Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

My hijack this log


  • Please log in to reply

#1
dvea

dvea

    Member

  • Member
  • PipPip
  • 53 posts
I keep getting trojan virus warnings and BHO warnings and registry change attempts. I ran all the steps prior to this hijack this post. I will also piost my panda scan log and my super anti spyware log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:06 PM, on 2/15/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\lxctcoms.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\rxjddnvj.exe,
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {0a9f9196-a6cc-4dce-8d31-8d65b64cd44c} - (no file)
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {87b009e5-bc67-470c-bb3b-b0151bc4224b} - (no file)
O2 - BHO: (no name) - {A051B1FF-8D7E-418B-AABE-4FF82F4280A2} - (no file)
O2 - BHO: (no name) - {A5317F8A-D2F4-4737-AB5F-D68E5C8046DB} - (no file)
O2 - BHO: (no name) - {AE21AE1A-4578-425D-B749-E1E9E23FD869} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {C554D4EB-2EA0-4BF3-8861-DCC266E1A8CF} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: (no name) - {f914fa32-5956-455b-9d5c-a295f950474b} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [8A8C8C9295928F94] 797B7B8184817E.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310F3
D1DC7E4638E8323A15806F97BDE4417E6FD967002BA754E2C2832213329D26033AAC
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.8\webbuying.exe
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [1BeGfKSVOf] rundll32.exe "C:\WINDOWS\mlslsfmx.dll",DllCleanServer
O4 - HKUS\S-1-5-18\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.marsd.k12...lient/wfica.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures06.ai...AIM.9.5.1.8.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O20 - AppInit_DLLs: C:\WINDOWS\system32\cru629.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: LogCrypt - C:\WINDOWS\SYSTEM32\LogCrypt.dll
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxct_device - - C:\WINDOWS\System32\lxctcoms.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\System32\windows (file missing)
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8019 bytes

Panda-


Incident Status Location

Virus:Trj/Agent.IAB Disinfected Operating system
Potentially unwanted tool:application/activitymon Not disinfected c:\program files\amsys
Adware:adware/adsincontext Not disinfected Windows Registry
Adware:adware/activshopper Not disinfected Windows Registry
Adware:adware/adblaster Not disinfected Windows Registry
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\veary\Cookies\[email protected][1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\veary\Cookies\[email protected][2].txt
Virus:Trj/Downloader.SGU Disinfected C:\irjl.exe
Virus:Bck/Gaobot.QFI Disinfected C:\ltxblm.exe
Spyware:Spyware/7r7t Not disinfected C:\Temp\tOncha0119.exe
Virus:Trj/Downloader.SGU Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C5TW3FRF\nwabo[1].txt
Virus:Bck/Gaobot.QFI Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C5TW3FRF\sgxllcqhhy[1].htm
Possible Virus. Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\R0Q7F67U\loader[1].exe
Virus:Trj/Agent.IAB Disinfected C:\WINDOWS\system32\LogCrypt.dll
Virus:Trj/Downloader.PLF Disinfected C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
Super Anti Spyware scan log-
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/15/2008 at 08:11 PM

Application Version : 3.9.1008

Core Rules Database Version : 3403
Trace Rules Database Version: 1395

Scan type : Complete Scan
Total Scan Time : 01:23:53

Memory items scanned : 417
Memory threats detected : 3
Registry items scanned : 3806
Registry threats detected : 268
File items scanned : 29259
File threats detected : 104

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\JKKJHFG.DLL
C:\WINDOWS\SYSTEM32\JKKJHFG.DLL
HKLM\Software\Classes\CLSID\{A051B1FF-8D7E-418B-AABE-4FF82F4280A2}
HKCR\CLSID\{A051B1FF-8D7E-418B-AABE-4FF82F4280A2}
HKCR\CLSID\{A051B1FF-8D7E-418B-AABE-4FF82F4280A2}\InprocServer32
HKCR\CLSID\{A051B1FF-8D7E-418B-AABE-4FF82F4280A2}\InprocServer32#ThreadingModel
HKCR\CLSID\{A051B1FF-8D7E-418B-AABE-4FF82F4280A2}\TreatAs
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A051B1FF-8D7E-418B-AABE-4FF82F4280A2}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{A051B1FF-8D7E-418B-AABE-4FF82F4280A2}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\jkkjhfg
HKCR\CLSID\{A051B1FF-8D7E-418B-AABE-4FF82F4280A2}
C:\WINDOWS\SYSTEM32\AWTQQRP.DLL

Trojan.WinFixer
C:\WINDOWS\SYSTEM32\JKHFC.DLL
C:\WINDOWS\SYSTEM32\JKHFC.DLL
HKLM\Software\Classes\CLSID\{3C492E2A-8763-43C6-9C16-01ED5BC9118F}
HKCR\CLSID\{3C492E2A-8763-43C6-9C16-01ED5BC9118F}
HKCR\CLSID\{3C492E2A-8763-43C6-9C16-01ED5BC9118F}\InprocServer32
HKCR\CLSID\{3C492E2A-8763-43C6-9C16-01ED5BC9118F}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3C492E2A-8763-43C6-9C16-01ED5BC9118F}

Adware.Vundo-Variant/Small-A
C:\WINDOWS\SYSTEM32\GTIAOEFR.DLL
C:\WINDOWS\SYSTEM32\GTIAOEFR.DLL
HKLM\Software\Classes\CLSID\{53a00b66-7158-452a-9867-ed1c6f01e331}
HKCR\CLSID\{53A00B66-7158-452A-9867-ED1C6F01E331}
HKCR\CLSID\{53A00B66-7158-452A-9867-ED1C6F01E331}\InprocServer32
HKCR\CLSID\{53A00B66-7158-452A-9867-ED1C6F01E331}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\RTLTWPFD.DLL
HKLM\Software\Classes\CLSID\{7cda5b0d-78cd-451c-8300-942c402d8b05}
HKCR\CLSID\{7CDA5B0D-78CD-451C-8300-942C402D8B05}
HKCR\CLSID\{7CDA5B0D-78CD-451C-8300-942C402D8B05}\InprocServer32
HKCR\CLSID\{7CDA5B0D-78CD-451C-8300-942C402D8B05}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\XPVGBTQC.DLL
HKLM\Software\Classes\CLSID\{87b009e5-bc67-470c-bb3b-b0151bc4224b}
HKCR\CLSID\{87B009E5-BC67-470C-BB3B-B0151BC4224B}
HKCR\CLSID\{87B009E5-BC67-470C-BB3B-B0151BC4224B}\InprocServer32
HKCR\CLSID\{87B009E5-BC67-470C-BB3B-B0151BC4224B}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\NMSVDKEG.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{87b009e5-bc67-470c-bb3b-b0151bc4224b}
C:\WINDOWS\SYSTEM32\IFQVKLUT.DLL
C:\WINDOWS\SYSTEM32\WGNIOELW.DLL

Adware.WebBuying Assistant
HKLM\Software\Classes\CLSID\{03b05850-7d3c-429a-9a5f-ae54954a8adb}
HKCR\CLSID\{03B05850-7D3C-429A-9A5F-AE54954A8ADB}
HKCR\CLSID\{03B05850-7D3C-429A-9A5F-AE54954A8ADB}\InprocServer32
HKCR\CLSID\{03B05850-7D3C-429A-9A5F-AE54954A8ADB}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\QQAXBVR.DLL
HKLM\Software\Classes\CLSID\{0446fcac-18f3-406a-9bcc-6619542cc54e}
HKCR\CLSID\{0446FCAC-18F3-406A-9BCC-6619542CC54E}
HKCR\CLSID\{0446FCAC-18F3-406A-9BCC-6619542CC54E}\InprocServer32
HKCR\CLSID\{0446FCAC-18F3-406A-9BCC-6619542CC54E}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{092a2fc0-7cc5-4749-a0f1-4f213a5e59eb}
HKCR\CLSID\{092A2FC0-7CC5-4749-A0F1-4F213A5E59EB}
HKCR\CLSID\{092A2FC0-7CC5-4749-A0F1-4F213A5E59EB}\InprocServer32
HKCR\CLSID\{092A2FC0-7CC5-4749-A0F1-4F213A5E59EB}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{0a9f9196-a6cc-4dce-8d31-8d65b64cd44c}
HKCR\CLSID\{0A9F9196-A6CC-4DCE-8D31-8D65B64CD44C}
HKCR\CLSID\{0A9F9196-A6CC-4DCE-8D31-8D65B64CD44C}\InprocServer32
HKCR\CLSID\{0A9F9196-A6CC-4DCE-8D31-8D65B64CD44C}\InprocServer32#ThreadingModel
HKCR\CLSID\{0A9F9196-A6CC-4DCE-8D31-8D65B64CD44C}\TreatAs
HKLM\Software\Classes\CLSID\{0dbc23d5-fc6e-48b3-a3dd-dab15fdc2bb8}
HKCR\CLSID\{0DBC23D5-FC6E-48B3-A3DD-DAB15FDC2BB8}
HKCR\CLSID\{0DBC23D5-FC6E-48B3-A3DD-DAB15FDC2BB8}\InprocServer32
HKCR\CLSID\{0DBC23D5-FC6E-48B3-A3DD-DAB15FDC2BB8}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{0de56038-626c-4974-aa1d-35e56394c597}
HKCR\CLSID\{0DE56038-626C-4974-AA1D-35E56394C597}
HKCR\CLSID\{0DE56038-626C-4974-AA1D-35E56394C597}\InprocServer32
HKCR\CLSID\{0DE56038-626C-4974-AA1D-35E56394C597}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{21933629-007f-4304-8fb0-3cd82a4e9302}
HKCR\CLSID\{21933629-007F-4304-8FB0-3CD82A4E9302}
HKCR\CLSID\{21933629-007F-4304-8FB0-3CD82A4E9302}\InprocServer32
HKCR\CLSID\{21933629-007F-4304-8FB0-3CD82A4E9302}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{26ee1448-b34d-4e29-8364-7cd431e7c5f2}
HKCR\CLSID\{26EE1448-B34D-4E29-8364-7CD431E7C5F2}
HKCR\CLSID\{26EE1448-B34D-4E29-8364-7CD431E7C5F2}\InprocServer32
HKCR\CLSID\{26EE1448-B34D-4E29-8364-7CD431E7C5F2}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{27c3ec9f-aef7-42c1-95dc-0d1b80bb5575}
HKCR\CLSID\{27C3EC9F-AEF7-42C1-95DC-0D1B80BB5575}
HKCR\CLSID\{27C3EC9F-AEF7-42C1-95DC-0D1B80BB5575}\InprocServer32
HKCR\CLSID\{27C3EC9F-AEF7-42C1-95DC-0D1B80BB5575}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{2f23003d-817c-4b0a-a518-960b96e4de2f}
HKCR\CLSID\{2F23003D-817C-4B0A-A518-960B96E4DE2F}
HKCR\CLSID\{2F23003D-817C-4B0A-A518-960B96E4DE2F}\InprocServer32
HKCR\CLSID\{2F23003D-817C-4B0A-A518-960B96E4DE2F}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{36c93b36-45c0-42dc-b7a2-4aa28be26e82}
HKCR\CLSID\{36C93B36-45C0-42DC-B7A2-4AA28BE26E82}
HKCR\CLSID\{36C93B36-45C0-42DC-B7A2-4AA28BE26E82}\InprocServer32
HKCR\CLSID\{36C93B36-45C0-42DC-B7A2-4AA28BE26E82}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{393d2cb2-08f4-4e4b-91d7-620ed6cdfd7c}
HKCR\CLSID\{393D2CB2-08F4-4E4B-91D7-620ED6CDFD7C}
HKCR\CLSID\{393D2CB2-08F4-4E4B-91D7-620ED6CDFD7C}\InprocServer32
HKCR\CLSID\{393D2CB2-08F4-4E4B-91D7-620ED6CDFD7C}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{3de2d618-f6b9-463b-80a6-af29bc965b08}
HKCR\CLSID\{3DE2D618-F6B9-463B-80A6-AF29BC965B08}
HKCR\CLSID\{3DE2D618-F6B9-463B-80A6-AF29BC965B08}\InprocServer32
HKCR\CLSID\{3DE2D618-F6B9-463B-80A6-AF29BC965B08}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{45abb64b-fefd-43dd-b853-2cc1c89b8d3b}
HKCR\CLSID\{45ABB64B-FEFD-43DD-B853-2CC1C89B8D3B}
HKCR\CLSID\{45ABB64B-FEFD-43DD-B853-2CC1C89B8D3B}\InprocServer32
HKCR\CLSID\{45ABB64B-FEFD-43DD-B853-2CC1C89B8D3B}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{4a28bc46-16f7-4331-9d46-a4f6f33f6547}
HKCR\CLSID\{4A28BC46-16F7-4331-9D46-A4F6F33F6547}
HKCR\CLSID\{4A28BC46-16F7-4331-9D46-A4F6F33F6547}\InprocServer32
HKCR\CLSID\{4A28BC46-16F7-4331-9D46-A4F6F33F6547}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{5434b2ed-bee4-4182-ab01-052a14516c43}
HKCR\CLSID\{5434B2ED-BEE4-4182-AB01-052A14516C43}
HKCR\CLSID\{5434B2ED-BEE4-4182-AB01-052A14516C43}\InprocServer32
HKCR\CLSID\{5434B2ED-BEE4-4182-AB01-052A14516C43}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{54527d4c-afdb-4f24-abdd-12053820db7b}
HKCR\CLSID\{54527D4C-AFDB-4F24-ABDD-12053820DB7B}
HKCR\CLSID\{54527D4C-AFDB-4F24-ABDD-12053820DB7B}\InprocServer32
HKCR\CLSID\{54527D4C-AFDB-4F24-ABDD-12053820DB7B}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{562881b9-e869-4794-990f-918d01e6986d}
HKCR\CLSID\{562881B9-E869-4794-990F-918D01E6986D}
HKCR\CLSID\{562881B9-E869-4794-990F-918D01E6986D}\InprocServer32
HKCR\CLSID\{562881B9-E869-4794-990F-918D01E6986D}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{5f9669aa-4d07-4e03-a043-270b994c398f}
HKCR\CLSID\{5F9669AA-4D07-4E03-A043-270B994C398F}
HKCR\CLSID\{5F9669AA-4D07-4E03-A043-270B994C398F}\InprocServer32
HKCR\CLSID\{5F9669AA-4D07-4E03-A043-270B994C398F}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{6237652d-190e-4835-9c51-beb2066b56e9}
HKCR\CLSID\{6237652D-190E-4835-9C51-BEB2066B56E9}
HKCR\CLSID\{6237652D-190E-4835-9C51-BEB2066B56E9}\InprocServer32
HKCR\CLSID\{6237652D-190E-4835-9C51-BEB2066B56E9}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{68b6f86d-77ab-4425-907a-89751587df5b}
HKCR\CLSID\{68B6F86D-77AB-4425-907A-89751587DF5B}
HKCR\CLSID\{68B6F86D-77AB-4425-907A-89751587DF5B}\InprocServer32
HKCR\CLSID\{68B6F86D-77AB-4425-907A-89751587DF5B}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{6929c6ed-562e-4abd-8962-ae6a4e11e2b7}
HKCR\CLSID\{6929C6ED-562E-4ABD-8962-AE6A4E11E2B7}
HKCR\CLSID\{6929C6ED-562E-4ABD-8962-AE6A4E11E2B7}\InprocServer32
HKCR\CLSID\{6929C6ED-562E-4ABD-8962-AE6A4E11E2B7}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{6c019127-ad65-4da2-9d3c-1ebbaf96de33}
HKCR\CLSID\{6C019127-AD65-4DA2-9D3C-1EBBAF96DE33}
HKCR\CLSID\{6C019127-AD65-4DA2-9D3C-1EBBAF96DE33}\InprocServer32
HKCR\CLSID\{6C019127-AD65-4DA2-9D3C-1EBBAF96DE33}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{78f3418c-1bb9-42d5-b62d-bbe36920f0c9}
HKCR\CLSID\{78F3418C-1BB9-42D5-B62D-BBE36920F0C9}
HKCR\CLSID\{78F3418C-1BB9-42D5-B62D-BBE36920F0C9}\InprocServer32
HKCR\CLSID\{78F3418C-1BB9-42D5-B62D-BBE36920F0C9}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{7bb6524d-9570-4974-ab5d-b73c9e6a3beb}
HKCR\CLSID\{7BB6524D-9570-4974-AB5D-B73C9E6A3BEB}
HKCR\CLSID\{7BB6524D-9570-4974-AB5D-B73C9E6A3BEB}\InprocServer32
HKCR\CLSID\{7BB6524D-9570-4974-AB5D-B73C9E6A3BEB}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{7f24f203-2976-439d-8c42-c5a1fdc41ddf}
HKCR\CLSID\{7F24F203-2976-439D-8C42-C5A1FDC41DDF}
HKCR\CLSID\{7F24F203-2976-439D-8C42-C5A1FDC41DDF}\InprocServer32
HKCR\CLSID\{7F24F203-2976-439D-8C42-C5A1FDC41DDF}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{82d533d6-d3a4-465c-bb6f-1b742dbccf28}
HKCR\CLSID\{82D533D6-D3A4-465C-BB6F-1B742DBCCF28}
HKCR\CLSID\{82D533D6-D3A4-465C-BB6F-1B742DBCCF28}\InprocServer32
HKCR\CLSID\{82D533D6-D3A4-465C-BB6F-1B742DBCCF28}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{838d0440-b66a-4dc6-bff7-bf7b156ecf6d}
HKCR\CLSID\{838D0440-B66A-4DC6-BFF7-BF7B156ECF6D}
HKCR\CLSID\{838D0440-B66A-4DC6-BFF7-BF7B156ECF6D}\InprocServer32
HKCR\CLSID\{838D0440-B66A-4DC6-BFF7-BF7B156ECF6D}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{838dd578-1f7b-4e93-aa09-a9c3916e3f43}
HKCR\CLSID\{838DD578-1F7B-4E93-AA09-A9C3916E3F43}
HKCR\CLSID\{838DD578-1F7B-4E93-AA09-A9C3916E3F43}\InprocServer32
HKCR\CLSID\{838DD578-1F7B-4E93-AA09-A9C3916E3F43}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{9813b168-5ae2-4726-831a-56a578e849fe}
HKCR\CLSID\{9813B168-5AE2-4726-831A-56A578E849FE}
HKCR\CLSID\{9813B168-5AE2-4726-831A-56A578E849FE}\InprocServer32
HKCR\CLSID\{9813B168-5AE2-4726-831A-56A578E849FE}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{99f5f64f-7443-4f29-b22b-c88119fb995e}
HKCR\CLSID\{99F5F64F-7443-4F29-B22B-C88119FB995E}
HKCR\CLSID\{99F5F64F-7443-4F29-B22B-C88119FB995E}\InprocServer32
HKCR\CLSID\{99F5F64F-7443-4F29-B22B-C88119FB995E}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{9cbb64d4-ecd7-426f-ac75-528d60d9c826}
HKCR\CLSID\{9CBB64D4-ECD7-426F-AC75-528D60D9C826}
HKCR\CLSID\{9CBB64D4-ECD7-426F-AC75-528D60D9C826}\InprocServer32
HKCR\CLSID\{9CBB64D4-ECD7-426F-AC75-528D60D9C826}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{a4a78f6f-4067-4b53-ada9-5520a12fb028}
HKCR\CLSID\{A4A78F6F-4067-4B53-ADA9-5520A12FB028}
HKCR\CLSID\{A4A78F6F-4067-4B53-ADA9-5520A12FB028}\InprocServer32
HKCR\CLSID\{A4A78F6F-4067-4B53-ADA9-5520A12FB028}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{a59f7bb9-792d-4e12-8356-75bae8a88e4b}
HKCR\CLSID\{A59F7BB9-792D-4E12-8356-75BAE8A88E4B}
HKCR\CLSID\{A59F7BB9-792D-4E12-8356-75BAE8A88E4B}\InprocServer32
HKCR\CLSID\{A59F7BB9-792D-4E12-8356-75BAE8A88E4B}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{a8467b9d-0c93-4769-be19-7c01afd693f7}
HKCR\CLSID\{A8467B9D-0C93-4769-BE19-7C01AFD693F7}
HKCR\CLSID\{A8467B9D-0C93-4769-BE19-7C01AFD693F7}\InprocServer32
HKCR\CLSID\{A8467B9D-0C93-4769-BE19-7C01AFD693F7}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{a91f5974-1403-4d1d-b16d-1a856768100b}
HKCR\CLSID\{A91F5974-1403-4D1D-B16D-1A856768100B}
HKCR\CLSID\{A91F5974-1403-4D1D-B16D-1A856768100B}\InprocServer32
HKCR\CLSID\{A91F5974-1403-4D1D-B16D-1A856768100B}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{ac4a8b8f-57db-4fb5-879a-e151b6bfc92a}
HKCR\CLSID\{AC4A8B8F-57DB-4FB5-879A-E151B6BFC92A}
HKCR\CLSID\{AC4A8B8F-57DB-4FB5-879A-E151B6BFC92A}\InprocServer32
HKCR\CLSID\{AC4A8B8F-57DB-4FB5-879A-E151B6BFC92A}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{acf2452e-8e9b-48f9-9827-43dc63993cbb}
HKCR\CLSID\{ACF2452E-8E9B-48F9-9827-43DC63993CBB}
HKCR\CLSID\{ACF2452E-8E9B-48F9-9827-43DC63993CBB}\InprocServer32
HKCR\CLSID\{ACF2452E-8E9B-48F9-9827-43DC63993CBB}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{b7b3f5a2-acfb-40b7-af25-86a77513eeea}
HKCR\CLSID\{B7B3F5A2-ACFB-40B7-AF25-86A77513EEEA}
HKCR\CLSID\{B7B3F5A2-ACFB-40B7-AF25-86A77513EEEA}\InprocServer32
HKCR\CLSID\{B7B3F5A2-ACFB-40B7-AF25-86A77513EEEA}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{da40825d-b2bd-44ce-96ae-acaafced7e89}
HKCR\CLSID\{DA40825D-B2BD-44CE-96AE-ACAAFCED7E89}
HKCR\CLSID\{DA40825D-B2BD-44CE-96AE-ACAAFCED7E89}\InprocServer32
HKCR\CLSID\{DA40825D-B2BD-44CE-96AE-ACAAFCED7E89}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{e12963e5-2ba2-4630-bc98-f9aef0e6e19a}
HKCR\CLSID\{E12963E5-2BA2-4630-BC98-F9AEF0E6E19A}
HKCR\CLSID\{E12963E5-2BA2-4630-BC98-F9AEF0E6E19A}\InprocServer32
HKCR\CLSID\{E12963E5-2BA2-4630-BC98-F9AEF0E6E19A}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{e7238b8c-b101-41d0-8554-5e0ae43ebd98}
HKCR\CLSID\{E7238B8C-B101-41D0-8554-5E0AE43EBD98}
HKCR\CLSID\{E7238B8C-B101-41D0-8554-5E0AE43EBD98}\InprocServer32
HKCR\CLSID\{E7238B8C-B101-41D0-8554-5E0AE43EBD98}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{ea1fe023-63cf-401b-89f2-add54364689b}
HKCR\CLSID\{EA1FE023-63CF-401B-89F2-ADD54364689B}
HKCR\CLSID\{EA1FE023-63CF-401B-89F2-ADD54364689B}\InprocServer32
HKCR\CLSID\{EA1FE023-63CF-401B-89F2-ADD54364689B}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{ef15edea-78e9-4521-b8c1-278d532c4e99}
HKCR\CLSID\{EF15EDEA-78E9-4521-B8C1-278D532C4E99}
HKCR\CLSID\{EF15EDEA-78E9-4521-B8C1-278D532C4E99}\InprocServer32
HKCR\CLSID\{EF15EDEA-78E9-4521-B8C1-278D532C4E99}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{f7f1ff23-2de4-43bd-805a-376eeb27484a}
HKCR\CLSID\{F7F1FF23-2DE4-43BD-805A-376EEB27484A}
HKCR\CLSID\{F7F1FF23-2DE4-43BD-805A-376EEB27484A}\InprocServer32
HKCR\CLSID\{F7F1FF23-2DE4-43BD-805A-376EEB27484A}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{f88e2272-6123-4caf-8778-4e366090cdc0}
HKCR\CLSID\{F88E2272-6123-4CAF-8778-4E366090CDC0}
HKCR\CLSID\{F88E2272-6123-4CAF-8778-4E366090CDC0}\InprocServer32
HKCR\CLSID\{F88E2272-6123-4CAF-8778-4E366090CDC0}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{f914fa32-5956-455b-9d5c-a295f950474b}
HKCR\CLSID\{F914FA32-5956-455B-9D5C-A295F950474B}
HKCR\CLSID\{F914FA32-5956-455B-9D5C-A295F950474B}\InprocServer32
HKCR\CLSID\{F914FA32-5956-455B-9D5C-A295F950474B}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{fe7df926-bae3-4c0e-8df9-4b439f7a50d9}
HKCR\CLSID\{FE7DF926-BAE3-4C0E-8DF9-4B439F7A50D9}
HKCR\CLSID\{FE7DF926-BAE3-4C0E-8DF9-4B439F7A50D9}\InprocServer32
HKCR\CLSID\{FE7DF926-BAE3-4C0E-8DF9-4B439F7A50D9}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0a9f9196-a6cc-4dce-8d31-8d65b64cd44c}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f914fa32-5956-455b-9d5c-a295f950474b}

Adware.AdBlaster
HKLM\Software\Classes\CLSID\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}
HKCR\CLSID\{2D7CB618-CC1C-4126-A7E3-F5B12D3BCF71}
HKCR\CLSID\{2D7CB618-CC1C-4126-A7E3-F5B12D3BCF71}\InprocServer32

AdBars BHO
HKLM\Software\Classes\CLSID\{51641ef3-8a7a-4d84-8659-b0911e947cc8}
HKCR\CLSID\{51641EF3-8A7A-4D84-8659-B0911E947CC8}
HKCR\CLSID\{51641EF3-8A7A-4D84-8659-B0911E947CC8}\InprocServer32

Adware.404Search
HKLM\Software\Classes\CLSID\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}
HKCR\CLSID\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}
HKCR\CLSID\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}\InprocServer32

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{54645654-2225-4455-44A1-9F4543D34546}
HKLM\Software\Classes\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}\InprocServer32
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}\InprocServer32#ThreadingModel
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}\ProgID
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}\Programmable
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}\TypeLib
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}\VersionIndependentProgID
C:\PROGRAM FILES\HELPER\1202569705.DLL
HKCR\CLSID\{54645654-2225-4455-44A1-9F4543D34546}
HKCR\CLSID\{54645654-2225-4455-44A1-9F4543D34546}\InprocServer32

Rootkit.RunTime3/FutureGen
HKLM\System\ControlSet001\Services\Fkq26
C:\WINDOWS\SYSTEM32\DRIVERS\FKQ26.SYS
HKLM\System\ControlSet003\Services\Fkq26
HKLM\System\CurrentControlSet\Services\Fkq26

Adware.Tracking Cookie
C:\Documents and Settings\veary\Cookies\[email protected][1].txt
C:\Documents and Settings\veary\Cookies\[email protected][1].txt
C:\Documents and Settings\veary\Cookies\[email protected][1].txt
C:\Documents and Settings\veary\Cookies\[email protected][1].txt
C:\Documents and Settings\veary\Cookies\[email protected][1].txt
C:\Documents and Settings\veary\Cookies\[email protected][1].txt
C:\Documents and Settings\veary\Cookies\[email protected][1].txt
C:\Documents and Settings\veary\Cookies\[email protected][1].txt
C:\Documents and Settings\veary\Cookies\[email protected][1].txt
C:\Documents and Settings\veary\Cookies\[email protected][1].txt
C:\Documents and Settings\veary\Cookies\[email protected][1].txt
C:\Documents and Settings\veary\Cookies\[email protected][1].txt
C:\Documents and Settings\veary\Cookies\[email protected][1].txt
C:\Documents and Settings\veary\Cookies\[email protected][1].txt
C:\Documents and Settings\veary\Cookies\[email protected][1].txt
C:\Documents and Settings\veary\Cookies\[email protected][1].txt
C:\Documents and Settings\veary\Cookies\[email protected][1].txt

Malware.MalwareAlarm
C:\Program Files\MalwareAlarm\MalwareAlarm.lic
C:\Program Files\MalwareAlarm\MalwareAlarm1.ma
C:\Program Files\MalwareAlarm\routines.dll
C:\Program Files\MalwareAlarm\Uninstall.exe
C:\Program Files\MalwareAlarm
C:\Documents and Settings\veary\Desktop\MalwareAlarm.lnk

Trojan.DNSChanger-Codec
HKCR\CLSID\E404.e404mgr
HKCR\CLSID\E404.e404mgr#UserId

Adware.Web Buying
HKU\S-1-5-21-583907252-1682526488-1343024091-1004\Software\WebBuying

Trojan.Downloader-Gen/RetAd
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#runner1 [ C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310F3
D1DC7E4638E8323A15806F97BDE4417E6FD967002BA754E2C2832213329D26033AAC ]

Adware.E404 Helper/Hij
HKCR\E404.e404mgr
HKCR\E404.e404mgr\CLSID
HKCR\E404.e404mgr\CurVer
HKCR\E404.e404mgr.1
HKCR\E404.e404mgr.1\CLSID
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\0
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\0\win32
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\FLAGS
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\HELPDIR
HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}
HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\ProxyStubClsid
HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\ProxyStubClsid32
HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\TypeLib
HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\TypeLib#Version

RootKit.TnCore/Trace
C:\WINDOWS\system32\drivers\core.cache.dsk

Adware.VXGame-Trace
HKU\S-1-5-21-583907252-1682526488-1343024091-1004\Software\kernelexe

Adware.E404 Helper/Variant-A
C:\LQFTHFIS.EXE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\49HS640G\LMMQRV[1].HTM
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\R0Q7F67U\IFTKK[1].HTM

Trojan.Unknown Origin
C:\OAWIA.EXE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\DZ9CKG9C\WJKBCTTKLC[1].HTM
C:\WINDOWS\SYSTEM32\WNIS6\ENAMD83122.EXE

Adware.E404 Helper/Variant
C:\PROGRAM FILES\HELPER\1202558915.DLL
C:\PROGRAM FILES\HELPER\1202558916.DLL

Trojan.Downloader-Gen/Bundle Installer
C:\WINDOWS\B116.EXE
C:\WINDOWS\B122.EXE
C:\WINDOWS\B147.EXE
C:\WINDOWS\B149.EXE

Malware.LocusSoftware Inc-Installer
C:\WINDOWS\DOWNLOADED PROGRAM FILES\UGA6P_0001_N122M0611NETINSTALLER.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\UGA6P_0001_N122M2210NETINSTALLER.EXE

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\CFHKJ.INI

Trojan.Unclassifed/AffiliateBundle
C:\WINDOWS\SYSTEM32\PMNNOML.DLL

Trace.Known Threat Sources
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\YNYFGDU3\ico_4[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\OB23KH4B\body_bg[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\0DE3STUV\pbmarker[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\0DE3STUV\index[2].htm
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\I98NIDW7\scan[1].php
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\I98NIDW7\crypt[2].htm
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\I98NIDW7\ajax[2].htm
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\YNYFGDU3\g-bottomleft[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\I98NIDW7\Activex[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\OB23KH4B\errorhandler[2].htm
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\OB23KH4B\ADCFreeInstaller[1].exe
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\OB23KH4B\g-top[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\YNYFGDU3\spyware[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\I98NIDW7\scan_bot[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\0DE3STUV\footer_bg[2].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\I98NIDW7\feat_bg[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\0DE3STUV\scans_top[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\0DE3STUV\styles[2].css
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\YNYFGDU3\feat_bot[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\0DE3STUV\logo[1].jpg
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\0DE3STUV\styles[4].css
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\YNYFGDU3\g-topleft[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\0DE3STUV\feat_li[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\OB23KH4B\common[2].js
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\YNYFGDU3\spacer[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\0DE3STUV\g-bottom[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\YNYFGDU3\c12_bg[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\I98NIDW7\ico_1[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\YNYFGDU3\ico_5[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\0DE3STUV\c21_bg[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\I98NIDW7\logo_bot[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\0DE3STUV\bar[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\OB23KH4B\g-left[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\I98NIDW7\c22_bg[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\0DE3STUV\5_swp[1]
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\OB23KH4B\logo2[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\OB23KH4B\feat_top[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\YNYFGDU3\c11_bg[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\OB23KH4B\scans_bg[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\0DE3STUV\styles[1].css
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\OB23KH4B\scan_now[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\I98NIDW7\window[1].js
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\OB23KH4B\g-bottomright[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\YNYFGDU3\progressbar[2].js
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\OB23KH4B\g-topright[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\0DE3STUV\buttonbg[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\OB23KH4B\lupa[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\I98NIDW7\pbbg[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\OB23KH4B\managers[2].htm
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\0DE3STUV\kluch[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\YNYFGDU3\ax[1].gif
C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\I98NIDW7\closebutton[1].gif
  • 0

Advertisements


#2
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello dvea

Welcome to G2Go. :)
=================
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#3
dvea

dvea

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
Here is the combofix log you asked for:


ComboFix 08-02-14.2 - veary 2008-02-16 9:06:56.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.103 [GMT -5:00]
Running from: C:\Documents and Settings\veary\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\ptilinkk.sys
C:\Program Files\akl
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\unsetup.dat
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\winam.dat
C:\Program Files\Helper
C:\Program Files\Insider
C:\Program Files\Temporary
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\isgTi19
C:\Temp\isgTi19\lPig.log
C:\temp\tn3
C:\WINDOWS\aconti.log
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\default.htm
C:\WINDOWS\system32\cfhkj.ini2
C:\WINDOWS\system32\drivers\core.cache(2).dsk
C:\WINDOWS\system32\drivers\core.cache(3).dsk
C:\WINDOWS\system32\drivers\core.cache(4).dsk
C:\WINDOWS\system32\drivers\core.cache(5).dsk
C:\WINDOWS\system32\drivers\core.cache(6).dsk
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\Nsw72.sys
C:\WINDOWS\system32\drivers\ptilinkk.sys
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rfeoaitg.ini
C:\WINDOWS\system32\tulkvqfi.ini
C:\WINDOWS\system32\wleoingw.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NSW72
-------\LEGACY_PTILINKK
-------\LEGACY_RUNTIME
-------\Nsw72
-------\ptilinkk


((((((((((((((((((((((((( Files Created from 2008-01-16 to 2008-02-16 )))))))))))))))))))))))))))))))
.

2008-02-16 09:15 . 2008-02-16 09:15 21,120 --a------ C:\WINDOWS\system32\drivers\Otx83.sys
2008-02-16 09:15 . 2008-02-16 09:15 21,120 --a------ C:\WINDOWS\system32\drivers\Fko15.sys
2008-02-15 22:27 . 2008-02-15 22:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-15 21:16 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-15 21:15 . 2008-02-15 21:15 73 --a------ C:\WINDOWS\system32\pfdnnt_actions.sys
2008-02-15 20:57 . 2008-02-15 21:39 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-15 20:57 . 2008-02-15 21:11 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-15 20:57 . 2008-02-15 21:11 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-15 20:57 . 2008-02-15 21:11 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-15 20:49 . 2008-02-15 22:22 6,656 --a------ C:\WINDOWS\system32\WLCtrl32.dll
2008-02-15 18:44 . 2008-02-15 21:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-15 18:44 . 2008-02-15 18:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-15 18:44 . 2008-02-15 18:44 <DIR> d-------- C:\Documents and Settings\veary\Application Data\SUPERAntiSpyware.com
2008-02-15 18:44 . 2008-02-15 18:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-14 08:22 . 2008-02-14 08:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Maxtor
2008-02-14 08:17 . 2008-02-14 08:17 <DIR> d-------- C:\Program Files\InstallShield Installation Information
2008-02-14 08:14 . 2008-02-14 08:19 <DIR> d-------- C:\Program Files\Maxtor
2008-02-14 08:13 . 2008-02-14 08:13 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-02-13 23:32 . 2008-02-13 23:32 158 --a------ C:\WINDOWS\wininit.ini
2008-02-13 22:37 . 2008-02-13 22:37 27,648 --a------ C:\WINDOWS\expacc.exe
2008-02-13 22:35 . 2003-03-31 07:00 150,016 --a--c--- C:\WINDOWS\system32\dllcache\winzm.ime
2008-02-13 22:35 . 2003-03-31 07:00 150,016 --a--c--- C:\WINDOWS\system32\dllcache\winsp.ime
2008-02-13 22:35 . 2003-03-31 07:00 150,016 --a--c--- C:\WINDOWS\system32\dllcache\winpy.ime
2008-02-13 22:35 . 2003-03-31 07:00 74,752 --a--c--- C:\WINDOWS\system32\dllcache\winar30.ime
2008-02-13 22:35 . 2003-03-31 07:00 69,120 --a--c--- C:\WINDOWS\system32\dllcache\wingb.ime
2008-02-13 22:35 . 2003-03-31 07:00 61,952 --a--c--- C:\WINDOWS\system32\dllcache\winime.ime
2008-02-13 22:33 . 2003-03-31 07:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-02-13 22:32 . 2003-03-31 07:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-02-13 22:31 . 2003-03-31 07:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-02-13 22:30 . 2001-08-17 22:36 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_smtpsnap.dll
2008-02-13 22:26 . 2008-02-13 22:26 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-02-13 22:26 . 2008-02-13 22:26 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-02-13 22:26 . 2008-02-13 22:26 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-02-13 22:26 . 2008-02-13 22:26 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-02-13 22:26 . 2008-02-13 22:26 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-02-13 22:25 . 2003-03-31 07:00 155,648 --a--c--- C:\WINDOWS\system32\dllcache\icwhelp.dll
2008-02-13 22:25 . 2003-03-31 07:00 73,728 --a--c--- C:\WINDOWS\system32\dllcache\icwtutor.exe
2008-02-13 22:25 . 2003-03-31 07:00 61,440 --a--c--- C:\WINDOWS\system32\dllcache\icwres.dll
2008-02-13 22:25 . 2003-03-31 07:00 57,344 --a--c--- C:\WINDOWS\system32\dllcache\icwconn.dll
2008-02-13 22:25 . 2003-03-31 07:00 45,056 --a--c--- C:\WINDOWS\system32\dllcache\icwutil.dll
2008-02-13 22:25 . 2003-03-31 07:00 40,960 --a--c--- C:\WINDOWS\system32\dllcache\trialoc.dll
2008-02-13 22:25 . 2003-03-31 07:00 24,576 --a--c--- C:\WINDOWS\system32\dllcache\icwrmind.exe
2008-02-13 22:08 . 2003-03-31 07:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-02-13 22:08 . 2003-03-31 07:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2008-02-13 22:08 . 2003-03-31 07:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-02-13 22:08 . 2003-03-31 07:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2008-02-13 21:47 . 2008-02-13 22:38 8,704 --------- C:\WINDOWS\system32\LogCrypt.dll
2008-02-09 10:09 . 2008-02-15 20:49 6,144 --a------ C:\WINDOWS\system32\cru629.dat
2008-02-09 10:09 . 2008-02-13 21:45 6,144 --a------ C:\WINDOWS\cru629.dat
2008-02-09 10:08 . 2008-02-09 10:08 <DIR> d-------- C:\WINDOWS\iekipgfv
2008-02-09 07:09 . 2008-02-09 07:09 <DIR> d-------- C:\WINDOWS\trtowkfa
2008-02-09 07:08 . 2008-02-09 07:08 54,764 --a------ C:\WINDOWS\system32\4fdw.dll
2008-02-09 07:08 . 2003-03-31 07:00 22,016 --a------ C:\WINDOWS\system32\userini.exe
2008-02-09 07:08 . 2008-02-09 07:08 18,976 --a------ C:\Documents and Settings\veary\f5nD.exe
2008-02-09 07:08 . 2008-02-09 07:08 4,256 --a------ C:\Documents and Settings\veary\s5AZ.exe
2008-02-09 07:08 . 2008-02-09 10:08 2 --a------ C:\-2145159723
2008-01-28 22:26 . 2008-01-28 22:26 <DIR> d-------- C:\WINDOWS\system32\A0A2A2A8ABA8A5
2008-01-26 15:49 . 2008-02-15 20:26 <DIR> d-------- C:\WINDOWS\system32\wnis6
2008-01-26 15:49 . 2008-01-26 15:49 <DIR> d-------- C:\WINDOWS\system32\ets1
2008-01-26 15:49 . 2008-02-03 10:24 <DIR> d-------- C:\WINDOWS\system32\comg9
2008-01-26 15:38 . 2008-02-03 10:22 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-26 15:20 . 2008-01-26 15:49 <DIR> d-------- C:\WINDOWS\system32\nip4
2008-01-26 15:20 . 2008-01-26 15:20 <DIR> d-------- C:\Temp\gTiis19
2008-01-26 15:20 . 2008-01-26 15:20 <DIR> d-------- C:\Temp\cXzz9
2008-01-26 15:20 . 2008-02-16 09:07 <DIR> d-------- C:\Temp
2008-01-26 15:20 . 2008-01-26 15:20 545,933 --a------ C:\Temp\tOncha0119.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-16 02:35 --------- d-----w C:\Program Files\SpywareGuard
2008-02-16 02:34 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-16 02:31 --------- d-----w C:\Program Files\iTunes
2008-02-16 02:30 --------- d-----w C:\Program Files\AIM6
2003-03-31 12:00 4,096 --sha-w C:\WINDOWS\system32\bnu.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0a9f9196-a6cc-4dce-8d31-8d65b64cd44c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87b009e5-bc67-470c-bb3b-b0151bc4224b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A051B1FF-8D7E-418B-AABE-4FF82F4280A2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A5317F8A-D2F4-4737-AB5F-D68E5C8046DB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE21AE1A-4578-425D-B749-E1E9E23FD869}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C554D4EB-2EA0-4BF3-8861-DCC266E1A8CF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f914fa32-5956-455b-9d5c-a295f950474b}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-09-29 15:22 50528]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 15:46 1460560]
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42 267064]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06 79224]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2007-10-01 20:08 451896]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2007-10-29 22:04 451896]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 16:24 81920]
"8A8C8C9295928F94"="797B7B8184817E.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"braviax"="C:\WINDOWS\System32\braviax.exe" [ ]

C:\Documents and Settings\veary\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 18:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"1BeGfKSVOf"= rundll32.exe "C:\WINDOWS\mlslsfmx.dll",DllCleanServer

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LogCrypt]
LogCrypt.dll 2008-02-13 22:38 8704 C:\WINDOWS\system32\LogCrypt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
WLCtrl32.dll 2008-02-15 22:22 6656 C:\WINDOWS\system32\WLCtrl32.dll

R0 Otx83;Otx83;C:\WINDOWS\System32\Drivers\Otx83.sys [2008-02-16 09:15]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R3 KTC111;Kingston EtherRx KNE111TX NDIS 5.0 Miniport Driver;C:\WINDOWS\System32\DRIVERS\KTC111.SYS [2001-08-17 07:12]
S0 Fko15;Fko15;C:\WINDOWS\System32\Drivers\Fko15.sys [2008-02-16 09:15]
S3 MSControlService;Microsoft cache control;C:\WINDOWS\System32\windows []

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
*Newly Created Service* - OTX83
.
Contents of the 'Scheduled Tasks' folder
"2008-02-15 12:40:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-16 09:15:55
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\LogCrypt.dll
-> C:\WINDOWS\system32\WLCtrl32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\lxctcoms.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-02-16 9:18:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-16 14:18:18

And the new Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:01 AM, on 2/16/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\lxctcoms.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {0a9f9196-a6cc-4dce-8d31-8d65b64cd44c} - (no file)
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {87b009e5-bc67-470c-bb3b-b0151bc4224b} - (no file)
O2 - BHO: (no name) - {A5317F8A-D2F4-4737-AB5F-D68E5C8046DB} - (no file)
O2 - BHO: (no name) - {AE21AE1A-4578-425D-B749-E1E9E23FD869} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {C554D4EB-2EA0-4BF3-8861-DCC266E1A8CF} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: (no name) - {f914fa32-5956-455b-9d5c-a295f950474b} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [8A8C8C9295928F94] 797B7B8184817E.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310F3
D1DC7E4638E8323A15806F97BDE4417E6FD967002BA754E2C2832213329D26033AAC
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.8\webbuying.exe
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKLM\..\Policies\Explorer\Run: [1BeGfKSVOf] rundll32.exe "C:\WINDOWS\mlslsfmx.dll",DllCleanServer
O4 - HKUS\S-1-5-18\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.marsd.k12...lient/wfica.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures06.ai...AIM.9.5.1.8.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: LogCrypt - C:\WINDOWS\SYSTEM32\LogCrypt.dll
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxct_device - - C:\WINDOWS\System32\lxctcoms.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\System32\windows (file missing)
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7744 bytes

Edited by dvea, 16 February 2008 - 08:30 AM.

  • 0

#4
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\drivers\Otx83.sys
C:\WINDOWS\system32\drivers\Fko15.sys
C:\WINDOWS\expacc.exe
C:\WINDOWS\system32\LogCrypt.dll
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\cru629.dat
C:\WINDOWS\system32\4fdw.dll
C:\Documents and Settings\veary\f5nD.exe
C:\Documents and Settings\veary\s5AZ.exe
C:\Temp\tOncha0119.exe
C:\WIndows\797B7B8184817E.exe
C:\Windows\system32\797B7B8184817E.exe
C:\WINDOWS\System32\braviax.exe
C:\WINDOWS\mlslsfmx.dll
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu1000106.exe.tmp
C:\Windows\xpupdate.exe 
Folder::
C:\WINDOWS\iekipgfv
C:\WINDOWS\trtowkfa
C:\-2145159723
C:\WINDOWS\system32\A0A2A2A8ABA8A5
C:\WINDOWS\system32\wnis6
C:\WINDOWS\system32\ets1
C:\WINDOWS\system32\comg9
C:\Program Files\Dot1XCfg
C:\WINDOWS\system32\nip4
C:\Temp\gTiis19
C:\Temp\cXzz9
C:\Program Files\Viewpoint
C:\WINDOWS\System32\windows 
C:\Program Files\Web Buying
Driver::
4fdw
Otx83
Fko15
Viewpoint Manager Service
Microsoft cache control
MSControlService
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0a9f9196-a6cc-4dce-8d31-8d65b64cd44c}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87b009e5-bc67-470c-bb3b-b0151bc4224b}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A051B1FF-8D7E-418B-AABE-4FF82F4280A2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A5317F8A-D2F4-4737-AB5F-D68E5C8046DB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE21AE1A-4578-425D-B749-E1E9E23FD869}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C554D4EB-2EA0-4BF3-8861-DCC266E1A8CF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f914fa32-5956-455b-9d5c-a295f950474b}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dot1XCfg"=-
"WebBuying"=-
"Insider"=-
"Windows update loader"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"8A8C8C9295928F94"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"braviax"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"1BeGfKSVOf"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LogCrypt]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#5
dvea

dvea

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
Here is the combofix txt log followed by a new hijack this:

ComboFix 08-02-14.2 - veary 2008-02-16 16:04:56.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.120 [GMT -5:00]
Running from: C:\Documents and Settings\veary\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-16 to 2008-02-16 )))))))))))))))))))))))))))))))
.

2008-02-16 10:00 . 2008-02-16 10:00 14,336 --a------ C:\WINDOWS\system32\drivers\dumplog.exe
2008-02-15 22:27 . 2008-02-15 22:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-15 21:16 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-15 21:15 . 2008-02-15 21:15 73 --a------ C:\WINDOWS\system32\pfdnnt_actions.sys
2008-02-15 20:57 . 2008-02-15 21:39 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-15 20:57 . 2008-02-15 21:11 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-15 20:57 . 2008-02-15 21:11 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-15 20:57 . 2008-02-15 21:11 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-15 18:44 . 2008-02-15 21:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-15 18:44 . 2008-02-15 18:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-15 18:44 . 2008-02-15 18:44 <DIR> d-------- C:\Documents and Settings\veary\Application Data\SUPERAntiSpyware.com
2008-02-15 18:44 . 2008-02-15 18:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-14 08:22 . 2008-02-14 08:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Maxtor
2008-02-14 08:17 . 2008-02-14 08:17 <DIR> d-------- C:\Program Files\InstallShield Installation Information
2008-02-14 08:14 . 2008-02-14 08:19 <DIR> d-------- C:\Program Files\Maxtor
2008-02-14 08:13 . 2008-02-14 08:13 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-02-13 23:32 . 2008-02-13 23:32 158 --a------ C:\WINDOWS\wininit.ini
2008-02-13 22:35 . 2003-03-31 07:00 150,016 --a--c--- C:\WINDOWS\system32\dllcache\winzm.ime
2008-02-13 22:35 . 2003-03-31 07:00 150,016 --a--c--- C:\WINDOWS\system32\dllcache\winsp.ime
2008-02-13 22:35 . 2003-03-31 07:00 150,016 --a--c--- C:\WINDOWS\system32\dllcache\winpy.ime
2008-02-13 22:35 . 2003-03-31 07:00 74,752 --a--c--- C:\WINDOWS\system32\dllcache\winar30.ime
2008-02-13 22:35 . 2003-03-31 07:00 69,120 --a--c--- C:\WINDOWS\system32\dllcache\wingb.ime
2008-02-13 22:35 . 2003-03-31 07:00 61,952 --a--c--- C:\WINDOWS\system32\dllcache\winime.ime
2008-02-13 22:33 . 2003-03-31 07:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-02-13 22:32 . 2003-03-31 07:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-02-13 22:31 . 2003-03-31 07:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-02-13 22:30 . 2001-08-17 22:36 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_smtpsnap.dll
2008-02-13 22:26 . 2008-02-13 22:26 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-02-13 22:26 . 2008-02-13 22:26 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-02-13 22:26 . 2008-02-13 22:26 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-02-13 22:26 . 2008-02-13 22:26 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-02-13 22:26 . 2008-02-13 22:26 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-02-13 22:25 . 2003-03-31 07:00 155,648 --a--c--- C:\WINDOWS\system32\dllcache\icwhelp.dll
2008-02-13 22:25 . 2003-03-31 07:00 73,728 --a--c--- C:\WINDOWS\system32\dllcache\icwtutor.exe
2008-02-13 22:25 . 2003-03-31 07:00 61,440 --a--c--- C:\WINDOWS\system32\dllcache\icwres.dll
2008-02-13 22:25 . 2003-03-31 07:00 57,344 --a--c--- C:\WINDOWS\system32\dllcache\icwconn.dll
2008-02-13 22:25 . 2003-03-31 07:00 45,056 --a--c--- C:\WINDOWS\system32\dllcache\icwutil.dll
2008-02-13 22:25 . 2003-03-31 07:00 40,960 --a--c--- C:\WINDOWS\system32\dllcache\trialoc.dll
2008-02-13 22:25 . 2003-03-31 07:00 24,576 --a--c--- C:\WINDOWS\system32\dllcache\icwrmind.exe
2008-02-13 22:08 . 2003-03-31 07:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-02-13 22:08 . 2003-03-31 07:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2008-02-13 22:08 . 2003-03-31 07:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-02-13 22:08 . 2003-03-31 07:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2008-02-09 07:08 . 2003-03-31 07:00 22,016 --a------ C:\WINDOWS\system32\userini.exe
2008-02-09 07:08 . 2008-02-09 10:08 2 --a------ C:\-2145159723
2008-01-26 15:20 . 2008-02-16 10:22 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-16 02:35 --------- d-----w C:\Program Files\SpywareGuard
2008-02-16 02:34 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-16 02:31 --------- d-----w C:\Program Files\iTunes
2008-02-16 02:30 --------- d-----w C:\Program Files\AIM6
2003-03-31 12:00 4,096 --sha-w C:\WINDOWS\system32\bnu.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-09-29 15:22 50528]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 15:46 1460560]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42 267064]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06 79224]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2007-10-01 20:08 451896]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2007-10-29 22:04 451896]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 16:24 81920]

C:\Documents and Settings\veary\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 18:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R3 KTC111;Kingston EtherRx KNE111TX NDIS 5.0 Miniport Driver;C:\WINDOWS\System32\DRIVERS\KTC111.SYS [2001-08-17 07:12]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-15 12:40:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-16 16:06:19
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-16 16:06:56
ComboFix-quarantined-files.txt 2008-02-16 21:06:46
ComboFix2.txt 2008-02-16 15:27:56
ComboFix3.txt 2008-02-16 14:18:31



Hi jack this:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:12:12 PM, on 2/16/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\lxctcoms.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {0a9f9196-a6cc-4dce-8d31-8d65b64cd44c} - (no file)
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {87b009e5-bc67-470c-bb3b-b0151bc4224b} - (no file)
O2 - BHO: (no name) - {A051B1FF-8D7E-418B-AABE-4FF82F4280A2} - (no file)
O2 - BHO: (no name) - {A5317F8A-D2F4-4737-AB5F-D68E5C8046DB} - (no file)
O2 - BHO: (no name) - {AE21AE1A-4578-425D-B749-E1E9E23FD869} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {C554D4EB-2EA0-4BF3-8861-DCC266E1A8CF} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: (no name) - {f914fa32-5956-455b-9d5c-a295f950474b} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.marsd.k12...lient/wfica.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures06.ai...AIM.9.5.1.8.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxct_device - - C:\WINDOWS\System32\lxctcoms.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe

--
End of file - 6571 bytes
  • 0

#6
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please see this post and re-read the directions please. >Here

You needed to copy the files I provided to a notepad document and save it as a CFscript.
Then drag it and drop it into Combofix.
Please then post the resulting Combofixx log and a new Hijackthis log please.
  • 0

#7
dvea

dvea

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
Sorry, hopefully this is it:

ComboFix 08-02-14.2 - veary 2008-02-17 10:06:46.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.110 [GMT -5:00]
Running from: C:\Documents and Settings\veary\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\veary\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Documents and Settings\veary\f5nD.exe
C:\Documents and Settings\veary\s5AZ.exe
C:\Temp\tOncha0119.exe
C:\WIndows\797B7B8184817E.exe
C:\WINDOWS\cru629.dat
C:\WINDOWS\expacc.exe
C:\WINDOWS\mlslsfmx.dll
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu1000106.exe.tmp
C:\WINDOWS\system32\4fdw.dll
C:\Windows\system32\797B7B8184817E.exe
C:\WINDOWS\System32\braviax.exe
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\system32\drivers\Fko15.sys
C:\WINDOWS\system32\drivers\Otx83.sys
C:\WINDOWS\system32\LogCrypt.dll
C:\WINDOWS\system32\WLCtrl32.dll
C:\Windows\xpupdate.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-2145159723\

.
((((((((((((((((((((((((( Files Created from 2008-01-17 to 2008-02-17 )))))))))))))))))))))))))))))))
.

2008-02-16 10:00 . 2008-02-16 10:00 14,336 --a------ C:\WINDOWS\system32\drivers\dumplog.exe
2008-02-15 22:27 . 2008-02-15 22:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-15 21:16 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-15 21:15 . 2008-02-15 21:15 73 --a------ C:\WINDOWS\system32\pfdnnt_actions.sys
2008-02-15 20:57 . 2008-02-15 21:39 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-15 20:57 . 2008-02-15 21:11 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-15 20:57 . 2008-02-15 21:11 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-15 20:57 . 2008-02-15 21:11 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-15 18:44 . 2008-02-15 21:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-15 18:44 . 2008-02-15 18:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-15 18:44 . 2008-02-15 18:44 <DIR> d-------- C:\Documents and Settings\veary\Application Data\SUPERAntiSpyware.com
2008-02-15 18:44 . 2008-02-15 18:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-14 08:22 . 2008-02-14 08:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Maxtor
2008-02-14 08:17 . 2008-02-14 08:17 <DIR> d-------- C:\Program Files\InstallShield Installation Information
2008-02-14 08:14 . 2008-02-14 08:19 <DIR> d-------- C:\Program Files\Maxtor
2008-02-14 08:13 . 2008-02-14 08:13 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-02-13 23:32 . 2008-02-13 23:32 158 --a------ C:\WINDOWS\wininit.ini
2008-02-13 22:35 . 2003-03-31 07:00 150,016 --a--c--- C:\WINDOWS\system32\dllcache\winzm.ime
2008-02-13 22:35 . 2003-03-31 07:00 150,016 --a--c--- C:\WINDOWS\system32\dllcache\winsp.ime
2008-02-13 22:35 . 2003-03-31 07:00 150,016 --a--c--- C:\WINDOWS\system32\dllcache\winpy.ime
2008-02-13 22:35 . 2003-03-31 07:00 74,752 --a--c--- C:\WINDOWS\system32\dllcache\winar30.ime
2008-02-13 22:35 . 2003-03-31 07:00 69,120 --a--c--- C:\WINDOWS\system32\dllcache\wingb.ime
2008-02-13 22:35 . 2003-03-31 07:00 61,952 --a--c--- C:\WINDOWS\system32\dllcache\winime.ime
2008-02-13 22:33 . 2003-03-31 07:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-02-13 22:32 . 2003-03-31 07:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-02-13 22:31 . 2003-03-31 07:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-02-13 22:30 . 2001-08-17 22:36 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_smtpsnap.dll
2008-02-13 22:26 . 2008-02-13 22:26 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-02-13 22:26 . 2008-02-13 22:26 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-02-13 22:26 . 2008-02-13 22:26 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-02-13 22:26 . 2008-02-13 22:26 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-02-13 22:26 . 2008-02-13 22:26 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-02-13 22:25 . 2003-03-31 07:00 155,648 --a--c--- C:\WINDOWS\system32\dllcache\icwhelp.dll
2008-02-13 22:25 . 2003-03-31 07:00 73,728 --a--c--- C:\WINDOWS\system32\dllcache\icwtutor.exe
2008-02-13 22:25 . 2003-03-31 07:00 61,440 --a--c--- C:\WINDOWS\system32\dllcache\icwres.dll
2008-02-13 22:25 . 2003-03-31 07:00 57,344 --a--c--- C:\WINDOWS\system32\dllcache\icwconn.dll
2008-02-13 22:25 . 2003-03-31 07:00 45,056 --a--c--- C:\WINDOWS\system32\dllcache\icwutil.dll
2008-02-13 22:25 . 2003-03-31 07:00 40,960 --a--c--- C:\WINDOWS\system32\dllcache\trialoc.dll
2008-02-13 22:25 . 2003-03-31 07:00 24,576 --a--c--- C:\WINDOWS\system32\dllcache\icwrmind.exe
2008-02-13 22:08 . 2003-03-31 07:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-02-13 22:08 . 2003-03-31 07:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2008-02-13 22:08 . 2003-03-31 07:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-02-13 22:08 . 2003-03-31 07:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2008-02-09 07:08 . 2003-03-31 07:00 22,016 --a------ C:\WINDOWS\system32\userini.exe
2008-02-09 07:08 . 2008-02-09 10:08 2 --a------ C:\-2145159723
2008-01-26 15:20 . 2008-02-16 10:22 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-16 02:35 --------- d-----w C:\Program Files\SpywareGuard
2008-02-16 02:34 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-16 02:31 --------- d-----w C:\Program Files\iTunes
2008-02-16 02:30 --------- d-----w C:\Program Files\AIM6
2003-03-31 12:00 4,096 --sha-w C:\WINDOWS\system32\bnu.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-09-29 15:22 50528]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 15:46 1460560]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42 267064]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06 79224]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2007-10-01 20:08 451896]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2007-10-29 22:04 451896]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 16:24 81920]

C:\Documents and Settings\veary\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 18:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R3 KTC111;Kingston EtherRx KNE111TX NDIS 5.0 Miniport Driver;C:\WINDOWS\System32\DRIVERS\KTC111.SYS [2001-08-17 07:12]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-15 12:40:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 10:08:06
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-17 10:08:40
ComboFix-quarantined-files.txt 2008-02-17 15:08:31
ComboFix2.txt 2008-02-16 21:06:57
ComboFix3.txt 2008-02-16 15:27:56
ComboFix4.txt 2008-02-16 14:18:31


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10:19 AM, on 2/17/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\lxctcoms.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {0a9f9196-a6cc-4dce-8d31-8d65b64cd44c} - (no file)
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {87b009e5-bc67-470c-bb3b-b0151bc4224b} - (no file)
O2 - BHO: (no name) - {A051B1FF-8D7E-418B-AABE-4FF82F4280A2} - (no file)
O2 - BHO: (no name) - {A5317F8A-D2F4-4737-AB5F-D68E5C8046DB} - (no file)
O2 - BHO: (no name) - {AE21AE1A-4578-425D-B749-E1E9E23FD869} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {C554D4EB-2EA0-4BF3-8861-DCC266E1A8CF} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: (no name) - {f914fa32-5956-455b-9d5c-a295f950474b} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.marsd.k12...lient/wfica.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures06.ai...AIM.9.5.1.8.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxct_device - - C:\WINDOWS\System32\lxctcoms.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe

--
End of file - 6605 bytes
  • 0

#8
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Yep that was it :)


Please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {0a9f9196-a6cc-4dce-8d31-8d65b64cd44c} - (no file)
O2 - BHO: (no name) - {87b009e5-bc67-470c-bb3b-b0151bc4224b} - (no file)
O2 - BHO: (no name) - {A051B1FF-8D7E-418B-AABE-4FF82F4280A2} - (no file)
O2 - BHO: (no name) - {A5317F8A-D2F4-4737-AB5F-D68E5C8046DB} - (no file)
O2 - BHO: (no name) - {AE21AE1A-4578-425D-B749-E1E9E23FD869} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {C554D4EB-2EA0-4BF3-8861-DCC266E1A8CF} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: (no name) - {f914fa32-5956-455b-9d5c-a295f950474b} - (no file)



Now click on Fix Checked and then close Hijackthis.
=====================================
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#9
dvea

dvea

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
Here is the kapersky scan:


Sunday, February 17, 2008 3:37:34 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/02/2008
Kaspersky Anti-Virus database records: 570085


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 32840
Number of viruses found 23
Number of infected objects 42
Number of suspicious objects 2
Duration of the scan process 01:13:28

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Pure Networks\Log\logfile.nmapp_exe.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Pure Networks\Log\logfile.nmctxth_exe.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Pure Networks\Log\logfile.nmsrvc_exe.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip/v1.8.8/wbuninst.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\veary\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped

C:\Documents and Settings\veary\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\veary\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped

C:\Documents and Settings\veary\Local Settings\Application Data\AOL OCP\AIM\Storage\data\alexanddogs\localStorage\common.cls Object is locked skipped

C:\Documents and Settings\veary\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\veary\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\veary\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\veary\Local Settings\History\History.IE5\MSHist012008021720080218\index.dat Object is locked skipped

C:\Documents and Settings\veary\Local Settings\Temp\~DF29E8.tmp Object is locked skipped

C:\Documents and Settings\veary\Local Settings\Temp\~DFD1EC.tmp Object is locked skipped

C:\Documents and Settings\veary\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\veary\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\veary\NTUSER.DAT.LOG Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped

C:\QooBox\Quarantine\C\Documents and Settings\veary\f5nD.exe.vir Infected: Trojan.Win32.Agent.fdb skipped

C:\QooBox\Quarantine\C\Documents and Settings\veary\s5AZ.exe.vir Infected: Trojan-Downloader.Win32.Tiny.ahz skipped

C:\QooBox\Quarantine\C\Temp\tOncha0119.exe.vir/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped

C:\QooBox\Quarantine\C\Temp\tOncha0119.exe.vir/data0003 Infected: not-a-virus:AdWare.Win32.Agent.co skipped

C:\QooBox\Quarantine\C\Temp\tOncha0119.exe.vir/data0004 Infected: Trojan-Downloader.Win32.Small.hwg skipped

C:\QooBox\Quarantine\C\Temp\tOncha0119.exe.vir/data0006/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped

C:\QooBox\Quarantine\C\Temp\tOncha0119.exe.vir/data0006 Infected: not-a-virus:AdWare.Win32.TTC.a skipped

C:\QooBox\Quarantine\C\Temp\tOncha0119.exe.vir NSIS: infected - 5 skipped

C:\QooBox\Quarantine\C\WINDOWS\cru629.dat.vir Infected: Backdoor.Win32.Small.ctw skipped

C:\QooBox\Quarantine\C\WINDOWS\expacc.exe.vir Infected: Trojan-Downloader.Win32.Diehard.ef skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\cru629.dat.vir Infected: Backdoor.Win32.Small.ctw skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\Fko15.sys.vir Infected: Email-Worm.Win32.Agent.e skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\LogCrypt.dll.vir Infected: Trojan.Win32.Agent.eub skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\WLCtrl32.dll.vir Infected: Email-Worm.Win32.Agent.e skipped

C:\QooBox\Quarantine\catchme2008-02-16_ 91535.61.zip/Nsw72.sys Infected: Email-Worm.Win32.Agent.e skipped

C:\QooBox\Quarantine\catchme2008-02-16_ 91535.61.zip/ptilinkk.sys Infected: Rootkit.Win32.Agent.to skipped

C:\QooBox\Quarantine\catchme2008-02-16_ 91535.61.zip ZIP: infected - 2 skipped

C:\QooBox\Quarantine\catchme2008-02-16_102531.91.zip/Otx83.sys Infected: Email-Worm.Win32.Agent.e skipped

C:\QooBox\Quarantine\catchme2008-02-16_102531.91.zip/4fdw.dll Infected: Trojan.Win32.Agent.fcn skipped

C:\QooBox\Quarantine\catchme2008-02-16_102531.91.zip ZIP: infected - 2 skipped

C:\System Volume Information\_restore{E7F25F7B-654D-41F6-96B8-184F26A05E9F}\RP10\A0000276.exe Infected: Trojan.Win32.Agent.fdb skipped

C:\System Volume Information\_restore{E7F25F7B-654D-41F6-96B8-184F26A05E9F}\RP10\A0000277.exe Infected: Trojan-Downloader.Win32.Tiny.ahz skipped

C:\System Volume Information\_restore{E7F25F7B-654D-41F6-96B8-184F26A05E9F}\RP10\A0000278.exe Infected: Trojan-Downloader.Win32.Diehard.ef skipped

C:\System Volume Information\_restore{E7F25F7B-654D-41F6-96B8-184F26A05E9F}\RP10\A0000279.sys Infected: Email-Worm.Win32.Agent.e skipped

C:\System Volume Information\_restore{E7F25F7B-654D-41F6-96B8-184F26A05E9F}\RP10\A0000280.dll Infected: Trojan.Win32.Agent.eub skipped

C:\System Volume Information\_restore{E7F25F7B-654D-41F6-96B8-184F26A05E9F}\RP10\A0000281.dll Infected: Email-Worm.Win32.Agent.e skipped

C:\System Volume Information\_restore{E7F25F7B-654D-41F6-96B8-184F26A05E9F}\RP11\change.log Object is locked skipped

C:\System Volume Information\_restore{E7F25F7B-654D-41F6-96B8-184F26A05E9F}\RP7\A0000113.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dxb skipped

C:\System Volume Information\_restore{E7F25F7B-654D-41F6-96B8-184F26A05E9F}\RP7\A0000114.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{E7F25F7B-654D-41F6-96B8-184F26A05E9F}\RP7\A0000115.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{E7F25F7B-654D-41F6-96B8-184F26A05E9F}\RP7\A0000117.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{E7F25F7B-654D-41F6-96B8-184F26A05E9F}\RP7\A0000118.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{E7F25F7B-654D-41F6-96B8-184F26A05E9F}\RP7\A0000119.dll Infected: not-a-virus:AdWare.Win32.Agent.acn skipped

C:\System Volume Information\_restore{E7F25F7B-654D-41F6-96B8-184F26A05E9F}\RP7\A0000120.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dxb skipped

C:\System Volume Information\_restore{E7F25F7B-654D-41F6-96B8-184F26A05E9F}\RP7\A0000121.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.etj skipped

C:\System Volume Information\_restore{E7F25F7B-654D-41F6-96B8-184F26A05E9F}\RP7\A0000137.exe Infected: Trojan-Downloader.Win32.Agent.hyy skipped

C:\System Volume Information\_restore{E7F25F7B-654D-41F6-96B8-184F26A05E9F}\RP7\A0000138.exe Infected: Backdoor.Win32.Agobot.app skipped

C:\System Volume Information\_restore{E7F25F7B-654D-41F6-96B8-184F26A05E9F}\RP7\A0000139.exe Infected: Trojan-Downloader.Win32.VB.cgu skipped

C:\System Volume Information\_restore{E7F25F7B-654D-41F6-96B8-184F26A05E9F}\RP8\A0000149.dll Infected: Email-Worm.Win32.Agent.e skipped

C:\System Volume Information\_restore{E7F25F7B-654D-41F6-96B8-184F26A05E9F}\RP8\A0000167.sys Infected: Email-Worm.Win32.Agent.e skipped

C:\WINDOWS\Debug\oakley.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\49HS640G\vsskkopgtx[1].htm Infected: Trojan.Win32.Pakes.ccn skipped

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C5TW3FRF\ddos[1].txt Infected: Trojan-Dropper.Win32.Nulprot.q skipped

C:\WINDOWS\system32\drivers\dumplog.exe Infected: Trojan-Dropper.Win32.Agent.drt skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_4e8.dat Object is locked skipped

C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

Scan process completed.
  • 0

#10
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK


    • Posted Image

    The above procedure will delete the following:

    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Clean System Restore points.

Also delete anything that we used that is left over.
=================================
After that Your log is clean. :)

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein ->Here
  • 0

Advertisements


#11
dvea

dvea

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
okay, I think I am done. Hopefully no more viruses. Now for my other computer.
  • 0

#12
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
If you want download Hijackthis to the other and we will clean it up as well.
You can post it here in this thread. :)

* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\Hijack This.
  • Click on I agree
  • Then Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

  • 0

#13
dvea

dvea

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
I am trying to reply with my hijack this log on my other machine, but everytime I hit reply on this forum, internet explorer wants to close down and says error. I will save the logs to disc and send them from this machine.

Okay here are the logs I saved

HiJack this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:26:14 PM, on 2/17/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\WINDOWS\System32\lxctcoms.exe
F:\Program Files\Viewpoint\Common\ViewpointService.exe
F:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\WINDOWS\System32\wuauclt.exe
F:\WINDOWS\System32\wuauclt.exe
F:\Program Files\Internet Explorer\iexplore.exe
f:\program files\aol\aim toolbar 5.0\AolTbServer.exe
F:\Documents and Settings\Veary\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - F:\Program Files\AOL Search\AOLSearch.dll
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - F:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: {221f26bf-c2b1-0eab-c1f4-24508827dcd0} - {0dcd7288-0542-4f1c-bae0-1b2cfb62f122} - F:\WINDOWS\System32\orguoewx.dll (file missing)
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - F:\Program Files\AOL Search\AOLSearch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - F:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - F:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [237615a2] rundll32.exe "F:\WINDOWS\System32\cbxmteja.dll",b
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Raos] "F:\PROGRA~1\COMMON~1\SSTEM~1\explorer.exe" -vt ndrv
O4 - HKCU\..\Run: [Infl] F:\WINDOWS\system32\??crosoft\w?auboot.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: RABCO - Auto Update.lnk = F:\Program Files\RABCO\RABCOse.exe
O8 - Extra context menu item: &AOL Toolbar Search - f:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - F:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.marsd.k12...lient/wfica.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189174975873
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1193096796148
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer....l/installer.exe
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: halzasal - halzasal.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxct_device - - F:\WINDOWS\System32\lxctcoms.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - F:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - F:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 5674 bytes

Hijack this uninstall list:

Adobe Flash Player 9 ActiveX
Adobe Shockwave Player
AIM 6
Aim Plugin for QQ Games
AIM Toolbar 5.0
AIMTunes
AOL Instant Messenger
AOL Search
AVG Anti-Spyware 7.5
Citrix ICA Web Client
Disney Pirates of the Caribbean Online
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Java™ 6 Update 2
Java™ 6 Update 3
Lexmark 5400 Series
Linksys Wireless-G PCI Adapter
Norton Security Scan
Norton Security Scan
Panda ActiveScan
QQ Games
RABCO
SUPERAntiSpyware Free Edition
Viewpoint Media Player
Virtools 3D Life Player
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) [See Q329834 for more information]
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q810833
Windows XP Hotfix (SP1) Q815021
Windows XP Hotfix (SP2) [See Q329115 for more information]

Panda scan:

Incident Status Location

Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\[email protected][2].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\john [email protected][2].txt
Spyware:Cookie/Com.com Not disinfected C:\WINDOWS\Cookies\john [email protected][1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\WINDOWS\Cookies\[email protected][1].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\john [email protected][3].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\[email protected][3].txt
Spyware:Cookie/Target Not disinfected C:\WINDOWS\Cookies\[email protected][2].txt
Spyware:Cookie/Doubleclick Not disinfected F:\Documents and Settings\Veary\Cookies\[email protected][1].txt
Spyware:Spyware/Virtumonde Not disinfected F:\WINDOWS\system32\vsaodcbx.dll
Virus:Trj/ZapChast.DO Disinfected F:\WINDOWS\system32\windows
Superanti spyware scan:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/17/2008 at 11:34 AM

Application Version : 3.9.1008

Core Rules Database Version : 3404
Trace Rules Database Version: 1396

Scan type : Complete Scan
Total Scan Time : 01:14:45

Memory items scanned : 341
Memory threats detected : 6
Registry items scanned : 3969
Registry threats detected : 131
File items scanned : 37515
File threats detected : 210

Trojan.Unclassifed/AffiliateBundle
F:\WINDOWS\SYSTEM32\AWTTTQP.DLL
F:\WINDOWS\SYSTEM32\AWTTTQP.DLL
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\awtttqp
F:\WINDOWS\SYSTEM32\CBXURON.DLL
F:\WINDOWS\SYSTEM32\JKKKIJG.DLL

Adware.Vundo Variant/Resident
F:\WINDOWS\SYSTEM32\OPNMN.DLL
F:\WINDOWS\SYSTEM32\OPNMN.DLL

Adware.Vundo-Variant/Small-A
F:\WINDOWS\SYSTEM32\ELMKCWVQ.DLL
F:\WINDOWS\SYSTEM32\ELMKCWVQ.DLL
HKLM\Software\Classes\CLSID\{e3ca10ec-899c-40d2-8741-2dc32ba748a9}
HKCR\CLSID\{E3CA10EC-899C-40D2-8741-2DC32BA748A9}
HKCR\CLSID\{E3CA10EC-899C-40D2-8741-2DC32BA748A9}\InprocServer32
HKCR\CLSID\{E3CA10EC-899C-40D2-8741-2DC32BA748A9}\InprocServer32#ThreadingModel
F:\WINDOWS\SYSTEM32\THEHXYJR.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e3ca10ec-899c-40d2-8741-2dc32ba748a9}
F:\WINDOWS\SYSTEM32\CBXMTEJA.DLL
F:\WINDOWS\SYSTEM32\ORGUOEWX.DLL

Adware.WebBuying Assistant-Installer
F:\PROGRAM FILES\WEB BUYING\V1.8.8\WEBBUYING.EXE
F:\PROGRAM FILES\WEB BUYING\V1.8.8\WEBBUYING.EXE
[WebBuying] F:\PROGRAM FILES\WEB BUYING\V1.8.8\WEBBUYING.EXE
F:\SYSTEM VOLUME INFORMATION\_RESTORE{1DB909EB-A8F8-40B2-8E04-9F761986C674}\RP170\A0008911.EXE

Adware.ClickSpring/Resident
F:\WINDOWS\system32\CROSOF~1\WAUBOO~1.EXE
F:\WINDOWS\system32\CROSOF~1\WAUBOO~1.EXE

Adware.Rabio Search Enhancer
F:\PROGRAM FILES\RABCO\X_RABCOSE.EXE
F:\PROGRAM FILES\RABCO\X_RABCOSE.EXE
HKLM\Software\Classes\CLSID\{1C2E5D27-A17C-4D89-85DD-3553C189380D}
HKCR\CLSID\{1C2E5D27-A17C-4D89-85DD-3553C189380D}
HKCR\CLSID\{1C2E5D27-A17C-4D89-85DD-3553C189380D}
HKCR\CLSID\{1C2E5D27-A17C-4D89-85DD-3553C189380D}#AppID
HKCR\CLSID\{1C2E5D27-A17C-4D89-85DD-3553C189380D}\InprocServer32
HKCR\CLSID\{1C2E5D27-A17C-4D89-85DD-3553C189380D}\InprocServer32#ThreadingModel
HKCR\CLSID\{1C2E5D27-A17C-4D89-85DD-3553C189380D}\ProgID
HKCR\CLSID\{1C2E5D27-A17C-4D89-85DD-3553C189380D}\Programmable
HKCR\CLSID\{1C2E5D27-A17C-4D89-85DD-3553C189380D}\TypeLib
HKCR\CLSID\{1C2E5D27-A17C-4D89-85DD-3553C189380D}\VersionIndependentProgID
F:\PROGRAM FILES\RABCO\RABCO.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1C2E5D27-A17C-4D89-85DD-3553C189380D}
F:\PROGRAM FILES\RABCO\RABCOSE.EXE
F:\SYSTEM VOLUME INFORMATION\_RESTORE{1DB909EB-A8F8-40B2-8E04-9F761986C674}\RP170\A0008921.EXE
F:\SYSTEM VOLUME INFORMATION\_RESTORE{1DB909EB-A8F8-40B2-8E04-9F761986C674}\RP170\A0008931.EXE
F:\WINDOWS\SYSTEM32\W11\HIBA3133.EXE

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{03DA6FC9-1B11-4424-8780-FC5B8721A781}
HKCR\CLSID\{03DA6FC9-1B11-4424-8780-FC5B8721A781}
HKCR\CLSID\{03DA6FC9-1B11-4424-8780-FC5B8721A781}
HKCR\CLSID\{03DA6FC9-1B11-4424-8780-FC5B8721A781}\InProcServer32
HKCR\CLSID\{03DA6FC9-1B11-4424-8780-FC5B8721A781}\InProcServer32#ThreadingModel
F:\PROGRAM FILES\INTERNET EXPLORER\LANUXA89104.DLL
HKLM\Software\Classes\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}\InprocServer32
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}\InprocServer32#ThreadingModel
F:\WINDOWS\SYSTEM32\HALZASAL.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{03DA6FC9-1B11-4424-8780-FC5B8721A781}
F:\SYSTEM VOLUME INFORMATION\_RESTORE{1DB909EB-A8F8-40B2-8E04-9F761986C674}\RP170\A0008910.EXE

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{383ACBB0-072B-73D1-0211-5300BDBB89C9}
HKCR\CLSID\{383ACBB0-072B-73D1-0211-5300BDBB89C9}
HKCR\CLSID\{383ACBB0-072B-73D1-0211-5300BDBB89C9}\InprocServer32
HKCR\CLSID\{383ACBB0-072B-73D1-0211-5300BDBB89C9}\InprocServer32#ThreadingModel
HKCR\CLSID\{383ACBB0-072B-73D1-0211-5300BDBB89C9}\Programmable
HKCR\CLSID\{383ACBB0-072B-73D1-0211-5300BDBB89C9}\TypeLib
F:\WINDOWS\SYSTEM32\AUGBAK.DLL
HKLM\Software\Classes\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{E180F496-8A4B-44E2-9FE0-0364E345DB7F}
HKCR\CLSID\{E180F496-8A4B-44E2-9FE0-0364E345DB7F}
HKCR\CLSID\{E180F496-8A4B-44E2-9FE0-0364E345DB7F}\InprocServer32
HKCR\CLSID\{E180F496-8A4B-44E2-9FE0-0364E345DB7F}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{383ACBB0-072B-73D1-0211-5300BDBB89C9}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E180F496-8A4B-44E2-9FE0-0364E345DB7F}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{E180F496-8A4B-44E2-9FE0-0364E345DB7F}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{E180F496-8A4B-44E2-9FE0-0364E345DB7F}

Adware.WebBuying Assistant
HKLM\Software\Classes\CLSID\{61b4c704-f8dd-4ad5-b30d-bc6f3dc37b6a}
HKCR\CLSID\{61B4C704-F8DD-4AD5-B30D-BC6F3DC37B6A}
HKCR\CLSID\{61B4C704-F8DD-4AD5-B30D-BC6F3DC37B6A}\InprocServer32
HKCR\CLSID\{61B4C704-F8DD-4AD5-B30D-BC6F3DC37B6A}\InprocServer32#ThreadingModel
F:\WINDOWS\SYSTEM32\LQXTBIG.DLL
HKLM\Software\Classes\CLSID\{ddb6a43e-6deb-4f93-94f3-8549a7683038}
HKCR\CLSID\{DDB6A43E-6DEB-4F93-94F3-8549A7683038}
HKCR\CLSID\{DDB6A43E-6DEB-4F93-94F3-8549A7683038}\InprocServer32
HKCR\CLSID\{DDB6A43E-6DEB-4F93-94F3-8549A7683038}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{61b4c704-f8dd-4ad5-b30d-bc6f3dc37b6a}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ddb6a43e-6deb-4f93-94f3-8549a7683038}

Adware.Vundo-Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A4B1E51-C7E3-4F92-8C50-2F4369C6109D}
HKCR\CLSID\{1A4B1E51-C7E3-4F92-8C50-2F4369C6109D}
HKCR\CLSID\{1A4B1E51-C7E3-4F92-8C50-2F4369C6109D}\InprocServer32
HKCR\CLSID\{1A4B1E51-C7E3-4F92-8C50-2F4369C6109D}\InprocServer32#ThreadingModel

Adware.Tracking Cookie
F:\Documents and Settings\Veary\Cookies\[email protected][1].txt
F:\Documents and Settings\Veary\Cookies\[email protected][2].txt
F:\Documents and Settings\Veary\Cookies\[email protected][2].txt
F:\Documents and Settings\Veary\Cookies\[email protected][1].txt
F:\Documents and Settings\Veary\Cookies\[email protected][1].txt
F:\Documents and Settings\Veary\Cookies\[email protected][1].txt
F:\Documents and Settings\Veary\Cookies\[email protected][2].txt
F:\Documents and Settings\Veary\Cookies\[email protected][1].txt
F:\Documents and Settings\Veary\Cookies\[email protected][2].txt
F:\Documents and Settings\Veary\Cookies\[email protected][1].txt
F:\Documents and Settings\Veary\Cookies\[email protected][1].txt
F:\Documents and Settings\Veary\Cookies\[email protected][2].txt
F:\Documents and Settings\Veary\Cookies\[email protected][1].txt
F:\Documents and Settings\Veary\Cookies\[email protected][1].txt
F:\Documents and Settings\Veary\Cookies\[email protected][2].txt
F:\Documents and Settings\Veary\Cookies\[email protected][1].txt
F:\Documents and Settings\Veary\Cookies\[email protected][1].txt
F:\Documents and Settings\Veary\Cookies\[email protected][1].txt
F:\Documents and Settings\Veary\Cookies\[email protected][1].txt
F:\Documents and Settings\Veary\Cookies\[email protected][1].txt
F:\Documents and Settings\Veary\Cookies\[email protected][1].txt
F:\Documents and Settings\Veary\Cookies\[email protected][1].txt
F:\Documents and Settings\Veary\Cookies\[email protected][1].txt
F:\Documents and Settings\Veary\Cookies\[email protected][1].txt
F:\Documents and Settings\Veary\Cookies\[email protected][2].txt
F:\Documents and Settings\Veary\Cookies\[email protected][2].txt
F:\Documents and Settings\Veary\Cookies\[email protected][1].txt
F:\Documents and Settings\Veary\Cookies\[email protected][2].txt
F:\Documents and Settings\Veary\Cookies\[email protected][2].txt
F:\Documents and Settings\Veary\Cookies\[email protected][2].txt
F:\Documents and Settings\Veary\Cookies\[email protected][2].txt
F:\Documents and Settings\Veary\Cookies\[email protected][2].txt
F:\Documents and Settings\Veary\Cookies\[email protected][1].txt
F:\Documents and Settings\Veary\Cookies\[email protected][1].txt
C:\WINDOWS\Cookies\john [email protected][1].txt
C:\WINDOWS\Cookies\john [email protected][1].txt
C:\WINDOWS\Cookies\john [email protected][2].txt
C:\WINDOWS\Cookies\john [email protected][2].txt
C:\WINDOWS\Cookies\john [email protected][1].txt
C:\WINDOWS\Cookies\john [email protected][1].txt
C:\WINDOWS\Cookies\john [email protected][1].txt
C:\WINDOWS\Cookies\john [email protected][2].txt
C:\WINDOWS\Cookies\john [email protected][1].txt
C:\WINDOWS\Cookies\[email protected][2].txt
C:\WINDOWS\Cookies\john [email protected][1].txt
C:\WINDOWS\Cookies\john [email protected][2].txt
C:\WINDOWS\Cookies\john [email protected][1].txt
C:\WINDOWS\Cookies\john [email protected][1].txt
C:\WINDOWS\Cookies\john [email protected][1].txt
C:\WINDOWS\Cookies\john [email protected][1].txt
C:\WINDOWS\Cookies\john [email protected][1].txt
C:\WINDOWS\Cookies\[email protected][1].txt
C:\WINDOWS\Cookies\[email protected][1].txt
C:\WINDOWS\Cookies\[email protected][1].txt
C:\WINDOWS\Cookies\[email protected][2].txt
C:\WINDOWS\Cookies\[email protected][1].txt
C:\WINDOWS\Cookies\[email protected][2].txt
C:\WINDOWS\Cookies\john [email protected][2].txt
C:\WINDOWS\Cookies\john [email protected][2].txt
C:\WINDOWS\Cookies\john [email protected][2].txt
C:\WINDOWS\Cookies\[email protected][1].txt
C:\WINDOWS\Cookies\[email protected][2].txt
C:\WINDOWS\Cookies\[email protected][1].txt
C:\WINDOWS\Cookies\[email protected][3].txt
C:\WINDOWS\Cookies\[email protected]s.buddy4u[3].txt
C:\WINDOWS\Cookies\[email protected][2].txt
C:\WINDOWS\Cookies\[email protected][1].txt
C:\WINDOWS\Cookies\john [email protected][1].txt
C:\WINDOWS\Cookies\john [email protected][3].txt
C:\WINDOWS\Cookies\john [email protected][2].txt
C:\WINDOWS\Cookies\john [email protected][1].txt
C:\WINDOWS\Cookies\john [email protected][1].txt
C:\WINDOWS\Cookies\john [email protected][5].txt
C:\WINDOWS\Cookies\john [email protected][1].txt
C:\WINDOWS\Cookies\[email protected][3].txt
C:\WINDOWS\Cookies\[email protected][1].txt
C:\WINDOWS\Cookies\[email protected][1].txt
C:\WINDOWS\Cookies\[email protected][3].txt
C:\WINDOWS\Cookies\[email protected][1].txt
C:\WINDOWS\Cookies\[email protected][1].txt
C:\WINDOWS\Cookies\[email protected][2].txt
C:\WINDOWS\Cookies\[email protected][1].txt
C:\WINDOWS\Cookies\[email protected][1].txt
C:\WINDOWS\Cookies\[email protected][1].txt
C:\WINDOWS\Cookies\[email protected][2].txt
C:\WINDOWS\Cookies\[email protected][1].txt
C:\WINDOWS\Cookies\[email protected][1].txt
C:\WINDOWS\Cookies\[email protected][1].txt
C:\WINDOWS\Cookies\john [email protected][2].txt
C:\WINDOWS\Cookies\john [email protected][2].txt
C:\WINDOWS\Cookies\john [email protected][1].txt
C:\WINDOWS\Cookies\[email protected][4].txt
C:\WINDOWS\Cookies\[email protected][1].txt
C:\WINDOWS\Cookies\[email protected][2].txt
C:\WINDOWS\Cookies\[email protected][2].txt
C:\WINDOWS\Cookies\[email protected][2].txt
C:\WINDOWS\Cookies\[email protected][2].txt
C:\WINDOWS\Cookies\john [email protected][2].txt
C:\WINDOWS\Cookies\john [email protected][1].txt
C:\WINDOWS\Cookies\john [email protected][2].txt
C:\WINDOWS\Cookies\john [email protected][1].txt
C:\WINDOWS\Cookies\john [email protected][1].txt
C:\WINDOWS\Cookies\john [email protected][2].txt
C:\WINDOWS\Cookies\john [email protected][2].txt
F:\Documents and Settings\Veary\Cookies\[email protected][2].txt

Trojan.NetMon/DNSChange
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#Type
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#Start
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Security
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#Contact
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#NoRemove
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#UninstallString
F:\Program Files\Network Monitor
F:\SYSTEM VOLUME INFORMATION\_RESTORE{1DB909EB-A8F8-40B2-8E04-9F761986C674}\RP170\A0008913.EXE

Trojan.cmdService
HKLM\SYSTEM\CurrentControlSet\Services\cmdService
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#Type
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#Start
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Security
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#NextInstance
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#Contact
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#NoRemove
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#UninstallString
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc

Adware.Adservs
F:\WINDOWS\system32\atmtd.dll
F:\WINDOWS\system32\atmtd.dll._
F:\SYSTEM VOLUME INFORMATION\_RESTORE{1DB909EB-A8F8-40B2-8E04-9F761986C674}\RP170\A0008908.EXE
F:\SYSTEM VOLUME INFORMATION\_RESTORE{1DB909EB-A8F8-40B2-8E04-9F761986C674}\RP170\A0008909.DLL

Trojan.Unknown Origin
F:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
F:\WINDOWS\system32\nGpxx01
HKLM\Software\xpre
HKLM\Software\xpre#execount
F:\SYSTEM VOLUME INFORMATION\_RESTORE{1DB909EB-A8F8-40B2-8E04-9F761986C674}\RP170\A0008906.VBS
F:\SYSTEM VOLUME INFORMATION\_RESTORE{1DB909EB-A8F8-40B2-8E04-9F761986C674}\RP170\A0008907.VBS

Adware.ClickSpring/Outer Info Network
F:\Program Files\Outerinfo\FF\chrome.manifest
F:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt
F:\Program Files\Outerinfo\FF\components
F:\Program Files\Outerinfo\FF\install.rdf
F:\Program Files\Outerinfo\FF
F:\Program Files\Outerinfo\Terms.rtf
F:\Program Files\Outerinfo
F:\Documents and Settings\Veary\Start Menu\Programs\Outerinfo\Terms.lnk
F:\Documents and Settings\Veary\Start Menu\Programs\Outerinfo\Uninstall.lnk
F:\Documents and Settings\Veary\Start Menu\Programs\Outerinfo

Adware.Web Buying
F:\Program Files\Web Buying\v1.8.8\wbuninst.exe
F:\Program Files\Web Buying\v1.8.8
F:\Program Files\Web Buying
HKU\.DEFAULT\Software\WebBuying
HKU\S-1-5-21-507921405-1580436667-1060284298-1003\Software\WebBuying
HKU\S-1-5-18\Software\WebBuying
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebBuying
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebBuying#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebBuying#UninstallString

Adware.ClickSpring
F:\DOCUMENTS AND SETTINGS\VEARY\LOCAL SETTINGS\TEMP\!UPDATE.EXE
F:\DOCUMENTS AND SETTINGS\VEARY\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\18JKIS5C\!UPDATE-4495[1].0000
F:\PROGRAM FILES\COMMON FILES\SSTEM~1\EXPLORER.EXE
F:\SYSTEM VOLUME INFORMATION\_RESTORE{1DB909EB-A8F8-40B2-8E04-9F761986C674}\RP170\A0008904.EXE

Trojan.Unclassified/17PHolmes-A
F:\WINDOWS\17PHOLMES572.EXE

Trojan.Downloader-Gen/MROFIN
F:\WINDOWS\MROFINU1000106.EXE
F:\WINDOWS\MROFINU572.EXE
F:\WINDOWS\MROFINU572.EXE.TMP

Trace.Known Threat Sources
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\PQCVH0DZ\index[1].htm
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\PQCVH0DZ\top_bg[1].gif
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\3DECMECP\crypt[1].htm
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\3DECMECP\u_top_right[1].gif
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\C6ATALGP\CAQ3KJZ8.php
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\3DECMECP\ajax[1].htm
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\18JKIS5C\errorhandler[1].htm
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\C6ATALGP\style604[1].css
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\C6ATALGP\download[1].gif
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\18JKIS5C\managers[1].htm
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\3DECMECP\chec[1].gif
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\18JKIS5C\sered[1].gif
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\C6ATALGP\midle[1].gif
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\18JKIS5C\spacer[1].gif
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\C6ATALGP\u_top_left[1].gif
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\3DECMECP\AC_RunActiveContent[1].htm
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\3DECMECP\i44_f3[1].gif
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\3DECMECP\CAU1C9YJ.php
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\PQCVH0DZ\install_sbd_en[1].exe
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\PQCVH0DZ\u_bottom_left[1].gif
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\3DECMECP\bottom_bg[1].gif
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\C6ATALGP\stats[1].jpg
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\C6ATALGP\AC_ActiveX[1].htm
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\PQCVH0DZ\errorhandler[1].htm
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\PQCVH0DZ\note[1].gif
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\18JKIS5C\i44_ic2[1].gif
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\C6ATALGP\spacer[3].gif
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\18JKIS5C\lines[1].gif
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\PQCVH0DZ\setup_en[1].exe
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\18JKIS5C\i44_boton[1].gif
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\18JKIS5C\ajax[1].htm
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\PQCVH0DZ\i44_ic3[1].gif
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\PQCVH0DZ\top_bg[2].gif
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\C6ATALGP\managers[1].htm
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\3DECMECP\u_bottom_right[1].gif
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\18JKIS5C\data[1]
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\PQCVH0DZ\CAH8IHTB.php
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\C6ATALGP\i44_fonflash[1].gif
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\C6ATALGP\stats[2].jpg
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\PQCVH0DZ\i44_u1[1].gif
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\PQCVH0DZ\i44_ic1[1].gif
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\18JKIS5C\u_bottom_left[1].gif
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\18JKIS5C\note[1].gif
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\C6ATALGP\i44_ug1[1].gif
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\PQCVH0DZ\i44_ug3[1].gif
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\18JKIS5C\index[1].htm
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\3DECMECP\i44_ug2[1].gif
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\18JKIS5C\bottom_bg[1].gif
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\3DECMECP\CA8T4F4Z.php
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\PQCVH0DZ\u_top_right[1].gif
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\18JKIS5C\crypt[1].htm
F:\Documents and Settings\Veary\Local Settings\Temporary Internet Files\Content.IE5\PQCVH0DZ\i44_f2[1].gif

Edited by dvea, 18 February 2008 - 11:20 AM.

  • 0

#14
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hi again save this tool to your other computer either by disk or flash drive.

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#15
dvea

dvea

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
Here they are:


ComboFix 08-02-17.2 - Veary 2008-02-18 15:54:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.93 [GMT -5:00]
Running from: F:\Documents and Settings\Veary\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\Documents and Settings\LocalService\Application Data\NetMon
F:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
F:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
F:\Documents and Settings\NetworkService\Application Data\NetMon
F:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
F:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
F:\Program Files\Common Files\sstem~1
F:\Program Files\Common Files\sstem~1\s?stem\
F:\WINDOWS\cookies.ini
F:\WINDOWS\system32\a1
F:\WINDOWS\system32\ajetmxbc.ini
F:\WINDOWS\system32\crosof~1
F:\WINDOWS\system32\halzasal.dllbox
F:\WINDOWS\system32\nmnpo.ini
F:\WINDOWS\system32\nmnpo.ini2
F:\WINDOWS\system32\p9
F:\WINDOWS\system32\p9\liopud89104.exe
F:\WINDOWS\system32\pac.txt
F:\WINDOWS\system32\qvwckmle.ini
F:\WINDOWS\system32\v6
F:\WINDOWS\system32\vsaodcbx.dll
F:\WINDOWS\system32\w11

.
((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 )))))))))))))))))))))))))))))))
.

2008-02-17 14:22 . 2008-02-17 15:43 <DIR> d-------- F:\WINDOWS\system32\ActiveScan
2008-02-17 14:22 . 2008-02-17 14:22 30,590 --a------ F:\WINDOWS\system32\pavas.ico
2008-02-17 14:22 . 2008-02-17 14:22 2,550 --a------ F:\WINDOWS\system32\Uninstall.ico
2008-02-17 14:22 . 2008-02-17 14:22 1,406 --a------ F:\WINDOWS\system32\Help.ico
2008-02-17 10:16 . 2008-02-17 15:36 <DIR> d-------- F:\Program Files\SUPERAntiSpyware
2008-02-17 10:16 . 2008-02-17 10:16 <DIR> d-------- F:\Program Files\Common Files\Wise Installation Wizard
2008-02-17 10:16 . 2008-02-17 10:16 <DIR> d-------- F:\Documents and Settings\Veary\Application Data\SUPERAntiSpyware.com
2008-02-17 10:16 . 2008-02-17 10:16 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-16 16:46 . 2008-02-16 16:46 <DIR> d-------- F:\Documents and Settings\Veary\Application Data\Grisoft
2008-02-16 16:45 . 2007-05-30 07:10 10,872 --a------ F:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-16 16:44 . 2008-02-16 16:44 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-15 19:25 . 2008-02-15 19:25 <DIR> d-------- F:\WINDOWS\DA15D5355E1D4076B5208571346D6238.TMP
2008-02-15 19:21 . 2008-02-15 19:21 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Rabio
2008-02-15 19:21 . 2008-02-15 19:21 26,096 --a------ F:\WINDOWS\system32\ljjkkhi.dll
2008-02-15 19:17 . 2008-02-16 17:30 <DIR> d--hs---- F:\WINDOWS\S2lkcyAy
2008-02-15 19:17 . 2008-02-15 19:20 <DIR> d-------- F:\Program Files\RABCO
2008-02-13 18:50 . 2008-02-13 18:50 <DIR> d-------- F:\Documents and Settings\Veary\Application Data\QQ Games Plugin
2008-02-13 18:50 . 2008-02-13 18:50 <DIR> d-------- F:\Documents and Settings\Veary\Application Data\acccore
2008-02-13 18:49 . 2008-02-13 18:49 <DIR> d-------- F:\Program Files\Tencent
2008-02-13 18:48 . 2008-02-17 15:33 <DIR> d-------- F:\Program Files\AOL Search
2008-02-13 18:48 . 2008-02-13 18:50 <DIR> d-------- F:\Program Files\AIMTunes
2008-02-13 18:48 . 2008-02-13 18:48 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-13 18:48 . 2008-02-13 18:48 21 --a------ F:\WINDOWS\atid.ini
2008-02-13 18:47 . 2008-02-13 18:50 <DIR> d-------- F:\Program Files\AIM6
2008-02-13 18:47 . 2008-02-13 18:51 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\AOL OCP
2008-02-13 18:47 . 2008-02-13 18:47 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\AOL
2008-02-13 18:47 . 2008-02-13 18:50 1,348 --ah----- F:\IPH.PH
2008-02-02 10:47 . 2008-02-02 10:47 <DIR> d-------- F:\Program Files\Disney

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 23:01 --------- d-----w F:\Program Files\Common Files\Symantec Shared
2008-02-17 23:00 --------- d-----w F:\Program Files\Norton Security Scan
2008-02-17 20:36 --------- d-----w F:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor
2008-02-17 20:34 --------- d-----w F:\Program Files\Google
2008-02-13 23:47 --------- d-----w F:\Program Files\Viewpoint
2008-02-13 23:47 --------- d-----w F:\Program Files\Common Files\AOL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0dcd7288-0542-4f1c-bae0-1b2cfb62f122}]
F:\WINDOWS\System32\orguoewx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22}]
2008-01-03 11:27 111968 --a------ F:\Program Files\AOL Search\AOLSearch.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="F:\Program Files\Messenger\msmsgs.exe" [2001-08-02 06:14 1077277]
"Aim6"="" []
"Raos"="F:\PROGRA~1\COMMON~1\SSTEM~1\explorer.exe" [ ]
"Infl"="F:\WINDOWS\system32\??crosoft\w?auboot.exe" [ ]
"SUPERAntiSpyware"="F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"!AVG Anti-Spyware"="F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"237615a2"="F:\WINDOWS\System32\cbxmteja.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-09-07 19:29 171448]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= F:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
F:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 F:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\halzasal]
halzasal.dll

R2 Viewpoint Manager Service;Viewpoint Manager Service;"F:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R3 ati2mpaa;ati2mpaa;F:\WINDOWS\System32\DRIVERS\ati2mpaa.sys [2001-08-17 07:48]

*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
"2008-02-18 02:05:11 F:\WINDOWS\Tasks\Norton Security Scan.job"
- F:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-18 15:59:11
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
F:\WINDOWS\System32\lxctcoms.exe
F:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
F:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
F:\WINDOWS\System32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-02-18 16:02:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-18 21:01:52
.
2008-02-14 08:01:20 --- E O F ---



Hijack This:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:03:44 PM, on 2/18/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\WINDOWS\System32\lxctcoms.exe
F:\Program Files\Viewpoint\Common\ViewpointService.exe
F:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
F:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\WINDOWS\System32\wuauclt.exe
F:\WINDOWS\explorer.exe
F:\WINDOWS\System32\wuauclt.exe
F:\Documents and Settings\Veary\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - F:\Program Files\AOL Search\AOLSearch.dll
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: {221f26bf-c2b1-0eab-c1f4-24508827dcd0} - {0dcd7288-0542-4f1c-bae0-1b2cfb62f122} - F:\WINDOWS\System32\orguoewx.dll (file missing)
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - F:\Program Files\AOL Search\AOLSearch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - F:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - F:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [237615a2] rundll32.exe "F:\WINDOWS\System32\cbxmteja.dll",b
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Raos] "F:\PROGRA~1\COMMON~1\SSTEM~1\explorer.exe" -vt ndrv
O4 - HKCU\..\Run: [Infl] F:\WINDOWS\system32\??crosoft\w?auboot.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: RABCO - Auto Update.lnk = F:\Program Files\RABCO\RABCOse.exe
O8 - Extra context menu item: &AOL Toolbar Search - f:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - F:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.marsd.k12...lient/wfica.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189174975873
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1193096796148
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer....l/installer.exe
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: halzasal - halzasal.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxct_device - - F:\WINDOWS\System32\lxctcoms.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - F:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - F:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 5526 bytes
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP