Invasion [RESOLVED]


  • This topic is locked

#1 terrorcyanide (New Member, 9 posts)
My computer was attacked by spyware last night. Please help. I'm using Windows XP.

#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello terrorcyanide

Welcome to G2Go. :)
=====================
  • Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double-click the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\Hijack This.
  • Click on I agree.
  • Then click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
  • Click on "Edit > Select All", then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


#3 terrorcyanide (Topic Starter, New Member, 9 posts)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:55:47 AM, on 2/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Lexmark P910 Series\lxbymon.exe
C:\Program Files\Lexmark P910 Series\ezprint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\WINDOWS\system32\lxbycoms.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\XP Antivirus\xpa.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &WinSec Toolbar - {3F5A62E2-51F2-11D3-A075-CC7364CAE42A} - C:\WINDOWS\system32\wscmp.dll
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [HelpCenter4.1] C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe /P HelpCenter4.1
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LXBYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBYtime.dll,[email protected]
O4 - HKLM\..\Run: [lxbymon.exe] "C:\Program Files\Lexmark P910 Series\lxbymon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark P910 Series\ezprint.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvter.dll,startup
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [78828178] rundll32.exe "C:\WINDOWS\system32\pxhrhpry.dll",b
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\ieupdates.exe"
O4 - HKCU\..\Run: [XP Antivirus] C:\Program Files\XP Antivirus\xpa.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk Architectural Desktop 3\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk Architectural Desktop 3\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk Architectural Desktop 3\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk Architectural Desktop 3\AcPreview.ocx
O21 - SSODL: zip - {3c2bb4eb-5158-4be5-b0c6-c8c6007c6307} - C:\WINDOWS\Installer\{3c2bb4eb-5158-4be5-b0c6-c8c6007c6307}\zip.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxby_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbycoms.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

--
End of file - 8825 bytes
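A small parser for the HijackThis log format posted above, added here as an example; it is not part of the thread and not code from HijackThis or its author. It reads lines in the layout shown in the log (a handful of them are reproduced as constructed sample input, alongside two ordinary vendor entries as negative cases) and flags autostart entries on structural grounds only: a win.ini run= load point, rundll32 loading a DLL straight out of system32 or one with a machine-generated-looking name, an all-digit Run value name, a per-user Run entry that starts a program from system32, and a ShellServiceObjectDelayLoad object living in the Installer cache. The regexes, the vowel-count heuristic and the reason texts are my own assumptions; a hit is a prompt for the helper to look closer, not a verdict.

```python
import re

# Constructed sample input: a few lines copied from the HijackThis log posted
# in this thread, plus two ordinary vendor entries (iTunes, Messenger) that
# must not be flagged.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvter.dll,startup
O4 - HKLM\..\Run: [78828178] rundll32.exe "C:\WINDOWS\system32\pxhrhpry.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\ieupdates.exe"
O21 - SSODL: zip - {3c2bb4eb-5158-4be5-b0c6-c8c6007c6307} - C:\WINDOWS\Installer\{3c2bb4eb-5158-4be5-b0c6-c8c6007c6307}\zip.dll
"""

# Generic HijackThis line: section code, " - ", then a section-specific body.
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O21 body: SSODL: name - {CLSID} - path
O21_RE = re.compile(r"^SSODL: (?P<name>\S+) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
# F3 body: REG:win.ini: run="path"
F3_RE = re.compile(r'^REG:win\.ini: run="?(?P<path>[^"]*)"?$')
# A command that hands a DLL to rundll32; captures the DLL path, quoted or not.
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.IGNORECASE)
# A plain executable launch; captures the (possibly quoted) program path.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?', re.IGNORECASE)

SYSTEM32 = "c:\\windows\\system32\\"


def directly_in_system32(path: str) -> bool:
    """True if the file sits directly in system32, not in a vendor subdirectory."""
    low = path.lower()
    return low.startswith(SYSTEM32) and "\\" not in low[len(SYSTEM32):]


def looks_generated(filename: str) -> bool:
    """Heuristic (assumption): an all-digit stem, or a stem of 6+ characters
    with no vowel, is typical of generated names rather than vendor names."""
    stem = filename.lower().rsplit(".", 1)[0]
    return stem.isdigit() or (len(stem) >= 6 and not any(c in "aeiou" for c in stem))


def analyze(log_text: str) -> list:
    """Return one finding per suspicious line: {'section', 'line', 'reasons'}."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        reasons = []
        if sec == "F3" and F3_RE.match(body):
            reasons.append("win.ini run= is a legacy load point that current installers do not use")
        elif sec == "O4":
            o = O4_RE.match(body)
            if o:
                name, hive, cmd = o.group("name"), o.group("hive"), o.group("cmd")
                r = RUNDLL_RE.match(cmd)
                if r:
                    dll = r.group("dll")
                    if directly_in_system32(dll):
                        reasons.append("rundll32 loads a DLL straight from system32, not a vendor directory")
                    if looks_generated(dll.rsplit("\\", 1)[-1]):
                        reasons.append("DLL name looks machine-generated")
                else:
                    e = EXE_RE.match(cmd)
                    if e and hive == "HKCU" and directly_in_system32(e.group("exe")):
                        reasons.append("per-user Run entry starts a program out of system32")
                if name.isdigit():
                    reasons.append("Run value name is all digits")
        elif sec == "O21":
            s = O21_RE.match(body)
            if s and "\\installer\\{" in s.group("path").lower():
                reasons.append("ShellServiceObjectDelayLoad DLL lives in the Installer cache, which holds MSI data, not shell objects")
        if reasons:
            findings.append({"section": sec, "line": line, "reasons": reasons})
    return findings


def report(log_text: str) -> str:
    """Plain-text summary: each flagged line followed by its reasons."""
    out = []
    for f in analyze(log_text):
        out.append(f["line"])
        for r in f["reasons"]:
            out.append("    -> " + r)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a full log by reading the file into `analyze()`; the vendor entries pass through untouched, and the five lines it does flag are exactly the ones a helper would want to compare against the later ComboFix deletion list.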

#4 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.
When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#5 terrorcyanide (Topic Starter, New Member, 9 posts)
COMBOFIX LOG:

ComboFix 08-02-17.2 - Owner 2008-02-17 11:40:55.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.119 [GMT -5:00]
Running from: C:\Documents and Settings\Owner.LEANMACHINE\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cbxxu.dll
C:\WINDOWS\system32\rqroolk.dll
C:\Documents and Settings\Owner.LEANMACHINE\Application Data\SpyGuardPro
C:\Documents and Settings\Owner.LEANMACHINE\Application Data\SpyGuardPro\avtasks.dat
C:\Documents and Settings\Owner.LEANMACHINE\Application Data\SpyGuardPro\Logs\av.log
C:\Documents and Settings\Owner.LEANMACHINE\Application Data\SpyGuardPro\Logs\ga6Support.log
C:\Documents and Settings\Owner.LEANMACHINE\Application Data\SpyGuardPro\Logs\update.log
C:\Documents and Settings\Owner.LEANMACHINE\ResErrors.log
C:\Program Files\SpyGuardPro
C:\Program Files\SpyGuardPro\history.db
C:\UGA6P
C:\WINDOWS\system32\cbxxu.dll
C:\WINDOWS\system32\drvrehr.dll
C:\WINDOWS\system32\drvterr.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ntload.sys
C:\WINDOWS\system32\oartarvi.dll
C:\WINDOWS\system32\pxhrhpry.dll
C:\WINDOWS\system32\rqroolk.dll
C:\WINDOWS\system32\uxxbc.ini
C:\WINDOWS\system32\uxxbc.ini2
C:\WINDOWS\system32\winoqy32.dll
C:\WINDOWS\system32\winsrc.dll
C:\WINDOWS\system32\winupdate.exe
C:\WINDOWS\system32\wscmp.dll
C:\WINDOWS\system32\yaywurq.dll
C:\WINDOWS\system32\yrphrhxp.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FMTR
-------\LEGACY_NTLOAD
-------\ntload


((((((((((((((((((((((((( Files Created from 2008-01-17 to 2008-02-17 )))))))))))))))))))))))))))))))
.

2008-02-17 11:38 . 2008-02-17 11:38 103,936 --a------ C:\WINDOWS\system32\drvreh.dll
2008-02-17 11:38 . 2008-02-17 11:38 15,872 --a------ C:\WINDOWS\system32\drvlal.dll
2008-02-17 11:07 . 2008-02-17 11:07 0 --a------ C:\WINDOWS\system32\sex1.ico.tmp
2008-02-17 10:55 . 2008-02-17 10:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-17 04:44 . 2008-02-17 04:44 0 --a------ C:\WINDOWS\system32\sex2.ico.tmp
2008-02-17 04:43 . 2008-02-17 04:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-17 04:43 . 2008-02-17 04:43 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-16 18:32 . 2008-02-16 18:32 <DIR> d-------- C:\Documents and Settings\Owner.LEANMACHINE\Application Data\Grisoft
2008-02-16 18:31 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-16 18:30 . 2008-02-16 18:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-16 18:16 . 2004-10-07 13:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-02-16 18:16 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-02-16 18:16 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-02-16 17:55 . 2008-02-16 17:56 <DIR> d-------- C:\Program Files\XP Antivirus
2008-02-15 21:32 . 2008-02-15 21:32 <DIR> d-------- C:\Program Files\iolo
2008-02-15 21:32 . 2008-02-15 21:32 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\iolo
2008-02-15 21:32 . 2006-03-28 09:54 696,320 --a------ C:\WINDOWS\system32\libeay32.dll
2008-02-15 21:32 . 2007-03-27 09:53 435,816 --a------ C:\WINDOWS\system32\Incinerator.dll
2008-02-15 21:32 . 2006-03-28 09:55 155,648 --a------ C:\WINDOWS\system32\ssleay32.dll
2008-02-15 21:32 . 2006-11-25 17:39 41,472 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2008-02-15 21:32 . 2006-11-25 17:39 25,264 --a------ C:\WINDOWS\system32\smrgdf.exe
2008-02-15 21:32 . 2008-02-15 21:32 406 --a------ C:\WINDOWS\system32\ioloBootDefrag.cfg
2008-02-15 21:28 . 2008-02-15 21:53 <DIR> d-------- C:\Documents and Settings\Owner.LEANMACHINE\Application Data\iolo
2008-02-15 21:28 . 2008-02-15 21:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-02-15 20:56 . 2008-02-16 18:31 3,262 --a------ C:\WINDOWS\system32\sex2.ico
2008-02-15 20:56 . 2008-02-17 10:51 3,262 --a------ C:\WINDOWS\system32\sex1.ico
2008-01-27 18:43 . 2008-01-27 18:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Macrovision
2008-01-27 18:41 . 2008-01-27 18:41 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared
2008-01-27 18:40 . 2003-07-30 18:28 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2008-01-27 18:40 . 2003-07-30 18:28 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2008-01-27 18:40 . 2003-07-30 18:28 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-01-27 18:39 . 2008-01-27 18:40 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2008-01-27 18:37 . 2008-01-27 18:40 <DIR> d-------- C:\Program Files\Macromedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 23:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-22 03:02 --------- d-----w C:\Program Files\Lx_cats
2008-01-15 01:53 --------- d-----w C:\Program Files\Autodesk Architectural Desktop 3
2008-01-15 01:18 --------- d-----w C:\Documents and Settings\Owner.LEANMACHINE\Application Data\Autodesk
2008-01-15 01:11 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-01-15 00:59 --------- d-----w C:\Program Files\WexTech
2008-01-15 00:59 --------- d-----w C:\Program Files\Common Files\Wextech Shared
2008-01-15 00:59 --------- d-----w C:\Program Files\Common Files\LHSPF
2008-01-15 00:58 --------- d-----w C:\Program Files\Volo View Express
2008-01-10 06:19 --------- d-----w C:\Documents and Settings\Owner.LEANMACHINE\Application Data\Apple Computer
2008-01-10 06:18 --------- d-----w C:\Program Files\iTunes
2008-01-10 06:18 --------- d-----w C:\Program Files\iPod
2008-01-10 06:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-10 06:15 --------- d-----w C:\Program Files\QuickTime
2008-01-10 06:12 --------- d-----w C:\Program Files\Apple Software Update
2008-01-10 06:10 --------- d-----w C:\Program Files\Common Files\Apple
2008-01-10 06:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-01-10 00:23 --------- d-----w C:\Program Files\NETGEAR
2008-01-07 05:02 28,276 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2008-01-02 05:03 --------- d-----w C:\Documents and Settings\Owner.LEANMACHINE\Application Data\FaxCtr
2007-12-29 15:25 --------- d-----w C:\Program Files\Lexmark_P910 Series
2007-12-29 15:25 --------- d-----w C:\Program Files\Lexmark P910 Series
2007-12-29 15:24 --------- d-----w C:\Program Files\Lexmark Fax Solutions
2007-12-29 15:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\FaxCtr
2007-12-27 15:55 --------- d-----w C:\Program Files\Real
2007-12-27 15:55 --------- d-----w C:\Program Files\Common Files\xing shared
2007-12-27 15:55 --------- d-----w C:\Program Files\Common Files\Real
2007-12-27 03:33 --------- d-----w C:\Program Files\Google
2007-12-26 23:30 --------- d-----w C:\Documents and Settings\Owner.LEANMACHINE\Application Data\Yahoo!
2007-12-25 15:29 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-24 21:00 --------- d-----w C:\Program Files\Program Files
2007-12-24 14:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-12-24 13:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-24 13:53 --------- d-----w C:\Program Files\Yahoo!
2007-12-24 06:04 --------- d-----w C:\Program Files\Common Files\SupportSoft
2007-12-24 06:04 --------- d-----w C:\Program Files\Common Files\Motive
2007-12-24 06:04 --------- d-----w C:\Program Files\BellSouth
2007-12-24 06:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\MotiveSysIDs
2007-12-24 05:56 53,933 ----a-w C:\Program Files\INSTALL.LOG
2007-12-24 05:56 --------- d-----w C:\Program Files\AT&T
2007-12-24 05:56 --------- d-----w C:\Documents and Settings\Owner.LEANMACHINE\Application Data\AT&T
2007-12-24 05:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\AT&T
2007-12-24 05:55 --------- d-----w C:\Program Files\BellSouth Application Management
2007-12-24 05:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2007-12-24 05:52 --------- d-----w C:\Program Files\blstoolbar
2007-12-24 05:22 --------- d-----w C:\Program Files\Common Files\Network Associates
2007-12-24 04:43 --------- d-----w C:\Program Files\HPQ
2007-12-24 04:37 --------- d-----w C:\Program Files\CONEXANT
2007-12-23 23:12 --------- d-----w C:\Program Files\Java
2007-12-23 23:12 --------- d-----w C:\Program Files\Common Files\Java
2007-12-23 23:08 --------- d-----w C:\Program Files\MUSICMATCH
2007-12-23 23:07 --------- d-----w C:\Program Files\MSN Encarta Plus
2007-12-23 23:03 --------- d-----w C:\Program Files\ATI Technologies
2007-12-23 23:02 --------- d-----w C:\Program Files\Synaptics
2007-12-23 23:01 --------- d-----w C:\Program Files\NSC
2007-12-23 23:00 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-23 22:58 --------- d-----w C:\Program Files\HP
2007-12-23 22:19 --------- d-----w C:\Program Files\McAfee
2007-12-22 23:09 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
1997-07-22 00:30 1,045,776 --sha-w C:\WINDOWS\system32\Msjet35.dll
1997-06-23 08:00 123,664 --sha-w C:\WINDOWS\system32\Msjint35.dll
1997-06-23 17:06 24,848 --sha-w C:\WINDOWS\system32\Msjter35.dll
1997-06-23 17:06 252,176 --sha-w C:\WINDOWS\system32\Msrd2x35.dll
1997-06-23 17:06 287,504 --sha-w C:\WINDOWS\system32\Msxbse35.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfee.InstantUpdate.Monitor"="C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" [2002-05-02 01:04 114756]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 11:24 1694208]
"XP Antivirus"="C:\Program Files\XP Antivirus\xpa.exe" [2008-02-16 17:56 530944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alogserv"="C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe" [2002-01-04 06:02 36881]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-22 17:10 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-22 18:06 610304]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 12:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-06-25 15:30 335872]
"Display Settings"="C:\Program Files\HPQ\Notebook Utilities\hptasks.exe" [2002-08-15 06:26 45056]
"MMTray"="" []
"QT4HPOT"="C:\Program Files\HPQ\One-Touch\OneTouch.EXE" [ ]
"CARPService"="carpserv.exe" [2003-05-21 15:35 4608 C:\WINDOWS\system32\carpserv.exe]
"ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 13:12 2061816]
"HelpCenter4.1"="C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe" [2007-06-28 19:02 198184]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 16:22 3739648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-27 10:54 185896]
"LXBYCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBYtime.dll" [2004-09-10 06:59 69632]
"lxbymon.exe"="C:\Program Files\Lexmark P910 Series\lxbymon.exe" [2004-09-22 05:43 188416]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2004-09-22 11:18 299008]
"EzPrint"="C:\Program Files\Lexmark P910 Series\ezprint.exe" [2004-09-17 08:24 61440]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"MSDrive"="C:\WINDOWS\system32\drvreh.dll" [2008-02-17 11:38 103936]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [2007-03-27 09:53 747624]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"MSDisp32"="C:\WINDOWS\system32\drvlal.dll" [2008-02-17 11:38 15872]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WG111v2 Smart Wizard Wireless Setting.lnk - C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2008-01-09 19:23:19 745472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"zip"= {ac6e045c-1886-43c0-88d0-889af2146456} - C:\WINDOWS\Installer\{ac6e045c-1886-43c0-88d0-889af2146456}\zip.dll [2008-02-17 11:38 38438]

R2 AvSynMgr;AVSync Manager;C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe [2002-01-04 06:02]
R2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\system32\DRIVERS\EAPPkt.sys [2005-04-01 11:43]
R2 McciCMService;McciCMService;"C:\Program Files\Common Files\Motive\McciCMService.exe" [2007-09-01 11:40]
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;C:\WINDOWS\system32\drivers\caliaud.sys [2002-11-05 11:04]
R3 CALIHALA;CALIHALA;C:\WINDOWS\system32\drivers\calihal.sys [2002-11-05 11:04]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;C:\WINDOWS\system32\DRIVERS\DP83815.SYS [2003-07-16 21:01]
S3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\FA312nd5.sys [2001-08-17 07:12]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-03-16 11:39]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-15 18:22:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 11:52:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\Installer\{ac6e045c-1886-43c0-88d0-889af2146456}\zip.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-17 11:55:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-17 16:55:15
.

HIJACK THIS log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:02, on 2008-02-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [HelpCenter4.1] C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe /P HelpCenter4.1
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LXBYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBYtime.dll,[email protected]
O4 - HKLM\..\Run: [lxbymon.exe] "C:\Program Files\Lexmark P910 Series\lxbymon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark P910 Series\ezprint.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvreh.dll,startup
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvlal.dll,startup
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [XP Antivirus] C:\Program Files\XP Antivirus\xpa.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk Architectural Desktop 3\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk Architectural Desktop 3\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk Architectural Desktop 3\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk Architectural Desktop 3\AcPreview.ocx
O21 - SSODL: zip - {ac6e045c-1886-43c0-88d0-889af2146456} - C:\WINDOWS\Installer\{ac6e045c-1886-43c0-88d0-889af2146456}\zip.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxby_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbycoms.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

--
End of file - 8119 bytes




My laptop's running much faster than yesterday.
  • 0

#6
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then click OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\drvreh.dll
C:\WINDOWS\system32\drvlal.dll
C:\WINDOWS\system32\sex1.ico.tmp
C:\WINDOWS\system32\sex2.ico.tmp
C:\WINDOWS\system32\sex2.ico
C:\WINDOWS\system32\sex1.ico
C:\WINDOWS\Installer\{ac6e045c-1886-43c0-88d0-889af2146456}\zip.dll
Folder::
C:\Program Files\XP Antivirus
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XP Antivirus"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSDrive"=-
"MSDisp32"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"zip"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Image: animation of dragging CFScript.txt onto ComboFix.exe]


5. After the reboot (if it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0
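One way to confirm that the entries the script above targets are really gone from the follow-up HijackThis log, added here as an example; it is not code from this thread, from ComboFix or from HijackThis. It reads the Registry:: section of the script (a "name"=- line under a [key] header removes that value, the usual REGEDIT4 convention), maps the Run keys to HijackThis O4 lines and the ShellServiceObjectDelayLoad key to O21, and reports any target that still appears in a later log. The sample log lines are copied from the two HijackThis logs posted in this thread; the rundll32 heuristic at the end is my own assumption about what is worth a second look, not anything the tools implement.

```python
"""Check a ComboFix CFScript's registry deletions against a later HijackThis log.

Added example (not part of the thread, ComboFix or HijackThis).
"""
import re

# Constructed sample: O4/O21 lines copied from the first HijackThis log in the
# thread (before the script ran). Only lines relevant to the script are kept.
HJT_BEFORE = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvreh.dll,startup
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvlal.dll,startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [XP Antivirus] C:\Program Files\XP Antivirus\xpa.exe
O21 - SSODL: zip - {ac6e045c-1886-43c0-88d0-889af2146456} - C:\WINDOWS\Installer\{ac6e045c-1886-43c0-88d0-889af2146456}\zip.dll
"""

# Constructed sample: the corresponding lines from the log posted after the fix.
HJT_AFTER = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"""

# The CFScript as posted in the thread.
CFSCRIPT = r"""
File::
C:\WINDOWS\system32\drvreh.dll
C:\WINDOWS\system32\drvlal.dll
Folder::
C:\Program Files\XP Antivirus
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XP Antivirus"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSDrive"=-
"MSDisp32"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"zip"=-
"""

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}


def parse_cfscript(text):
    """Return the set of (section, hive, name) autostart values the script deletes.

    Only the Registry:: section is interpreted: a '"name"=-' line under a
    [key] header deletes that value. Run keys map to HijackThis O4 entries,
    ShellServiceObjectDelayLoad to O21 entries.
    """
    targets = set()
    section, hive, keytail = None, None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):            # File:: / Folder:: / Registry::
            section = line[:-2]
            continue
        if section != "Registry":
            continue
        if line.startswith("[") and line.endswith("]"):
            root, _, rest = line[1:-1].partition("\\")
            hive = HIVES.get(root)
            keytail = rest.rsplit("\\", 1)[-1]
            continue
        m = re.fullmatch(r'"([^"]+)"=-', line)
        if m and hive:
            if keytail == "Run":
                targets.add(("O4", hive, m.group(1)))
            elif keytail == "ShellServiceObjectDelayLoad":
                targets.add(("O21", hive, m.group(1)))
    return targets


O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
O21_RE = re.compile(r"^O21 - SSODL: (\S+) - \{[0-9a-fA-F-]+\} - (.*)$")


def parse_hjt(text):
    """Return (section, hive, name, command) for the O4 and O21 lines of a log."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            entries.append(("O4", m.group(1), m.group(2), m.group(3)))
            continue
        m = O21_RE.match(line)
        if m:                              # SSODL always lives under HKLM
            entries.append(("O21", "HKLM", m.group(1), m.group(2)))
    return entries


def still_present(cfscript, hjt_log):
    """Targets of the script that a later HijackThis log still lists."""
    targets = parse_cfscript(cfscript)
    present = {(s, h, n) for s, h, n, _ in parse_hjt(hjt_log)}
    return sorted(targets & present)


# Heuristic (my assumption): a Run entry that uses rundll32 to load a DLL
# placed directly in system32, the pattern of the two entries removed here.
RUNDLL_SYSTEM32 = re.compile(
    r"^rundll32(?:\.exe)?\s+C:\\WINDOWS\\system32\\[^\\\s]+\.dll", re.I)


def rundll32_loaders(hjt_log):
    """Names of O4 entries matching the heuristic above; for review, not a verdict."""
    return sorted(n for s, _, n, cmd in parse_hjt(hjt_log)
                  if s == "O4" and RUNDLL_SYSTEM32.match(cmd))


if __name__ == "__main__":
    print("still present before:", still_present(CFSCRIPT, HJT_BEFORE))
    print("still present after: ", still_present(CFSCRIPT, HJT_AFTER))
    print("rundll32 loaders before:", rundll32_loaders(HJT_BEFORE))
```

Against the two logs in this thread the check lists all four targets in the first log and none in the second, which is the result you want to see before moving on to the follow-up online scan.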

#7
terrorcyanide

terrorcyanide

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Did as you suggested. Here you go.

COMBOFIX LOG:


ComboFix 08-02-17.2 - Owner 2008-02-17 14:04:55.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.199 [GMT -5:00]
Running from: C:\Documents and Settings\Owner.LEANMACHINE\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.LEANMACHINE\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\Installer\{ac6e045c-1886-43c0-88d0-889af2146456}\zip.dll
C:\WINDOWS\system32\drvlal.dll
C:\WINDOWS\system32\drvreh.dll
C:\WINDOWS\system32\sex1.ico
C:\WINDOWS\system32\sex1.ico.tmp
C:\WINDOWS\system32\sex2.ico
C:\WINDOWS\system32\sex2.ico.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\XP Antivirus
C:\Program Files\XP Antivirus\xpa.exe
C:\WINDOWS\Installer\{ac6e045c-1886-43c0-88d0-889af2146456}\zip.dll
C:\WINDOWS\system32\drvlal.dll
C:\WINDOWS\system32\sex1.ico
C:\WINDOWS\system32\sex1.ico.tmp
C:\WINDOWS\system32\sex2.ico
C:\WINDOWS\system32\sex2.ico.tmp

.
((((((((((((((((((((((((( Files Created from 2008-01-17 to 2008-02-17 )))))))))))))))))))))))))))))))
.

2008-02-17 10:55 . 2008-02-17 10:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-17 04:43 . 2008-02-17 04:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-17 04:43 . 2008-02-17 04:43 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-16 18:32 . 2008-02-16 18:32 <DIR> d-------- C:\Documents and Settings\Owner.LEANMACHINE\Application Data\Grisoft
2008-02-16 18:31 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-16 18:30 . 2008-02-16 18:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-16 18:16 . 2004-10-07 13:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-02-16 18:16 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-02-16 18:16 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-02-15 21:32 . 2008-02-15 21:32 <DIR> d-------- C:\Program Files\iolo
2008-02-15 21:32 . 2008-02-15 21:32 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\iolo
2008-02-15 21:32 . 2006-03-28 09:54 696,320 --a------ C:\WINDOWS\system32\libeay32.dll
2008-02-15 21:32 . 2007-03-27 09:53 435,816 --a------ C:\WINDOWS\system32\Incinerator.dll
2008-02-15 21:32 . 2006-03-28 09:55 155,648 --a------ C:\WINDOWS\system32\ssleay32.dll
2008-02-15 21:32 . 2006-11-25 17:39 41,472 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2008-02-15 21:32 . 2006-11-25 17:39 25,264 --a------ C:\WINDOWS\system32\smrgdf.exe
2008-02-15 21:32 . 2008-02-15 21:32 406 --a------ C:\WINDOWS\system32\ioloBootDefrag.cfg
2008-02-15 21:28 . 2008-02-15 21:53 <DIR> d-------- C:\Documents and Settings\Owner.LEANMACHINE\Application Data\iolo
2008-02-15 21:28 . 2008-02-15 21:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-01-27 18:43 . 2008-01-27 18:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Macrovision
2008-01-27 18:41 . 2008-01-27 18:41 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared
2008-01-27 18:40 . 2003-07-30 18:28 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2008-01-27 18:40 . 2003-07-30 18:28 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2008-01-27 18:40 . 2003-07-30 18:28 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-01-27 18:39 . 2008-01-27 18:40 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2008-01-27 18:37 . 2008-01-27 18:40 <DIR> d-------- C:\Program Files\Macromedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 23:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-22 03:02 --------- d-----w C:\Program Files\Lx_cats
2008-01-15 01:53 --------- d-----w C:\Program Files\Autodesk Architectural Desktop 3
2008-01-15 01:18 --------- d-----w C:\Documents and Settings\Owner.LEANMACHINE\Application Data\Autodesk
2008-01-15 01:11 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-01-15 00:59 --------- d-----w C:\Program Files\WexTech
2008-01-15 00:59 --------- d-----w C:\Program Files\Common Files\Wextech Shared
2008-01-15 00:59 --------- d-----w C:\Program Files\Common Files\LHSPF
2008-01-15 00:58 --------- d-----w C:\Program Files\Volo View Express
2008-01-10 06:19 --------- d-----w C:\Documents and Settings\Owner.LEANMACHINE\Application Data\Apple Computer
2008-01-10 06:18 --------- d-----w C:\Program Files\iTunes
2008-01-10 06:18 --------- d-----w C:\Program Files\iPod
2008-01-10 06:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-10 06:15 --------- d-----w C:\Program Files\QuickTime
2008-01-10 06:12 --------- d-----w C:\Program Files\Apple Software Update
2008-01-10 06:10 --------- d-----w C:\Program Files\Common Files\Apple
2008-01-10 06:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-01-10 00:23 --------- d-----w C:\Program Files\NETGEAR
2008-01-07 05:02 28,276 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2008-01-02 05:03 --------- d-----w C:\Documents and Settings\Owner.LEANMACHINE\Application Data\FaxCtr
2007-12-29 15:25 --------- d-----w C:\Program Files\Lexmark_P910 Series
2007-12-29 15:25 --------- d-----w C:\Program Files\Lexmark P910 Series
2007-12-29 15:24 --------- d-----w C:\Program Files\Lexmark Fax Solutions
2007-12-29 15:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\FaxCtr
2007-12-27 15:55 --------- d-----w C:\Program Files\Real
2007-12-27 15:55 --------- d-----w C:\Program Files\Common Files\xing shared
2007-12-27 15:55 --------- d-----w C:\Program Files\Common Files\Real
2007-12-27 15:54 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-12-27 15:54 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-12-27 03:33 --------- d-----w C:\Program Files\Google
2007-12-26 23:30 --------- d-----w C:\Documents and Settings\Owner.LEANMACHINE\Application Data\Yahoo!
2007-12-25 15:29 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-24 21:00 --------- d-----w C:\Program Files\Program Files
2007-12-24 14:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-12-24 13:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-24 13:53 --------- d-----w C:\Program Files\Yahoo!
2007-12-24 06:04 --------- d-----w C:\Program Files\Common Files\SupportSoft
2007-12-24 06:04 --------- d-----w C:\Program Files\Common Files\Motive
2007-12-24 06:04 --------- d-----w C:\Program Files\BellSouth
2007-12-24 06:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\MotiveSysIDs
2007-12-24 05:56 53,933 ----a-w C:\Program Files\INSTALL.LOG
2007-12-24 05:56 --------- d-----w C:\Program Files\AT&T
2007-12-24 05:56 --------- d-----w C:\Documents and Settings\Owner.LEANMACHINE\Application Data\AT&T
2007-12-24 05:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\AT&T
2007-12-24 05:55 --------- d-----w C:\Program Files\BellSouth Application Management
2007-12-24 05:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2007-12-24 05:52 --------- d-----w C:\Program Files\blstoolbar
2007-12-24 05:22 --------- d-----w C:\Program Files\Common Files\Network Associates
2007-12-24 04:43 --------- d-----w C:\Program Files\HPQ
2007-12-24 04:37 --------- d-----w C:\Program Files\CONEXANT
2007-12-23 23:12 --------- d-----w C:\Program Files\Java
2007-12-23 23:12 --------- d-----w C:\Program Files\Common Files\Java
2007-12-23 23:08 --------- d-----w C:\Program Files\MUSICMATCH
2007-12-23 23:07 --------- d-----w C:\Program Files\MSN Encarta Plus
2007-12-23 23:03 --------- d-----w C:\Program Files\ATI Technologies
2007-12-23 23:02 --------- d-----w C:\Program Files\Synaptics
2007-12-23 23:01 --------- d-----w C:\Program Files\NSC
2007-12-23 23:00 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-23 22:58 --------- d-----w C:\Program Files\HP
2007-12-23 22:19 --------- d-----w C:\Program Files\McAfee
2007-12-22 23:09 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
1997-07-22 00:30 1,045,776 --sha-w C:\WINDOWS\system32\Msjet35.dll
1997-06-23 08:00 123,664 --sha-w C:\WINDOWS\system32\Msjint35.dll
1997-06-23 17:06 24,848 --sha-w C:\WINDOWS\system32\Msjter35.dll
1997-06-23 17:06 252,176 --sha-w C:\WINDOWS\system32\Msrd2x35.dll
1997-06-23 17:06 287,504 --sha-w C:\WINDOWS\system32\Msxbse35.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfee.InstantUpdate.Monitor"="C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" [2002-05-02 01:04 114756]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 11:24 1694208]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alogserv"="C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe" [2002-01-04 06:02 36881]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-22 17:10 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-22 18:06 610304]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 12:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-06-25 15:30 335872]
"Display Settings"="C:\Program Files\HPQ\Notebook Utilities\hptasks.exe" [2002-08-15 06:26 45056]
"MMTray"="" []
"QT4HPOT"="C:\Program Files\HPQ\One-Touch\OneTouch.EXE" [ ]
"CARPService"="carpserv.exe" [2003-05-21 15:35 4608 C:\WINDOWS\system32\carpserv.exe]
"ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 13:12 2061816]
"HelpCenter4.1"="C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe" [2007-06-28 19:02 198184]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 16:22 3739648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-27 10:54 185896]
"LXBYCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBYtime.dll" [2004-09-10 06:59 69632]
"lxbymon.exe"="C:\Program Files\Lexmark P910 Series\lxbymon.exe" [2004-09-22 05:43 188416]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2004-09-22 11:18 299008]
"EzPrint"="C:\Program Files\Lexmark P910 Series\ezprint.exe" [2004-09-17 08:24 61440]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [2007-03-27 09:53 747624]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WG111v2 Smart Wizard Wireless Setting.lnk - C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2008-01-09 19:23:19 745472]

R2 AvSynMgr;AVSync Manager;C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe [2002-01-04 06:02]
R2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\system32\DRIVERS\EAPPkt.sys [2005-04-01 11:43]
R2 McciCMService;McciCMService;"C:\Program Files\Common Files\Motive\McciCMService.exe" [2007-09-01 11:40]
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;C:\WINDOWS\system32\drivers\caliaud.sys [2002-11-05 11:04]
R3 CALIHALA;CALIHALA;C:\WINDOWS\system32\drivers\calihal.sys [2002-11-05 11:04]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;C:\WINDOWS\system32\DRIVERS\DP83815.SYS [2003-07-16 21:01]
S3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\FA312nd5.sys [2001-08-17 07:12]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-03-16 11:39]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-15 18:22:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 14:07:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-17 14:07:58
ComboFix-quarantined-files.txt 2008-02-17 19:07:35
ComboFix2.txt 2008-02-17 16:55:35
.
2008-02-13 05:05:37 --- E O F ---




HIJACKTHIS LOG:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:08, on 2008-02-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [HelpCenter4.1] C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe /P HelpCenter4.1
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LXBYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBYtime.dll,[email protected]
O4 - HKLM\..\Run: [lxbymon.exe] "C:\Program Files\Lexmark P910 Series\lxbymon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark P910 Series\ezprint.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk Architectural Desktop 3\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk Architectural Desktop 3\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk Architectural Desktop 3\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk Architectural Desktop 3\AcPreview.ocx
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxby_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbycoms.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

--
End of file - 7908 bytes
  • 0

#8
terrorcyanide

terrorcyanide

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Also, the security breach pop-ups have now stopped. Initially, when it happened, it installed 2 icons on my desktop which would return when deleted; that has now stopped, and I don't see those shortcuts anymore.
  • 0

#9
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Great :)

Please do an online scan with Kaspersky WebScanner
(This scanner is for use with Internet Explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan, select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0
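A helper for reading the report this step produces, added here as an example and not code from this thread or from Kaspersky. The scanner lists every object it could not open as "Object is locked skipped" (registry hives, index.dat files and the like, which are in use, not infected), and after a ComboFix run it also flags the copies sitting in ComboFix's QooBox quarantine and in System Restore snapshots under System Volume Information. What needs attention is any detection outside those two places. The sample lines are constructed in the format the report in this thread uses; the path conventions for quarantine and restore points are the ones that report itself shows.

```python
"""Triage a Kaspersky Online Scanner report: live detections versus copies in
quarantine and System Restore, with locked (in-use) objects counted separately.

Added example (not part of the thread or of Kaspersky's tooling).
"""
import re

# Constructed sample: a few report lines in the scanner's one-object-per-line
# format, each ending with its status.
SAMPLE_REPORT = r"""
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drvlal.dll.vir Infected: Trojan.Win32.Dialer.yz skipped
C:\QooBox\Quarantine\catchme2008-02-17_115222.87.zip/rqroolk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-17_115222.87.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{530FCE31-760E-4A18-AD93-B6C79A2F7121}\RP140\A0011046.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\WINDOWS\Installer\{3c2bb4eb-5158-4be5-b0c6-c8c6007c6307}\zip.dll Infected: Trojan-Downloader.Win32.BHO.ct skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

# path, then one of: "Infected: <name>", "ZIP: infected - N", "Object is locked"
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<name>\S+)|ZIP: infected - \d+|(?P<locked>Object is locked))"
    r" skipped$")


def classify_path(path):
    """Where the object lives: ComboFix quarantine, a restore point, or the live system."""
    low = path.lower()
    if "\\qoobox\\quarantine\\" in low:
        return "quarantine"
    if "\\system volume information\\_restore" in low:
        return "restore_point"
    return "live"


def triage(report):
    """Split a report into live / quarantine / restore_point detections.

    'locked' counts objects the scanner could not open (not detections);
    'archives' counts container summary lines, whose members are listed
    on their own lines and classified there.
    """
    result = {"live": [], "quarantine": [], "restore_point": [],
              "locked": 0, "archives": 0}
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m.group("locked"):
            result["locked"] += 1
        elif m.group("name") is None:
            result["archives"] += 1
        else:
            result[classify_path(m.group("path"))].append(
                (m.group("path"), m.group("name")))
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_REPORT)
    for bucket in ("live", "quarantine", "restore_point"):
        print(f"{bucket}: {len(r[bucket])}")
        for path, name in r[bucket]:
            print(f"  {name}  {path}")
    print(f"locked objects: {r['locked']}, archive summaries: {r['archives']}")
```

Run on the constructed sample, the only live detection is the zip.dll under C:\WINDOWS\Installer; the quarantine and restore-point hits are the files already removed, and the helper handling the thread would clear those by emptying the quarantine and resetting System Restore rather than treating them as a new infection.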

#10
terrorcyanide

terrorcyanide

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-02-17 21:59
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/02/2008
Kaspersky Anti-Virus database records: 570085
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 52238
Number of viruses found: 6
Number of infected objects: 23
Number of suspicious objects: 0
Duration of the scan process: 01:38:09

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner.LEANMACHINE\Application Data\AT&T\Internet Security Wizard\client_gateway.log Object is locked skipped
C:\Documents and Settings\Owner.LEANMACHINE\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner.LEANMACHINE\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner.LEANMACHINE\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner.LEANMACHINE\Local Settings\Application Data\SupportSoft\HelpCenter4.1\Owner\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\Owner.LEANMACHINE\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner.LEANMACHINE\Local Settings\History\History.IE5\MSHist012008021720080218\index.dat Object is locked skipped
C:\Documents and Settings\Owner.LEANMACHINE\Local Settings\Temp\Perflib_Perfdata_450.dat Object is locked skipped
C:\Documents and Settings\Owner.LEANMACHINE\Local Settings\Temp\Perflib_Perfdata_a3c.dat Object is locked skipped
C:\Documents and Settings\Owner.LEANMACHINE\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner.LEANMACHINE\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner.LEANMACHINE\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner.LEANMACHINE\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\Installer\{ac6e045c-1886-43c0-88d0-889af2146456}\zip.dll.vir Infected: Trojan-Downloader.Win32.BHO.ct skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drvlal.dll.vir Infected: Trojan.Win32.Dialer.yz skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\winoqy32.dll.vir Infected: Trojan.Win32.Dialer.yz skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wscmp.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.cc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\yaywurq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-17_115222.87.zip/rqroolk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-17_115222.87.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{530FCE31-760E-4A18-AD93-B6C79A2F7121}\RP140\A0011022.sys Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{530FCE31-760E-4A18-AD93-B6C79A2F7121}\RP140\A0011023.sys Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{530FCE31-760E-4A18-AD93-B6C79A2F7121}\RP140\A0011028.exe Infected: not-a-virus:FraudTool.Win32.BestSeller.c skipped
C:\System Volume Information\_restore{530FCE31-760E-4A18-AD93-B6C79A2F7121}\RP140\A0011029.exe Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{530FCE31-760E-4A18-AD93-B6C79A2F7121}\RP140\A0011032.exe Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{530FCE31-760E-4A18-AD93-B6C79A2F7121}\RP140\A0011039.old Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{530FCE31-760E-4A18-AD93-B6C79A2F7121}\RP140\A0011041.old Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{530FCE31-760E-4A18-AD93-B6C79A2F7121}\RP140\A0011042.old Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{530FCE31-760E-4A18-AD93-B6C79A2F7121}\RP140\A0011046.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{530FCE31-760E-4A18-AD93-B6C79A2F7121}\RP141\A0011061.dll Infected: not-a-virus:AdWare.Win32.BHO.cc skipped
C:\System Volume Information\_restore{530FCE31-760E-4A18-AD93-B6C79A2F7121}\RP141\A0011070.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{530FCE31-760E-4A18-AD93-B6C79A2F7121}\RP141\A0011080.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{530FCE31-760E-4A18-AD93-B6C79A2F7121}\RP141\A0011135.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{530FCE31-760E-4A18-AD93-B6C79A2F7121}\RP142\A0011144.dll Infected: Trojan-Downloader.Win32.BHO.ct skipped
C:\System Volume Information\_restore{530FCE31-760E-4A18-AD93-B6C79A2F7121}\RP142\A0011145.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{530FCE31-760E-4A18-AD93-B6C79A2F7121}\RP142\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Installer\{3c2bb4eb-5158-4be5-b0c6-c8c6007c6307}\zip.dll Infected: Trojan-Downloader.Win32.BHO.ct skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\WebPoolFileFile Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
  • 0



#11
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\Installer\{3c2bb4eb-5158-4be5-b0c6-c8c6007c6307}\zip.dll


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#12
terrorcyanide

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
All my desktop icons disappeared, including the task bar. :)




ComboFix 08-02-17.2 - Owner 2008-02-17 22:31:56.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.173 [GMT -5:00]
Running from: C:\Documents and Settings\Owner.LEANMACHINE\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.LEANMACHINE\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\Installer\{3c2bb4eb-5158-4be5-b0c6-c8c6007c6307}\zip.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Installer\{3c2bb4eb-5158-4be5-b0c6-c8c6007c6307}\zip.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 )))))))))))))))))))))))))))))))
.

2008-02-17 14:30 . 2008-02-17 14:30 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-17 14:30 . 2008-02-17 14:30 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-17 14:30 . 2008-02-17 14:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-17 10:55 . 2008-02-17 10:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-17 04:43 . 2008-02-17 04:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-17 04:43 . 2008-02-17 04:43 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-16 18:32 . 2008-02-16 18:32 <DIR> d-------- C:\Documents and Settings\Owner.LEANMACHINE\Application Data\Grisoft
2008-02-16 18:31 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-16 18:30 . 2008-02-16 18:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-16 18:16 . 2004-10-07 13:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-02-16 18:16 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-02-16 18:16 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-02-15 21:32 . 2008-02-15 21:32 <DIR> d-------- C:\Program Files\iolo
2008-02-15 21:32 . 2008-02-15 21:32 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\iolo
2008-02-15 21:32 . 2006-03-28 09:54 696,320 --a------ C:\WINDOWS\system32\libeay32.dll
2008-02-15 21:32 . 2007-03-27 09:53 435,816 --a------ C:\WINDOWS\system32\Incinerator.dll
2008-02-15 21:32 . 2006-03-28 09:55 155,648 --a------ C:\WINDOWS\system32\ssleay32.dll
2008-02-15 21:32 . 2006-11-25 17:39 41,472 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2008-02-15 21:32 . 2006-11-25 17:39 25,264 --a------ C:\WINDOWS\system32\smrgdf.exe
2008-02-15 21:32 . 2008-02-15 21:32 406 --a------ C:\WINDOWS\system32\ioloBootDefrag.cfg
2008-02-15 21:28 . 2008-02-15 21:53 <DIR> d-------- C:\Documents and Settings\Owner.LEANMACHINE\Application Data\iolo
2008-02-15 21:28 . 2008-02-15 21:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-01-27 18:43 . 2008-01-27 18:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Macrovision
2008-01-27 18:41 . 2008-01-27 18:41 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared
2008-01-27 18:40 . 2003-07-30 18:28 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2008-01-27 18:40 . 2003-07-30 18:28 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2008-01-27 18:40 . 2003-07-30 18:28 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-01-27 18:39 . 2008-01-27 18:40 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2008-01-27 18:37 . 2008-01-27 18:40 <DIR> d-------- C:\Program Files\Macromedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 23:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-22 03:02 --------- d-----w C:\Program Files\Lx_cats
2008-01-15 01:53 --------- d-----w C:\Program Files\Autodesk Architectural Desktop 3
2008-01-15 01:18 --------- d-----w C:\Documents and Settings\Owner.LEANMACHINE\Application Data\Autodesk
2008-01-15 01:11 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-01-15 00:59 --------- d-----w C:\Program Files\WexTech
2008-01-15 00:59 --------- d-----w C:\Program Files\Common Files\Wextech Shared
2008-01-15 00:59 --------- d-----w C:\Program Files\Common Files\LHSPF
2008-01-15 00:58 --------- d-----w C:\Program Files\Volo View Express
2008-01-10 06:19 --------- d-----w C:\Documents and Settings\Owner.LEANMACHINE\Application Data\Apple Computer
2008-01-10 06:18 --------- d-----w C:\Program Files\iTunes
2008-01-10 06:18 --------- d-----w C:\Program Files\iPod
2008-01-10 06:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-10 06:15 --------- d-----w C:\Program Files\QuickTime
2008-01-10 06:12 --------- d-----w C:\Program Files\Apple Software Update
2008-01-10 06:10 --------- d-----w C:\Program Files\Common Files\Apple
2008-01-10 06:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-01-10 00:23 --------- d-----w C:\Program Files\NETGEAR
2008-01-07 05:02 28,276 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2008-01-02 05:03 --------- d-----w C:\Documents and Settings\Owner.LEANMACHINE\Application Data\FaxCtr
2007-12-29 15:25 --------- d-----w C:\Program Files\Lexmark_P910 Series
2007-12-29 15:25 --------- d-----w C:\Program Files\Lexmark P910 Series
2007-12-29 15:24 --------- d-----w C:\Program Files\Lexmark Fax Solutions
2007-12-29 15:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\FaxCtr
2007-12-27 15:55 --------- d-----w C:\Program Files\Real
2007-12-27 15:55 --------- d-----w C:\Program Files\Common Files\xing shared
2007-12-27 15:55 --------- d-----w C:\Program Files\Common Files\Real
2007-12-27 15:54 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-12-27 15:54 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-12-27 03:33 --------- d-----w C:\Program Files\Google
2007-12-26 23:30 --------- d-----w C:\Documents and Settings\Owner.LEANMACHINE\Application Data\Yahoo!
2007-12-25 15:29 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-24 21:00 --------- d-----w C:\Program Files\Program Files
2007-12-24 14:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-12-24 13:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-24 13:53 --------- d-----w C:\Program Files\Yahoo!
2007-12-24 06:04 --------- d-----w C:\Program Files\Common Files\SupportSoft
2007-12-24 06:04 --------- d-----w C:\Program Files\Common Files\Motive
2007-12-24 06:04 --------- d-----w C:\Program Files\BellSouth
2007-12-24 06:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\MotiveSysIDs
2007-12-24 05:56 53,933 ----a-w C:\Program Files\INSTALL.LOG
2007-12-24 05:56 --------- d-----w C:\Program Files\AT&T
2007-12-24 05:56 --------- d-----w C:\Documents and Settings\Owner.LEANMACHINE\Application Data\AT&T
2007-12-24 05:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\AT&T
2007-12-24 05:55 --------- d-----w C:\Program Files\BellSouth Application Management
2007-12-24 05:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2007-12-24 05:52 --------- d-----w C:\Program Files\blstoolbar
2007-12-24 05:22 --------- d-----w C:\Program Files\Common Files\Network Associates
2007-12-24 04:43 --------- d-----w C:\Program Files\HPQ
2007-12-24 04:37 --------- d-----w C:\Program Files\CONEXANT
2007-12-23 23:12 --------- d-----w C:\Program Files\Java
2007-12-23 23:12 --------- d-----w C:\Program Files\Common Files\Java
2007-12-23 23:08 --------- d-----w C:\Program Files\MUSICMATCH
2007-12-23 23:07 --------- d-----w C:\Program Files\MSN Encarta Plus
2007-12-23 23:03 --------- d-----w C:\Program Files\ATI Technologies
2007-12-23 23:02 --------- d-----w C:\Program Files\Synaptics
2007-12-23 23:01 --------- d-----w C:\Program Files\NSC
2007-12-23 23:00 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-23 22:58 --------- d-----w C:\Program Files\HP
2007-12-23 22:19 --------- d-----w C:\Program Files\McAfee
2007-12-22 23:09 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
1997-07-22 00:30 1,045,776 --sha-w C:\WINDOWS\system32\Msjet35.dll
1997-06-23 08:00 123,664 --sha-w C:\WINDOWS\system32\Msjint35.dll
1997-06-23 17:06 24,848 --sha-w C:\WINDOWS\system32\Msjter35.dll
1997-06-23 17:06 252,176 --sha-w C:\WINDOWS\system32\Msrd2x35.dll
1997-06-23 17:06 287,504 --sha-w C:\WINDOWS\system32\Msxbse35.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfee.InstantUpdate.Monitor"="C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" [2002-05-02 01:04 114756]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 11:24 1694208]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alogserv"="C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe" [2002-01-04 06:02 36881]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-22 17:10 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-22 18:06 610304]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 12:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-06-25 15:30 335872]
"Display Settings"="C:\Program Files\HPQ\Notebook Utilities\hptasks.exe" [2002-08-15 06:26 45056]
"MMTray"="" []
"QT4HPOT"="C:\Program Files\HPQ\One-Touch\OneTouch.EXE" [ ]
"CARPService"="carpserv.exe" [2003-05-21 15:35 4608 C:\WINDOWS\system32\carpserv.exe]
"ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 13:12 2061816]
"HelpCenter4.1"="C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe" [2007-06-28 19:02 198184]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 16:22 3739648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-27 10:54 185896]
"LXBYCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBYtime.dll" [2004-09-10 06:59 69632]
"lxbymon.exe"="C:\Program Files\Lexmark P910 Series\lxbymon.exe" [2004-09-22 05:43 188416]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2004-09-22 11:18 299008]
"EzPrint"="C:\Program Files\Lexmark P910 Series\ezprint.exe" [2004-09-17 08:24 61440]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [2007-03-27 09:53 747624]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WG111v2 Smart Wizard Wireless Setting.lnk - C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2008-01-09 19:23:19 745472]

R2 AvSynMgr;AVSync Manager;C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe [2002-01-04 06:02]
R2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\system32\DRIVERS\EAPPkt.sys [2005-04-01 11:43]
R2 McciCMService;McciCMService;"C:\Program Files\Common Files\Motive\McciCMService.exe" [2007-09-01 11:40]
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;C:\WINDOWS\system32\drivers\caliaud.sys [2002-11-05 11:04]
R3 CALIHALA;CALIHALA;C:\WINDOWS\system32\drivers\calihal.sys [2002-11-05 11:04]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;C:\WINDOWS\system32\DRIVERS\DP83815.SYS [2003-07-16 21:01]
S3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\FA312nd5.sys [2001-08-17 07:12]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-03-16 11:39]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-15 18:22:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 22:35:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-17 22:36:30
ComboFix-quarantined-files.txt 2008-02-18 03:35:58
ComboFix2.txt 2008-02-17 19:07:59
ComboFix3.txt 2008-02-17 16:55:35
.
2008-02-13 05:05:37 --- E O F ---
  • 0

#13
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
OK, hit Ctrl+Alt+Delete all at the same time on your keyboard to open up Task Manager.

Click on File at the top and then New Task (Run...).
Type in explorer.exe, then hit OK.

This infection is hooked into that file; that is why it killed it when you deleted that file.

Let me know if that fixes it.
  • 0

#14
terrorcyanide

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
It worked. Thanks. Is that the solution whenever that happens?

Here is the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:50, on 2008-02-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [HelpCenter4.1] C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe /P HelpCenter4.1
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LXBYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBYtime.dll,[email protected]
O4 - HKLM\..\Run: [lxbymon.exe] "C:\Program Files\Lexmark P910 Series\lxbymon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark P910 Series\ezprint.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk Architectural Desktop 3\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk Architectural Desktop 3\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk Architectural Desktop 3\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk Architectural Desktop 3\AcPreview.ocx
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxby_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbycoms.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

--
End of file - 8070 bytes
  • 0

#15
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Well, it shouldn't happen again, but yes, usually that is the way to fix the problem.
======================================================
Please re-open HijackThis and click on "Do a system scan only".
Then place a check mark next to these entries below:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


Now click on Fix Checked and then close HijackThis.
====================================
Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the Run box and click OK

    Posted Image

    The above procedure will delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Clean System Restore points.

Also delete anything that we used that is left over.
===================================
After that your log is clean. :)

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein ->Here
  • 0
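As an added example (not from this thread, and not part of HijackThis or ComboFix), here is a small Python parser for HijackThis log lines of the kind posted above. It flags the two empty "Local Page" R0 entries kahdah had fixed, plus a few other entry shapes a helper looks at first; the sample lines are constructed from the posted log, and the review heuristics are this example's own, not HijackThis's built-in logic.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the HijackThis v2.0.2 log posted in this
# thread: one normal R0 line, the two empty "Local Page" lines kahdah asks
# to fix, and a few O2/O4/O23 lines in the different shapes that occur.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
--
End of file - 8070 bytes
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<location>[^:]+): \[(?P<name>[^\]]*)\] ?(?P<target>.*)$")
DRIVE_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


@dataclass
class Entry:
    kind: str        # HijackThis section tag: R0, O2, O4, O23, ...
    key: str         # IE setting, Run value name, shortcut, or service name
    value: str       # URL, startup target or service binary ("" when empty)
    owner: str = ""  # O23 only: the vendor HijackThis reports for the service


def parse_log(text: str) -> list:
    """Turn HijackThis log lines into Entry records; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        key, value, owner = body, "", ""
        if kind in ("R0", "R1") and " =" in body:
            # "<hive>\...\Main,<setting> = <url>"; the URL may be missing entirely
            key, _, value = body.partition(" =")
        elif kind == "O4":
            o4 = O4_RE.match(body)
            if o4:                                  # "HKLM\..\Run: [Name] target"
                key, value = o4.group("name"), o4.group("target")
            else:                                   # "Global Startup: x.lnk = target"
                key, _, value = body.partition(" = ")
        elif kind == "O23":
            # "Service: <display name> - <owner> - <binary path>"
            parts = body[len("Service: "):].split(" - ") if body.startswith("Service: ") else [body]
            key, value = parts[0], parts[-1]
            if len(parts) >= 3:
                owner = parts[1]
        entries.append(Entry(kind, key.strip(), value.strip(), owner.strip()))
    return entries


def review(entries) -> list:
    """Flag the entry shapes a helper would look at first; returns (kind, key, reason) tuples.
    These are this example's own heuristics, not HijackThis's built-in logic."""
    findings = []
    for e in entries:
        if e.kind in ("R0", "R1") and e.value == "":
            findings.append((e.kind, e.key, "empty IE setting (the Local Page lines fixed in this thread)"))
        elif e.kind == "O4" and e.value == "?":
            findings.append((e.kind, e.key, "startup shortcut whose target HijackThis could not resolve"))
        elif e.kind == "O4" and not DRIVE_PATH_RE.match(e.value):
            findings.append((e.kind, e.key, "Run entry with a bare file name, located via PATH at logon"))
        elif e.kind == "O23" and e.owner == "Unknown owner":
            findings.append((e.kind, e.key, "service binary without a vendor name"))
    return findings


if __name__ == "__main__":
    for kind, key, reason in review(parse_log(SAMPLE_LOG)):
        print(f"{kind:<4} {key}: {reason}")
```

Bare-name Run entries are not bad by themselves (ComboFix's "Reg Loading Points" resolved carpserv.exe to C:\WINDOWS\system32 above); the point is that they deserve a second look, since the file actually launched depends on the PATH at logon.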
