Hi, clueless girl needs help removing a trojan ! [RESOLVED]


#1 CRKstar (Member, 38 posts)
Hey there.
I have AVG and it keeps saying that there is a threat detected, yada yada yada:
downloader.delf.ast

Where do I get started? I understand that I'm supposed to do some sort of HijackThis log? Also, I'm wary of posting too much personal computer information..... how do I know I'm safe?
Anyhoo, I'm eager to have a clean computer again ^_^
  • 0


#2 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hello

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
  • 0

#3 CRKstar (Topic Starter, Member, 38 posts)
Hey! THANK YOU so much for taking the time to help me with this ^_^ Here is the information you requested....
-X.

ComboFix 08-02-11.2 - Owner 2008-02-11 10:21:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.524 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\pjzfcdor.dat
C:\WINDOWS\system32\dskquouiw.dll
C:\WINDOWS\system32\dx8vbw.dll
C:\WINDOWS\Tasks.\At1.job
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SISIPVVD
-------\LEGACY_UVPWLNQX
-------\sisipvvd
-------\uvpwlnqx


((((((((((((((((((((((((( Files Created from 2008-01-11 to 2008-02-11 )))))))))))))))))))))))))))))))
.

2008-01-31 11:15 . 2008-01-31 11:24 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-30 21:35 . 2008-01-30 21:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-30 21:35 . 2008-01-30 21:35 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-23 10:37 . 2008-01-23 10:37 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-23 10:37 . 2008-01-23 10:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-23 10:36 . 2008-01-23 10:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-22 15:04 . 2008-01-22 15:04 <DIR> d-------- C:\WINDOWS\Sun
2008-01-20 18:49 . 2008-01-20 18:49 1,158 --a------ C:\WINDOWS\mozver.dat
2008-01-20 16:52 . 2008-02-11 09:56 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-01-20 16:52 . 2008-01-20 16:52 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-20 16:52 . 2008-01-20 16:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-20 16:52 . 2008-01-20 22:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-20 15:34 . 2008-01-20 15:34 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2008-01-20 15:34 . 2008-01-20 15:34 741,632 --a------ C:\WINDOWS\system32\srypdvyo.dat
2008-01-20 15:34 . 2008-01-20 15:34 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2008-01-20 15:34 . 2008-02-04 10:49 42,752 --a------ C:\WINDOWS\system32\yfwbhppi.dat
2008-01-20 15:34 . 2008-01-21 15:37 36,608 --a------ C:\WINDOWS\system32\xepdbcuc.dat
2008-01-20 15:34 . 2008-01-20 15:34 35,072 --a------ C:\WINDOWS\system32\mctjywbe.dat
2008-01-20 15:13 . 2008-01-20 15:13 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-20 15:07 . 2008-01-20 15:07 <DIR> d-------- C:\BCM_REL_4_100_15_5_WHQL
2008-01-18 00:24 . 2008-02-06 11:00 120,576 --a------ C:\WINDOWS\system32\kdnogtlr.dat
2008-01-18 00:18 . 2008-01-24 13:13 <DIR> d-------- C:\WINDOWS\system32\AppCert
2008-01-18 00:18 . 2004-08-04 11:00 85,504 --a------ C:\WINDOWS\system32\dskquouiw.dll.bak
2008-01-17 19:16 . 2008-01-17 20:54 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-01-17 15:06 . 2008-01-17 15:06 2 --a------ C:\WINDOWS\msoffice.ini
2008-01-17 09:55 . 2007-07-30 18:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-17 09:55 . 2007-07-30 18:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-17 09:55 . 2007-07-30 18:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-17 09:55 . 2007-07-30 18:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-17 09:55 . 2007-07-30 18:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-14 10:36 . 2008-01-14 10:36 268 --ah----- C:\sqmdata02.sqm
2008-01-14 10:36 . 2008-01-14 10:36 244 --ah----- C:\sqmnoopt02.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 00:23 2,570 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-01-21 00:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-21 00:07 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-20 23:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2008-01-18 08:55 --------- d-----w C:\Program Files\Google
2008-01-18 08:53 --------- d-----w C:\Program Files\HP
2008-01-18 08:53 --------- d-----w C:\Program Files\Hewlett-Packard
2008-01-18 08:43 --------- d-----w C:\Program Files\McAfee
2008-01-18 08:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-01-18 06:55 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-01-18 06:10 --------- d-----w C:\Program Files\BigFix
2008-01-18 06:07 --------- d-----w C:\Program Files\DeductionPro 2006
2008-01-18 03:23 --------- d-----w C:\Program Files\TaxCut06
2008-01-18 03:19 --------- d-----w C:\Program Files\Palm
2008-01-18 03:18 --------- d-----w C:\Program Files\Napster
2008-01-18 03:18 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-18 03:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2008-01-18 03:16 --------- d-----w C:\Documents and Settings\Owner\Application Data\Professional
2008-01-18 03:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-18 03:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-17 23:08 --------- d-----w C:\Program Files\Pure Networks
2008-01-17 23:06 --------- d-----w C:\Program Files\Common Files\AOL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 11:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~3\wcescomm.exe" [2006-06-20 21:36 1207080]
"Uniblue RegistryBooster2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 03:01 32768]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 07:47 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 07:47 688218]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-28 21:05 344064]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-07 20:55 176128]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-15 17:32 98304]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-20 16:52 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-20 16:52 219136]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
appsecdll REG_EXPAND_SZ C:\WINDOWS\system32\AppCert\wsil32.dll

R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-01-24 23:26]

.
Contents of the 'Scheduled Tasks' folder
"2007-02-16 03:21:52 C:\WINDOWS\Tasks\ISP signup reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 11:03:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
.
**************************************************************************
.
Completion time: 2008-02-11 11:05:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-11 19:05:21
.
2008-01-20 23:07:09 --- E O F ---
  • 0

#4 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\srypdvyo.dat
C:\WINDOWS\system32\yfwbhppi.dat
C:\WINDOWS\system32\xepdbcuc.dat
C:\WINDOWS\system32\mctjywbe.dat
C:\WINDOWS\system32\kdnogtlr.dat
C:\WINDOWS\system32\dskquouiw.dll.bak
C:\WINDOWS\system32\AppCert\wsil32.dll

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"AppSecDll"=-


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Also post a new HijackThis log.
  • 0
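As an added illustration (not code from this thread, from ComboFix or from Rorschach112), here is a Python script that triages a log in the layout posted above the way the CFScript in this post does: it pulls out the AppCertDlls loading point and the eight-letter random-named .dat files in system32, lists what else was dropped in the same minute for manual review, and renders the File::/Registry:: script. The sample log is constructed, and the "eight lower-case letters" heuristic is an assumption drawn from the names in this thread.

```python
"""Triage a ComboFix-style log: flag AppCertDlls loading points and random-named
droppings in system32, then render them in the File::/Registry:: CFScript layout.

Assumed/constructed: SAMPLE_LOG is a hand-made sample in the layout of the logs
posted in this thread, not a copy of them.
"""
import re

SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-01-11 to 2008-02-11 )))))))))))))))))))))))))))))))
.
2008-01-20 15:34 . 2008-01-20 15:34 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2008-01-20 15:34 . 2008-01-20 15:34 741,632 --a------ C:\WINDOWS\system32\srypdvyo.dat
2008-01-20 15:34 . 2008-02-04 10:49 42,752 --a------ C:\WINDOWS\system32\yfwbhppi.dat
2008-01-20 15:13 . 2008-01-20 15:13 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-18 00:18 . 2008-01-24 13:13 <DIR> d-------- C:\WINDOWS\system32\AppCert
2008-01-17 15:06 . 2008-01-17 15:06 2 --a------ C:\WINDOWS\msoffice.ini
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-20 16:52 579072]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
appsecdll REG_EXPAND_SZ C:\WINDOWS\system32\AppCert\wsil32.dll
"""

# "Files Created" entry: <created> . <modified> <size|<DIR>> <attrs> <path>
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
                     r"(<DIR>|[\d,]+) (\S{9}) (.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")                      # [HKEY_...] section header
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]+')            # first drive-letter path on a line
NAME_RE = re.compile(r'^"([^"]+)"=|^(\S+) REG_\w+ ')     # "name"=... or name REG_TYPE ...
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(?:dat|dll)$")  # assumed heuristic: 8 letters + .dat/.dll


def parse_files(lines):
    """Return (created, size, path) for every 'Files Created' entry."""
    hits = [FILE_RE.match(line) for line in lines]
    return [(m.group(1), m.group(2), m.group(4)) for m in hits if m]


def parse_loading_points(lines):
    """Return (key, value_name, path) for each registry value that points at a file."""
    key, out = None, []
    for line in lines:
        k = KEY_RE.match(line)
        if k:
            key = k.group(1)
            continue
        p = PATH_RE.search(line) if key else None
        if p:
            n = NAME_RE.match(line)
            name = (n.group(1) or n.group(2)) if n else ""
            out.append((key, name, p.group(0).rstrip()))
    return out


def is_random_system32_file(path):
    """Eight random lower-case letters plus .dat/.dll, located under system32."""
    leaf = path.rsplit("\\", 1)[-1].lower()
    return "\\system32\\" in path.lower() and bool(RANDOM_NAME_RE.match(leaf))


def analyse(log_text):
    lines = log_text.splitlines()
    files = parse_files(lines)
    # 1. AppCertDlls: every DLL listed there is mapped into each process that calls
    #    CreateProcess, so any value under that key is a loading point to explain.
    appcert = [(k, n, p) for k, n, p in parse_loading_points(lines)
               if k.lower().endswith("session manager\\appcertdlls")]
    # 2. Random-named droppings, plus whatever else landed in the same minute
    #    (co-dropped files are reported for review, not put in the File:: list).
    random_files = [p for _, _, p in files if is_random_system32_file(p)]
    hot_minutes = {c for c, _, p in files if p in random_files}
    alongside = [p for c, s, p in files
                 if c in hot_minutes and s != "<DIR>" and p not in random_files]
    return {"appcertdlls": appcert, "random_files": random_files,
            "dropped_alongside": alongside}


def build_cfscript(report):
    """Render findings in the CFScript layout from this thread: a File:: list and a
    Registry:: block whose "name"=- line deletes the AppCertDlls value."""
    out = ["File::", *report["random_files"],
           *[p for _, _, p in report["appcertdlls"]], "", "Registry::"]
    for key, name, _ in report["appcertdlls"]:
        out += ["[%s]" % key, '"%s"=-' % name]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rep = analyse(SAMPLE_LOG)
    for p in rep["dropped_alongside"]:
        print("review (dropped alongside a random-named file):", p)
    print(build_cfscript(rep))
```

On the sample, libeay32.dll is reported for review only, matching the way the script in this post left it alone while removing the random-named .dat files and the AppCertDlls value.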

#5 CRKstar (Topic Starter, Member, 38 posts)
Hi. I hope I did this right.... It looks the same as the last one. :)


  • 0

#6 CRKstar (Topic Starter, Member, 38 posts)
Oh, and another thing that is making my heart sink with worry is that when I run an AVG scan, it seems to stall at 133 objects.... it still appears to be running because it sounds like it and the timer is still going.... this is just awful. I just got this computer so I'm super stressed :)
  • 0

#7 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Yes, that is the wrong one; it should be called ComboFix(1) or something like that.
  • 0

#8 CRKstar (Topic Starter, Member, 38 posts)
ComboFix 08-02-11.2 - Owner 2008-02-13 19:50:55.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.493 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://au.download.windowsupdate.cj+|C̛v+@J:NGD_DQ{zt һHG.X@ٟ[email protected]pWU Client Download S-1-5-18 `HT4?? 6VwoQZCDHMsC:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\eef5a36924cdf0c02598ccf96aa4f60887a49840
.
((((((((((((((((((((((((( Files Created from 2008-01-14 to 2008-02-14 )))))))))))))))))))))))))))))))
.

2008-02-13 19:52 . 2008-02-13 19:52 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-31 11:15 . 2008-01-31 11:24 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-23 10:37 . 2008-01-23 10:37 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-23 10:37 . 2008-01-23 10:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-23 10:36 . 2008-01-23 10:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-22 15:04 . 2008-01-22 15:04 <DIR> d-------- C:\WINDOWS\Sun
2008-01-20 18:49 . 2008-01-20 18:49 1,158 --a------ C:\WINDOWS\mozver.dat
2008-01-20 16:52 . 2008-02-11 23:23 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-01-20 16:52 . 2008-01-20 16:52 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-20 16:52 . 2008-01-20 16:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-20 16:52 . 2008-01-20 22:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-20 15:34 . 2008-01-20 15:34 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2008-01-20 15:34 . 2008-01-20 15:34 741,632 --a------ C:\WINDOWS\system32\srypdvyo.dat
2008-01-20 15:34 . 2008-01-20 15:34 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2008-01-20 15:34 . 2008-02-04 10:49 42,752 --a------ C:\WINDOWS\system32\yfwbhppi.dat
2008-01-20 15:34 . 2008-01-21 15:37 36,608 --a------ C:\WINDOWS\system32\xepdbcuc.dat
2008-01-20 15:34 . 2008-01-20 15:34 35,072 --a------ C:\WINDOWS\system32\mctjywbe.dat
2008-01-20 15:13 . 2008-01-20 15:13 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-18 00:24 . 2008-02-06 11:00 120,576 --a------ C:\WINDOWS\system32\kdnogtlr.dat
2008-01-18 00:18 . 2008-02-11 13:20 <DIR> d-------- C:\WINDOWS\system32\AppCert
2008-01-18 00:18 . 2004-08-04 11:00 85,504 --a------ C:\WINDOWS\system32\dskquouiw.dll.bak
2008-01-17 19:16 . 2008-01-17 20:54 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-01-17 15:06 . 2008-01-17 15:06 2 --a------ C:\WINDOWS\msoffice.ini
2008-01-17 09:55 . 2007-07-30 18:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-17 09:55 . 2007-07-30 18:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-17 09:55 . 2007-07-30 18:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-17 09:55 . 2007-07-30 18:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-17 09:55 . 2007-07-30 18:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-14 10:36 . 2008-01-14 10:36 268 --ah----- C:\sqmdata02.sqm
2008-01-14 10:36 . 2008-01-14 10:36 244 --ah----- C:\sqmnoopt02.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-12 07:23 2,570 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-01-21 00:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-21 00:07 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-20 23:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2008-01-18 08:55 --------- d-----w C:\Program Files\Google
2008-01-18 08:53 --------- d-----w C:\Program Files\HP
2008-01-18 08:53 --------- d-----w C:\Program Files\Hewlett-Packard
2008-01-18 08:43 --------- d-----w C:\Program Files\McAfee
2008-01-18 08:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-01-18 06:55 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-01-18 06:10 --------- d-----w C:\Program Files\BigFix
2008-01-18 06:07 --------- d-----w C:\Program Files\DeductionPro 2006
2008-01-18 03:23 --------- d-----w C:\Program Files\TaxCut06
2008-01-18 03:19 --------- d-----w C:\Program Files\Palm
2008-01-18 03:18 --------- d-----w C:\Program Files\Napster
2008-01-18 03:18 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-18 03:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2008-01-18 03:16 --------- d-----w C:\Documents and Settings\Owner\Application Data\Professional
2008-01-18 03:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-18 03:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-17 23:08 --------- d-----w C:\Program Files\Pure Networks
2008-01-17 23:06 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-14 19:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 11:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~3\wcescomm.exe" [2006-06-20 21:36 1207080]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 03:01 32768]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 07:47 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 07:47 688218]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-28 21:05 344064]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-07 20:55 176128]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-20 16:52 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-20 16:52 219136]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-15 17:32 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
appsecdll REG_EXPAND_SZ C:\WINDOWS\system32\AppCert\wsil32.dll

R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-01-24 23:26]

.
Contents of the 'Scheduled Tasks' folder
"2007-02-16 03:21:52 C:\WINDOWS\Tasks\ISP signup reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-13 19:54:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-02-13 19:55:22
ComboFix-quarantined-files.txt 2008-02-14 03:54:20
ComboFix2.txt 2008-02-11 19:05:55
.
2008-02-14 03:37:44 --- E O F ---



That's the log ComboFix opened up. Give me a second to run a HijackThis log; I'll post it in a sec.

Thanks a lot! Let me know if this is right so far...
  • 0

#9 CRKstar (Topic Starter, Member, 38 posts)
Just noticed a folder called QooBox that had a file called combofix(2) in it; thought I'd post it...







2008-01-14 10:36 . 2008-01-14 10:36 268 --ah----- C:\sqmdata02.sqm
2008-01-14 10:36 . 2008-01-14 10:36 244 --ah----- C:\sqmnoopt02.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 00:23 2,570 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-01-21 00:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-21 00:07 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-20 23:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2008-01-18 08:55 --------- d-----w C:\Program Files\Google
2008-01-18 08:53 --------- d-----w C:\Program Files\HP
2008-01-18 08:53 --------- d-----w C:\Program Files\Hewlett-Packard
2008-01-18 08:43 --------- d-----w C:\Program Files\McAfee
2008-01-18 08:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-01-18 06:55 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-01-18 06:10 --------- d-----w C:\Program Files\BigFix
2008-01-18 06:07 --------- d-----w C:\Program Files\DeductionPro 2006
2008-01-18 03:23 --------- d-----w C:\Program Files\TaxCut06
2008-01-18 03:19 --------- d-----w C:\Program Files\Palm
2008-01-18 03:18 --------- d-----w C:\Program Files\Napster
2008-01-18 03:18 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-18 03:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2008-01-18 03:16 --------- d-----w C:\Documents and Settings\Owner\Application Data\Professional
2008-01-18 03:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-18 03:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-17 23:08 --------- d-----w C:\Program Files\Pure Networks
2008-01-17 23:06 --------- d-----w C:\Program Files\Common Files\AOL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 11:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~3\wcescomm.exe" [2006-06-20 21:36 1207080]
"Uniblue RegistryBooster2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 03:01 32768]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 07:47 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 07:47 688218]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-28 21:05 344064]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-07 20:55 176128]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-15 17:32 98304]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-20 16:52 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-20 16:52 219136]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
appsecdll REG_EXPAND_SZ C:\WINDOWS\system32\AppCert\wsil32.dll

R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-01-24 23:26]

.
Contents of the 'Scheduled Tasks' folder
"2007-02-16 03:21:52 C:\WINDOWS\Tasks\ISP signup reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 11:03:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
.
**************************************************************************
.
Completion time: 2008-02-11 11:05:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-11 19:05:21
.
2008-01-20 23:07:09 --- E O F ---

#10
CRKstar
Member, Topic Starter
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:03:05 PM, on 2/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~3\wcescomm.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\HJTInstall.exe
C:\Documents and Settings\Owner\Desktop\HJTInstall.exe
C:\Documents and Settings\Owner\Desktop\HJTInstall.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trainweb...._praiswater.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6230 bytes

Again, thanks a lot, guys. Here's the HijackThis log.

#11
Rorschach112
Retired Staff
Hello

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.



Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

#12
CRKstar
Member, Topic Starter
main.txt:

Deckard's System Scanner v20071014.68
Run by Owner on 2008-02-14 16:44:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2008-02-15 00:47:35 UTC - RP24 - Deckard's System Scanner Restore Point
2: 2008-02-14 08:12:43 UTC - RP23 - Software Distribution Service 3.0
1: 2008-02-11 18:22:25 UTC - RP22 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:53:29 PM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~3\wcescomm.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trainweb...._praiswater.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6017 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>

S3 catchme - c:\docume~1\owner\locals~1\temp\catchme.sys (file missing)
S3 PalmUSBD - c:\windows\system32\drivers\palmusbd.sys (file missing)
S3 sscdbus (SAMSUNG USB Composite Device driver (WDM)) - c:\windows\system32\drivers\sscdbus.sys <Not Verified; MCCI; SAMSUNG USB Composite Device>
S3 sscdmdfl (SAMSUNG CDMA Modem Filter) - c:\windows\system32\drivers\sscdmdfl.sys <Not Verified; MCCI; SAMSUNG CDMA Modem Filter Driver>
S3 sscdmdm (SAMSUNG CDMA Modem Drivers) - c:\windows\system32\drivers\sscdmdm.sys <Not Verified; MCCI; SAMSUNG CDMA Modem>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Marvell Yukon 88E8036 PCI-E Fast Ethernet Controller
Device ID: PCI\VEN_11AB&DEV_4351&SUBSYS_0300107B&REV_10\4&2EA2911C&0&0030
Manufacturer: Marvell
Name: Marvell Yukon 88E8036 PCI-E Fast Ethernet Controller
PNP Device ID: PCI\VEN_11AB&DEV_4351&SUBSYS_0300107B&REV_10\4&2EA2911C&0&0030
Service: yukonwxp


-- Scheduled Tasks -------------------------------------------------------------

2007-02-15 19:21:52 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 3.job


-- Files created between 2008-01-14 and 2008-02-14 -----------------------------

2008-02-13 20:02:22 0 d-------- C:\Program Files\Trend Micro
2008-02-11 10:19:02 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-02-11 10:19:02 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-02-11 10:19:02 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-02-11 10:19:02 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-01-31 11:15:55 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-26 11:52:20 0 dr-h----- C:\$VAULT$.AVG
2008-01-23 10:37:37 0 d-------- C:\Program Files\Lavasoft
2008-01-23 10:37:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-23 10:36:53 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-22 15:04:40 0 d-------- C:\WINDOWS\Sun
2008-01-22 15:04:40 0 d-------- C:\Documents and Settings\Owner\Application Data\Sun
2008-01-20 18:49:33 1158 --a------ C:\WINDOWS\mozver.dat
2008-01-20 16:52:50 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-01-20 16:52:45 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-20 16:52:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-20 16:52:25 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-20 16:35:53 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2008-01-20 15:34:28 35072 --a------ C:\WINDOWS\system32\mctjywbe.dat
2008-01-20 15:34:28 246545 --a------ C:\WINDOWS\system32\libssl32.dll <Not Verified; OpenSSL <www.openssl.org>; OpenSSL>
2008-01-20 15:34:28 1188375 --a------ C:\WINDOWS\system32\libeay32.dll <Not Verified; OpenSSL <www.openssl.org>; OpenSSL>
2008-01-20 15:34:27 42752 --a------ C:\WINDOWS\system32\yfwbhppi.dat
2008-01-20 15:34:27 36608 --a------ C:\WINDOWS\system32\xepdbcuc.dat
2008-01-20 15:34:27 741632 --a------ C:\WINDOWS\system32\srypdvyo.dat
2008-01-20 15:13:08 0 d-------- C:\WINDOWS\system32\NtmsData
2008-01-18 00:47:23 0 d-------- C:\WINDOWS\pss
2008-01-18 00:24:43 120576 --a------ C:\WINDOWS\system32\kdnogtlr.dat
2008-01-18 00:18:11 0 d-------- C:\WINDOWS\system32\AppCert
2008-01-17 19:16:12 0 d-------- C:\WINDOWS\SxsCaPendDel


-- Find3M Report ---------------------------------------------------------------

2008-02-13 23:52:15 2874 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-01-23 10:36:53 0 d-------- C:\Program Files\Common Files
2008-01-20 16:07:37 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-01-18 00:55:48 0 d-------- C:\Program Files\Google
2008-01-18 00:53:05 0 d-------- C:\Program Files\HP
2008-01-18 00:53:05 0 d-------- C:\Program Files\Hewlett-Packard
2008-01-18 00:43:21 0 d-------- C:\Program Files\McAfee
2008-01-17 22:55:54 0 d-------- C:\Program Files\Windows Live Toolbar
2008-01-17 22:55:29 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-01-17 22:10:25 0 d-------- C:\Program Files\BigFix
2008-01-17 22:07:45 0 d-------- C:\Program Files\DeductionPro 2006
2008-01-17 19:23:31 0 d-------- C:\Program Files\TaxCut06
2008-01-17 19:19:02 0 d-------- C:\Program Files\Palm
2008-01-17 19:18:28 0 d-------- C:\Program Files\Common Files\InstallShield
2008-01-17 19:18:24 0 d-------- C:\Program Files\Napster
2008-01-17 19:16:13 0 d-------- C:\Documents and Settings\Owner\Application Data\Professional
2008-01-17 19:14:43 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-17 15:08:08 0 d-------- C:\Program Files\Pure Networks
2008-01-17 15:06:26 0 d-------- C:\Program Files\Common Files\AOL


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [01/12/2005 03:01 AM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [11/05/2004 07:47 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/05/2004 07:47 AM]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [04/28/2005 09:05 PM]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" []
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [07/07/2005 08:55 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [01/20/2008 04:52 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 11:00 AM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 03:45 PM]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~3\wcescomm.exe" [06/20/2006 09:36 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 9:05:26 PM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S




-- End of Deckard's System Scanner: finished at 2008-02-14 17:16:08 ------------



extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Turion™ 64 Mobile Technology ML-32
Percentage of Memory in Use: 34%
Physical Memory (total/avail): 958.23 MiB / 628.2 MiB
Pagefile Memory (total/avail): 2311.35 MiB / 2072.02 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1945.22 MiB

C: is Fixed (NTFS) - 86.31 GiB total, 75.22 GiB free.
D: is Fixed (FAT32) - 6.83 GiB total, 4.55 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - HTS421210H9AT00 - 93.16 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 86.31 GiB - C:
\PARTITION1 - Unknown - 6.84 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG 7.5.516 v7.5.516 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:*:Disabled:ActiveSync RAPI Manager"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SAM
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\SAM
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 36 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2402
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=SAM
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,[email protected] -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Broadcom 802.11 Network Adapter --> C:\WINDOWS\system32\BCMWLU00.exe verbose
Browser Address Error Redirector --> regsvr32 /u /s "c:\windows\system32\BAE.dll"
Conexant AC-Link Audio --> C:\Program Files\CONEXANT\CNXT_AUDIO\HXFSETUP.EXE -U -Iqta0300a.INF
DVD Solution --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
Gateway Download Assistant --> MsiExec.exe /I{A2A73632-BBAA-43EB-A337-ADF43F905A1C}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
Microsoft ActiveSync 4.0 --> MsiExec.exe /I{B208806F-A231-4FA0-AB3F-5C1B8979223E}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Digital Image Library 9 - Blocker -->
Microsoft Digital Image Starter Edition 2006 --> "C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=TRIAL VERSION=11
Microsoft Digital Image Starter Edition 2006 Editor -->
Microsoft Digital Image Starter Edition 2006 Library -->
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007 --> MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office Home and Student 2007 Trial --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Standard 2007 --> MsiExec.exe /X{91120000-0012-0000-0000-0000000FF1CE}
Microsoft Office Standard 2007 Trial --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall STANDARDR /dll OSETUP.DLL
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Software Update for Web Folders (English) 12 -->
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Power2Go 4.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\setup.exe" -uninstall
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Recovery Software Suite Gateway -->
Samsung SPH-i500 USB Driver and Tools -->
Samsung SPH-i500 USB Driver and Tools --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{E3E70877-8E21-4696-8346-EAC61BE59A3E}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) -->
Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_1002&DEV_4378&SUBSYS_0300107B\HXFSETUP.EXE -U -Iqta0300m.inf
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Texas Instruments PCIxx21/x515/xx12 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{7B6CF9EB-CB2B-4A1A-81A9-BE1A9044690A} /l1033
TIPCI -->
Update for Outlook 2007 Junk Email Filter (kb943597) --> msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {A751F0DB-8476-4207-956E-20AEBBA4B1DA}
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
WebFldrs XP -->
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type2066 / Error
Event Submitted/Written: 02/13/2008 11:58:30 PM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 642835935.

Event Record #/Type2065 / Error
Event Submitted/Written: 02/13/2008 11:58:24 PM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 642835935.

Event Record #/Type2064 / Error
Event Submitted/Written: 02/13/2008 11:58:06 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application firefox.exe, version 1.8.20080.20121, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2063 / Error
Event Submitted/Written: 02/13/2008 11:57:58 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application firefox.exe, version 1.8.20080.20121, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2039 / Error
Event Submitted/Written: 02/11/2008 08:29:26 PM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 647298838.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type12990 / Warning
Event Submitted/Written: 02/14/2008 10:13:22 AM
Event ID/Source: 240 / Win32k
Event Description:
A request to suspend power was denied by winlogon.exe.

Event Record #/Type12843 / Warning
Event Submitted/Written: 02/13/2008 09:30:43 PM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 0014A593ECF4. The IP address being used is 169.254.9.71.

Event Record #/Type12829 / Warning
Event Submitted/Written: 02/13/2008 09:25:35 PM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 0014A593ECF4. The IP address being used is 169.254.9.71.

Event Record #/Type12815 / Warning
Event Submitted/Written: 02/13/2008 09:22:57 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0014A593ECF4. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type12814 / Warning
Event Submitted/Written: 02/13/2008 09:22:52 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0014A593ECF4. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.



-- End of Deckard's System Scanner: finished at 2008-02-14 17:16:08 ------------
  • 0

#13
CRKstar

CRKstar

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
Malwarebytes' Anti-Malware 1.03
Database version: 361

Scan type: Quick Scan
Objects scanned: 22760
Time elapsed: 6 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\AppCert\wsil32.dll (Trojan.Downloader) -> Unloaded module successfully.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\AppCert (Trojan.Downloader) -> Failed to delete.

Files Infected:
c:\WINDOWS\system32\AppCert\wsil32.dll (Trojan.Downloader) -> Failed to delete. (Delete on reboot).
C:\WINDOWS\system32\AppCert\ color (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AppCert\ font-size (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AppCert\ font-weight (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AppCert\filter.drv (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AppCert\hb13a.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AppCert\options.dat (Trojan.Downloader) -> Quarantined and deleted successfully.
  • 0

#14
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Delete this folder in bold

C:\WINDOWS\system32\AppCert



Now let's uninstall Combofix:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
The above procedure will do the following:
  • Delete ComboFix and its associated files and folders.
  • Delete VundoFix backups, if present
  • Delete the C:\Deckard folder, if present
  • Delete the C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at:
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest security updates installed.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein's article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0

#15
CRKstar

CRKstar

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
Good morning. I think that the AppCert folder was already deleted, because I cannot find it, and I do believe that after I rebooted it was gone. My computer is running great again; I appreciate your help so much ^_^ I am already a Firefox user and I am very pleased, but I will be checking out the article on "How Did I Get Infected" because I am at a loss as well!
Thank you again and I will tell all my friends about you guys!
  • 0
