I Believe I have a KeyLogger in my Gmail [RESOLVED]


  • This topic is locked

#1
Learnatic

    Member

  • 131 posts
Hi all,
A few days ago I sent an email to a friend suggesting she get "Microsoft Office 2007".
Later that day, I received an email from an unknown address, eg [email protected], selling me this product in my Gmail inbox.
Today I mentioned "Microsoft Office 2007" in an email and tonight I received the offer again, also from a strange "Hotmail" account.
I have also been getting ads for watches and 'thing' expanders with my real name in emails.
I believe this points to me having someone watching my emails in Gmail.
How can I prevent this?
Here's my Hijack This Log ... and at the end, a copy and paste of today's example of the rogue Microsoft attempt to sell "Office 2007"
Cheers,
Max.


Here's my Hijack Log.
Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:23 AM, on 12/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Eset\nod32kui.exe
C:\PROGRAMS\AA - Stored Programs\Ad Muncher v4.71 Build 28140 (1782) - CRACKED\Ad Muncher\Ad Muncher\AdMunch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HACE\Mmm\MmmTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\WINDOWS\system32\HDDSvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\OO Software\CleverCache\ooccag.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Max Crane\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common

Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft

Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3900 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEP.EXE /FU

"C:\WINDOWS\TEMP\E_S224.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Ad Muncher] "C:\PROGRAMS\AA - Stored Programs\Ad Muncher v4.71 Build 28140 (1782) - CRACKED\Ad Muncher\Ad

Muncher\AdMunch.exe" /bt
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Mmm] "C:\Program Files\HACE\Mmm\MmmTray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Block frame with Ad Muncher -

http://www.admuncher...i...&pass=8RLS9

45U&id=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher -

http://www.admuncher...i...&pass=8RLS9

45U&id=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher -

http://www.admuncher...i...&pass=8RLS9

45U&id=menu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher -

http://www.admuncher...i...&pass=8RLS9

45U&id=menu_ie_exclude
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\PROGRAMS\Advanced JPEG Compressor\ajcieex.htm
O8 - Extra context menu item: Report page to the Ad Muncher developers -

http://www.admuncher...i...&pass=8RLS9

45U&id=menu_ie_report
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://www.update.mi...b?1193015734890
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://www.update.mi...b?1193015572453
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: HDD Information Service (HDDSvc) - AltrixSoft (http://www.altrixsoft.com/) - C:\WINDOWS\system32\HDDSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common

Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: O&O CleverCache Agent (OOCleverCacheAgent) - O&O Software GmbH - C:\Program Files\OO

Software\CleverCache\ooccag.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared

Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program

Files\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog

Devices\SoundMAX\SMAgent.exe

--
End of file - 8015 bytes
=================================================
Microsoft Office Enterprise 2007 ready to download Spam

Marco Lake <[email protected]>
to bkreiter

09:00
Microsoft Office Enterprise 2007 includes:
• Access 2007
• Communicator 2007
• Excel 2007
• Groove 2007
• InfoPath 2007
• OneNote 2007
• Outlook 2007
• PowerPoint 2007
• Publisher 2007
• Word 2007

http://sofiahenderso...15.blogspot.com

Edited by Learnatic, 11 March 2008 - 04:25 PM.

  • 0



#2
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
This is the first time I'm seeing this. Are you sure it's not just an isolated spam issue? It's not uncommon. Also, did you ask your friend if she received your email? Is she having any problems with her computer? I have seen malware that uses other computers as zombies to send out emails...

Please make sure that Word Wrap is turned OFF in Notepad before you post your HijackThis log next time. As you can see, the formatting it creates (see the log you posted) makes it harder for us to read it. To turn this off, go to Format and make sure Word Wrap is unchecked.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
  • 0
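An added illustration, not part of the original thread or of HijackThis itself: a small Python helper that undoes the Notepad word-wrap damage described in the reply above and lists the entries whose target is reported as "(no file)". The sample text is an excerpt of the log posted in this thread; the function names and the rule of rejoining wrapped fragments with a single space are assumptions of this example.

```python
import re

# HijackThis entry lines start with a section code (R0-R3, F0-F3, N1-N4,
# O1-O24) followed by " - ". Anything else inside the entry section is
# treated as a wrapped continuation of the previous entry.
ENTRY_START = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Excerpt of the word-wrapped log from the first post of this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\Explorer.EXE

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common

Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: O&O CleverCache Agent (OOCleverCacheAgent) - O&O Software GmbH - C:\Program Files\OO

Software\CleverCache\ooccag.exe

--
End of file - 8015 bytes
"""


def unwrap_entries(log_text):
    """Return the entry lines of a HijackThis log with wrap breaks undone."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "--" or line.startswith("End of file"):
            break  # trailer reached, nothing after it is an entry
        if not line:
            continue  # blank lines left behind by the wrapped paste
        if ENTRY_START.match(line):
            entries.append(line)
        elif entries:
            # Assumption: the wrap happened at a space, so rejoin with one.
            entries[-1] += " " + line
        # Lines before the first entry (header, running processes) are skipped.
    return entries


def missing_file_entries(entries):
    """Return code/CLSID/text for entries whose target is '(no file)'."""
    flagged = []
    for entry in entries:
        if not entry.endswith("(no file)"):
            continue
        clsid = CLSID.search(entry)
        flagged.append({
            "code": ENTRY_START.match(entry).group(1),
            "clsid": clsid.group(0) if clsid else None,
            "entry": entry,
        })
    return flagged


if __name__ == "__main__":
    for item in missing_file_entries(unwrap_entries(SAMPLE_LOG)):
        print(item["code"], item["clsid"])
```

An entry flagged this way only means the registry reference points at a file that no longer exists; whether to fix it is still a judgement for whoever reviews the log.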

#3
Learnatic

    Member

  • Topic Starter
  • 131 posts
Thanks GreyKnight,

I've deleted the BHO and done another scan.
Also unchecked 'Word Wrap'.
Sorry to add to the confusion.
I also am getting this every five to ten minutes in my Spam filter in Gmail
... (I've replaced my real name with "My Name").


.."..Instead of a real one? The reason why replica watches are … 04:30
Vivien Gilmore Can you imagine what it is like to be a real man in bed! - 10 advantages 03:55
Wilt Sollie ello My Name, Conquer her with your power, 8494954317 - 03:04
Theodoric Orlan Hello My Name, Quality Men's products, 6671572470 - Pills 4 Men Your health 02:31
Rikki Hugibert ?Hello My Name, High standard products for you, 8868896979 - Your correct 02:28
Whitney Iago ?Hello My Name, Get Men's Health products in seconds, 3263647887 - Just imagine..".. 2:26


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:48:28 PM, on 17/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HACE\Mmm\MmmTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\WINDOWS\system32\HDDSvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\OO Software\CleverCache\ooccag.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\SiSoftware\SiSoftware Sandra Professional Business XII.SP2\RpcAgentSrv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRAMS\AA - Stored Programs\Ad Muncher v4.71 Build 28140 (1782) - CRACKED\Ad Muncher\Ad Muncher\AdMunch.exe
C:\PROGRAMS\hijackthis\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3900 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEP.EXE /FU "C:\WINDOWS\TEMP\E_S224.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Mmm] "C:\Program Files\HACE\Mmm\MmmTray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher...d=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher...d=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher...id=menu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher...menu_ie_exclude
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\PROGRAMS\Advanced JPEG Compressor\ajcieex.htm
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher...=menu_ie_report
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1193015734890
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1193015572453
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: HDD Information Service (HDDSvc) - AltrixSoft (http://www.altrixsoft.com/) - C:\WINDOWS\system32\HDDSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: O&O CleverCache Agent (OOCleverCacheAgent) - O&O Software GmbH - C:\Program Files\OO Software\CleverCache\ooccag.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional Business XII.SP2\RpcAgentSrv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8293 bytes

Cheers,
Max.

  • 0

#4
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
I still have my doubts this problem is malware-related... but if you want, you can run the below scans:

Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.

Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoft.../activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply.

I see you have a cracked copy of a program also. We don't recommend using pirated copies of any program...
  • 0

#5
Learnatic

    Member

  • Topic Starter
  • 131 posts
G'day GreyKnight,
Having trouble installing the Panda .. please see attached.
Here is the log for ComboFix and I'll keep trying the Panda though getting late.
Thanks for the advice,
Max.


ComboFix 08-04-16.5 - Max My Name 2008-04-18 18:12:50.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.646 [GMT 10:00]
Running from: C:\Documents and Settings\Max My Name\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Max My Name\Application Data\inst.exe
C:\RECYCLER\desktopA.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2008-03-18 to 2008-04-18 )))))))))))))))))))))))))))))))
.

2008-04-14 23:04 . 2008-04-17 01:24 <DIR> d-------- C:\Documents and Settings\Max My Name\Application Data\TweakNow RegCleaner Professional
2008-04-10 23:29 . 2008-04-16 15:13 <DIR> d-------- C:\Program Files\SiSoftware
2008-04-08 22:24 . 2008-04-08 22:29 <DIR> d-------- C:\divx
2008-04-08 10:56 . 2008-04-08 10:56 164 --a------ C:\WINDOWS\system32\test.aok
2008-04-08 07:56 . 2008-04-08 08:02 <DIR> d-------- C:\OutputFolder
2008-04-05 09:33 . 2008-04-05 09:33 24 --a------ C:\WINDOWS\system32\Drv32_16.ini
2008-04-01 07:25 . 2008-04-01 07:25 831,488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-04-01 07:25 . 2008-04-01 07:25 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2008-04-01 07:25 . 2008-04-01 07:25 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2008-04-01 07:25 . 2008-04-01 07:25 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2008-04-01 07:25 . 2008-04-01 07:25 682,496 --a------ C:\WINDOWS\system32\DivX.dll
2008-04-01 07:25 . 2008-04-01 07:25 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-25 11:38 . 2008-03-25 11:38 <DIR> d-------- C:\Documents and Settings\Max My Name\Application Data\Malwarebytes
2008-03-25 11:38 . 2008-03-25 11:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-25 05:45 . 2008-03-25 05:45 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2008-03-22 06:30 . 2008-03-22 06:30 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-03-22 06:30 . 2008-03-22 06:30 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-03-22 06:30 . 2008-03-22 06:30 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-03-22 06:30 . 2008-03-22 06:30 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-03-22 06:30 . 2008-03-22 06:30 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-03-19 07:46 . 2008-03-19 07:46 <DIR> d-------- C:\Documents and Settings\Max My Name\Application Data\JAM Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-17 04:28 --------- d-----w C:\Documents and Settings\Max My Name\Application Data\LimeWire
2008-04-17 01:34 --------- d-----w C:\Documents and Settings\Max My Name\Application Data\BitTorrent
2008-04-17 01:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-17 01:08 --------- d-----w C:\Program Files\OO Software
2008-04-16 15:25 --------- d-----w C:\Program Files\DVDFab Platinum 4
2008-04-16 15:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-16 15:22 --------- d-----w C:\Program Files\audiograbber
2008-04-16 13:32 --------- d-----w C:\Documents and Settings\Max My Name\Application Data\GlarySoft
2008-04-15 00:57 --------- d-----w C:\Documents and Settings\Max My Name\Application Data\Vso
2008-04-12 06:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2008-04-11 23:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-11 23:42 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-08 12:29 --------- d-----w C:\Program Files\DivX
2008-04-02 09:29 --------- d-----w C:\Program Files\Ashampoo
2008-04-01 09:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\ashampoo
2008-03-25 02:32 --------- d-----w C:\Program Files\ESET
2008-03-15 11:56 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2008-03-15 11:56 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2008-03-14 22:23 571 ----a-w C:\Program Files\Shortcut to HiJackThis.exe.lnk
2008-03-14 05:54 3,894 ----a-w C:\Program Files\Filetopia.INI
2008-03-14 05:52 451 ----a-w C:\Program Files\Transfers.dat
2008-03-14 05:52 317 ----a-w C:\Program Files\#PartialList#.CMA
2008-03-14 05:52 1,142 ----a-w C:\Program Files\Transfer.log
2008-03-14 05:51 --------- d-----w C:\Program Files\Files
2008-03-14 05:32 2,862 ----a-w C:\Program Files\#SharedList#.CMA
2008-03-08 03:04 --------- d-----w C:\Program Files\TweakNow PowerPack 2006
2008-03-08 03:04 --------- d-----w C:\Program Files\LimeWire
2008-03-08 02:16 --------- d-----w C:\Program Files\AAAAA
2008-03-01 01:02 827 ----a-w C:\Program Files\ConvertXtoDvd 3.lnk
2008-03-01 01:02 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-03-01 01:02 47,360 ----a-w C:\Documents and Settings\Max My Name\Application Data\pcouffin.sys
2008-03-01 01:02 --------- d-----w C:\Program Files\VSO
2008-02-19 23:12 --------- d-----w C:\Program Files\DU Meter
2008-02-19 23:09 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-19 12:48 --------- d-----w C:\Documents and Settings\Max My Name\Application Data\URSoft
2007-09-27 14:06 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLbz.DAT
2007-07-18 00:00 125,651 ----a-w C:\WINDOWS\Fonts\error.exe
2007-05-19 06:48 30,601 ----a-w C:\Documents and Settings\Max My Name\x.exe
2007-02-26 06:55 26 ----a-w C:\Program Files\profile.htm
2007-02-26 06:53 76,800 ----a-w C:\Program Files\Channels.txt
2007-02-26 06:53 100 ----a-w C:\Program Files\Outbox-CoolCat01.dat
2007-02-26 06:52 100 ----a-w C:\Program Files\Inbox-CoolCat01.dat
2007-02-08 12:57 179 ----a-w C:\Program Files\Nodes.dat
2007-02-08 12:53 6,549 ----a-w C:\Program Files\INSTALL.LOG
2007-01-09 23:03 87,608 ----a-w C:\Documents and Settings\Max My Name\Application Data\ezpinst.exe
2003-08-07 06:16 71 ----a-w C:\Program Files\server.dat
2003-05-23 22:24 78,179 ----a-w C:\Program Files\language.lng
2002-12-10 12:44 1,253,888 ----a-w C:\Program Files\Filetopia.exe
2002-06-07 14:50 873 ----a-w C:\Program Files\search.dat
2001-09-28 06:00 164,864 ----a-w C:\Program Files\UNWISE.EXE
2001-07-05 02:46 8,116 ----a-w C:\Program Files\OSLO3071b2.USB
2001-05-08 05:36 114,688 ----a-w C:\Program Files\lxarscan.dll
2001-01-05 14:57 8,095 ----a-w C:\Program Files\wordmap.ini
1998-12-27 05:57 129,536 ----a-w C:\Program Files\lpcdll32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]
"Mmm"="C:\Program Files\HACE\Mmm\MmmTray.exe" [2006-12-10 21:41 15872]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:24 1694208]
"DU Meter"="C:\Program Files\DU Meter\DUMeter.exe" [2007-10-22 22:09 2582288]
"SRS Audio Sandbox"="C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" [2007-09-05 01:06 3158016]
"New Application"="C:\PROGRAMS\AA - Stored Programs\Ad Muncher v4.71 Build 28140 (1782) - CRACKED\Ad Muncher\Ad Muncher\AdMunch.exe" [2007-11-03 11:48 779776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 13:48 1388544]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 17:37 69216]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 21:55 54832]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-03-15 21:56 949376]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-07-04 12:41 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 22:00 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 0 (0x0)
"MaxRecentDocs"= 11 (0xb)
"NoStartMenuMFUprogramsList"= 0 (0x0)
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Mmm"="C:\Program Files\HACE\Mmm\Mmm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Filetopia.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional Business XII.SP2\\RpcAgentSrv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 15:51]
R2 DUMeterSvc;DU Meter Service;C:\Program Files\DU Meter\DUMeterSvc.exe [2007-10-15 15:19]
R2 SandraAgentSrv;SiSoftware Deployment Agent Service;C:\Program Files\SiSoftware\SiSoftware Sandra Professional Business XII.SP2\RpcAgentSrv.exe [2008-04-07 19:26]
R3 AUD;DTV-DVB 3054 Analog Audio Capture;C:\WINDOWS\system32\DRIVERS\3054AudCap.sys [2005-09-23 19:46]
R3 CXAVSTS;DTV-DVB 3054 Digital TS Capture;C:\WINDOWS\system32\drivers\3054BDACap.sys [2005-09-23 19:48]
R3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2006-12-13 18:02]
R3 THAVXBar;DTV-DVB 3054 Analog AVStream Crossbar;C:\WINDOWS\system32\drivers\3054AVXBar.sys [2005-09-23 19:47]
R3 THBDATUNE;DTV-DVB 3054 Digital Tuner/Demod;C:\WINDOWS\system32\drivers\3054BDATune.sys [2005-09-23 19:50]
R3 THIR;DTV-DVB 3054 IR Decoder;C:\WINDOWS\system32\drivers\3054IR.sys [2005-09-23 19:52]
R3 THTUNE;DTV-DVB 3054 Analog Tuner;C:\WINDOWS\system32\drivers\3054Tune.sys [2005-09-23 19:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrv REG_MULTI_SZ Tapisrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df290c00-70ab-11dc-a2aa-001485ebe2d0}]
\Shell\AutoRun\command - I:\InstallTomTomHOME.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 07:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-04-18 08:17:02 C:\WINDOWS\Tasks\GlaryInitialize.job"
- C:\PROGRAMS\Glary Utilities\initialize.exe
"2008-04-17 16:22:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-18 18:17:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DUMeterSvc]
"ImagePath"="C:\Program Files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\PROGRAMS\AA - Stored Programs\Ad Muncher v4.71 Build 28140 (1782) - CRACKED\Ad Muncher\Ad Muncher\AM28140.dll
-> ?:\WINDOWS\system32\msi.dll
-> ?:\WINDOWS\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\HDDSvc.exe
C:\Program Files\ESET\nod32krn.exe
C:\Program Files\OO Software\CleverCache\ooccag.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
.
**************************************************************************
.
Completion time: 2008-04-18 18:24:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-18 08:24:20

Pre-Run: 46,406,590,464 bytes free
Post-Run: 46,318,501,888 bytes free

Pan_02.jpg
Pan_01.jpg

#6
Learnatic

    Member

  • Topic Starter
  • Member
  • 131 posts
Panda Report ..
Finally got to download application and scan....

Pan_03.jpg

Hope this shows something relevant ..
Cheers,
Max.


#7
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
For the first two entries there in your third image, can you expand the entries to show what it found to be infected? We can remove it manually.

Uninstall Ad Muncher via the Add/Remove Programs panel...cracked copy.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

File::
C:\WINDOWS\Fonts\error.exe
C:\Documents and Settings\Max My Name\x.exe

Folder::
C:\PROGRAMS\AA - Stored Programs\Ad Muncher v4.71 Build 28140 (1782) - CRACKED\

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"New Application"=-

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

I'm not sure how much this will help with the gmail emails you've been getting. Probably in some email list by now already. Will see what else is showing in the next log...

#8
Learnatic

    Member

  • Topic Starter
  • Member
  • 131 posts
G'day GK17,
Sorry for delay but 'Geeks to Go' wouldn't open up. ... Just got a blank page.

I couldn't find AdMuncher in 'Uninstaller' so manually deleted it all. (Will be purchasing it after this exercise).

Following the above steps now, but here are the expanded Panda results as requested:


..."...Suspicious files (1)
C:\PROGRAM FILES\DU METER\DUMETER.EXE
=======================================

Vulnerabilities (2)

MS08-002 Medium + Info

MS08-002
Technical name: MS08-002
Threat level: Medium
Alias: Vulnerability in LSASS, Vulnerabilidad en LSASS
Type: Vulnerability
Effects: It is an important vulnerability in LSASS on Windows 2003/XP/2000 computers, which allows local privilege escalation in the vulnerable computer.

Affected platforms: Windows 2003/XP/2000

First detected on: Jan. 9, 2008
Detection updated on: Jan. 9, 2008
=======================================

MS08-001 Medium + Info

Title for Virus News List
Virus News
Link to [+news] in Virus News List [+ Noticias]
..."...

#9
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Post the new combofix log...

#10
Learnatic

    Member

  • Topic Starter
  • Member
  • 131 posts
Things are working OK today..
Here's the log:

ComboFix 08-04-16.5 - Max My Name 2008-04-20 7:44:21.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.603 [GMT 10:00]
Running from: C:\Documents and Settings\Max My Name\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Max My Name\My Documents\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.

2008-04-19 11:40 . 2008-04-19 11:40 <DIR> d-------- C:\Program Files\Outsim
2008-04-19 11:38 . 2008-04-19 11:41 <DIR> d-------- C:\Program Files\Image-Line
2008-04-18 21:36 . 2008-04-19 06:34 <DIR> d-------- C:\Program Files\Panda Security
2008-04-14 23:04 . 2008-04-17 01:24 <DIR> d-------- C:\Documents and Settings\Max My Name\Application Data\TweakNow RegCleaner Professional
2008-04-08 22:24 . 2008-04-08 22:29 <DIR> d-------- C:\divx
2008-04-08 10:56 . 2008-04-08 10:56 164 --a------ C:\WINDOWS\system32\test.aok
2008-04-08 07:56 . 2008-04-08 08:02 <DIR> d-------- C:\OutputFolder
2008-04-05 09:33 . 2008-04-05 09:33 24 --a------ C:\WINDOWS\system32\Drv32_16.ini
2008-04-01 07:25 . 2008-04-01 07:25 831,488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-04-01 07:25 . 2008-04-01 07:25 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2008-04-01 07:25 . 2008-04-01 07:25 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2008-04-01 07:25 . 2008-04-01 07:25 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2008-04-01 07:25 . 2008-04-01 07:25 682,496 --a------ C:\WINDOWS\system32\DivX.dll
2008-04-01 07:25 . 2008-04-01 07:25 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-25 11:38 . 2008-03-25 11:38 <DIR> d-------- C:\Documents and Settings\Max My Name\Application Data\Malwarebytes
2008-03-25 11:38 . 2008-03-25 11:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-25 05:45 . 2008-03-25 05:45 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2008-03-22 06:30 . 2008-03-22 06:30 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-03-22 06:30 . 2008-03-22 06:30 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-03-22 06:30 . 2008-03-22 06:30 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-03-22 06:30 . 2008-03-22 06:30 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-03-22 06:30 . 2008-03-22 06:30 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-03-19 07:46 . 2008-03-19 07:46 <DIR> d-------- C:\Documents and Settings\Max My Name\Application Data\JAM Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-19 03:24 --------- d-----w C:\Program Files\AAAAA
2008-04-19 01:41 --------- d-----w C:\Program Files\VstPlugins
2008-04-17 04:28 --------- d-----w C:\Documents and Settings\Max My Name\Application Data\LimeWire
2008-04-17 01:34 --------- d-----w C:\Documents and Settings\Max My Name\Application Data\BitTorrent
2008-04-17 01:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-17 01:08 --------- d-----w C:\Program Files\OO Software
2008-04-16 15:25 --------- d-----w C:\Program Files\DVDFab Platinum 4
2008-04-16 15:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-16 15:22 --------- d-----w C:\Program Files\audiograbber
2008-04-16 13:32 --------- d-----w C:\Documents and Settings\Max My Name\Application Data\GlarySoft
2008-04-15 00:57 --------- d-----w C:\Documents and Settings\Max My Name\Application Data\Vso
2008-04-12 06:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2008-04-11 23:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-11 23:42 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-08 12:29 --------- d-----w C:\Program Files\DivX
2008-04-02 09:29 --------- d-----w C:\Program Files\Ashampoo
2008-04-01 09:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\ashampoo
2008-03-25 02:32 --------- d-----w C:\Program Files\ESET
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-15 11:56 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2008-03-15 11:56 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2008-03-15 11:56 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2008-03-14 22:23 571 ----a-w C:\Program Files\Shortcut to HiJackThis.exe.lnk
2008-03-14 05:54 3,894 ----a-w C:\Program Files\Filetopia.INI
2008-03-14 05:52 451 ----a-w C:\Program Files\Transfers.dat
2008-03-14 05:52 317 ----a-w C:\Program Files\#PartialList#.CMA
2008-03-14 05:52 1,142 ----a-w C:\Program Files\Transfer.log
2008-03-14 05:51 --------- d-----w C:\Program Files\Files
2008-03-14 05:32 2,862 ----a-w C:\Program Files\#SharedList#.CMA
2008-03-08 03:04 --------- d-----w C:\Program Files\TweakNow PowerPack 2006
2008-03-08 03:04 --------- d-----w C:\Program Files\LimeWire
2008-03-01 01:02 827 ----a-w C:\Program Files\ConvertXtoDvd 3.lnk
2008-03-01 01:02 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-03-01 01:02 47,360 ----a-w C:\Documents and Settings\Max My Name\Application Data\pcouffin.sys
2008-03-01 01:02 --------- d-----w C:\Program Files\VSO
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32(2).dll
2008-02-19 23:12 --------- d-----w C:\Program Files\DU Meter
2008-02-19 23:09 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-19 12:48 --------- d-----w C:\Documents and Settings\Max My Name\Application Data\URSoft
2007-09-27 14:06 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLbz.DAT
2007-07-18 00:00 125,651 ----a-w C:\WINDOWS\Fonts\error.exe
2007-05-19 06:48 30,601 ----a-w C:\Documents and Settings\Max My Name\x.exe
2007-02-26 06:55 26 ----a-w C:\Program Files\profile.htm
2007-02-26 06:53 76,800 ----a-w C:\Program Files\Channels.txt
2007-02-26 06:53 100 ----a-w C:\Program Files\Outbox-CoolCat01.dat
2007-02-26 06:52 100 ----a-w C:\Program Files\Inbox-CoolCat01.dat
2007-02-08 12:57 179 ----a-w C:\Program Files\Nodes.dat
2007-02-08 12:53 6,549 ----a-w C:\Program Files\INSTALL.LOG
2007-01-09 23:03 87,608 ----a-w C:\Documents and Settings\Max My Name\Application Data\ezpinst.exe
2003-08-07 06:16 71 ----a-w C:\Program Files\server.dat
2003-05-23 22:24 78,179 ----a-w C:\Program Files\language.lng
2002-12-10 12:44 1,253,888 ----a-w C:\Program Files\Filetopia.exe
2002-06-07 14:50 873 ----a-w C:\Program Files\search.dat
2001-09-28 06:00 164,864 ----a-w C:\Program Files\UNWISE.EXE
2001-07-05 02:46 8,116 ----a-w C:\Program Files\OSLO3071b2.USB
2001-05-08 05:36 114,688 ----a-w C:\Program Files\lxarscan.dll
2001-01-05 14:57 8,095 ----a-w C:\Program Files\wordmap.ini
1998-12-27 05:57 129,536 ----a-w C:\Program Files\lpcdll32.dll
.

((((((((((((((((((((((((((((( [email protected]_ 9.40.06.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-18 23:16:12 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-19 21:04:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]
"Mmm"="C:\Program Files\HACE\Mmm\MmmTray.exe" [2006-12-10 21:41 15872]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:24 1694208]
"DU Meter"="C:\Program Files\DU Meter\DUMeter.exe" [2007-10-22 22:09 2582288]
"SRS Audio Sandbox"="C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" [2007-09-05 01:06 3158016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 13:48 1388544]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-03-15 21:56 949376]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-07-04 12:41 6731312]
"Ad Muncher"="C:\PROGRAMS\AdMunch.exe" [2008-04-19 22:39 779776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 22:00 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 0 (0x0)
"MaxRecentDocs"= 11 (0xb)
"NoStartMenuMFUprogramsList"= 0 (0x0)
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Mmm"="C:\Program Files\HACE\Mmm\Mmm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Filetopia.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 15:51]
R2 DUMeterSvc;DU Meter Service;C:\Program Files\DU Meter\DUMeterSvc.exe [2007-10-15 15:19]
R3 AUD;DTV-DVB 3054 Analog Audio Capture;C:\WINDOWS\system32\DRIVERS\3054AudCap.sys [2005-09-23 19:46]
R3 CXAVSTS;DTV-DVB 3054 Digital TS Capture;C:\WINDOWS\system32\drivers\3054BDACap.sys [2005-09-23 19:48]
R3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2006-12-13 18:02]
R3 THAVXBar;DTV-DVB 3054 Analog AVStream Crossbar;C:\WINDOWS\system32\drivers\3054AVXBar.sys [2005-09-23 19:47]
R3 THBDATUNE;DTV-DVB 3054 Digital Tuner/Demod;C:\WINDOWS\system32\drivers\3054BDATune.sys [2005-09-23 19:50]
R3 THIR;DTV-DVB 3054 IR Decoder;C:\WINDOWS\system32\drivers\3054IR.sys [2005-09-23 19:52]
R3 THTUNE;DTV-DVB 3054 Analog Tuner;C:\WINDOWS\system32\drivers\3054Tune.sys [2005-09-23 19:53]
S2 SandraAgentSrv;SiSoftware Deployment Agent Service;C:\Program Files\SiSoftware\SiSoftware Sandra Professional Business XII.SP2\RpcAgentSrv.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrv REG_MULTI_SZ Tapisrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df290c00-70ab-11dc-a2aa-001485ebe2d0}]
\Shell\AutoRun\command - I:\InstallTomTomHOME.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 07:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-04-19 21:04:27 C:\WINDOWS\Tasks\GlaryInitialize.job"
- C:\PROGRAMS\Glary Utilities\initialize.exe
"2008-04-17 16:22:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 07:46:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\DUMeterSvc]
"ImagePath"="C:\Program Files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-04-20 7:50:11
ComboFix-quarantined-files.txt 2008-04-19 21:49:29
ComboFix2.txt 2008-04-18 23:40:42
ComboFix3.txt 2008-04-18 08:24:26

Pre-Run: 46,236,270,592 bytes free
Post-Run: 46,226,612,224 bytes free

#11
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Are you having any problems installing the XP Recovery Console? Please go back to where you downloaded Combofix and read the instructions there on how to install it. Skip the part where it mentions the XP CD. Go to the part without using the CD.

Did you copy and paste those new lines in the CODE box earlier? Let's try it again since it doesn't seem to be removed...

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

DirLook::
C:\Program Files\AAAAA

File::
C:\WINDOWS\Fonts\error.exe
C:\Documents and Settings\Max My Name\x.exe

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

#12
Learnatic

    Member

  • Topic Starter
  • Member
  • 131 posts
Hi GK,
Perhaps the problems are because the NOD32 detects the 'AV' test and locks it away?

I leave the comp to itself when it's running the 'Combofix', not even moving a mouse.

CFScript.txt is in the same location as the ComboFix.exe tool, the desktop.

Pan_04.jpg

Cheers,
Max.


#13
Learnatic

    Member

  • Topic Starter
  • Member
  • 131 posts
ComboFix Log

NOD32, AVGAS, SandBox, AdMuncher (Trial) switched off.

'Recovery Console' installed.


Hope this helps.

ComboFix 08-04-16.5 - Max My Name 2008-04-20 11:43:09.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.678 [GMT 10:00]
Running from: C:\Documents and Settings\Max My Name\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Max My Name\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\Documents and Settings\Max My Name\x.exe
C:\WINDOWS\Fonts\error.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Max My Name\x.exe
C:\WINDOWS\Fonts\error.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.

2008-04-19 11:40 . 2008-04-19 11:40 <DIR> d-------- C:\Program Files\Outsim
2008-04-19 11:38 . 2008-04-19 11:41 <DIR> d-------- C:\Program Files\Image-Line
2008-04-18 21:36 . 2008-04-19 06:34 <DIR> d-------- C:\Program Files\Panda Security
2008-04-14 23:04 . 2008-04-17 01:24 <DIR> d-------- C:\Documents and Settings\Max My Name\Application Data\TweakNow RegCleaner Professional
2008-04-08 22:24 . 2008-04-08 22:29 <DIR> d-------- C:\divx
2008-04-08 10:56 . 2008-04-08 10:56 164 --a------ C:\WINDOWS\system32\test.aok
2008-04-08 07:56 . 2008-04-08 08:02 <DIR> d-------- C:\OutputFolder
2008-04-05 09:33 . 2008-04-05 09:33 24 --a------ C:\WINDOWS\system32\Drv32_16.ini
2008-04-01 07:25 . 2008-04-01 07:25 831,488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-04-01 07:25 . 2008-04-01 07:25 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2008-04-01 07:25 . 2008-04-01 07:25 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2008-04-01 07:25 . 2008-04-01 07:25 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2008-04-01 07:25 . 2008-04-01 07:25 682,496 --a------ C:\WINDOWS\system32\DivX.dll
2008-04-01 07:25 . 2008-04-01 07:25 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-25 11:38 . 2008-03-25 11:38 <DIR> d-------- C:\Documents and Settings\Max My Name\Application Data\Malwarebytes
2008-03-25 11:38 . 2008-03-25 11:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-25 05:45 . 2008-03-25 05:45 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2008-03-22 06:30 . 2008-03-22 06:30 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-03-22 06:30 . 2008-03-22 06:30 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-03-22 06:30 . 2008-03-22 06:30 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-03-22 06:30 . 2008-03-22 06:30 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-03-22 06:30 . 2008-03-22 06:30 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-19 03:24 --------- d-----w C:\Program Files\AAAAA
2008-04-19 01:41 --------- d-----w C:\Program Files\VstPlugins
2008-04-17 04:28 --------- d-----w C:\Documents and Settings\Max My Name\Application Data\LimeWire
2008-04-17 01:34 --------- d-----w C:\Documents and Settings\Max My Name\Application Data\BitTorrent
2008-04-17 01:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-17 01:08 --------- d-----w C:\Program Files\OO Software
2008-04-16 15:25 --------- d-----w C:\Program Files\DVDFab Platinum 4
2008-04-16 15:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-16 15:22 --------- d-----w C:\Program Files\audiograbber
2008-04-16 13:32 --------- d-----w C:\Documents and Settings\Max My Name\Application Data\GlarySoft
2008-04-15 00:57 --------- d-----w C:\Documents and Settings\Max My Name\Application Data\Vso
2008-04-12 06:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2008-04-11 23:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-11 23:42 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-08 12:29 --------- d-----w C:\Program Files\DivX
2008-04-02 09:29 --------- d-----w C:\Program Files\Ashampoo
2008-04-01 09:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\ashampoo
2008-03-25 02:32 --------- d-----w C:\Program Files\ESET
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-18 21:46 --------- d-----w C:\Documents and Settings\Max My Name\Application Data\JAM Software
2008-03-15 11:56 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2008-03-15 11:56 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2008-03-15 11:56 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2008-03-14 22:23 571 ----a-w C:\Program Files\Shortcut to HiJackThis.exe.lnk
2008-03-14 05:54 3,894 ----a-w C:\Program Files\Filetopia.INI
2008-03-14 05:52 451 ----a-w C:\Program Files\Transfers.dat
2008-03-14 05:52 317 ----a-w C:\Program Files\#PartialList#.CMA
2008-03-14 05:52 1,142 ----a-w C:\Program Files\Transfer.log
2008-03-14 05:51 --------- d-----w C:\Program Files\Files
2008-03-14 05:32 2,862 ----a-w C:\Program Files\#SharedList#.CMA
2008-03-08 03:04 --------- d-----w C:\Program Files\TweakNow PowerPack 2006
2008-03-08 03:04 --------- d-----w C:\Program Files\LimeWire
2008-03-01 01:02 827 ----a-w C:\Program Files\ConvertXtoDvd 3.lnk
2008-03-01 01:02 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-03-01 01:02 47,360 ----a-w C:\Documents and Settings\Max My Name\Application Data\pcouffin.sys
2008-03-01 01:02 --------- d-----w C:\Program Files\VSO
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32(2).dll
2007-09-27 14:06 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLbz.DAT
2007-02-26 06:55 26 ----a-w C:\Program Files\profile.htm
2007-02-26 06:53 76,800 ----a-w C:\Program Files\Channels.txt
2007-02-26 06:53 100 ----a-w C:\Program Files\Outbox-CoolCat01.dat
2007-02-26 06:52 100 ----a-w C:\Program Files\Inbox-CoolCat01.dat
2007-02-08 12:57 179 ----a-w C:\Program Files\Nodes.dat
2007-02-08 12:53 6,549 ----a-w C:\Program Files\INSTALL.LOG
2007-01-09 23:03 87,608 ----a-w C:\Documents and Settings\Max My Name\Application Data\ezpinst.exe
2003-08-07 06:16 71 ----a-w C:\Program Files\server.dat
2003-05-23 22:24 78,179 ----a-w C:\Program Files\language.lng
2002-12-10 12:44 1,253,888 ----a-w C:\Program Files\Filetopia.exe
2002-06-07 14:50 873 ----a-w C:\Program Files\search.dat
2001-09-28 06:00 164,864 ----a-w C:\Program Files\UNWISE.EXE
2001-07-05 02:46 8,116 ----a-w C:\Program Files\OSLO3071b2.USB
2001-05-08 05:36 114,688 ----a-w C:\Program Files\lxarscan.dll
2001-01-05 14:57 8,095 ----a-w C:\Program Files\wordmap.ini
1998-12-27 05:57 129,536 ----a-w C:\Program Files\lpcdll32.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\AAAAA ----

2008-02-29 15:27 7451 --a------ C:\Program Files\AAAAA\Wopti.Utilities.Special.Edition.v7.8.8.218-TE\Wopti.Utilities.Special.Edition.v7.8.8.218-TE\te.nfo
2008-02-24 01:58 136 --a------ C:\Program Files\AAAAA\Wopti.Utilities.Special.Edition.v7.8.8.218-TE\Wopti.Utilities.Special.Edition.v7.8.8.218-TE\Crack\Registration.reg
2008-02-22 08:59 3391256 --a------ C:\Program Files\AAAAA\Wopti.Utilities.Special.Edition.v7.8.8.218-TE\Wopti.Utilities.Special.Edition.v7.8.8.218-TE\setup.exe


((((((((((((((((((((((((((((( [email protected]_ 9.40.06.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-18 23:16:12 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-20 01:11:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]
"Mmm"="C:\Program Files\HACE\Mmm\MmmTray.exe" [2006-12-10 21:41 15872]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:24 1694208]
"DU Meter"="C:\Program Files\DU Meter\DUMeter.exe" [2007-10-22 22:09 2582288]
"SRS Audio Sandbox"="C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" [2007-09-05 01:06 3158016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 13:48 1388544]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-03-15 21:56 949376]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-07-04 12:41 6731312]
"Ad Muncher"="C:\PROGRAMS\AdMunch.exe" [2008-04-19 22:39 779776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 22:00 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 0 (0x0)
"MaxRecentDocs"= 11 (0xb)
"NoStartMenuMFUprogramsList"= 0 (0x0)
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Mmm"="C:\Program Files\HACE\Mmm\Mmm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Filetopia.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 15:51]
R2 DUMeterSvc;DU Meter Service;C:\Program Files\DU Meter\DUMeterSvc.exe [2007-10-15 15:19]
R3 AUD;DTV-DVB 3054 Analog Audio Capture;C:\WINDOWS\system32\DRIVERS\3054AudCap.sys [2005-09-23 19:46]
R3 CXAVSTS;DTV-DVB 3054 Digital TS Capture;C:\WINDOWS\system32\drivers\3054BDACap.sys [2005-09-23 19:48]
R3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2006-12-13 18:02]
R3 THAVXBar;DTV-DVB 3054 Analog AVStream Crossbar;C:\WINDOWS\system32\drivers\3054AVXBar.sys [2005-09-23 19:47]
R3 THBDATUNE;DTV-DVB 3054 Digital Tuner/Demod;C:\WINDOWS\system32\drivers\3054BDATune.sys [2005-09-23 19:50]
R3 THIR;DTV-DVB 3054 IR Decoder;C:\WINDOWS\system32\drivers\3054IR.sys [2005-09-23 19:52]
R3 THTUNE;DTV-DVB 3054 Analog Tuner;C:\WINDOWS\system32\drivers\3054Tune.sys [2005-09-23 19:53]
S2 SandraAgentSrv;SiSoftware Deployment Agent Service;C:\Program Files\SiSoftware\SiSoftware Sandra Professional Business XII.SP2\RpcAgentSrv.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrv REG_MULTI_SZ Tapisrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df290c00-70ab-11dc-a2aa-001485ebe2d0}]
\Shell\AutoRun\command - I:\InstallTomTomHOME.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 07:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-04-20 01:11:23 C:\WINDOWS\Tasks\GlaryInitialize.job"
- C:\PROGRAMS\Glary Utilities\initialize.exe
"2008-04-17 16:22:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 11:45:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\DUMeterSvc]
"ImagePath"="C:\Program Files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-04-20 11:49:06
ComboFix-quarantined-files.txt 2008-04-20 01:48:45
ComboFix2.txt 2008-04-19 21:50:12
ComboFix3.txt 2008-04-18 23:40:42
ComboFix4.txt 2008-04-18 08:24:26

Pre-Run: 46,207,086,592 bytes free
Post-Run: 46,195,638,272 bytes free

Edited by Learnatic, 19 April 2008 - 08:53 PM.


#14
greyknight17


    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, I see you have other cracked programs inside this folder:

C:\Program Files\AAAAA\

I need to stress this again. Using hacked copies of commercial programs is asking for trouble. This is how many users get infected with spyware and viruses.

Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Go to Start->Run and type in Combofix /u and hit OK to remove Combofix. You should be set to go now if there are no other problems. The issue with Gmail is most likely not solvable at this stage if you still get incoming junk. I suggest changing your email address and seeing if the same problem occurs. Also make sure, when you send out any emails, that you are sending them to a correct email address.

#15
Learnatic


    Member

  • Topic Starter
  • 131 posts
Okiedokie GreyKnight ..

Thanks for the help ... and good advice on the 'iffy' programmes.

Cheers,

Happy Springtime,

Max.






