-28 19:29]
S2 ISEXEng;ISEXEng;C:\WINDOWS\System32\angelex.exe []
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;C:\WINDOWS\system32\DRIVERS\cben5.sys [2001-08-17 08:13]
S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys [2008-06-05 16:04]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-10 02:00:02 C:\WINDOWS\Tasks\ADAB310F91B8A80B.job"
- c:\progra~1\dvdbor~1\USER DRAW PROC.exe
"2007-12-26 11:48:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2005-07-10 19:47:19 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1065242033.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-04-19 01:27:21 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2003-09-25 01:40:22 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-10 09:36:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\drivers\CDANTSRV.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-06-10 9:45:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-10 13:45:25

Pre-Run: 26,278,539,264 bytes free
Post-Run: 26,263,552,000 bytes free

332 --- E O F --- 2008-05-28 00:45:00
#14 pewee (Member, Topic Starter, 49 posts)
Not sure why it says Recovery Console is not installed. I did install it.
#15 Mike (Malware Monger, Retired Staff, 2,745 posts)
Hi there,

The rootkit infection you had is gone, so that's good news :)

We still have a lot of stuff to clean up though so I'll need to ask you to stick with me for a bit!

Please go to start > control panel > add or remove programs and uninstall:

MBKWBar
CSBB
HookUpFinder
HotBar
CashBack
Ebates_MoeMoneyMaker
NaviSearch


Then,

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • Click NO when it asks you if you want to scan for malware!

Next,

Open notepad and copy/paste the text in the quotebox below into it:

http://www.geekstogo...an-t207866.html
File::
C:\WINDOWS\system32\blphc3vtj0epa1.scr
C:\WINDOWS\system32\lphc3vtj0epa1.exe
C:\WINDOWS\system32\phc3vtj0epa1.bmp
C:\Documents and Settings\Candy\Application Data\tvmuknwrd.dll
C:\Documents and Settings\Candy\Application Data\tvmknwrd.dll
c:\docume~1\candy\locals~1\temp\msbb.exe
C:\WINDOWS\System32\requester.10.exe
C:\WINDOWS\satmat.exe
C:\DOCUME~1\Candy\APPLIC~1\DVDBOR~1\Dent setup seek.exe

Folder::
C:\Program Files\MBKWBar
C:\Documents and Settings\Candy\Application Data\shc5vtj0epa1
C:\Program Files\CSBB
C:\Program Files\HookUpFinder
C:\Program Files\Nkgxtn
C:\PROGRA~1\COMMON~1\zzuq
C:\Program Files\Hotbar
C:\Program Files\CashBack
C:\Program Files\Ebates_MoeMoneyMaker
C:\Program Files\NaviSearch

Driver::
ISEXEng

Suspect::[1]
C:\WINDOWS\{1AECDE68-1081-45C8-9BEA-C9481A24AD53}.dat
C:\WINDOWS\system32\16k0z.exe
C:\WINDOWS\system32\7xf2inu.dll
C:\WINDOWS\system32\f1tlarb.sys
C:\WINDOWS\system32\plivib6.exe
C:\WINDOWS\system32\{DDCA5DCC-AA28-48CB-B6F3-DEF1BA15A743}.dat
C:\WINDOWS\f1tlarb.sys

Collect::[1]
C:\Program Files\z16roskn
C:\WINDOWS\system32\tzm.dll
C:\WINDOWS\System32\pifmgr.exe
C:\WINDOWS\System32\laesbpfl.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00855933-F2CA-4D03-913C-BA6AF2D20D49}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{134F95DD-1F11-4BE7-BD49-715BEB12F8EB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18417486-220A-4F8E-8190-4E9C08CB0D15}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1AB08EBF-917D-4DA5-B753-9C9E99F6F82E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{230EDB2E-D555-46F3-B434-F746AADBB37E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2909C652-7E5F-41F1-915C-DE62390381B7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2BBAECC3-6C41-486B-BF8F-88B6290F3F60}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37B0A6A0-FC0D-4ACC-9939-EF7CC35E084D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3F820870-E549-4728-B391-397E47B82DA1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{401F7A17-0E47-4F50-9F65-9EF2C176E666}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4548BEED-6968-4849-9434-003BD236D591}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49C03043-39EE-4CBF-8FA9-D1EEFBD50A34}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A25D449-2BAA-4426-A992-D18CA70CF5A9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{533246BC-F554-41CB-BCE3-E682CA36E43D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6086F842-66F5-4700-936F-FD1AC3B88E68}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C902F78-5FF1-4A20-A89C-F072E811F939}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{819D0A6D-1AFF-49E4-B0C3-03349B1F3AC8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8251C34F-BFEC-46A5-9330-706F0531DA14}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89658AFA-5D60-474C-B94B-E4B1D1681500}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C930571-B657-49E8-871F-DC6589E3CBE7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9006DCAF-FC1E-4A71-92D9-CAC45EBA3D94}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{93D7A4BE-9DFA-4E04-AAF4-65F48EBDD42A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95E4AFD9-4F86-4E7D-9104-068EEE0E9614}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A5A5F23-B4AD-4323-9C4D-E55C4120E1CC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C148EE5-3AF6-43F7-9317-0F743E480636}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B425796A-D395-4CDE-A985-2DE2ECC83957}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7191A3A-51BB-4122-882F-2962B178DB57}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B952ADBC-AC73-4FAC-A4FE-E9C169352C62}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE5500D7-96BC-4455-8D89-EF80C00A4483}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D36763E2-E97E-42BF-ABEB-ED2675D0FBE4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DE1E8E8F-9AD3-4BA3-A3EA-6B2C5EFD703E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E15F0656-969A-4C56-9EC4-8E2A4494DDCA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E2A071A7-A4B8-496D-BE15-B62B5F7BE6FF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6410C9F-6195-4B55-A4C0-440CBA6BF155}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF914DE2-23AA-4743-9CC0-0E5B8A9D098F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FA8B79BA-1BE9-4D31-89D7-8312E7AE160F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE3DDC41-B10B-4BB6-ACA1-CD557B02B129}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE6D51F3-CE99-4741-BA5F-A9DD581D40CF}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WhenUSave"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ujlisy"=-
"HookUpFinder"=-
"lphc3vtj0epa1"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=-
"NoDispScrSavPage"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CashBack]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EbatesMoeMoneyMaker0]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hotbar]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NaviSearch]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pifmgr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rckajmyvyvudp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\requester]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\satmat]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TickSlow]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherOnTray]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\z16roskn]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zzuq]


Save this as CFScript.txt


Drag CFScript.txt into ComboFix.exe, the same way you dragged the Recovery Console package onto it.

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.

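The CFScript above was written by hand from the "Reg Loading Points" section of the ComboFix log. The patterns it targets are mechanical enough to check with a script, so here is an added Python example that does so. It is not part of the thread, of ComboFix or of HijackThis; SAMPLE_LOG is a constructed excerpt of the log posted earlier in this topic, and the finding names (`bho_clsid_spray`, `random_run_name`, `run_target_missing`, `desktop_tab_hidden`, `av_override`) and the thresholds are this example's own choices. It flags one DLL registered under many Browser Helper Object CLSIDs (z16roskn.dll), Run entries with machine-generated names or missing targets, the policy values that hide the Desktop and Screen Saver tabs (which is how the fake-wallpaper hijacker keeps its wallpaper in place), and the Security Center AntiVirusOverride flag.

```python
"""Triage a ComboFix 'Reg Loading Points' dump for common hijacker patterns.

Added example for this thread; not part of ComboFix, HijackThis or the
helper's CFScript. SAMPLE_LOG is a constructed excerpt of the log posted
above; the finding names and thresholds are this example's own choices.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00855933-F2CA-4D03-913C-BA6AF2D20D49}]
2005-05-12 07:47 135680 --a------ C:\Program Files\z16roskn\z16roskn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{134F95DD-1F11-4BE7-BD49-715BEB12F8EB}]
2005-05-12 07:47 135680 --a------ C:\Program Files\z16roskn\z16roskn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1AB08EBF-917D-4DA5-B753-9C9E99F6F82E}]
2005-05-12 07:47 135680 --a------ C:\Program Files\z16roskn\z16roskn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A25D449-2BAA-4426-A992-D18CA70CF5A9}]
C:\WINDOWS\system32\tzm.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"WhenUSave"="C:\Program Files\Save\Save.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"lphc3vtj0epa1"="C:\WINDOWS\system32\lphc3vtj0epa1.exe" [2008-06-04 20:28 92160]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"""

HEADER_RE = re.compile(r'^\[(.+)\]$')                 # [registry key]
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')      # "name"=value
BHO_PREFIX = 'HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\'
# all-lowercase alphanumerics, 10+ chars, letters and digits mixed: e.g. lphc3vtj0epa1
RANDOM_NAME_RE = re.compile(r'^(?=.*[a-z])(?=.*\d)[a-z0-9]{10,}$')


def parse_sections(text):
    """Group the dump into {key: [body lines]} using its [bracketed] headers."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
        elif current is not None:
            sections[current].append(line)
    return sections


def image_path(line):
    """Body lines may carry a 'date time size attrs' prefix before the path."""
    idx = line.find(':\\')
    return line[idx - 1:] if idx > 0 else line


def triage(text):
    """Return (finding, subject, detail) tuples for the suspicious patterns."""
    sections, findings = parse_sections(text), []
    # 1. One module behind many BHO CLSIDs: a legitimate BHO registers one.
    dll_to_clsids = defaultdict(list)
    for key, body in sections.items():
        if key.startswith(BHO_PREFIX) and body:
            dll_to_clsids[image_path(body[0]).lower()].append(key[len(BHO_PREFIX):])
    for dll, clsids in dll_to_clsids.items():
        if len(clsids) >= 3:
            findings.append(('bho_clsid_spray', dll, len(clsids)))
    for key, body in sections.items():
        low = key.lower()
        for line in body:
            m = VALUE_RE.match(line)
            if not m:
                continue
            name, rest = m.groups()
            # 2. Run entries: random-looking names, or targets ComboFix found missing ([ ]).
            if low.endswith('\\currentversion\\run'):
                path = rest.split('"')[1] if rest.startswith('"') else rest
                if RANDOM_NAME_RE.match(name):
                    findings.append(('random_run_name', name, path))
                if rest.rstrip().endswith('[ ]'):
                    findings.append(('run_target_missing', name, path))
            # 3. Policies that hide the Desktop / Screen Saver tabs from the user.
            elif low.endswith('\\policies\\system'):
                if name in ('NoDispBackgroundPage', 'NoDispScrSavPage') and rest.startswith('1'):
                    findings.append(('desktop_tab_hidden', name, key))
            # 4. Security Center told to stop warning about antivirus state.
            elif low.endswith('security center'):
                if name == 'AntiVirusOverride' and rest.strip().endswith('1'):
                    findings.append(('av_override', name, key))
    return findings


if __name__ == '__main__':
    for kind, subject, detail in triage(SAMPLE_LOG):
        print(f'{kind:20} {subject}  ({detail})')
```

Run it on a full ComboFix log by reading the file into `triage()`; it only reads the `[key]` / `"name"=value` lines, so the file-listing sections are ignored. The findings are hints for a human to verify against the rest of the log, not a removal list: `run_target_missing` in particular catches leftover entries from uninstalled software as readily as it catches malware.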