Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

core.cache.dsk and other issues [RESOLVED]


  • This topic is locked This topic is locked

#1
bouncer72382

bouncer72382

    New Member

  • Member
  • Pip
  • 6 posts
Hello, I've been having some trouble with Smitfraud-C.CoreService on my company computer. Unfortunately my IT people have been swamped with projects and haven't had the time to help me out, but have cleared me to try to get help here. I've been using Spybot S&D but core.cache.dsk seems to always find its way back, along with other new items. As far as symptoms, the only majorly noticeable one is a pop-up every time I open a new web page in IE. The following is my HJT log, I also have logs from Spybot S&D, AVG, and SuperAnti Spyware.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:18 PM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TIREMOTE\wuser32.exe
C:\WINDOWS\TIREMOTE\TIRemoteService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\TEMP\MVC4.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Picasa\PicasaMediaDetector.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\mobsync.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Ripley Entertainment
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Track-It! Workstation Manager Service Monitor] C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1201710059871
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ripleys.com
O17 - HKLM\Software\..\Telephony: DomainName = ripleys.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ripleys.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ripleys.com
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = ripleys.com
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = ripleys.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Track-It! Remote Control (TIRmtCtl) - Intuit Track-It! - C:\WINDOWS\TIREMOTE\wuser32.exe
O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Numara Software, Inc. - C:\WINDOWS\TIREMOTE\TIRemoteService.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 8884 bytes


Thank you for any help you can provide and for the service that you provide to the online community.
  • 0

Advertisements


#2
Thunderbird1988

Thunderbird1988

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,416 posts
Hello Bouncer72382,

I am Thunderbird1988 and I am going to remove your malwareproblems. If you have questions, feel free to ask. :)

We must disable the Real-Time Protection feature of Windows Defender for it may interfere with the changes we need to make.

To disable Real-Time Protection:
  • Go to "Tools" | "General Settings"
  • Scroll down to "Real-time protection options"
  • Uncheck "Turn on real-time protection (recommended)"
  • Remember to reactivate this feature when we have finished all our work.

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Thunderbird1988
  • 0

#3
bouncer72382

bouncer72382

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hello Thunderbird1988, thank you for replying to my post, I greatly appreciate your help. My apologies for my late reply as I am out of my office Tuesdays and Thursdays. Here is the generated ComboFix log followed by a new HJT log:

ComboFix 08-02.05.3 - brogan 2008-02-06 10:36:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.525 [GMT -5:00]
Running from: \\hqmail01\redirected$\brogan\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\KBDCLASSS.sys
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr0.dat
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr1.dat
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\KBDCLASSS.sys
C:\WINDOWS\system32\FTPx.dll
C:\WINDOWS\SYSTEM32\htbdwuca.ini
C:\WINDOWS\system32\megsphwa.dll
C:\WINDOWS\system32\pac.txt

----- BITS: Possible infected sites -----

hxxp://www.download.windowsupdate.com
hxxp://ww
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_KBDCLASSS
-------\KBDCLASSS


((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.

2008-02-06 10:39 . 2008-02-06 10:39 241,609 --a------ C:\catchme.zip
2008-02-01 16:51 . 2008-02-01 16:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-01 16:07 . 2008-02-01 16:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-02-01 15:48 . 2008-02-01 18:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-01 15:48 . 2008-02-01 15:48 <DIR> d-------- C:\Documents and Settings\brogan\Application Data\SUPERAntiSpyware.com
2008-02-01 15:48 . 2008-02-01 15:48 <DIR> d-------- C:\DOCUME~1\brogan\APPLIC~1\SUPERAntiSpyware.com
2008-02-01 15:48 . 2008-02-01 15:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2008-02-01 15:42 . 2008-02-01 15:42 <DIR> d-------- C:\Documents and Settings\brogan\Application Data\Grisoft
2008-02-01 15:42 . 2008-02-01 15:42 <DIR> d-------- C:\DOCUME~1\brogan\APPLIC~1\Grisoft
2008-02-01 15:42 . 2008-02-01 15:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft
2008-02-01 15:42 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2008-02-01 13:00 . 2008-02-01 13:00 <DIR> d-------- C:\Program Files\MSBuild
2008-02-01 12:57 . 2008-02-01 13:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\XPSViewer
2008-02-01 12:57 . 2008-02-01 12:57 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-02-01 12:56 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\SYSTEM32\spmsg2.dll
2008-02-01 12:49 . 2008-02-01 12:49 22 --a------ C:\WINDOWS\SYSTEM32\ati64hl2.stb
2008-02-01 11:13 . 2008-02-01 11:13 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-02-01 11:12 . 2008-02-01 11:12 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-02-01 11:12 . 2006-10-04 09:06 1,197,294 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\sysmain.sdb
2008-02-01 11:12 . 2006-10-04 09:06 764,868 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\apph_sp.sdb
2008-02-01 11:12 . 2006-10-04 09:06 217,118 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\apphelp.sdb
2008-02-01 11:11 . 2008-02-01 11:11 <DIR> d-------- C:\e9e798f0b8b06b1227e9
2008-02-01 11:11 . 2008-02-01 11:12 <DIR> d-------- C:\ba520f75d8ff6a590c2a89
2008-02-01 11:10 . 2008-02-01 11:10 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2008-02-01 11:10 . 2008-02-01 11:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\UMDF
2008-02-01 11:08 . 2003-02-11 09:58 126,976 --a------ C:\WINDOWS\SYSTEM32\e1000msg.dll
2008-02-01 11:08 . 2003-07-11 10:58 121,856 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\e1000325.sys
2008-02-01 11:08 . 2003-07-11 12:15 118,784 --a------ C:\WINDOWS\SYSTEM32\Prounstl.exe
2008-02-01 11:08 . 2002-09-03 02:34 2,725 --a------ C:\WINDOWS\SYSTEM32\e1000325.din
2008-02-01 10:59 . 2006-11-13 01:02 288,768 --------- C:\WINDOWS\SYSTEM32\rhttpaa.dll
2008-02-01 10:59 . 2006-11-13 01:02 116,736 --------- C:\WINDOWS\SYSTEM32\aaclient.dll
2008-02-01 10:59 . 2006-11-13 01:02 36,352 --------- C:\WINDOWS\SYSTEM32\tsgqec.dll
2008-02-01 10:34 . 2008-02-01 10:34 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-30 18:15 . 2008-01-30 18:15 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-30 18:09 . 2007-07-09 08:09 584,192 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2008-01-30 17:58 . 2008-02-06 11:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-30 17:58 . 2008-01-30 17:58 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-30 17:43 . 2004-08-04 02:56 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll
2008-01-30 17:42 . 2008-01-30 17:42 <DIR> d-------- C:\WINDOWS\provisioning
2008-01-30 17:42 . 2008-01-30 17:42 <DIR> d-------- C:\WINDOWS\peernet
2008-01-30 17:40 . 2008-01-30 17:40 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-01-30 17:34 . 2008-01-30 17:34 <DIR> d-------- C:\WINDOWS\EHome
2008-01-30 17:27 . 2002-04-15 21:11 67,866 --------- C:\WINDOWS\SYSTEM32\DRIVERS\netwlan5.img
2008-01-30 17:27 . 2004-08-04 00:56 11,776 --------- C:\WINDOWS\SYSTEM32\spnpinst.exe
2008-01-30 17:27 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\SYSTEM32\secupd.sig
2008-01-30 17:27 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\SYSTEM32\secupd.dat
2008-01-30 16:54 . 2005-10-20 17:20 1,082,368 --a------ C:\WINDOWS\SYSTEM32\esent.dll
2008-01-30 14:00 . 2008-02-04 13:34 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-30 11:26 . 2008-02-01 13:01 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-30 11:26 . 2006-10-16 16:10 23,856 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2008-01-30 11:25 . 2008-01-30 11:25 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2008-01-30 11:24 . 2004-08-04 02:56 351,232 --a------ C:\WINDOWS\SYSTEM32\winhttp.dll
2008-01-30 11:24 . 2004-08-04 02:56 18,944 --a------ C:\WINDOWS\SYSTEM32\qmgrprxy.dll
2008-01-30 11:24 . 2004-08-04 02:56 8,192 --------- C:\WINDOWS\SYSTEM32\bitsprx2.dll
2008-01-30 11:24 . 2004-08-04 02:56 7,168 --------- C:\WINDOWS\SYSTEM32\bitsprx3.dll
2008-01-30 11:21 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2008-01-30 11:21 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2008-01-30 11:21 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl
2008-01-30 11:21 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2008-01-30 11:21 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll.mui
2008-01-30 11:21 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2008-01-30 11:21 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl.mui
2008-01-30 11:21 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll.mui
2008-01-30 11:21 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll.mui
2008-01-30 10:31 . 2008-01-30 10:31 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-01-30 10:31 . 2008-01-30 10:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2008-01-28 12:22 . 2008-01-28 12:22 <DIR> d-------- C:\Documents and Settings\brogan\Application Data\Uniblue
2008-01-28 12:22 . 2008-01-28 12:22 <DIR> d-------- C:\DOCUME~1\brogan\APPLIC~1\Uniblue
2008-01-25 16:18 . 2008-01-25 16:18 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-25 16:18 . 2008-02-01 15:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-25 16:18 . 2008-01-25 16:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2008-01-25 15:57 . 2008-01-25 16:17 21,364,592 --a------ C:\aaw2007.exe
2008-01-25 15:52 . 2008-01-25 15:52 <DIR> d---s---- C:\WINDOWS\SYSTEM32\Microsoft
2008-01-25 15:33 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\Process.exe
2008-01-25 15:32 . 2008-01-25 15:32 <DIR> d-a------ C:\Program Files\sysinternals
2008-01-25 14:58 . 2008-01-25 16:36 <DIR> d-------- C:\WINDOWS\SYSTEM32\wnis6
2008-01-25 14:58 . 2008-01-25 14:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\nip4
2008-01-25 14:58 . 2008-02-01 16:48 <DIR> d-------- C:\WINDOWS\SYSTEM32\nGpxx01
2008-01-25 14:58 . 2008-01-25 14:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\ets1
2008-01-25 14:58 . 2008-01-25 15:19 <DIR> d-------- C:\WINDOWS\SYSTEM32\comg9
2008-01-25 14:58 . 2008-01-25 14:58 <DIR> d-------- C:\Temp\gTiis19
2008-01-25 14:58 . 2008-01-25 14:58 <DIR> d-------- C:\Temp\cXzz9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-04 18:45 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-02-04 18:41 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-01 21:48 --------- d-----w C:\Program Files\Picasa
2008-01-30 20:14 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-01-30 15:25 --------- d-----w C:\Program Files\Trend Micro
2008-01-28 17:39 --------- d-----w C:\Program Files\Common Files\Real
2008-01-28 17:38 --------- d-----w C:\Program Files\Viewpoint
2008-01-28 17:38 --------- d-----w C:\Documents and Settings\brogan\Application Data\Viewpoint
2008-01-28 17:38 --------- d-----w C:\DOCUME~1\brogan\APPLIC~1\Viewpoint
2008-01-28 17:38 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2008-01-25 21:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-25 21:58 --------- d-----w C:\Program Files\MUSICMATCH
2008-01-07 15:59 --------- d-----w C:\Program Files\Winamp
2007-12-13 20:34 --------- d-----w C:\Program Files\Apple Software Update
2007-12-13 20:34 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-01-03 20:34 53,808 ----a-w C:\Documents and Settings\brogan\Application Data\GDIPFONTCACHEV1.DAT
2007-01-03 20:34 53,808 ----a-w C:\DOCUME~1\brogan\APPLIC~1\GDIPFONTCACHEV1.DAT
2006-07-18 19:41 53,808 ----a-w C:\Documents and Settings\scipio\Application Data\GDIPFONTCACHEV1.DAT
2005-08-11 14:35 1,302,528 ----a-w C:\Program Files\REX2004.exe
2005-03-22 22:56 53,416 ----a-w C:\Documents and Settings\meyer\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 16:24 86016]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-25 00:00 126976]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 12:52 339968]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 19:47 204800]
"LifeScape Media Detector"="C:\Program Files\Picasa\PicasaMediaDetector.exe" [2004-11-03 14:14 151552]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 02:56 143360]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 00:01 110592]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 00:01 110592]
"Track-It! Workstation Manager Service Monitor"="C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe" [2007-04-12 18:41 421888]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-12-11 18:31 710000]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 17:44 271672]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-12-20 10:16 37376]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe [2004-09-20 09:59:21 43520]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE [2006-07-11 16:08:54 135680]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=WorkstationScript.vbs

R2 TIRmtCtl;Track-It! Remote Control;C:\WINDOWS\TIREMOTE\wuser32.exe [2006-03-29 13:48]
R2 TIRmtSvc;Track-It! Workstation Manager;C:\WINDOWS\TIREMOTE\TIRemoteService.exe [2007-04-12 18:41]
S3 scsiscan;SCSI Scanner Driver;C:\WINDOWS\system32\DRIVERS\scsiscan.sys [2001-08-17 13:53]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-06 11:27:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\TEMP\WT64BD.EXE
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-02-06 11:34:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-06 16:33:59




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39, on 2008-02-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TIREMOTE\wuser32.exe
C:\WINDOWS\TIREMOTE\TIRemoteService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\TEMP\WT64BD.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Picasa\PicasaMediaDetector.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Track-It! Workstation Manager Service Monitor] C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1201710059871
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ripleys.com
O17 - HKLM\Software\..\Telephony: DomainName = ripleys.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ripleys.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ripleys.com
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = ripleys.com
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = ripleys.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Track-It! Remote Control (TIRmtCtl) - Intuit Track-It! - C:\WINDOWS\TIREMOTE\wuser32.exe
O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Numara Software, Inc. - C:\WINDOWS\TIREMOTE\TIRemoteService.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

--
End of file - 8359 bytes


Thank you again for all your help, and I look forward to hearing from you.
  • 0

#4
bouncer72382

bouncer72382

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Ok, apparently I thought I turned off TeaTimer but I guess I didn't. Pretty sure I have it off now though. Here's a new HJT log. Will I need to run ComboFix again, or does TeaTimer not interfere with it?

***EDIT***: Some good news! I just found out that my IT people finally took some time to install a Spyware/Grayware module into my Trend Micro OfficeScan. Also, I had forgotten to mention that after running ComboFix, Trend Micro OfficeScan did locate and clean two instances of "Freeloader_Smitfraud" during a real-time scan, both appear to have been in folders on my C drive (one in a folder named ComboFix, and one in a folder that appears to have been randomly named), the file was named "dumphive.cfexe". Also, following a manual scan it removed "TSPY_Bifrose" which appears to have been a trojan effecting three of my registry entries with some references to "wget". A new scan with Spybot S&D shows that my system is clean. IE seems to respond much faster now and I have not encountered a single pop-up. Should I assume that my system is now clean, or are there more steps that you suggest to take? Oh, also one more thing, I have noticed that my Windows clock and date display has changed format, it now shows time in a 24:00 format and the date year first. Was this editted by ComboFix, and how can I restore it? Thanks again Thunderbird1988!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58, on 2008-02-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TIREMOTE\wuser32.exe
C:\WINDOWS\TIREMOTE\TIRemoteService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\TEMP\FEC97B.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Picasa\PicasaMediaDetector.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Track-It! Workstation Manager Service Monitor] C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1201710059871
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ripleys.com
O17 - HKLM\Software\..\Telephony: DomainName = ripleys.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ripleys.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ripleys.com
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = ripleys.com
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = ripleys.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Track-It! Remote Control (TIRmtCtl) - Intuit Track-It! - C:\WINDOWS\TIREMOTE\wuser32.exe
O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Numara Software, Inc. - C:\WINDOWS\TIREMOTE\TIRemoteService.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

--
End of file - 8738 bytes

Edited by bouncer72382, 06 February 2008 - 04:27 PM.

  • 0

#5
Thunderbird1988

Thunderbird1988

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,416 posts
Hello Bouncer72382,

It seems that Teatimer didn't interfered with Combofix.
Your Combofixlog revealed some other malwarefolders, I don't know if they all got cleaned up by your scanners, but I think best way to proceed is removing them.

Yes, the times have been reset by Combofix, we will set it back when the computer is cleaned.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Folder::

C:\WINDOWS\SYSTEM32\wnis6
C:\WINDOWS\SYSTEM32\nip4
C:\WINDOWS\SYSTEM32\nGpxx01
C:\WINDOWS\SYSTEM32\ets1
C:\WINDOWS\SYSTEM32\comg9
C:\Temp\gTiis19
C:\Temp\cXzz9



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Edited by Thunderbird1988, 07 February 2008 - 03:25 AM.

  • 0

#6
bouncer72382

bouncer72382

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hello Thunderbird1988, and thanks again for your reply! After ComboFix ran it did not have the system reboot. Also upon ComboFix running Trend Micro OfficeScan found the same two instances of "Freeloader_Smitfraud" that I had previously mentioned. The following are my ComboFix log and HJT log:


ComboFix 08-02.05.3 - brogan 2008-02-08 10:42:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.527 [GMT -5:00]
Running from: \\hqmail01\redirected$\brogan\Desktop\ComboFix.exe
Command switches used :: \\hqmail01\redirected$\brogan\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr0.dat
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr1.dat
C:\Temp\cXzz9
C:\Temp\gTiis19
C:\Temp\gTiis19\lTig.log
C:\WINDOWS\SYSTEM32\comg9
C:\WINDOWS\SYSTEM32\ets1
C:\WINDOWS\SYSTEM32\ets1\ovstadcom2.exe
C:\WINDOWS\SYSTEM32\nGpxx01
C:\WINDOWS\SYSTEM32\nip4
C:\WINDOWS\SYSTEM32\wnis6

----- BITS: Possible infected sites -----

hxxp://www.download.windowsupdate.com
.
((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.

2008-02-06 10:39 . 2008-02-06 10:39 241,609 --a------ C:\catchme.zip
2008-02-01 16:51 . 2008-02-01 16:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-01 16:07 . 2008-02-01 16:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-02-01 15:48 . 2008-02-01 18:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-01 15:48 . 2008-02-01 15:48 <DIR> d-------- C:\Documents and Settings\brogan\Application Data\SUPERAntiSpyware.com
2008-02-01 15:48 . 2008-02-01 15:48 <DIR> d-------- C:\DOCUME~1\brogan\APPLIC~1\SUPERAntiSpyware.com
2008-02-01 15:48 . 2008-02-01 15:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2008-02-01 15:42 . 2008-02-01 15:42 <DIR> d-------- C:\Documents and Settings\brogan\Application Data\Grisoft
2008-02-01 15:42 . 2008-02-01 15:42 <DIR> d-------- C:\DOCUME~1\brogan\APPLIC~1\Grisoft
2008-02-01 15:42 . 2008-02-01 15:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft
2008-02-01 15:42 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2008-02-01 13:00 . 2008-02-01 13:00 <DIR> d-------- C:\Program Files\MSBuild
2008-02-01 12:57 . 2008-02-01 13:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\XPSViewer
2008-02-01 12:57 . 2008-02-01 12:57 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-02-01 12:56 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\SYSTEM32\spmsg2.dll
2008-02-01 12:49 . 2008-02-01 12:49 22 --a------ C:\WINDOWS\SYSTEM32\ati64hl2.stb
2008-02-01 11:13 . 2008-02-01 11:13 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-02-01 11:12 . 2008-02-01 11:12 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-02-01 11:12 . 2006-10-04 09:06 1,197,294 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\sysmain.sdb
2008-02-01 11:12 . 2006-10-04 09:06 764,868 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\apph_sp.sdb
2008-02-01 11:12 . 2006-10-04 09:06 217,118 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\apphelp.sdb
2008-02-01 11:11 . 2008-02-01 11:11 <DIR> d-------- C:\e9e798f0b8b06b1227e9
2008-02-01 11:11 . 2008-02-01 11:12 <DIR> d-------- C:\ba520f75d8ff6a590c2a89
2008-02-01 11:10 . 2008-02-01 11:10 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2008-02-01 11:10 . 2008-02-01 11:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\UMDF
2008-02-01 11:08 . 2003-02-11 09:58 126,976 --a------ C:\WINDOWS\SYSTEM32\e1000msg.dll
2008-02-01 11:08 . 2003-07-11 10:58 121,856 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\e1000325.sys
2008-02-01 11:08 . 2003-07-11 12:15 118,784 --a------ C:\WINDOWS\SYSTEM32\Prounstl.exe
2008-02-01 11:08 . 2002-09-03 02:34 2,725 --a------ C:\WINDOWS\SYSTEM32\e1000325.din
2008-02-01 10:59 . 2006-11-13 01:02 288,768 --------- C:\WINDOWS\SYSTEM32\rhttpaa.dll
2008-02-01 10:59 . 2006-11-13 01:02 116,736 --------- C:\WINDOWS\SYSTEM32\aaclient.dll
2008-02-01 10:59 . 2006-11-13 01:02 36,352 --------- C:\WINDOWS\SYSTEM32\tsgqec.dll
2008-02-01 10:34 . 2008-02-01 10:34 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-30 18:15 . 2008-01-30 18:15 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-30 18:09 . 2007-07-09 08:09 584,192 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2008-01-30 17:58 . 2008-02-06 11:55 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-30 17:58 . 2008-01-30 17:58 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-30 17:43 . 2004-08-04 02:56 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll
2008-01-30 17:42 . 2008-01-30 17:42 <DIR> d-------- C:\WINDOWS\provisioning
2008-01-30 17:42 . 2008-01-30 17:42 <DIR> d-------- C:\WINDOWS\peernet
2008-01-30 17:40 . 2008-01-30 17:40 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-01-30 17:34 . 2008-01-30 17:34 <DIR> d-------- C:\WINDOWS\EHome
2008-01-30 17:27 . 2002-04-15 21:11 67,866 --------- C:\WINDOWS\SYSTEM32\DRIVERS\netwlan5.img
2008-01-30 17:27 . 2004-08-04 00:56 11,776 --------- C:\WINDOWS\SYSTEM32\spnpinst.exe
2008-01-30 17:27 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\SYSTEM32\secupd.sig
2008-01-30 17:27 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\SYSTEM32\secupd.dat
2008-01-30 16:54 . 2005-10-20 17:20 1,082,368 --a------ C:\WINDOWS\SYSTEM32\esent.dll
2008-01-30 14:00 . 2008-02-06 16:35 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-30 11:26 . 2008-02-01 13:01 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-30 11:26 . 2006-10-16 16:10 23,856 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2008-01-30 11:25 . 2008-01-30 11:25 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2008-01-30 11:24 . 2004-08-04 02:56 351,232 --a------ C:\WINDOWS\SYSTEM32\winhttp.dll
2008-01-30 11:24 . 2004-08-04 02:56 18,944 --a------ C:\WINDOWS\SYSTEM32\qmgrprxy.dll
2008-01-30 11:24 . 2004-08-04 02:56 8,192 --------- C:\WINDOWS\SYSTEM32\bitsprx2.dll
2008-01-30 11:24 . 2004-08-04 02:56 7,168 --------- C:\WINDOWS\SYSTEM32\bitsprx3.dll
2008-01-30 11:21 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2008-01-30 11:21 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2008-01-30 11:21 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl
2008-01-30 11:21 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2008-01-30 11:21 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll.mui
2008-01-30 11:21 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2008-01-30 11:21 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl.mui
2008-01-30 11:21 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll.mui
2008-01-30 11:21 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll.mui
2008-01-30 10:31 . 2008-01-30 10:31 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-01-30 10:31 . 2008-01-30 10:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2008-01-28 12:22 . 2008-01-28 12:22 <DIR> d-------- C:\Documents and Settings\brogan\Application Data\Uniblue
2008-01-28 12:22 . 2008-01-28 12:22 <DIR> d-------- C:\DOCUME~1\brogan\APPLIC~1\Uniblue
2008-01-25 16:18 . 2008-01-25 16:18 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-25 16:18 . 2008-02-01 15:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-25 16:18 . 2008-01-25 16:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2008-01-25 15:57 . 2008-01-25 16:17 21,364,592 --a------ C:\aaw2007.exe
2008-01-25 15:52 . 2008-01-25 15:52 <DIR> d---s---- C:\WINDOWS\SYSTEM32\Microsoft
2008-01-25 15:33 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\Process.exe
2008-01-25 15:32 . 2008-01-25 15:32 <DIR> d-a------ C:\Program Files\sysinternals

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 15:31 --------- d-----w C:\Program Files\MSN Messenger
2008-02-04 18:45 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-02-04 18:41 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-01 21:48 --------- d-----w C:\Program Files\Picasa
2008-01-30 20:14 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-01-30 15:25 --------- d-----w C:\Program Files\Trend Micro
2008-01-28 17:39 --------- d-----w C:\Program Files\Common Files\Real
2008-01-28 17:38 --------- d-----w C:\Program Files\Viewpoint
2008-01-28 17:38 --------- d-----w C:\Documents and Settings\brogan\Application Data\Viewpoint
2008-01-28 17:38 --------- d-----w C:\DOCUME~1\brogan\APPLIC~1\Viewpoint
2008-01-28 17:38 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2008-01-25 21:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-25 21:58 --------- d-----w C:\Program Files\MUSICMATCH
2008-01-07 15:59 --------- d-----w C:\Program Files\Winamp
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe
2007-12-13 20:34 --------- d-----w C:\Program Files\Apple Software Update
2007-12-13 20:34 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-01-03 20:34 53,808 ----a-w C:\Documents and Settings\brogan\Application Data\GDIPFONTCACHEV1.DAT
2007-01-03 20:34 53,808 ----a-w C:\DOCUME~1\brogan\APPLIC~1\GDIPFONTCACHEV1.DAT
2006-07-18 19:41 53,808 ----a-w C:\Documents and Settings\scipio\Application Data\GDIPFONTCACHEV1.DAT
2005-08-11 14:35 1,302,528 ----a-w C:\Program Files\REX2004.exe
2005-03-22 22:56 53,416 ----a-w C:\Documents and Settings\meyer\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 16:24 86016]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-25 00:00 126976]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 12:52 339968]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 19:47 204800]
"LifeScape Media Detector"="C:\Program Files\Picasa\PicasaMediaDetector.exe" [2004-11-03 14:14 151552]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 02:56 143360]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 00:01 110592]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 00:01 110592]
"Track-It! Workstation Manager Service Monitor"="C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe" [2007-04-12 18:41 421888]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-12-11 18:31 710000]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-12-20 10:16 37376]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe [2004-09-20 09:59:21 43520]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE [2006-07-11 16:08:54 135680]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=WorkstationScript.vbs

R2 TIRmtCtl;Track-It! Remote Control;C:\WINDOWS\TIREMOTE\wuser32.exe [2006-03-29 13:48]
R2 TIRmtSvc;Track-It! Workstation Manager;C:\WINDOWS\TIREMOTE\TIRemoteService.exe [2007-04-12 18:41]
S3 scsiscan;SCSI Scanner Driver;C:\WINDOWS\system32\DRIVERS\scsiscan.sys [2001-08-17 13:53]

*Newly Created Service* - USNJSVC
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-08 10:44:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-08 10:45:36
ComboFix-quarantined-files.txt 2008-02-08 15:45:22
ComboFix2.txt 2008-02-06 16:34:03



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54, on 2008-02-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TIREMOTE\wuser32.exe
C:\WINDOWS\TIREMOTE\TIRemoteService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\TEMP\GG7C1D.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Track-It! Workstation Manager Service Monitor] C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1201710059871
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ripleys.com
O17 - HKLM\Software\..\Telephony: DomainName = ripleys.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ripleys.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ripleys.com
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = ripleys.com
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = ripleys.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Track-It! Remote Control (TIRmtCtl) - Intuit Track-It! - C:\WINDOWS\TIREMOTE\wuser32.exe
O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Numara Software, Inc. - C:\WINDOWS\TIREMOTE\TIRemoteService.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

--
End of file - 8299 bytes



Thanks again for your help, have a great weekend!
  • 0

#7
Thunderbird1988

Thunderbird1988

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,416 posts
Hello bouncer72382,

The detection of Dumphive.cfexe is a False positive (A file/folder that is detected as a virus but actually is not) and is therefore nothing to worry about.
It's a part of Combofix.

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK


    • Posted Image

  • When shown the disclaimer, Select "2"

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

After that please let me know if you experience any problems.

Thunderbird1988
  • 0

#8
bouncer72382

bouncer72382

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hello, I just ran "ComboFix /u" and received a message that ComboFix was unistalled; however, I did not see a disclaimer and there was no option "2". I think some files from ComboFix's process are still around such as the "catchme" files and the log. Also, the clock settings do not appear to be restored. Ah.. but now I realize I did turn Defender's real-time protection back on after the last run of ComboFix and didn't turn it off for this.. >.< Would that have interfered with the uninstall?
  • 0

#9
Thunderbird1988

Thunderbird1988

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,416 posts
Hello bouncer72382

It is possible that the realtime protection has interfered. We will set the clock back manually.

You can fix your clock from Control Panel ->Regional and Language Options and then on the Regional Options tab click the Customize button then on the next form click the Time tab. Then change the Time format to what you want. It explains there what the lower case and upper case letters will do. Upper case H is giving you 24 hour clock settings.

Please delete Combofix.exe and C:\Qoobox if they are still available. You can also delete Catchme.

After you have deleted this. Please enable your real time protection again.

After that please tell me if you still experience any problems.

Thunderbird1988
  • 0

#10
bouncer72382

bouncer72382

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hey Thunderbird1988, I got my clock and date set back to normal and deleted the files that I know were associated with ComboFix. The Qoobox folder was already deleted. I haven't run any scans yet this morning, but I also haven't noticed any problems, and I had no problems removing those files. Thanks again for all your help, I greatly appreciate it.
  • 0

#11
Thunderbird1988

Thunderbird1988

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,416 posts
Hello bouncer72382,

Your computer is clean.

I would normally give you prevention tips. However, many if not all those tips are for personal computers, and I don't know too well about business software. I think your IT people know best how to protect the computer from getting infected in the future.

Thunderbird1988
  • 0

#12
Thunderbird1988

Thunderbird1988

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,416 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP