Bugs and worms and Malware...Oh my [RESOLVED]

#1 Cygnus (Member, 78 posts)

My biggest problem is Windows Explorer not always loading on startup. I have also had issues with spyware and adware. I run Spybot S&S, AdAware SE, Spyware Doctor and Registry Doctor frequently. Most of it is harmless enough, but I get this virtumonde.dll that shuts my system down when I try to clean it with Spybot. Nasty lil bugger from what I read about it and its propensity for not wanting to be deleted.
I stay away from IE as much as possible and use Firefox as my browser. I also have Zone Alarm running as my firewall.

I am trying to learn more about the internal functioning of PCs and I am sure there are more than a few things that need to be fixed in here. My laptop is a Dell and did not come with an OS disc as it is stored in a partition of the HDD so an OS repair is not possible.

Can anyone decipher this and tell me what can help my system?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:00 PM, on 2/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wudfhost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [a8143fe2] rundll32.exe "C:\WINDOWS\system32\ijhxhbgo.dll",b
O4 - HKLM\..\Run: [BMab270c7e] Rundll32.exe "C:\WINDOWS\system32\uteyotgs.dll",s
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: BitmapEx - {F756A28D-DCD5-46be-BCAB-17C088D07227} - C:\Program Files\BitmapEx\BITMAPEX.EXE
O9 - Extra 'Tools' menuitem: &BitmapEx - {F756A28D-DCD5-46be-BCAB-17C088D07227} - C:\Program Files\BitmapEx\BITMAPEX.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FFF028D-7030-41F6-B65F-A95C49D738C9}: NameServer = 155.149.34.4
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Mrtmancfp - American Megatrends Inc. - (no file)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8455 bytes

#2 miekiemoes (Malware Expert, MVP, 5,503 posts)

Hi,

Please uninstall Zonealarm since you already have Trendmicro Internet Security installed which already contains a firewall.

Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#3 Cygnus (Topic Starter, Member, 78 posts)

Thanks "Mickey",

I am working on it now... But I seem to have neglected the fact that my OS is Windows XP Media Center Edition version 2002 w/ Service Pack 2 and I do not see a link for that... Will using regular Home Edition work?

Well, judging by the result of the ComboFix log, I am gonna guess the "creating the recovery console" part did not work.

Here is the ComboFix log:

ComboFix 08-02-13.2 - BassMan 2008-02-13 19:24:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1476 [GMT -5:00]
Running from: C:\Documents and Settings\BassMan\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\icroso~1
C:\Program Files\Movie Maker\hokeqobij4444.dll
C:\Program Files\Movie Maker\hokeqobij83122.dll
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\xOe
C:\Temp\xOe\tOasF.log
C:\WINDOWS\adaway.lic
C:\WINDOWS\b104.exe
C:\WINDOWS\b147.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\b1
C:\WINDOWS\system32\bbc1
C:\WINDOWS\system32\bbc1\bsasven2.exe
C:\WINDOWS\system32\bcesuapu.dll
C:\WINDOWS\system32\bdfvlrga.dll
C:\WINDOWS\system32\cvwyutvu.ini
C:\WINDOWS\system32\drivers\sfsync02.sys
C:\WINDOWS\system32\egptagbn.dll
C:\WINDOWS\system32\eqxoqebi.dll
C:\WINDOWS\system32\ethbhvax.ini
C:\WINDOWS\system32\ftnfenag.dll
C:\WINDOWS\system32\hdikumlu.dll
C:\WINDOWS\system32\ilookqaf.ini
C:\WINDOWS\system32\ilrihbae.dll
C:\WINDOWS\system32\jvxjkiaf.ini
C:\WINDOWS\system32\kcxwlcqk.ini
C:\WINDOWS\system32\ktgikqmy.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\meawnavr.dll
C:\WINDOWS\system32\mqcdbnux.dll
C:\WINDOWS\system32\mwamxylw.ini
C:\WINDOWS\system32\nqeoiwkx.dll
C:\WINDOWS\system32\oihcvdep.dll
C:\WINDOWS\system32\oxiehxmt.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qsoierjt.dll
C:\WINDOWS\system32\snrdrchx.ini
C:\WINDOWS\system32\ss1
C:\WINDOWS\system32\tbgtdkao.dll
C:\WINDOWS\system32\uffyuirg.ini
C:\WINDOWS\system32\ugopbdty.dll
C:\WINDOWS\system32\vMW02a
C:\WINDOWS\system32\vMW02a\vMW02a1065.exe
C:\WINDOWS\system32\xelshjmh.dll
C:\WINDOWS\system32\xyhpndda.dll
C:\WINDOWS\system32\ycjblgkt.ini
C:\WINDOWS\system32\yjjkdpjg.dll
C:\WINDOWS\system32\yrrakukr.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_SFSYNC02
-------\sfsync02


((((((((((((((((((((((((( Files Created from 2008-01-14 to 2008-02-14 )))))))))))))))))))))))))))))))
.

2008-02-11 18:58 . 2008-02-11 18:58 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-02-11 18:13 . 2008-02-11 18:57 <DIR> d-------- C:\VundoFix Backups
2008-02-11 14:13 . 2008-02-11 14:14 <DIR> d-------- C:\Program Files\Sexy Poker 5
2008-02-11 10:06 . 2008-02-11 10:06 <DIR> d-------- C:\Documents and Settings\BassMan\Application Data\Magic Match
2008-02-08 11:28 . 2008-02-13 14:23 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-08 11:28 . 2008-02-08 11:28 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-07 16:36 . 2008-02-07 16:36 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-02-07 14:02 . 2005-02-01 14:20 5,760,056 --a------ C:\WINDOWS\Darkstar.bmp
2008-02-07 13:47 . 2008-02-07 13:47 3,932,214 --a------ C:\WINDOWS\AW_XenoMorph1280.bmp
2008-02-07 13:40 . 2003-02-26 22:27 36,864 --a------ C:\WINDOWS\system32\wbsys.dll
2008-02-06 05:52 . 2008-02-06 05:52 <DIR> d-------- C:\Program Files\Kristanix
2008-01-18 16:09 . 2008-01-24 21:50 <DIR> d-------- C:\Program Files\Adware Away
2008-01-18 14:06 . 2008-02-05 14:26 147 --a------ C:\WINDOWS\BMab270c7e.xml
2008-01-18 14:06 . 2008-02-11 18:11 22 --a------ C:\WINDOWS\pskt.ini
2008-01-17 07:23 . 2008-01-18 07:26 354 ---hs---- C:\WINDOWS\system32\kenevtyh.ini
2008-01-15 08:59 . 2008-01-15 08:59 <DIR> d-------- C:\Program Files\Lexmark_HostCD
2008-01-15 08:59 . 2004-01-12 01:02 307,200 --a------ C:\WINDOWS\system32\lexlog.dll
2008-01-15 08:59 . 2008-01-15 08:59 1,699 --a------ C:\WINDOWS\system32\LexFiles.ulf
2008-01-15 08:59 . 2008-02-13 15:50 1,044 --a------ C:\WINDOWS\system32\LexFiles.usr
2008-01-15 08:58 . 2008-01-15 08:58 1,084 --a------ C:\WINDOWS\LMAAP2DD.ini
2008-01-15 08:54 . 2008-01-15 08:54 <DIR> d-------- C:\lexmark

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-11 15:04 --------- d-----w C:\Program Files\PopCap Games
2008-02-04 17:08 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-23 13:06 --------- d-----w C:\Program Files\FED LOG
2008-01-20 16:42 --------- d-----w C:\Program Files\America Online 9.0
2008-01-16 21:32 --------- d-----w C:\Documents and Settings\BassMan\Application Data\U3
2008-01-13 12:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-13 12:50 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-12 17:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-01-12 17:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\PopCapv1004
2008-01-11 12:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\SpinTop Games
2008-01-10 17:33 --------- d-----w C:\Documents and Settings\BassMan\Application Data\Pirateville
2008-01-10 17:15 --------- d-----w C:\Program Files\Shockwave.com
2008-01-07 11:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\MumboJumbo
2008-01-07 11:34 --------- d-----w C:\Program Files\Oberon Media
2008-01-04 11:56 --------- d-----w C:\Documents and Settings\BassMan\Application Data\iWin
2008-01-03 02:07 --------- d-----w C:\Program Files\Enigma Software Group
2008-01-02 03:30 --------- d-----w C:\Program Files\Java
2008-01-01 01:09 --------- d-----w C:\Program Files\Eltima Software
2007-12-29 15:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-28 19:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-12-23 20:56 --------- d-----w C:\Program Files\Apoint
2007-12-23 20:55 --------- d-----w C:\Program Files\BitmapEx
2007-12-19 01:12 --------- d-----w C:\Program Files\XP Smoker
2007-10-25 09:19 10 -c--a-w C:\Program Files\.autoreg
2006-11-17 17:08 251 -c--a-w C:\Program Files\wt3d.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 19:39 176201]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-10-12 10:06 1695504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 17:33 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 15:59 385024]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 22:05 344064]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 11:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 17:30 823362]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2004-04-07 13:07 496752]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 04:33 122941]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-10-12 10:06 1695504]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 23:37:56 217194]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-05-16 17:39:25 113664]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-01-12 15:03:38 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoInstrumentation"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^BassMan^Start Menu^Programs^Startup^Neverwinter Nights Registration.lnk]
backup=C:\WINDOWS\pss\Neverwinter Nights Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a--c--- 2006-01-12 15:17 168448 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2007-06-28 09:14 270648 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MOD]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a--c--- 2006-01-12 15:07 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Fax"=2 (0x2)
"UStorage Server Service"=2 (0x2)

R2 PDFILTER;PDFILTER;C:\PROGRA~1\Dekart\PRIVAT~1\PDFILTER.SYS [2005-12-20 12:17]
R2 PDRJNDL;PDRJNDL;C:\PROGRA~1\Dekart\PRIVAT~1\PDRJNDL.SYS [2004-03-19 10:17]
R2 PRVDISK;PRVDISK;C:\PROGRA~1\Dekart\PRIVAT~1\PRVDISK.SYS [2005-10-02 15:25]
R2 ssoftnt4;ssoftnt4;C:\WINDOWS\system32\Drivers\ssoftnt4.sys [2004-05-21 01:30]
S3 gel90xne;gel90xne;C:\DOCUME~1\BassMan\LOCALS~1\Temp\gel90xne.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c524a00-e242-11db-911a-00038a000015}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d02e4686-eaf1-11da-8f07-00038a000015}]
\Shell\AutoRun\command - E:\LinksysConnectPC.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-13 19:35:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Apoint\Apntex.exe
.
**************************************************************************
.
Completion time: 2008-02-13 19:39:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-14 00:38:59
.
2008-02-13 21:35:39 --- E O F ---

and the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:42:00 PM, on 2/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - blank (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: BitmapEx - {F756A28D-DCD5-46be-BCAB-17C088D07227} - C:\Program Files\BitmapEx\BITMAPEX.EXE
O9 - Extra 'Tools' menuitem: &BitmapEx - {F756A28D-DCD5-46be-BCAB-17C088D07227} - C:\Program Files\BitmapEx\BITMAPEX.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FFF028D-7030-41F6-B65F-A95C49D738C9}: NameServer = 155.149.34.4
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Mrtmancfp - American Megatrends Inc. - (no file)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8760 bytes

Hope you can do something with it. I hated losing ZoneAlarm. It seemed to catch and block attempts to get into my system then TrendMicro did not.....

Oh yeah.... I found your page on the removal of the virtumonde virus and used the program to remove it. Got rid of a LOT of .dll's and the virtumonde.
Noticed an improvement in D/L speed!
I went from 60-90 minutes for a 95mb file to 25-30 minutes.

Edited by Cygnus, 13 February 2008 - 06:50 PM.

  • 0
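An added example, written for this page rather than taken from the thread or from the HijackThis tool, of the triage a helper does by eye on a log like the one above: it parses the O-section lines and nominates entries for review (a BHO with no name, an autostart under the SYSTEM account, the DNS server in O17 to confirm against what the ISP or DHCP assigned, a service entry whose binary is gone, and eight-character file names under C:\WINDOWS, the shape Vundo's drops took in this thread). The sample lines are copied from the log above except the second O2 line, whose CLSID and file name are invented for the demonstration. The name heuristic only produces candidates (ssoftsrv.exe is Cryptainer's service and would be nominated too), so a hit is confirmed the way the thread does later, with a hash lookup, and is not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "O17"
    reason: str    # why the line deserves a second look
    line: str      # the log line itself


# A HijackThis entry looks like "O<n> - <rest>".  R0/R1/F0 lines exist too,
# but the checks below only concern the O sections that mattered in this thread.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

# First path in a line: drive letter, anything (spaces allowed), then a file
# name with one of the extensions malware usually drops.
PATH_RE = re.compile(r'([A-Za-z]:\\.*?([^\\"\s]+\.(?:dll|exe|sys|ini)))', re.I)

# Vundo's drops in this thread were eight lowercase alphanumerics
# (kenevtyh.ini, agebaitd.dll, gel90xne).  Legitimate files match too
# (ssoftsrv.exe is Cryptainer), so a hit is a candidate for review, not a verdict.
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{8}\.(?:dll|exe|sys|ini)$")
SYSTEM_DIRS = ("c:\\windows\\",)   # covers system32 as well


def random_named_system_file(rest: str) -> Optional[str]:
    """Return the file name if the entry points at an 8-character file under C:\\WINDOWS."""
    m = PATH_RE.search(rest)
    if not m:
        return None
    full, name = m.group(1).lower(), m.group(2).lower()
    if RANDOM_NAME_RE.match(name) and full.startswith(SYSTEM_DIRS):
        return name
    return None


def triage(log_text: str) -> List[Finding]:
    """Run the per-section checks over a HijackThis log and collect review items."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, rest = m.groups()
        name = random_named_system_file(rest)
        if name:
            findings.append(Finding(section, f"random-looking file {name} in a system directory", line))
        if section == "O2" and rest.startswith("BHO: (no name)"):
            # Spybot's SDHelper.dll registers without a name too, hence "review".
            findings.append(Finding(section, "BHO registered without a name", line))
        elif section == "O4" and rest.startswith("HKUS\\S-1-5-18"):
            findings.append(Finding(section, "autostart that runs under the SYSTEM account", line))
        elif section == "O17":
            ns = re.search(r"NameServer = (\S+)", rest)
            if ns:
                findings.append(Finding(section, f"DNS server {ns.group(1)}: confirm it is the one the ISP or DHCP assigned", line))
        elif section == "O23" and rest.endswith("(no file)"):
            findings.append(Finding(section, "service entry whose binary no longer exists", line))
    return findings


# Constructed sample: lines copied from the log above, plus one invented O2 line
# (CLSID and file name are not real) so the name heuristic has something to fire on.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {DEADBEEF-0000-4000-8000-000000000001} - C:\WINDOWS\system32\qwzxkjvp.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FFF028D-7030-41F6-B65F-A95C49D738C9}: NameServer = 155.149.34.4
O23 - Service: Mrtmancfp - American Megatrends Inc. - (no file)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run it on a saved log with `triage(open(path).read())`; nothing in it needs Windows, so a log pasted into a forum post can be checked offline.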

#4
miekiemoes (Malware Expert, MVP, 5,503 posts)

Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into Notepad:

File::
C:\WINDOWS\BMab270c7e.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\kenevtyh.ini

Folder::
C:\VundoFix Backups

Driver::
gel90xne

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

By the way, did you install this Sexy Poker 5 ?
  • 0

#5
Cygnus (Topic Starter, Member, 78 posts)

Hi back...

Yes I installed Sexy Poker 5. It is a pleasant time passer, nice eye candy. Is there something wrong with it?

Anyways, here are the logs:

ComboFix 08-02-13.2 - BassMan 2008-02-14 7:58:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1332 [GMT -5:00]
Running from: C:\Documents and Settings\BassMan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\BassMan\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\BMab270c7e.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\kenevtyh.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\agebaitd.dll.bad
C:\VundoFix Backups\agipqhny.dll.bad
C:\VundoFix Backups\akraswfl.dll.bad
C:\VundoFix Backups\begxuqne.dll.bad
C:\VundoFix Backups\bmjmhrsq.dll.bad
C:\VundoFix Backups\bppugxjg.dll.bad
C:\VundoFix Backups\bshxcvol.dll.bad
C:\VundoFix Backups\bybjxbbl.dll.bad
C:\VundoFix Backups\corhubew.dll.bad
C:\VundoFix Backups\dahcatfk.dll.bad
C:\VundoFix Backups\dvbmbvvj.dll.bad
C:\VundoFix Backups\efeovoxv.dll.bad
C:\VundoFix Backups\emlrlsfk.ini.bad
C:\VundoFix Backups\emqlhxnm.dll.bad
C:\VundoFix Backups\feiehced.dll.bad
C:\VundoFix Backups\frxpeoxs.dll.bad
C:\VundoFix Backups\ftkcpcxa.dll.bad
C:\VundoFix Backups\ftnastur.dll.bad
C:\VundoFix Backups\gdttgmuw.dll.bad
C:\VundoFix Backups\grpasapa.dll.bad
C:\VundoFix Backups\hgcvskgd.dll.bad
C:\VundoFix Backups\hxjiqgly.dll.bad
C:\VundoFix Backups\ibteuotf.dll.bad
C:\VundoFix Backups\idltwepx.dll.bad
C:\VundoFix Backups\ihstougj.dll.bad
C:\VundoFix Backups\ijhxhbgo.dll.bad
C:\VundoFix Backups\inioorre.dll.bad
C:\VundoFix Backups\inptlrqu.dll.bad
C:\VundoFix Backups\joopqwto.dll.bad
C:\VundoFix Backups\jpicibsv.dll.bad
C:\VundoFix Backups\kfslrlme.dll.bad
C:\VundoFix Backups\kfwbqnau.dll.bad
C:\VundoFix Backups\kjwqwgnu.dll.bad
C:\VundoFix Backups\kmnhdsbv.dll.bad
C:\VundoFix Backups\kqclwxck.dll.bad
C:\VundoFix Backups\lwdhldhh.dll.bad
C:\VundoFix Backups\mrkwaevl.dll.bad
C:\VundoFix Backups\mrnpywhs.dll.bad
C:\VundoFix Backups\nuvciftp.dll.bad
C:\VundoFix Backups\oaumbpun.dll.bad
C:\VundoFix Backups\oayjhoxp.dll.bad
C:\VundoFix Backups\ogbhxhji.ini.bad
C:\VundoFix Backups\oslctimh.dll.bad
C:\VundoFix Backups\peqsgsrn.dll.bad
C:\VundoFix Backups\prssmeay.dll.bad
C:\VundoFix Backups\qakqplse.dll.bad
C:\VundoFix Backups\qbwyxyoo.dll.bad
C:\VundoFix Backups\qdscuwqc.dll.bad
C:\VundoFix Backups\qfefjmqr.dll.bad
C:\VundoFix Backups\qkcbykcl.dll.bad
C:\VundoFix Backups\qqstv.bak1.bad
C:\VundoFix Backups\qqstv.bak2.bad
C:\VundoFix Backups\qqstv.ini.bad
C:\VundoFix Backups\qqstv.ini2.bad
C:\VundoFix Backups\rqpuyxtp.dll.bad
C:\VundoFix Backups\rutsantf.ini.bad
C:\VundoFix Backups\sdfohmgg.dll.bad
C:\VundoFix Backups\sipqhnej.dll.bad
C:\VundoFix Backups\sjaykvol.dll.bad
C:\VundoFix Backups\swhnumps.dll.bad
C:\VundoFix Backups\tgbetkkn.dll.bad
C:\VundoFix Backups\tifhxxmm.dll.bad
C:\VundoFix Backups\udvvkako.dll.bad
C:\VundoFix Backups\ueecxobd.dll.bad
C:\VundoFix Backups\uhfdrcgb.dll.bad
C:\VundoFix Backups\ulgpswfv.dll.bad
C:\VundoFix Backups\uprtkrkl.dll.bad
C:\VundoFix Backups\uteyotgs.dll.bad
C:\VundoFix Backups\vbxufxdt.dll.bad
C:\VundoFix Backups\vtsqq.dll.bad
C:\VundoFix Backups\vxswvpas.dll.bad
C:\VundoFix Backups\whhaxmvg.dll.bad
C:\VundoFix Backups\wjbbcvxf.dll.bad
C:\VundoFix Backups\wshqmsgp.dll.bad
C:\VundoFix Backups\xhriygck.dll.bad
C:\VundoFix Backups\xjqwmovd.dll.bad
C:\VundoFix Backups\xknwleyx.dll.bad
C:\VundoFix Backups\xomjpxtc.dll.bad
C:\VundoFix Backups\ynhprmvw.dll.bad
C:\VundoFix Backups\ytuevlwt.dll.bad
C:\VundoFix Backups\yxoybfxh.dll.bad
C:\WINDOWS\BMab270c7e.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\kenevtyh.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_GEL90XNE
-------\gel90xne


((((((((((((((((((((((((( Files Created from 2008-01-14 to 2008-02-14 )))))))))))))))))))))))))))))))
.

2008-02-11 18:58 . 2008-02-11 18:58 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-02-11 14:13 . 2008-02-11 14:14 <DIR> d-------- C:\Program Files\Sexy Poker 5
2008-02-11 10:06 . 2008-02-11 10:06 <DIR> d-------- C:\Documents and Settings\BassMan\Application Data\Magic Match
2008-02-08 11:28 . 2008-02-13 14:23 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-08 11:28 . 2008-02-08 11:28 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-07 16:36 . 2008-02-07 16:36 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-02-07 13:40 . 2003-02-26 22:27 36,864 --a------ C:\WINDOWS\system32\wbsys.dll
2008-02-06 05:52 . 2008-02-06 05:52 <DIR> d-------- C:\Program Files\Kristanix
2008-01-18 16:09 . 2008-01-24 21:50 <DIR> d-------- C:\Program Files\Adware Away
2008-01-15 08:59 . 2008-01-15 08:59 <DIR> d-------- C:\Program Files\Lexmark_HostCD
2008-01-15 08:59 . 2004-01-12 01:02 307,200 --a------ C:\WINDOWS\system32\lexlog.dll
2008-01-15 08:59 . 2008-01-15 08:59 1,699 --a------ C:\WINDOWS\system32\LexFiles.ulf
2008-01-15 08:59 . 2008-02-13 15:50 1,044 --a------ C:\WINDOWS\system32\LexFiles.usr
2008-01-15 08:58 . 2008-01-15 08:58 1,084 --a------ C:\WINDOWS\LMAAP2DD.ini
2008-01-15 08:54 . 2008-01-15 08:54 <DIR> d-------- C:\lexmark

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-11 15:04 --------- d-----w C:\Program Files\PopCap Games
2008-02-04 17:08 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-23 13:06 --------- d-----w C:\Program Files\FED LOG
2008-01-20 16:42 --------- d-----w C:\Program Files\America Online 9.0
2008-01-16 21:32 --------- d-----w C:\Documents and Settings\BassMan\Application Data\U3
2008-01-13 12:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-13 12:50 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-12 17:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-01-12 17:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\PopCapv1004
2008-01-11 12:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\SpinTop Games
2008-01-10 17:33 --------- d-----w C:\Documents and Settings\BassMan\Application Data\Pirateville
2008-01-10 17:15 --------- d-----w C:\Program Files\Shockwave.com
2008-01-07 11:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\MumboJumbo
2008-01-07 11:34 --------- d-----w C:\Program Files\Oberon Media
2008-01-04 11:56 --------- d-----w C:\Documents and Settings\BassMan\Application Data\iWin
2008-01-03 02:07 --------- d-----w C:\Program Files\Enigma Software Group
2008-01-02 03:30 --------- d-----w C:\Program Files\Java
2008-01-01 01:09 --------- d-----w C:\Program Files\Eltima Software
2007-12-29 15:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-28 19:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-12-23 20:56 --------- d-----w C:\Program Files\Apoint
2007-12-23 20:55 --------- d-----w C:\Program Files\BitmapEx
2007-12-19 01:12 --------- d-----w C:\Program Files\XP Smoker
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-10-25 09:19 10 -c--a-w C:\Program Files\.autoreg
2006-11-17 17:08 251 -c--a-w C:\Program Files\wt3d.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 19:39 176201]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-10-12 10:06 1695504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 17:33 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 15:59 385024]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 22:05 344064]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 11:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 17:30 823362]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2004-04-07 13:07 496752]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 04:33 122941]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-10-12 10:06 1695504]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 23:37:56 217194]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-05-16 17:39:25 113664]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-01-12 15:03:38 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoInstrumentation"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^BassMan^Start Menu^Programs^Startup^Neverwinter Nights Registration.lnk]
backup=C:\WINDOWS\pss\Neverwinter Nights Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a--c--- 2006-01-12 15:17 168448 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2007-06-28 09:14 270648 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MOD]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a--c--- 2006-01-12 15:07 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Fax"=2 (0x2)
"UStorage Server Service"=2 (0x2)

R2 PDFILTER;PDFILTER;C:\PROGRA~1\Dekart\PRIVAT~1\PDFILTER.SYS [2005-12-20 12:17]
R2 PDRJNDL;PDRJNDL;C:\PROGRA~1\Dekart\PRIVAT~1\PDRJNDL.SYS [2004-03-19 10:17]
R2 PRVDISK;PRVDISK;C:\PROGRA~1\Dekart\PRIVAT~1\PRVDISK.SYS [2005-10-02 15:25]
R2 ssoftnt4;ssoftnt4;C:\WINDOWS\system32\Drivers\ssoftnt4.sys [2004-05-21 01:30]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c524a00-e242-11db-911a-00038a000015}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d02e4686-eaf1-11da-8f07-00038a000015}]
\Shell\AutoRun\command - E:\LinksysConnectPC.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-14 08:03:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccVScan.exe
.
**************************************************************************
.
Completion time: 2008-02-14 8:06:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-14 13:05:55
ComboFix2.txt 2008-02-14 00:39:04
.
2008-02-14 01:02:36 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:10:45 AM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: BitmapEx - {F756A28D-DCD5-46be-BCAB-17C088D07227} - C:\Program Files\BitmapEx\BITMAPEX.EXE
O9 - Extra 'Tools' menuitem: &BitmapEx - {F756A28D-DCD5-46be-BCAB-17C088D07227} - C:\Program Files\BitmapEx\BITMAPEX.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FFF028D-7030-41F6-B65F-A95C49D738C9}: NameServer = 155.149.34.4
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Mrtmancfp - American Megatrends Inc. - (no file)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7969 bytes
  • 0

#6
miekiemoes (Malware Expert, MVP, 5,503 posts)

Hi,

Yes I installed Sexy Poker 5. It is a pleasant time passer, nice eye candy. Is there something wrong with it?

Nothing wrong with it, but I wanted to be sure you installed it, since some malware also installs poker games. :)

one more thing..

Go to next site:
http://www.virustota.../en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\WINDOWS\system32\drivers\mrxdav.sys

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.
  • 0

#7
Cygnus (Topic Starter, Member, 78 posts)

Hi,

I tried to line it up to be easier to read.... but the BB had other ideas

File mrxdav.sys received on 02.14.2008 15:19:52 (CET)
Result: 0/32 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.2.15.10 2008.02.14 -
AntiVir 7.6.0.65 2008.02.14 -
Authentium 4.93.8 2008.02.14 -
Avast 4.7.1098.0 2008.02.14 -
AVG 7.5.0.516 2008.02.14 -
BitDefender 7.2 2008.02.14 -
CAT-QuickHeal None 2008.02.13 -
ClamAV 0.92.1 2008.02.14 -
DrWeb 4.44.0.09170 2008.02.14 -
eSafe 7.0.15.0 2008.02.13 -
eTrust-Vet 31.3.5536 2008.02.14 -
Ewido 4.0 2008.02.14 -
FileAdvisor 1 2008.02.14 -
Fortinet 3.14.0.0 2008.02.14 -
F-Prot 4.4.2.54 2008.02.13 -
F-Secure 6.70.13260.0 2008.02.14 -
Ikarus T3.1.1.20 2008.02.14 -
Kaspersky 7.0.0.125 2008.02.14 -
McAfee 5229 2008.02.13 -
Microsoft 1.3204 2008.02.14 -
NOD32v2 2874 2008.02.14 -
Norman 5.80.02 2008.02.13 -
Panda 9.0.0.4 2008.02.14 -
Prevx1 V2 2008.02.14 -
Rising 20.31.30.00 2008.02.14 -
Sophos 4.26.0 2008.02.14 -
Sunbelt 2.2.907.0 2008.02.14 -
Symantec 10 2008.02.14 -
TheHacker 6.2.9.219 2008.02.13 -
VBA32 3.12.6.1 2008.02.14 -
VirusBuster 4.3.26:9 2008.02.14 -
Webwasher-Gateway 6.6.2 2008.02.14 -

Additional information
File size: 179584 bytes
MD5: 29414447eb5bde2f8397dc965dbb3156
SHA1: 62ab850629d64a18429da562c7897afcc03b6917
PEiD: -
packers: PE_Patch

Edited by Cygnus, 14 February 2008 - 08:42 AM.

  • 0

#8
miekiemoes (Malware Expert, MVP, 5,503 posts)

Hi,

This looks OK :)

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
  • 0

#9
Cygnus (Topic Starter, Member, 78 posts)

Hey,

So far so good! D/L time on large files is faster, have not had any problems with windows explorer not loading, memory hog programs (particularly Acrobat Professional) load WAY faster now and have not had any pop-ups. I have not had the chance to really put it through the paces but things are looking great! I cannot get my DVD player to autoload though and when I insert flash drives they do not auto open anymore either. A few other quirks that are more of how I personalized my system have to be redone but all-in-all nothing major. Thanks for the help.

Based on what you saw and did, what would you say were the problems and how did you fix them? Perhaps I can be more on the lookout for problems in the future if I know what to look for.

Edited by Cygnus, 15 February 2008 - 06:48 AM.

  • 0

#10
miekiemoes (Malware Expert, MVP, 5,503 posts)

Hi,

I cannot get my DVD player to autoload though and when I insert flash drives they do not auto open anymore either.

This is a "security fix" ComboFix made. This is because many infections exploit the Windows autorun functionality > result > all removable media get infected as well > result > if this infected removable media (for example a flash drive) is used on other computers, they will be infected too. That's why ComboFix disabled autorun as a security measure.

If you want to enable autorun again:

Open Notepad and copy and paste the text in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveAutoRun"=dword:00000000
"NoDriveTypeAutoRun"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveAutoRun"=dword:00000000
"NoDriveTypeAutoRun"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun"=-

Save this as fix.reg (choose to save as *all files*) and place it on your desktop.
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)


Based on what you saw and did, what would you say was the problems and how did you fix them. Perhaps I can be more on the lookout for problems in the future if I know what to look for.

You were dealing with many different infections, but they came with one bundled installer. Most probably you visited a questionable site (crack site/warez site) or downloaded "software" via P2P, where the exe was actually a malware installer. In such cases, when you run it, it will download more malware from different resources and install it on your system.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

Edited by miekiemoes, 15 February 2008 - 08:00 AM.

  • 0
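The registry mechanics behind that trade-off, as an added example that is not from the thread or from ComboFix: NoDriveTypeAutoRun is a bitmask over drive types (0xFF, which covers removable media, is the value that disables AutoRun everywhere; 0x91 appears below only as an example of a partial mask), NoDriveAutoRun is a separate per-drive-letter mask, and the ComboFix log earlier in the thread already showed the cached \Shell\AutoRun\command entries under MountPoints2 that this policy exists to neutralise. The code decodes both masks, writes the hardened policy in the same REGEDIT4 layout as fix.reg beside the re-enable shown above, and reads the value back so a .reg file can be checked before it is merged. The hardened variant leaves the Cdrom service's AutoRun flag alone (my choice, not something the thread prescribes). One caveat a practitioner would add: on Windows XP of this vintage the policy only disables AutoRun reliably once the update Microsoft describes in KB967715 is installed, which postdates this thread.

```python
from typing import Dict, List, Optional

# NoDriveTypeAutoRun is a bitmask over drive types: bit n is the drive type n
# that GetDriveType() reports, plus 0x80 for "reserved".  A set bit disables
# AutoRun for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable (USB sticks, floppies)",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD/DVD-ROM",
    0x40: "RAM disk",
    0x80: "reserved",
}
DISABLE_ALL = 0xFF   # hardened value: the only mask that also covers USB sticks

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def autorun_disabled_for(type_mask: int) -> List[str]:
    """Drive types on which AutoRun is disabled by a NoDriveTypeAutoRun value."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if type_mask & bit]


def letters_disabled(no_drive_autorun: int) -> List[str]:
    """NoDriveAutoRun is a per-letter mask instead: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:."""
    return [f"{chr(ord('A') + i)}:" for i in range(26) if (no_drive_autorun >> i) & 1]


def autorun_policy_reg(harden: bool) -> str:
    """REGEDIT4 text in the layout of the fix.reg above.

    harden=True  writes NoDriveTypeAutoRun=0xFF in both hives, the posture
                 ComboFix left the machine in.
    harden=False reproduces the thread's re-enable: the policy values are
                 deleted ("=-") so Windows falls back to its defaults, and the
                 Cdrom service's AutoRun override is deleted as well.
    """
    type_value = f"dword:{DISABLE_ALL:08x}" if harden else "-"
    lines = ["REGEDIT4", ""]
    for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"):
        lines += [f"[{hive}\\{POLICY_KEY}]",
                  '"NoDriveAutoRun"=dword:00000000',
                  f'"NoDriveTypeAutoRun"={type_value}',
                  ""]
    if not harden:
        lines += [r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]",
                  '"AutoRun"=-',
                  ""]
    return "\r\n".join(lines)   # .reg files are CRLF text


def read_type_mask(reg_text: str) -> Dict[str, Optional[int]]:
    """Parse NoDriveTypeAutoRun out of .reg text: {hive: mask}, None meaning 'delete'."""
    result: Dict[str, Optional[int]] = {}
    hive = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            hive = line[1:-1].split("\\", 1)[0]
        elif line.startswith('"NoDriveTypeAutoRun"=') and hive:
            value = line.split("=", 1)[1]
            result[hive] = None if value == "-" else int(value[len("dword:"):], 16)
    return result


if __name__ == "__main__":
    print("0xFF disables AutoRun on:", autorun_disabled_for(DISABLE_ALL))
    print("0x91 disables AutoRun on:", autorun_disabled_for(0x91))
    print("NoDriveAutoRun=0x5 disables letters:", letters_disabled(0x5))
    print(autorun_policy_reg(harden=True))
```

Merging the hardened text with regedit keeps the protection ComboFix applied; merging `autorun_policy_reg(False)` gives back exactly the fix.reg from the post above, with the DVD and flash-drive convenience and the propagation risk that comes with it.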

#11
Cygnus (Topic Starter, Member, 78 posts)

The Secunia site provided me some good info. I have a lot of programs and sometimes it is difficult to remember to check for updates on all of them.

I had been getting this from TrendMicro before but had not seen it since we started the cleaning and it popped back up today.

What do you make of this?

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP469\A0113837.exe

Virus name: CRCK_WINXP.B

Scan action result: Denied Access.

  • 0

#12
miekiemoes (Malware Expert, MVP, 5,503 posts)

Hi,

What was found was only a leftover present in your System restore points.
To get rid of it,
Flush your system restore points:
To do this, you have to disable System Restore and enable it again afterwards.
(note: this will delete all your system restore points and any malware that was present in them).

How to disable system restore in XP <= click me for instructions with screenshots
After you have disabled System Restore, reboot, and after rebooting enable it again, so a new System Restore point will be made. A clean one now! :)
  • 0

#13
Cygnus (Topic Starter, Member, 78 posts)

Way Cool! Many thanks again.

Where did you learn all this stuff?
  • 0

#14
miekiemoes (Malware Expert, MVP, 5,503 posts)

You're most welcome... :)
  • 0

#15
Cygnus (Topic Starter, Member, 78 posts)

Hi,

Put her to the test yesterday with great results. Only one instance where explorer showed loaded in the task manager but no icons or windows bar. Ended the program and restarted it and the icons and bar came back. Not all the programs loaded though, like Spyware Doctor, but that was done manually. I guess all the "stress tests" I was putting her through got her. Do you think you could look at my wife's desktop, or should I start a new thread for that one?

Cheers!
  • 0
