help! don't know what's wrong [RESOLVED]


This topic is locked

#1 blakh (Member, 21 posts)
I have tried following what the sticky says to do before posting a HijackThis log, but my computer freezes before I can get through anything. I have already attempted to make a thread 3 times, but it has restarted before I could submit.
My family had a German exchange student, and while she stayed with us she used my computer; since then it has been in terrible shape.
I am not sure what is wrong, but here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:41 AM, on 1/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\QdrModule\QdrModule10.exe
C:\Program Files\QdrPack\QdrPack11.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\rundll32.exe

#2 blakh (Topic Starter)
Sorry for not copying everything in the first one; here is another. This is after closing tasks, though (don't know if it makes a difference).
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:39:34 AM, on 1/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\program files\valve\steam\steam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [QdrModule10] "C:\Program Files\QdrModule\QdrModule10.exe"
O4 - HKCU\..\Run: [QdrPack11] "C:\Program Files\QdrPack\QdrPack11.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} (AMI DicomDir TreeView Control 2.1) - file://D:\CDVIEWER\CdViewer.cab
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 5726 bytes
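As an added illustration (not code from this thread, from Trend Micro, or from the helper who replied), here is a small Python parser for the HijackThis v2 log format posted above, plus a first-pass triage helper that groups the entry types a log reviewer reads first: O18 HTML filters, O2 BHOs, O4 autoruns cross-checked against the running-process list, and R1 proxy settings. The sample log is a constructed excerpt whose lines, paths and CLSIDs are taken from the log above; a bucket in the report means "needs a look", not "malicious".

```python
"""Parser and first-pass triage for HijackThis v2 log text (added example)."""
import ntpath
import re
from collections import defaultdict

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
# "<label>: <name> - <middle> - <path>" shape shared by O2, O9, O18 and O23 lines
TRIPLE_RE = re.compile(r"^(?P<label>[^:]+): (?P<name>.*?) - (?P<mid>.*?) - (?P<path>.*)$")
# O4 autorun lines: "<hive>\..\Run: [<name>] <command line>"
RUN_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# R0/R1 registry lines: "<key>,<value> = <data>"
REG_RE = re.compile(r"^(?P<key>.*?),(?P<value>.*?) = (?P<data>.*)$")

# Constructed excerpt in the format of the log above; paths and CLSIDs are the thread's own.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [QdrModule10] "C:\Program Files\QdrModule\QdrModule10.exe"
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""


def exe_from_command(cmd):
    """Return the program path from an autorun command line, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):  # quoted path, possibly containing spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(.*?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def stem(path):
    """Lower-cased file name without extension; ntpath splits backslashes on any OS."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def parse_hijackthis(text):
    """Return (running process paths, entry dicts) from HijackThis log text."""
    processes, entries, in_processes = [], [], False
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            in_processes = False  # a blank line closes the process block
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines such as "Logfile of ..." or "Platform:"
        code, body = m.group("code"), m.group("body")
        entry = {"code": code, "raw": line}
        if code == "O4" and (r := RUN_RE.match(body)):
            entry.update(r.groupdict(), path=exe_from_command(r.group("cmd")))
        elif code.startswith("R") and (r := REG_RE.match(body)):
            entry.update(r.groupdict())
        elif t := TRIPLE_RE.match(body):
            entry.update(t.groupdict())
        entries.append(entry)
    return processes, entries


def triage(processes, entries):
    """Group the entry types a reviewer reads first. A bucket means 'look at
    this', not 'malicious': legitimate software uses every one of these hooks."""
    running = {stem(p) for p in processes}
    report = defaultdict(list)
    for e in entries:
        code = e["code"]
        if code == "O18":  # a text/html filter sees every page the browser renders
            report["filter_hijacks"].append(e.get("path", e["raw"]))
        elif code == "O2":
            report["bhos"].append((e.get("name"), e.get("path")))
        elif code == "O4" and "path" in e:
            key = "autoruns_running" if stem(e["path"]) in running else "autoruns_not_running"
            report[key].append(stem(e["path"]))
        elif code.startswith("R") and e.get("value") == "ProxyServer":
            report["proxy_settings"].append(e["data"])
    return dict(report)


if __name__ == "__main__":
    procs, ents = parse_hijackthis(SAMPLE_LOG)
    for bucket, items in triage(procs, ents).items():
        print(f"{bucket}: {items}")
```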

#3 JSntgRvr (Global Moderator)
Hi, blakh :)

Welcome.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" in your next reply.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply along with a Hijackthis log.
  • Click Close to exit the program.


#4 blakh (Topic Starter)
ComboFix 08-01-10.2 - Anwar Huneidi 2008-01-11 2:27:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.247 [GMT -8:00]
Running from: C:\Documents and Settings\Anwar Huneidi\Desktop\ComboFix.exe
* Created a new restore point
.
The following files were disabled during the run:
C:\WINDOWS\system32\sockspy.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Anwar Huneidi\Application Data\macromedia\Flash Player\#SharedObjects\KCAQGE7A\www.broadcaster.com
C:\Documents and Settings\Anwar Huneidi\Application Data\macromedia\Flash Player\#SharedObjects\KCAQGE7A\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Anwar Huneidi\Application Data\macromedia\Flash Player\#SharedObjects\KCAQGE7A\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Anwar Huneidi\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Anwar Huneidi\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Anwar Huneidi\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Anwar Huneidi\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Anwar Huneidi\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-11 to 2008-01-11 )))))))))))))))))))))))))))))))
.

2008-01-11 02:26 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-10 01:11 . 2008-01-10 01:11 <DIR> d-------- C:\Program Files\CUE Splitter
2008-01-07 01:28 . 2008-01-07 01:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-02 03:17 . 2008-01-02 03:17 1,033 --a------ C:\Ugxu.exe
2008-01-02 03:17 . 2008-01-02 03:17 1,033 --a------ C:\iIbs.exe
2007-12-28 23:40 . 2007-12-28 23:40 <DIR> d-------- C:\Program Files\RcvSystem
2007-12-26 20:49 . 2007-12-26 20:49 <DIR> d-------- C:\Program Files\Comcast
2007-12-26 20:49 . 2007-12-26 20:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2007-12-26 20:49 . 2007-05-17 13:43 15,086 --a------ C:\WINDOWS\ComcastWebmail.ico
2007-12-26 20:46 . 2007-12-26 20:46 1,140 --a------ C:\net_save.dna
2007-12-26 20:45 . 2007-12-26 20:45 <DIR> d-------- C:\Program Files\support.com
2007-12-26 20:45 . 2007-12-26 20:45 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
2007-12-23 23:32 . 2007-12-23 23:32 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-23 23:32 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-23 03:26 . 2007-12-23 03:26 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\DivX
2007-12-20 18:37 . 2008-01-10 13:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-20 18:37 . 2007-12-20 18:37 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 10:34 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2008-01-10 22:41 --------- d-----w C:\Documents and Settings\Anwar Huneidi\Application Data\Azureus
2008-01-09 23:03 --------- d-----w C:\Program Files\World of Warcraft
2007-12-25 07:36 --------- d-----w C:\Program Files\Azureus
2007-12-24 07:32 --------- d-----w C:\Program Files\Java
2007-12-11 23:14 --------- d-----w C:\Program Files\Winamp
2007-12-09 12:09 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-08 20:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-07 22:22 --------- d-----w C:\Program Files\iTunes
2007-12-07 22:21 --------- d-----w C:\Program Files\iPod
2007-12-07 22:18 --------- d-----w C:\Program Files\QuickTime
2007-11-25 12:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-25 12:05 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-11-25 06:22 --------- d-----w C:\Documents and Settings\Anwar Huneidi\Application Data\SUPERAntiSpyware.com
2007-11-25 06:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-24 21:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-24 21:46 --------- d-----w C:\Program Files\Microsoft Works
2007-11-24 21:45 --------- d-----w C:\Program Files\MSBuild
2007-11-24 05:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-20 12:11 --------- d-----w C:\Documents and Settings\Administrator.ANWAR\Application Data\Bitdefender
2007-11-17 03:08 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 07:25 8,454,584 ----a-w C:\winamp55_full_emusic-7plus_en-us.exe
2007-10-31 21:03 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-01-19 09:57 92,064 -c--a-w C:\Documents and Settings\Anwar Huneidi\mqdmmdm.sys
2007-01-19 09:57 9,232 -c--a-w C:\Documents and Settings\Anwar Huneidi\mqdmmdfl.sys
2007-01-19 09:57 79,328 -c--a-w C:\Documents and Settings\Anwar Huneidi\mqdmserd.sys
2007-01-19 09:57 66,656 -c--a-w C:\Documents and Settings\Anwar Huneidi\mqdmbus.sys
2007-01-19 09:57 6,208 -c--a-w C:\Documents and Settings\Anwar Huneidi\mqdmcmnt.sys
2007-01-19 09:57 5,936 -c--a-w C:\Documents and Settings\Anwar Huneidi\mqdmwhnt.sys
2007-01-19 09:57 4,048 -c--a-w C:\Documents and Settings\Anwar Huneidi\mqdmcr.sys
2007-01-19 09:57 25,600 -c--a-w C:\Documents and Settings\Anwar Huneidi\usbsermptxp.sys
2007-01-19 09:57 22,768 -c--a-w C:\Documents and Settings\Anwar Huneidi\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{875A1348-7674-42aa-ADAC-B4F36A004A2D}]
C:\Program Files\QdrDrive\QdrDrive8.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35 67112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-04-14 02:24 69632]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 04:00 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-03-06 21:06 5181440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Anwar Huneidi^Start Menu^Programs^Startup^Anapod Manager.lnk]
path=C:\Documents and Settings\Anwar Huneidi\Start Menu\Programs\Startup\Anapod Manager.lnk
backup=C:\WINDOWS\pss\Anapod Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 15:35 67112 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-11-16 19:04 139264 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
--a------ 2007-04-19 14:21 198184 C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 13:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-03-06 21:06 5181440 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-01-19 23:09 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule10]
C:\Program Files\QdrModule\QdrModule10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack11]
C:\Program Files\QdrPack\QdrPack11.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-14 23:43 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-11-30 13:12 1266936 c:\program files\valve\steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-10-09 21:28 36352 C:\Program Files\Winamp\winampa.exe

R1 bdftdif;BitDefender Firewall TDI Filter;C:\Program Files\Common Files\Softwin\BitDefender Firewall\bdftdif.sys [2007-02-15 08:41]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2007-02-15 07:41]
R3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\FA312nd5.sys [2001-08-17 12:12]
S3 Razerlow;Razer Copperhead Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-08-12 09:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0d30784-8a7f-11dc-8c79-000d87bc707c}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F3E5D49A-C1F4-FFD8-651F-7DED939481DF}]
C:\WINDOWS: .exe
.
Contents of the 'Scheduled Tasks' folder
"2007-12-28 20:46:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-01 19:20:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-11 02:34:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\sockspy.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\sockspy.dll
.
Completion time: 2008-01-11 2:35:00
ComboFix-quarantined-files.txt 2008-01-11 10:34:33
.
2007-12-22 11:04:17 --- E O F ---

----------------------------------------------------------------------------------------------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/11/2008 at 03:37 AM

Application Version : 3.9.1008

Core Rules Database Version : 3349
Trace Rules Database Version: 1349

Scan type : Complete Scan
Total Scan Time : 00:57:50

Memory items scanned : 437
Memory threats detected : 0
Registry items scanned : 5393
Registry threats detected : 10
File items scanned : 35688
File threats detected : 78

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{875A1348-7674-42aa-ADAC-B4F36A004A2D}
HKCR\CLSID\{875A1348-7674-42AA-ADAC-B4F36A004A2D}
HKCR\CLSID\{875A1348-7674-42AA-ADAC-B4F36A004A2D}
HKCR\CLSID\{875A1348-7674-42AA-ADAC-B4F36A004A2D}#AppID
HKCR\CLSID\{875A1348-7674-42AA-ADAC-B4F36A004A2D}\InprocServer32
HKCR\CLSID\{875A1348-7674-42AA-ADAC-B4F36A004A2D}\InprocServer32#ThreadingModel
HKCR\CLSID\{875A1348-7674-42AA-ADAC-B4F36A004A2D}\ProgID
HKCR\CLSID\{875A1348-7674-42AA-ADAC-B4F36A004A2D}\TypeLib
HKCR\CLSID\{875A1348-7674-42AA-ADAC-B4F36A004A2D}\VersionIndependentProgID
C:\PROGRAM FILES\QDRDRIVE\QDRDRIVE8.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{875A1348-7674-42aa-ADAC-B4F36A004A2D}
C:\SYSTEM VOLUME INFORMATION\_RESTORE{32F4080D-E1F0-402B-8442-7BC3795FE35E}\RP288\A0285452.DLL

Adware.Tracking Cookie

Adware.Vundo-Variant/Small
C:\SYSTEM VOLUME INFORMATION\_RESTORE{32F4080D-E1F0-402B-8442-7BC3795FE35E}\RP254\A0216086.DLL




----------------------------------------------------------------------------------------------------------------------



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:12:14 AM, on 1/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} (AMI DicomDir TreeView Control 2.1) - file://D:\CDVIEWER\CdViewer.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 4949 bytes



I think I did everything right. Well, let me know what to do next.
Thanks

Edited by blakh, 11 January 2008 - 06:17 AM.


#5 JSntgRvr (Global Moderator, 11,539 posts)

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • Save it on the desktop

Suspect::
C:\Ugxu.exe
C:\iIbs.exe
C:\net_save.dna

Folder::
C:\Program Files\QdrDrive
C:\Program Files\QdrPack

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{875A1348-7674-42aa-ADAC-B4F36A004A2D}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule10]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack11]


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply along with a HijackThis log.

Additionally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip. Please submit this file to:

http://www.bleepingc...e.php?channel=4


Please include a link to this topic in the message.

#6 blakh (Topic Starter, Member, 21 posts)

ComboFix 08-01-10.2 - Anwar Huneidi 2008-01-11 23:48:07.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.532 [GMT -8:00]
Running from: C:\Documents and Settings\Anwar Huneidi\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Anwar Huneidi\Desktop\CFScript.txt
* Created a new restore point
.
The following files were disabled during the run:
C:\WINDOWS\system32\sockspy.dll


((((((((((((((((((((((((( Files Created from 2007-12-12 to 2008-01-12 )))))))))))))))))))))))))))))))
.

2008-01-11 02:26 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-10 01:11 . 2008-01-10 01:11 <DIR> d-------- C:\Program Files\CUE Splitter
2008-01-07 01:28 . 2008-01-07 01:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-02 03:17 . 2008-01-02 03:17 1,033 --a------ C:\Ugxu.exe
2008-01-02 03:17 . 2008-01-02 03:17 1,033 --a------ C:\iIbs.exe
2007-12-28 23:40 . 2007-12-28 23:40 <DIR> d-------- C:\Program Files\RcvSystem
2007-12-26 20:49 . 2007-12-26 20:49 <DIR> d-------- C:\Program Files\Comcast
2007-12-26 20:49 . 2007-12-26 20:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2007-12-26 20:49 . 2007-05-17 13:43 15,086 --a------ C:\WINDOWS\ComcastWebmail.ico
2007-12-26 20:46 . 2007-12-26 20:46 1,140 --a------ C:\net_save.dna
2007-12-26 20:45 . 2007-12-26 20:45 <DIR> d-------- C:\Program Files\support.com
2007-12-26 20:45 . 2007-12-26 20:45 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
2007-12-23 23:32 . 2007-12-23 23:32 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-23 23:32 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-23 03:26 . 2007-12-23 03:26 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\DivX
2007-12-20 18:37 . 2008-01-10 13:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-20 18:37 . 2007-12-20 18:37 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-12 07:47 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2008-01-11 23:49 --------- d-----w C:\Documents and Settings\Anwar Huneidi\Application Data\Azureus
2008-01-11 12:10 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-01-11 10:36 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-09 23:03 --------- d-----w C:\Program Files\World of Warcraft
2007-12-25 07:36 --------- d-----w C:\Program Files\Azureus
2007-12-24 07:32 --------- d-----w C:\Program Files\Java
2007-12-11 23:14 --------- d-----w C:\Program Files\Winamp
2007-12-09 12:09 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-08 20:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-07 22:22 --------- d-----w C:\Program Files\iTunes
2007-12-07 22:21 --------- d-----w C:\Program Files\iPod
2007-12-07 22:18 --------- d-----w C:\Program Files\QuickTime
2007-11-25 06:22 --------- d-----w C:\Documents and Settings\Anwar Huneidi\Application Data\SUPERAntiSpyware.com
2007-11-25 06:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-24 21:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-24 21:46 --------- d-----w C:\Program Files\Microsoft Works
2007-11-24 21:45 --------- d-----w C:\Program Files\MSBuild
2007-11-24 05:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-20 12:11 --------- d-----w C:\Documents and Settings\Administrator.ANWAR\Application Data\Bitdefender
2007-11-17 03:08 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 07:25 8,454,584 ----a-w C:\winamp55_full_emusic-7plus_en-us.exe
2007-10-31 21:03 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-01-19 09:57 92,064 -c--a-w C:\Documents and Settings\Anwar Huneidi\mqdmmdm.sys
2007-01-19 09:57 9,232 -c--a-w C:\Documents and Settings\Anwar Huneidi\mqdmmdfl.sys
2007-01-19 09:57 79,328 -c--a-w C:\Documents and Settings\Anwar Huneidi\mqdmserd.sys
2007-01-19 09:57 66,656 -c--a-w C:\Documents and Settings\Anwar Huneidi\mqdmbus.sys
2007-01-19 09:57 6,208 -c--a-w C:\Documents and Settings\Anwar Huneidi\mqdmcmnt.sys
2007-01-19 09:57 5,936 -c--a-w C:\Documents and Settings\Anwar Huneidi\mqdmwhnt.sys
2007-01-19 09:57 4,048 -c--a-w C:\Documents and Settings\Anwar Huneidi\mqdmcr.sys
2007-01-19 09:57 25,600 -c--a-w C:\Documents and Settings\Anwar Huneidi\usbsermptxp.sys
2007-01-19 09:57 22,768 -c--a-w C:\Documents and Settings\Anwar Huneidi\usbsermpt.sys
.

((((((((((((((((((((((((((((( [email protected]_ 2.34.12.84 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-11 10:27:09 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-12 07:47:22 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-11 10:27:09 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-12 07:47:22 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-11 10:27:09 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-12 07:47:22 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-11 10:27:09 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-12 07:47:22 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-11 10:27:10 5,210,112 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-12 07:47:23 5,210,112 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-11 10:27:10 143,360 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-12 07:47:23 143,360 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-11 10:36:36 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2008-01-11 10:36:36 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-01-11 10:36:36 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35 67112]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-04-14 02:24 69632]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 04:00 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-03-06 21:06 5181440]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Anwar Huneidi^Start Menu^Programs^Startup^Anapod Manager.lnk]
path=C:\Documents and Settings\Anwar Huneidi\Start Menu\Programs\Startup\Anapod Manager.lnk
backup=C:\WINDOWS\pss\Anapod Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 15:35 67112 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-11-16 19:04 139264 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
--a------ 2007-04-19 14:21 198184 C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 13:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-03-06 21:06 5181440 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-01-19 23:09 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-14 23:43 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-11-30 13:12 1266936 c:\program files\valve\steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-10-09 21:28 36352 C:\Program Files\Winamp\winampa.exe

R1 bdftdif;BitDefender Firewall TDI Filter;C:\Program Files\Common Files\Softwin\BitDefender Firewall\bdftdif.sys [2007-02-15 08:41]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2007-02-15 07:41]
R3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\FA312nd5.sys [2001-08-17 12:12]
S3 Razerlow;Razer Copperhead Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-08-12 09:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0d30784-8a7f-11dc-8c79-000d87bc707c}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F3E5D49A-C1F4-FFD8-651F-7DED939481DF}]
C:\WINDOWS: .exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 20:46:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-01 19:20:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-11 23:52:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-11 23:53:00
ComboFix-quarantined-files.txt 2008-01-12 07:52:38
ComboFix2.txt 2008-01-11 10:35:01
.
2007-12-22 11:04:17 --- E O F ---



--------------------------------------------------------------------------------------------------------




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:24 AM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} (AMI DicomDir TreeView Control 2.1) - file://D:\CDVIEWER\CdViewer.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 4954 bytes


Threw in a HijackThis log just in case you needed it, and one more thing:
a question out of my curiosity. When I submitted the file to Bleeping Computer, what do they do with it / why do they need it?

#7 JSntgRvr (Global Moderator, 11,539 posts)

Hi, blakh :)

When we collect files, these are checked against various scanners and submitted to Antivirus developers.

Here are the results on yours:

File iIbs.exe received on 12.27.2007 03:14:17 (CET)
Current status: finished
Result: 1/32 (3.12%)
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - -
F-Secure - - -
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - Generic.Malware
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - -
Additional information
MD5: 2c9815aa2d9c9ca93a26c76ee3a0b65c
SHA1: a9def257cc9cfc3965b710101716803b9818dba4
SHA256: ff767d679a2d22add230f73a2a59206a55e4bad53370ab096d0feed93b96d756
SHA512: eae0753d12fc089da02c0f5a472659337e52a98e76666f84edd784db7fc33b7211b182eb03c43511e10264b421683f4070f26b954f22c9a4045859411f4c9ca2

File Ugxu.exe received on 12.27.2007 03:14:17 (CET)
Current status: finished
Result: 1/32 (3.12%)
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - -
F-Secure - - -
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - Generic.Malware
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - -
Additional information
MD5: 2c9815aa2d9c9ca93a26c76ee3a0b65c
SHA1: a9def257cc9cfc3965b710101716803b9818dba4
SHA256: ff767d679a2d22add230f73a2a59206a55e4bad53370ab096d0feed93b96d756
SHA512: eae0753d12fc089da02c0f5a472659337e52a98e76666f84edd784db7fc33b7211b182eb03c43511e10264b421683f4070f26b954f22c9a4045859411f4c9ca2

File net_save.dna received on 01.12.2008 21:45:06 (CET)
Result: 0/32 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.1.12.10 2008.01.11 -
AntiVir 7.6.0.46 2008.01.11 -
Authentium 4.93.8 2008.01.12 -
Avast 4.7.1098.0 2008.01.12 -
AVG 7.5.0.516 2008.01.12 -
BitDefender 7.2 2008.01.12 -
CAT-QuickHeal 9.00 2008.01.12 -
ClamAV 0.91.2 2008.01.11 -
DrWeb 4.44.0.09170 2008.01.12 -
eSafe 7.0.15.0 2008.01.10 -
eTrust-Vet 31.3.5451 2008.01.11 -
Ewido 4.0 2008.01.12 -
FileAdvisor 1 2008.01.12 -
Fortinet 3.14.0.0 2008.01.12 -
F-Prot 4.4.2.54 2008.01.11 -
F-Secure 6.70.13030.0 2008.01.12 -
Ikarus T3.1.1.20 2008.01.12 -
Kaspersky 7.0.0.125 2008.01.12 -
McAfee 5205 2008.01.11 -
Microsoft 1.3109 2008.01.12 -
NOD32v2 2786 2008.01.12 -
Norman 5.80.02 2008.01.11 -
Panda 9.0.0.4 2008.01.12 -
Prevx1 V2 2008.01.12 -
Rising 20.26.52.00 2008.01.12 -
Sophos 4.24.0 2008.01.12 -
Sunbelt 2.2.907.0 2008.01.12 -
Symantec 10 2008.01.12 -
TheHacker 6.2.9.186 2008.01.11 -
VBA32 3.12.2.5 2008.01.12 -
VirusBuster 4.3.26:9 2008.01.12 -
Webwasher-Gateway 6.6.2 2008.01.12 -
Additional information
File size: 1140 bytes
MD5: 31770b319cb0de25873db4a0c61ca8ec
SHA1: 492a24cd45c65d1ef23ca596a6cf93714186bc9f
PEiD: -
packers: UTF-8

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • Save it on the desktop

File::
C:\Ugxu.exe
C:\iIbs.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F3E5D49A-C1F4-FFD8-651F-7DED939481DF}]


Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a HijackThis log.

Test the computer and let me know how it is doing.
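The multi-engine results JSntgRvr pasted above follow a plain-text layout: a "File ... received on" header, a "Result: n/m" line, one row per engine with the verdict in the last column, then an "Additional information" block with the hashes. The script below is an added example (not part of this thread, and not code from VirusTotal, ComboFix or HijackThis) that parses that layout, recounts the detections per file so the stated ratio can be checked, and groups the submitted files by hash. The sample text embedded in it is a constructed, abbreviated excerpt modelled on the three reports above; the hash values are the ones the thread shows.

```python
"""Parse text reports in the layout quoted in the thread and cross-reference
the submitted files by hash.

Added example; not part of the thread or of any tool it mentions. The report
text below is a constructed, trimmed excerpt (four engines per file instead
of 32) built from the results posted above.
"""
import re
from collections import defaultdict

# Constructed sample input modelled on the three reports in the thread.
SAMPLE_REPORTS = """\
File iIbs.exe received on 12.27.2007 03:14:17 (CET)
Current status: finished
Result: 1/32 (3.12%)
Antivirus Version Last Update Result
AhnLab-V3 - - -
Kaspersky - - -
Prevx1 - - Generic.Malware
Webwasher-Gateway - - -
Additional information
MD5: 2c9815aa2d9c9ca93a26c76ee3a0b65c
SHA1: a9def257cc9cfc3965b710101716803b9818dba4

File Ugxu.exe received on 12.27.2007 03:14:17 (CET)
Current status: finished
Result: 1/32 (3.12%)
Antivirus Version Last Update Result
AhnLab-V3 - - -
Kaspersky - - -
Prevx1 - - Generic.Malware
Webwasher-Gateway - - -
Additional information
MD5: 2c9815aa2d9c9ca93a26c76ee3a0b65c
SHA1: a9def257cc9cfc3965b710101716803b9818dba4

File net_save.dna received on 01.12.2008 21:45:06 (CET)
Result: 0/32 (0%)
Antivirus Version Last Update Result
AhnLab-V3 2008.1.12.10 2008.01.11 -
Kaspersky 7.0.0.125 2008.01.12 -
Prevx1 V2 2008.01.12 -
Webwasher-Gateway 6.6.2 2008.01.12 -
Additional information
File size: 1140 bytes
MD5: 31770b319cb0de25873db4a0c61ca8ec
SHA1: 492a24cd45c65d1ef23ca596a6cf93714186bc9f
"""

FILE_RE = re.compile(r"^File (\S+) received on")
RESULT_RE = re.compile(r"^Result: (\d+)/(\d+)")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256): ([0-9a-f]+)$")


def parse_reports(text):
    """Split the text into one dict per 'File ... received on' block."""
    reports = []
    current = None
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            current = {"file": m.group(1), "detections": {}, "hashes": {}, "stated": None}
            reports.append(current)
            in_table = False
            continue
        if current is None:
            continue
        m = RESULT_RE.match(line)
        if m:
            current["stated"] = (int(m.group(1)), int(m.group(2)))
            continue
        if line.startswith("Antivirus Version Last Update Result"):
            in_table = True
            continue
        if line.startswith("Additional information"):
            in_table = False
            continue
        m = HASH_RE.match(line)
        if m:
            current["hashes"][m.group(1)] = m.group(2)
            continue
        if in_table and line:
            # Row layout: engine, version, last update, result. The verdict is
            # the last token; a bare '-' means the engine flagged nothing.
            parts = line.split()
            engine, verdict = parts[0], parts[-1]
            if verdict != "-":
                current["detections"][engine] = verdict
    return reports


def detection_count(report):
    return len(report["detections"])


def stated_ratio_matches(report):
    """True when the recounted detections agree with the report's own 'n/m'
    line (only n is comparable here, since the sample rows are trimmed)."""
    stated = report["stated"]
    return stated is not None and stated[0] == detection_count(report)


def group_by_hash(reports, algo="SHA1"):
    """Map each hash to the file names carrying it: identical hashes mean
    identical content, whatever name the file has on disk."""
    groups = defaultdict(list)
    for r in reports:
        h = r["hashes"].get(algo)
        if h:
            groups[h].append(r["file"])
    return dict(groups)


def duplicate_files(reports, algo="SHA1"):
    """Lists of file names that share one hash, i.e. copies of the same file."""
    return [names for names in group_by_hash(reports, algo).values() if len(names) > 1]


if __name__ == "__main__":
    reps = parse_reports(SAMPLE_REPORTS)
    for r in reps:
        print(f"{r['file']}: {detection_count(r)} detection(s) {r['detections']}")
    print("same content under different names:", duplicate_files(reps))
```

Run against the thread's own numbers, the grouping step shows what the two one-engine verdicts already hinted at: iIbs.exe and Ugxu.exe carry the same MD5 and SHA1, so they are one file dropped twice under different names (the earlier ComboFix log lists both at 1,033 bytes, created in the same second), which is why a single CFScript entry can cover both. net_save.dna has a distinct hash and no detections in the posted results.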

#8 blakh (Topic Starter, Member, 21 posts)

ComboFix 08-01-10.2 - Anwar Huneidi 2008-01-12 15:27:26.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.585 [GMT -8:00]
Running from: C:\Documents and Settings\Anwar Huneidi\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Anwar Huneidi\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\iIbs.exe
C:\Ugxu.exe
.
The following files were disabled during the run:
C:\WINDOWS\system32\sockspy.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\iIbs.exe
C:\Ugxu.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-12 to 2008-01-12 )))))))))))))))))))))))))))))))
.

2008-01-11 02:26 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-10 01:11 . 2008-01-10 01:11 <DIR> d-------- C:\Program Files\CUE Splitter
2008-01-07 01:28 . 2008-01-07 01:28 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-28 23:40 . 2007-12-28 23:40 <DIR> d-------- C:\Program Files\RcvSystem
2007-12-26 20:49 . 2007-12-26 20:49 <DIR> d-------- C:\Program Files\Comcast
2007-12-26 20:49 . 2007-12-26 20:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2007-12-26 20:49 . 2007-05-17 13:43 15,086 --a------ C:\WINDOWS\ComcastWebmail.ico
2007-12-26 20:46 . 2007-12-26 20:46 1,140 --a------ C:\net_save.dna
2007-12-26 20:45 . 2007-12-26 20:45 <DIR> d-------- C:\Program Files\support.com
2007-12-26 20:45 . 2007-12-26 20:45 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
2007-12-23 23:32 . 2007-12-23 23:32 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-23 23:32 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-23 03:26 . 2007-12-23 03:26 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-12 23:29 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2008-01-12 22:21 --------- d-----w C:\Documents and Settings\Anwar Huneidi\Application Data\Azureus
2008-01-11 12:10 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-01-11 10:36 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-09 23:03 --------- d-----w C:\Program Files\World of Warcraft
2007-12-25 07:36 --------- d-----w C:\Program Files\Azureus
2007-12-24 07:32 --------- d-----w C:\Program Files\Java
2007-12-11 23:14 --------- d-----w C:\Program Files\Winamp
2007-12-09 12:09 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-08 20:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-07 22:22 --------- d-----w C:\Program Files\iTunes
2007-12-07 22:21 --------- d-----w C:\Program Files\iPod
2007-12-07 22:18 --------- d-----w C:\Program Files\QuickTime
2007-11-25 06:22 --------- d-----w C:\Documents and Settings\Anwar Huneidi\Application Data\SUPERAntiSpyware.com
2007-11-25 06:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-24 21:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-24 21:46 --------- d-----w C:\Program Files\Microsoft Works
2007-11-24 21:45 --------- d-----w C:\Program Files\MSBuild
2007-11-24 05:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-20 12:11 --------- d-----w C:\Documents and Settings\Administrator.ANWAR\Application Data\Bitdefender
2007-11-17 03:08 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 07:25 8,454,584 ----a-w C:\winamp55_full_emusic-7plus_en-us.exe
2007-10-31 21:03 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-01-19 09:57 92,064 -c--a-w C:\Documents and Settings\Anwar Huneidi\mqdmmdm.sys
2007-01-19 09:57 9,232 -c--a-w C:\Documents and Settings\Anwar Huneidi\mqdmmdfl.sys
2007-01-19 09:57 79,328 -c--a-w C:\Documents and Settings\Anwar Huneidi\mqdmserd.sys
2007-01-19 09:57 66,656 -c--a-w C:\Documents and Settings\Anwar Huneidi\mqdmbus.sys
2007-01-19 09:57 6,208 -c--a-w C:\Documents and Settings\Anwar Huneidi\mqdmcmnt.sys
2007-01-19 09:57 5,936 -c--a-w C:\Documents and Settings\Anwar Huneidi\mqdmwhnt.sys
2007-01-19 09:57 4,048 -c--a-w C:\Documents and Settings\Anwar Huneidi\mqdmcr.sys
2007-01-19 09:57 25,600 -c--a-w C:\Documents and Settings\Anwar Huneidi\usbsermptxp.sys
2007-01-19 09:57 22,768 -c--a-w C:\Documents and Settings\Anwar Huneidi\usbsermpt.sys
.

((((((((((((((((((((((((((((( [email protected]_ 2.34.12.84 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-30 16:53:32 360,832 ----a-w C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB941644\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB941644\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB941644\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941644\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB941644\update\updspapi.dll
+ 2007-11-07 09:50:47 727,040 ----a-w C:\WINDOWS\$hf_mig$\KB943485\SP2QFE\lsasrv.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB943485\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB943485\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB943485\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB943485\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB943485\update\updspapi.dll
- 2008-01-11 10:27:09 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-12 23:27:17 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-11 10:27:09 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-12 23:27:18 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-11 10:27:09 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-12 23:27:18 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-11 10:27:09 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-12 23:27:18 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-11 10:27:10 5,210,112 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-12 23:27:19 5,210,112 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-11 10:27:10 143,360 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-12 23:27:19 143,360 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-11 10:36:36 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2008-01-11 10:36:36 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-01-11 10:36:36 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2006-08-17 12:28:27 721,920 -c--a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
+ 2007-11-07 09:26:56 721,920 -c--a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
- 2006-04-20 11:51:50 359,808 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
+ 2007-10-30 17:20:55 360,064 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
- 2006-04-20 11:51:50 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
+ 2007-10-30 17:20:55 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
- 2007-12-02 23:00:05 18,684,536 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-01-02 18:21:36 17,642,616 ----a-w C:\WINDOWS\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35 67112]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-04-14 02:24 69632]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 04:00 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-03-06 21:06 5181440]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Anwar Huneidi^Start Menu^Programs^Startup^Anapod Manager.lnk]
path=C:\Documents and Settings\Anwar Huneidi\Start Menu\Programs\Startup\Anapod Manager.lnk
backup=C:\WINDOWS\pss\Anapod Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 15:35 67112 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-11-16 19:04 139264 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
--a------ 2007-04-19 14:21 198184 C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 13:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-03-06 21:06 5181440 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-01-19 23:09 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-14 23:43 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-11-30 13:12 1266936 c:\program files\valve\steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-10-09 21:28 36352 C:\Program Files\Winamp\winampa.exe

R1 bdftdif;BitDefender Firewall TDI Filter;C:\Program Files\Common Files\Softwin\BitDefender Firewall\bdftdif.sys [2007-02-15 08:41]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2007-02-15 07:41]
R3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\FA312nd5.sys [2001-08-17 12:12]
S3 Razerlow;Razer Copperhead Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-08-12 09:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0d30784-8a7f-11dc-8c79-000d87bc707c}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 20:46:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-01 19:20:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-12 15:32:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-12 15:33:26
ComboFix-quarantined-files.txt 2008-01-12 23:33:05
ComboFix2.txt 2008-01-12 07:53:01
ComboFix3.txt 2008-01-11 10:35:01
.
2008-01-12 11:02:05 --- E O F ---



----------------------------------------------------------------------------------------------------------



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:48:19 PM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} (AMI DicomDir TreeView Control 2.1) - file://D:\CDVIEWER\CdViewer.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 4867 bytes


And I will let you know how it's running real soon here.
Thanks for the help :)
  • 0

#9
JSntgRvr
  • Global Moderator
  • 11,539 posts
Will wait for your reply. :)
  • 0

#10
blakh
  • Topic Starter
  • Member
  • 21 posts
It is still freezing up and restarting itself :)

Start up is the worst. Before I had any problems it would start up fine, and quick.
Now I get a bunch of stuff opening that wasn't before, and half the time it freezes and restarts.
(This was occurring before you started helping me also.)

Edited by blakh, 13 January 2008 - 12:50 AM.

  • 0

#11
JSntgRvr
  • Global Moderator
  • 11,539 posts

It is still freezing up and restarting itself :)

Start up is the worst. Before I had any problems it would start up fine, and quick.
Now I get a bunch of stuff opening that wasn't before, and half the time it freezes and restarts.
(This was occurring before you started helping me also.)

Hi, blakh :)

You need to be more specific. (bunch of stuff opening)

Let's take a deeper look:

Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
    • In the Processes group click All.
    • In the Win32 Services group click All.
    • In the Driver Services group click All.
    • In the Registry group click All.
    • In the Files Created Within group click 60 days. Make sure Non-Microsoft only is UNCHECKED.
    • In the Files Modified Within group select 30 days. Make sure Non-Microsoft only is UNCHECKED.
    • In the File String Search group select Non Microsoft.
    • In the Additional Scans section please press Select All and uncheck Non-Microsoft only.
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data, so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete, Notepad will open with the report file loaded in it.
  • Save that Notepad file.
Use the Reply button and attach the Notepad file here (do not copy and paste it in a reply, rather attach it).
  • 0

#12
blakh
  • Topic Starter
  • Member
  • 21 posts
Sorry for taking so long, I have been so busy with school this week =/
And thanks again for helping :)

Attached Files


  • 0

#13
JSntgRvr
  • Global Moderator
  • 11,539 posts
Hi, blakh :)

There is nothing wrong in that log.

Here are some routine maintenance practices that you should do on a regular basis to keep your machine running efficiently. Hopefully going through these steps will solve the problems you are having with the pc being slow:

Disk Cleanup:

http://www.theelderg...nup_utility.htm

Defrag your HD:

http://artsweb.bham....rag-win2kxp.htm

Run chkdsk:

To use Chkdsk, click Start and My Computer. Right-click the hard drive you want to check, and click Properties. Select the Tools tab and click Check Now. Check both boxes. Click Start. You'll get a message that the computer must be rebooted to run a complete check. Click Yes and reboot. Chkdsk will take awhile, so run it when you don't need to use the computer for something else.

Remove unnecessary Programs

Go to the Add/Remove programs option and remove all your security programs, except for Bitdefender.

Remove unnecessary startups

This should be done through the System Configuration Utility. Go to Start > Run and type in msconfig.
Click OK or hit the Enter key.

Click on the "Startup" tab and remove the check by the items that you have determined are unnecessary. Click "Apply", then "Close".

You will be prompted to restart. Go ahead and restart.

Upon restart you will be confronted with a dialogue box warning about running in selective startup. Just ignore that message and put a check in the box by "Don't show me this message or launch the System Configuration Utility when Windows starts" and click "OK". You will not be bothered by the message again.

Keep in mind that some entries will be re-enabled in the startups each time you use that particular program. Therefore, you will have to find the option in that program's preferences that says something like "Load with Windows" or "Run when Windows Starts" and disable that option.

Go here for info on msconfig:

Pacs Portal

You can look up the startups at the following links to help determine what is needed and what is not:

ComputerCops
BleepingComputer
Answers That Work
Windows Startup

For services look at this link:

http://www.theelderg...vices_guide.htm

Keep me posted.
  • 0
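The startup review described in the post above is done by hand in msconfig and by looking each entry up. As an added example (not part of this thread and not HijackThis or WinPFind3U code), the following Python script parses the O4, O20 and O23 lines of a HijackThis log and lists the entries a reviewer should look up first. The rules are deliberately simple heuristics, not verdicts: an image outside Program Files or the Windows directory, an autostart running in the SYSTEM or Default user context, a Winlogon Notify DLL, or a service whose owner HijackThis reports as "Unknown owner". The sample lines are copied from the HijackThis log posted earlier in this thread, except the [ExampleUpdater] line, which is a constructed placeholder added to exercise the path rule.

```python
"""Triage helper for HijackThis O4 / O20 / O23 lines.

Added example, not HijackThis code: it extracts the autostart entries a
log contains and flags the ones worth looking up before anything is
disabled in msconfig. The flags are review hints, not a malware verdict.
"""
import re
from dataclasses import dataclass, field

# Sample input. All lines except [ExampleUpdater] are copied from the
# HijackThis log posted in this thread; the ExampleUpdater line is a
# constructed placeholder that exercises the "outside trusted roots" rule.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O4 - HKCU\..\Run: [ExampleUpdater] C:\Documents and Settings\user\Local Settings\Temp\updater.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Directories where installed software and Windows itself normally live.
TRUSTED_ROOTS = (r"c:\program files", r"c:\windows")


@dataclass
class Entry:
    section: str      # HijackThis section tag, e.g. "O4"
    name: str         # value name, .lnk name or service display name
    location: str     # registry key, startup folder or service owner
    path: str         # image path extracted from the command line
    reasons: list = field(default_factory=list)   # why it merits a look


# O4 registry Run entries, with an optional "(User '...')" suffix.
O4_REG = re.compile(
    r"^O4 - (?P<loc>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+?)"
    r"(?: \(User '(?P<user>[^']+)'\))?$"
)
# O4 entries from the Startup / Global Startup folders.
O4_DIR = re.compile(r"^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<cmd>.+)$")
O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
# First drive-letter path ending in .exe/.dll/.sys, quoted or not.
IMAGE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|sys))', re.IGNORECASE)


def image_path(cmd: str) -> str:
    """Return the executable/DLL path from a command line, dropping arguments."""
    m = IMAGE.match(cmd)
    return m.group("path") if m else cmd


def parse(text: str) -> list:
    """Turn O4/O20/O23 lines into Entry objects; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if (m := O4_REG.match(line)):
            e = Entry("O4", m["name"], m["loc"], image_path(m["cmd"]))
            if m["user"] in ("SYSTEM", "Default user"):
                e.reasons.append(f"autostarts in the {m['user']} context")
        elif (m := O4_DIR.match(line)):
            e = Entry("O4", m["name"], m["loc"], image_path(m["cmd"]))
        elif (m := O20.match(line)):
            e = Entry("O20", m["name"], "Winlogon Notify", image_path(m["cmd"]))
            e.reasons.append("DLL loaded into winlogon.exe at logon")
        elif (m := O23.match(line)):
            e = Entry("O23", m["name"], m["owner"], image_path(m["cmd"]))
            if m["owner"].lower() == "unknown owner":
                e.reasons.append("service binary has no publisher name recorded")
        else:
            continue
        if not e.path.lower().startswith(TRUSTED_ROOTS):
            e.reasons.append("image lives outside Program Files / Windows")
        entries.append(e)
    return entries


def needs_review(text: str) -> list:
    """Entries that picked up at least one review reason."""
    return [e for e in parse(text) if e.reasons]


if __name__ == "__main__":
    for e in needs_review(SAMPLE_LOG):
        print(f"{e.section} {e.name!r} -> {e.path}: {'; '.join(e.reasons)}")
```

Entries that are not flagged are not thereby safe, and flagged ones are not thereby bad; the output only orders the lookup work suggested in the post above, and the startup-database links there remain the place to check each name.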

#14
JSntgRvr
  • Global Moderator
  • 11,539 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
