Trojan Downloader.XS [RESOLVED]


  • This topic is locked

#16
harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
Ok, that looks good.

Run ComboFix again now; it may remove some more items.
Post that log when completed :)

Harry
  • 0


#17
~Mix

    Member

  • Topic Starter
  • Member
  • 77 posts
Harry, during the restart while running ComboFix, I didn't know that AVG 7.5 would start running... It updated and started scanning, crashed ComboFix and wouldn't create the log... So this is the third scan, after a stopped second scan due to the scan still going. Then after the third scan was complete and came up, all my icons and toolbar were not visible. Then after restarting, one of my virus scanners said that there was a browser hijacker...
Here's the log:
ComboFix 08-03-22.1 - Owner 2008-03-23 13:15:59.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.98 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\2search\
C:\Program Files\Accoona\
C:\Program Files\AVSystemCare\
C:\Program Files\bravesentry\
C:\Program Files\ClientMan\
C:\Program Files\Common Files\cpush\
C:\Program Files\Common Files\drivecleaner free\
C:\Program Files\Common Files\KeenValue\
C:\Program Files\Common Files\sogou pxp\
C:\Program Files\Common Files\WinSoftware\
C:\Program Files\CSBB\
C:\Program Files\dialers\
C:\Program Files\DriveCleaner Free\
C:\Program Files\e2g\
C:\Program Files\HbTools\
C:\Program Files\Hotbar\
C:\Program Files\install provider\
C:\Program Files\instant access\
C:\Program Files\ipwindows\
C:\Program Files\kuaiso toolsbar\
C:\Program Files\media-codec\
C:\Program Files\mmediacodec\
C:\Program Files\MyWebSearch\
C:\Program Files\newdotnet\
C:\Program Files\p4p\
C:\Program Files\PestTrap\
C:\Program Files\purityscan\
C:\Program Files\regifast\
C:\Program Files\seekmo\
C:\Program Files\SideFind\
C:\Program Files\spamblockerutility\
C:\Program Files\spysheriff\
C:\Program Files\starware\
C:\Program Files\SurfAccuracy\
C:\Program Files\surfsidekick 3\
C:\Program Files\toolbar888\
C:\Program Files\web buying\
C:\Program Files\webhancer\
C:\Program Files\WhenUSearch\
C:\WINDOWS\mc\
C:\WINDOWS\mslagent\
C:\WINDOWS\wincomp\
C:\WINDOWS\winmgts\
C:\WINDOWS\wintrim\
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-02-23 to 2008-03-23 )))))))))))))))))))))))))))))))
.

2008-03-22 20:08 . 2008-03-22 20:08 <DIR> dr-hs---- C:\WINDOWS\voiceip.dll
2008-03-22 20:08 . 2008-03-22 20:08 <DIR> dr-hs---- C:\WINDOWS\mssvr.exe
2008-03-21 21:03 . 2008-03-21 21:03 3,631 --a------ C:\7D.tmp
2008-03-20 23:36 . 2008-03-20 23:36 274 -r-h----- C:\Program Files\pcprivacysoftware.com
2008-03-20 23:36 . 2008-03-20 23:36 274 -r-h----- C:\Program Files\malwarewipe.com
2008-03-20 23:36 . 2008-03-20 23:36 274 -r-h----- C:\Program Files\malwaresweeper.com
2008-03-20 23:36 . 2008-03-20 23:36 274 -r-h----- C:\Program Files\bulletproofsoft.com
2008-03-20 23:36 . 2008-03-20 23:36 274 -r-h----- C:\Program Files\adwareremovergold.com
2008-03-20 23:36 . 2008-03-20 23:36 228 -r-h----- C:\Program Files\gator.com
2008-03-09 15:57 . 2008-03-09 15:57 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-09 15:57 . 2008-03-09 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-09 15:42 . 2008-03-09 15:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-09 14:35 . 2008-03-09 14:35 13,056 --a------ C:\WINDOWS\avisynthex32.dll
2008-03-09 10:22 . 2008-03-09 10:22 <DIR> d-------- C:\Program Files\stc
2008-03-09 10:21 . 2008-03-09 10:21 <DIR> d-------- C:\Program Files\180search assistant
2008-03-09 10:21 . 2008-03-09 10:21 29,184 --a------ C:\WINDOWS\msapasrc.dll
2008-03-09 10:21 . 2008-03-09 10:21 27,904 --a------ C:\WINDOWS\browserad.dll
2008-03-09 10:21 . 2008-03-09 10:21 26,368 --a------ C:\WINDOWS\winsb.dll
2008-03-09 10:21 . 2008-03-09 10:21 24,832 --a------ C:\WINDOWS\123messenger.per
2008-03-09 10:21 . 2008-03-09 10:21 22,272 --a------ C:\WINDOWS\autodisc32.dll
2008-03-09 10:21 . 2008-03-09 10:21 22,016 --a------ C:\WINDOWS\msa64chk.dll
2008-03-09 10:21 . 2008-03-09 10:21 17,920 --a------ C:\WINDOWS\system32\SIPSPI32.dll
2008-03-09 10:18 . 2008-03-21 14:50 25 --a------ C:\WINDOWS\win.ini
2008-03-08 23:53 . 2008-03-09 14:40 <DIR> d-------- C:\Program Files\No Trace
2008-03-08 23:43 . 2008-03-08 23:43 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-08 23:43 . 2008-03-09 05:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-08 23:27 . 2008-03-08 23:27 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-08 15:10 . 2008-03-08 15:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-08 08:54 . 2008-03-09 01:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-08 08:34 . 2008-03-08 08:34 3,805,830 --a------ C:\WINDOWS\fIHNZfcvR3.exe
2008-03-08 08:33 . 2008-03-08 08:34 <DIR> d-------- C:\WINDOWS\kcshruuf
2008-03-08 08:33 . 2008-03-08 08:33 184,320 --a------ C:\WINDOWS\hirgncvi.dll
2008-03-08 08:33 . 2008-03-08 08:33 38,912 --a------ C:\WINDOWS\bgnqbang.exe
2008-03-08 08:32 . 2008-03-08 08:32 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-03-08 08:31 . 2008-03-08 08:31 295,819 --a------ C:\WINDOWS\system32\L5B49.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-23 17:15 --------- d--h--w C:\Documents and Settings\Owner\Application Data\AVG7
2008-03-23 17:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-23 00:09 --------- d-----w C:\Program Files\Malware Immunizer
2008-03-22 20:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-19 21:37 --------- d--h--w C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-03-08 17:31 --------- d-----w C:\Program Files\Setup NetZero
2008-03-08 16:42 --------- d-----w C:\Program Files\SpywareGuard
2008-03-08 01:52 --------- d-----w C:\Program Files\Mungyodance
2008-03-08 00:23 --------- d-----w C:\Program Files\StepMania
2008-02-20 10:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-20 10:23 --------- d-----w C:\Program Files\Lavasoft
2008-02-20 10:21 --------- d--h--w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-02-20 10:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-30 10:21 4,446 -c-ha-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-12-29 05:28 27,136 ----a-w C:\WINDOWS\~GLH0000.TMP
.

((((((((((((((((((((((((((((( [email protected]_15.03.07.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 18:08 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-09-07 19:01 43008]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 18:11 4670968]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 10:59 224248]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"Spyware Vanisher"="C:\spywarevanisher-full\SpywareVanisher.exe" [2006-12-24 14:13 4114432]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"CheckNetworkConnection"="C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" [2006-05-19 11:29 1286144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 18:04 135168]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 23:24 32768]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 18:07 90112 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 11:32 7204864]
"nwiz"="nwiz.exe" [2005-09-18 11:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-09-18 11:32 86016]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2007-03-07 10:58 1773568]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-29 21:57 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"D-Link Air Utility"="C:\Program Files\D-Link\Air Utility\AirCFG.exe" [2003-06-26 18:13 2695168]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 10:59 224248]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 15:05 185632]
"ss245sd"="C:\WINDOWS\ss245sd.exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-08 15:15 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-08 15:10 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2005-10-29 21:55:21 2168360]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-12-05 22:54:45 124912]
HP Parallel Port Test.lnk - C:\SCANJET\PrecisionScan\hpppt.exe [2007-04-12 23:42:44 107008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcdbc]
gebcdbc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\StepMania CVS\\Program\\StepMania.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R1 papycpu;papycpu;C:\WINDOWS\system32\drivers\papycpu.sys [1998-10-06 10:36]
R2 MMIndexer;Media Manager Indexer;C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe [1997-07-15 01:00]
R2 NIOC;NIOC Service;C:\WINDOWS\system32\NIOC.SYS [2002-09-27 18:21]
S0 epstwnt;epstwnt;C:\WINDOWS\system32\Drivers\epstwnt.mpd [1998-03-30 02:18]
S2 SHARSHTL;Shuttle Sharer;C:\WINDOWS\system32\Drivers\sharshtl.sys [1998-03-30 02:18]
Start Pending2 WZCBDLService;WZCBDL Service;"C:\Program Files\WZCBDL Service\WZCBDLS.exe" [2002-03-19 12:15]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09826001-48e5-11da-bf8e-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1019e541-51ec-11da-9c61-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{815a0671-62bc-11da-b957-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-03-23 17:02:20 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-23 13:19:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\epstwnt]
"ImagePath"="System32\Drivers\epstwnt.mpd"
.
Completion time: 2008-03-23 13:21:45
ComboFix-quarantined-files.txt 2008-03-23 17:21:35
ComboFix2.txt 2008-03-22 01:18:34
ComboFix3.txt 2008-03-09 19:03:30
.
2007-12-19 01:38:33 --- E O F ---

Edited by ~Mix, 23 March 2008 - 11:40 AM.

  • 0

#18
harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
Hey ~Mix

  • Download RenV.exe by sUBs to your desktop
  • Double click on it to run it
  • It will search your system drive looking for any modified .exe file and will produce a log for you.
  • Please attach this report to your reply (Do not copy and paste)

Please make sure the results are attached!
  • 0

#19
~Mix

    Member

  • Topic Starter
  • Member
  • 77 posts
Harry, here's the log, but it doesn't seem to have anything on it...

Attached Files


Edited by ~Mix, 23 March 2008 - 12:25 PM.

  • 0

#20
harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
Ok mix, that's a good thing.
Let's see if this will do the trick; if not, we are going to have to remove some stuff manually.

  • 1 - Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives, including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and on every USB drive plugged in when you ran it. Don't delete this folder; it will help protect your drives from future infection.

Reboot your machine.
Run ComboFix again and post the logs. This will help me see where we are getting the infections from.

Harry
  • 0

#21
~Mix

    Member

  • Topic Starter
  • Member
  • 77 posts
Harry, here is the ComboFix log. With ComboFix, it didn't reboot my computer. Should I do that?
ComboFix 08-03-22.1 - Owner 2008-03-23 16:10:07.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.105 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\2search\
C:\Program Files\Accoona\
C:\Program Files\AVSystemCare\
C:\Program Files\bravesentry\
C:\Program Files\ClientMan\
C:\Program Files\Common Files\cpush\
C:\Program Files\Common Files\drivecleaner free\
C:\Program Files\Common Files\KeenValue\
C:\Program Files\Common Files\sogou pxp\
C:\Program Files\Common Files\WinSoftware\
C:\Program Files\CSBB\
C:\Program Files\dialers\
C:\Program Files\DriveCleaner Free\
C:\Program Files\e2g\
C:\Program Files\HbTools\
C:\Program Files\Hotbar\
C:\Program Files\install provider\
C:\Program Files\instant access\
C:\Program Files\ipwindows\
C:\Program Files\kuaiso toolsbar\
C:\Program Files\media-codec\
C:\Program Files\mmediacodec\
C:\Program Files\MyWebSearch\
C:\Program Files\newdotnet\
C:\Program Files\p4p\
C:\Program Files\PestTrap\
C:\Program Files\purityscan\
C:\Program Files\regifast\
C:\Program Files\seekmo\
C:\Program Files\SideFind\
C:\Program Files\spamblockerutility\
C:\Program Files\spysheriff\
C:\Program Files\starware\
C:\Program Files\SurfAccuracy\
C:\Program Files\surfsidekick 3\
C:\Program Files\toolbar888\
C:\Program Files\web buying\
C:\Program Files\webhancer\
C:\Program Files\WhenUSearch\
C:\WINDOWS\mc\
C:\WINDOWS\mslagent\
C:\WINDOWS\wincomp\
C:\WINDOWS\winmgts\
C:\WINDOWS\wintrim\

.
((((((((((((((((((((((((( Files Created from 2008-02-23 to 2008-03-23 )))))))))))))))))))))))))))))))
.

2008-03-22 20:08 . 2008-03-22 20:08 <DIR> dr-hs---- C:\WINDOWS\voiceip.dll
2008-03-22 20:08 . 2008-03-22 20:08 <DIR> dr-hs---- C:\WINDOWS\mssvr.exe
2008-03-21 21:03 . 2008-03-21 21:03 3,631 --a------ C:\7D.tmp
2008-03-20 23:36 . 2008-03-20 23:36 274 -r-h----- C:\Program Files\pcprivacysoftware.com
2008-03-20 23:36 . 2008-03-20 23:36 274 -r-h----- C:\Program Files\malwarewipe.com
2008-03-20 23:36 . 2008-03-20 23:36 274 -r-h----- C:\Program Files\malwaresweeper.com
2008-03-20 23:36 . 2008-03-20 23:36 274 -r-h----- C:\Program Files\bulletproofsoft.com
2008-03-20 23:36 . 2008-03-20 23:36 274 -r-h----- C:\Program Files\adwareremovergold.com
2008-03-20 23:36 . 2008-03-20 23:36 228 -r-h----- C:\Program Files\gator.com
2008-03-09 15:57 . 2008-03-09 15:57 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-09 15:57 . 2008-03-09 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-09 15:42 . 2008-03-09 15:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-09 14:35 . 2008-03-09 14:35 13,056 --a------ C:\WINDOWS\avisynthex32.dll
2008-03-09 10:22 . 2008-03-09 10:22 <DIR> d-------- C:\Program Files\stc
2008-03-09 10:21 . 2008-03-09 10:21 <DIR> d-------- C:\Program Files\180search assistant
2008-03-09 10:21 . 2008-03-09 10:21 29,184 --a------ C:\WINDOWS\msapasrc.dll
2008-03-09 10:21 . 2008-03-09 10:21 27,904 --a------ C:\WINDOWS\browserad.dll
2008-03-09 10:21 . 2008-03-09 10:21 26,368 --a------ C:\WINDOWS\winsb.dll
2008-03-09 10:21 . 2008-03-09 10:21 24,832 --a------ C:\WINDOWS\123messenger.per
2008-03-09 10:21 . 2008-03-09 10:21 22,272 --a------ C:\WINDOWS\autodisc32.dll
2008-03-09 10:21 . 2008-03-09 10:21 22,016 --a------ C:\WINDOWS\msa64chk.dll
2008-03-09 10:21 . 2008-03-09 10:21 17,920 --a------ C:\WINDOWS\system32\SIPSPI32.dll
2008-03-09 10:18 . 2008-03-23 16:06 25 --a------ C:\WINDOWS\win.ini
2008-03-08 23:53 . 2008-03-09 14:40 <DIR> d-------- C:\Program Files\No Trace
2008-03-08 23:43 . 2008-03-08 23:43 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-08 23:43 . 2008-03-09 05:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-08 23:27 . 2008-03-08 23:27 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-08 15:10 . 2008-03-08 15:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-08 08:54 . 2008-03-09 01:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-08 08:34 . 2008-03-08 08:34 3,805,830 --a------ C:\WINDOWS\fIHNZfcvR3.exe
2008-03-08 08:33 . 2008-03-08 08:34 <DIR> d-------- C:\WINDOWS\kcshruuf
2008-03-08 08:33 . 2008-03-08 08:33 184,320 --a------ C:\WINDOWS\hirgncvi.dll
2008-03-08 08:33 . 2008-03-08 08:33 38,912 --a------ C:\WINDOWS\bgnqbang.exe
2008-03-08 08:32 . 2008-03-08 08:32 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-03-08 08:31 . 2008-03-08 08:31 295,819 --a------ C:\WINDOWS\system32\L5B49.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-23 17:15 --------- d--h--w C:\Documents and Settings\Owner\Application Data\AVG7
2008-03-23 17:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-23 00:09 --------- d-----w C:\Program Files\Malware Immunizer
2008-03-22 20:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-19 21:37 --------- d--h--w C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-03-08 17:31 --------- d-----w C:\Program Files\Setup NetZero
2008-03-08 16:42 --------- d-----w C:\Program Files\SpywareGuard
2008-03-08 01:52 --------- d-----w C:\Program Files\Mungyodance
2008-03-08 00:23 --------- d-----w C:\Program Files\StepMania
2008-02-20 10:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-20 10:23 --------- d-----w C:\Program Files\Lavasoft
2008-02-20 10:21 --------- d--h--w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-02-20 10:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-30 10:21 4,446 -c-ha-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-12-29 05:28 27,136 ----a-w C:\WINDOWS\~GLH0000.TMP
.

((((((((((((((((((((((((((((( [email protected]_15.03.07.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 18:08 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-09-07 19:01 43008]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 18:11 4670968]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 10:59 224248]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"Spyware Vanisher"="C:\spywarevanisher-full\SpywareVanisher.exe" [2006-12-24 14:13 4114432]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"CheckNetworkConnection"="C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" [2006-05-19 11:29 1286144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 18:04 135168]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 23:24 32768]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 18:07 90112 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 11:32 7204864]
"nwiz"="nwiz.exe" [2005-09-18 11:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-09-18 11:32 86016]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2007-03-07 10:58 1773568]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-29 21:57 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"D-Link Air Utility"="C:\Program Files\D-Link\Air Utility\AirCFG.exe" [2003-06-26 18:13 2695168]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 10:59 224248]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 15:05 185632]
"ss245sd"="C:\WINDOWS\ss245sd.exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-08 15:15 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-08 15:10 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2005-10-29 21:55:21 2168360]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-12-05 22:54:45 124912]
HP Parallel Port Test.lnk - C:\SCANJET\PrecisionScan\hpppt.exe [2007-04-12 23:42:44 107008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcdbc]
gebcdbc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\StepMania CVS\\Program\\StepMania.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R1 papycpu;papycpu;C:\WINDOWS\system32\drivers\papycpu.sys [1998-10-06 10:36]
R2 MMIndexer;Media Manager Indexer;C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe [1997-07-15 01:00]
R2 NIOC;NIOC Service;C:\WINDOWS\system32\NIOC.SYS [2002-09-27 18:21]
S0 epstwnt;epstwnt;C:\WINDOWS\system32\Drivers\epstwnt.mpd [1998-03-30 02:18]
S2 SHARSHTL;Shuttle Sharer;C:\WINDOWS\system32\Drivers\sharshtl.sys [1998-03-30 02:18]
Start Pending2 WZCBDLService;WZCBDL Service;"C:\Program Files\WZCBDL Service\WZCBDLS.exe" [2002-03-19 12:15]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09826001-48e5-11da-bf8e-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1019e541-51ec-11da-9c61-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{815a0671-62bc-11da-b957-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-03-23 20:08:44 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-23 16:15:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\epstwnt]
"ImagePath"="System32\Drivers\epstwnt.mpd"
.
Completion time: 2008-03-23 16:17:39
ComboFix-quarantined-files.txt 2008-03-23 20:17:30
ComboFix2.txt 2008-03-23 17:21:45
ComboFix3.txt 2008-03-22 01:18:34
ComboFix4.txt 2008-03-09 19:03:30
.
2007-12-19 01:38:33 --- E O F ---
  • 0

#22
harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
err, did you run the flash drive tool?
  • 0

#23
~Mix

    Member

  • Topic Starter
  • Member
  • 77 posts
Yes, should I run it again?
  • 0

#24
harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
Nope, hold on a minute :)
  • 0

#25
harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
Hey mix, sorry for the delay there.
More work to do.

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\fIHNZfcvR3.exe
    C:\WINDOWS\kcshruuf
    C:\WINDOWS\hirgncvi.dll
    C:\WINDOWS\bgnqbang.exe
    C:\WINDOWS\system32\winfrun32.bin
    C:\WINDOWS\system32\L5B49.tmp
    C:\Program Files\pcprivacysoftware.com
    C:\Program Files\malwarewipe.com
    C:\Program Files\malwaresweeper.com
    C:\Program Files\bulletproofsoft.com
    C:\Program Files\adwareremovergold.com
    C:\Program Files\gator.com
    C:\Program Files\stc
    C:\Program Files\180search assistant
    C:\WINDOWS\msapasrc.dll
    C:\WINDOWS\browserad.dll
    C:\WINDOWS\winsb.dll
    C:\WINDOWS\123messenger.per
    C:\WINDOWS\autodisc32.dll
    C:\WINDOWS\msa64chk.dll
    C:\WINDOWS\system32\SIPSPI32.dll
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Next, let's remove the unwanted items.
Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Save it to your desktop as fixit.reg (file type = any).

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{815a0671-62bc-11da-b957-806d6172696f}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1019e541-51ec-11da-9c61-806d6172696f}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09826001-48e5-11da-bf8e-806d6172696f}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcdbc]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ss245sd"=-

NOTICE: This file was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system.


Locate fixit.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

Please reply back letting me know if it merged correctly.

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

REBOOT THE MACHINE AGAIN!

Fresh HJT, and run Combofix (again, sorry)

Harry
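For anyone checking what a fix file like the fixit.reg above will change before merging it, here is an added example (not from this thread or from any tool named in it) that parses the REGEDIT4 format without touching the registry: a `[-key]` line deletes a whole key, and a `"name"=-` line deletes one value under the key section it sits in. The sample input is the post's own fixit.reg, embedded verbatim.

```python
"""Dry-run reader for a REGEDIT4-style fix file.

Added example, not part of the thread or of any tool named in it. It does
not touch the registry; it only parses the file and lists what a merge
would do, so a fix file can be reviewed before it is merged.
"""
import re

# Constructed sample: the fixit.reg from the post above, verbatim.
FIXIT_REG = r"""REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{815a0671-62bc-11da-b957-806d6172696f}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1019e541-51ec-11da-9c61-806d6172696f}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09826001-48e5-11da-bf8e-806d6172696f}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcdbc]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ss245sd"=-
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
# A value line: either @ (the default value) or a quoted name, then '=' and data.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text):
    """Return a list of (action, key, value_name, data) tuples.

    action is 'delete_key', 'delete_value' or 'set_value'.
    Raises ValueError on a missing header, a value outside any key section,
    or a line the format does not allow.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing REGEDIT4 / Registry Editor header")
    actions = []
    current_key = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or comment
            continue
        m = KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if minus:
                actions.append(("delete_key", key, None, None))
                current_key = None   # values cannot follow a deleted key
            else:
                current_key = key
            continue
        m = VALUE_RE.match(line)
        if m:
            if current_key is None:
                raise ValueError(f"value outside a key section: {line}")
            name, data = m.groups()
            name = "(Default)" if name == "@" else name[1:-1]
            if data == "-":
                actions.append(("delete_value", current_key, name, None))
            else:
                actions.append(("set_value", current_key, name, data))
            continue
        raise ValueError(f"unrecognised line: {line}")
    return actions


def summarize(actions):
    """One human-readable line per action, for review before merging."""
    out = []
    for action, key, name, data in actions:
        if action == "delete_key":
            out.append(f"DELETE KEY   {key}")
        elif action == "delete_value":
            out.append(f"DELETE VALUE {key}\\{name}")
        else:
            out.append(f"SET VALUE    {key}\\{name} = {data}")
    return out


def only_deletes(actions):
    """True when the file removes entries and writes nothing new."""
    return all(action != "set_value" for action, _, _, _ in actions)


if __name__ == "__main__":
    parsed = parse_reg(FIXIT_REG)
    print("\n".join(summarize(parsed)))
    print("deletes only:", only_deletes(parsed))
```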



#26
~Mix

    Member

  • Topic Starter
  • Member
  • 77 posts
Harry, I Got The First Part Done But, The Second Part I Was Wondering Do I Save It In Notepad File Named "fixit.reg"?

#27
harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts

Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Save it to your desktop as fixit.reg (filetype = any).


Copy and paste it into Notepad. Select File, Save As, and name it fixit.reg.
Save it to your desktop; in the lower part of that dialog you will see the file type. Make sure "any" is selected when you save.

Continue on :)

#28
~Mix

    Member

  • Topic Starter
  • Member
  • 77 posts
Harry, Here's All The Logs
Here's The Combofix Log:
ComboFix 08-03-22.1 - Owner 2008-03-25 16:36:00.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.102 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\2search\
C:\Program Files\Accoona\
C:\Program Files\AVSystemCare\
C:\Program Files\bravesentry\
C:\Program Files\ClientMan\
C:\Program Files\Common Files\cpush\
C:\Program Files\Common Files\drivecleaner free\
C:\Program Files\Common Files\KeenValue\
C:\Program Files\Common Files\sogou pxp\
C:\Program Files\Common Files\WinSoftware\
C:\Program Files\CSBB\
C:\Program Files\dialers\
C:\Program Files\DriveCleaner Free\
C:\Program Files\e2g\
C:\Program Files\HbTools\
C:\Program Files\Hotbar\
C:\Program Files\install provider\
C:\Program Files\instant access\
C:\Program Files\ipwindows\
C:\Program Files\kuaiso toolsbar\
C:\Program Files\media-codec\
C:\Program Files\mmediacodec\
C:\Program Files\MyWebSearch\
C:\Program Files\newdotnet\
C:\Program Files\p4p\
C:\Program Files\PestTrap\
C:\Program Files\purityscan\
C:\Program Files\regifast\
C:\Program Files\seekmo\
C:\Program Files\SideFind\
C:\Program Files\spamblockerutility\
C:\Program Files\spysheriff\
C:\Program Files\starware\
C:\Program Files\SurfAccuracy\
C:\Program Files\surfsidekick 3\
C:\Program Files\toolbar888\
C:\Program Files\web buying\
C:\Program Files\webhancer\
C:\Program Files\WhenUSearch\
C:\WINDOWS\mc\
C:\WINDOWS\mslagent\
C:\WINDOWS\wincomp\
C:\WINDOWS\winmgts\
C:\WINDOWS\wintrim\
C:\WINDOWS\system32\avload32.dll . . . . failed to delete
C:\WINDOWS\system32\axdebugl.dll . . . . failed to delete
C:\WINDOWS\system32\bt848rom.dll . . . . failed to delete
C:\WINDOWS\system32\cdscsix3.dll . . . . failed to delete
C:\WINDOWS\system32\ddirectz.dll . . . . failed to delete
C:\WINDOWS\system32\directpt.dll . . . . failed to delete
C:\WINDOWS\system32\directut.dll . . . . failed to delete
C:\WINDOWS\system32\Dll.dll . . . . failed to delete
C:\WINDOWS\system32\docent0.dll . . . . failed to delete
C:\WINDOWS\system32\docent2.dll . . . . failed to delete
C:\WINDOWS\system32\dvd4free.dll . . . . failed to delete
C:\WINDOWS\system32\emldvc.dll . . . . failed to delete
C:\WINDOWS\system32\extfpu.dll . . . . failed to delete
C:\WINDOWS\system32\extxerox.dll . . . . failed to delete
C:\WINDOWS\system32\flashdrvr.dll . . . . failed to delete
C:\WINDOWS\system32\gatexkey.dll . . . . failed to delete
C:\WINDOWS\system32\gdiwxp.dll . . . . failed to delete
C:\WINDOWS\system32\gdwxp3.dll . . . . failed to delete
C:\WINDOWS\system32\hpprintx.dll . . . . failed to delete
C:\WINDOWS\system32\ideusr50.dll . . . . failed to delete
C:\WINDOWS\system32\ies4dll.dll . . . . failed to delete
C:\WINDOWS\system32\iesdl4l.dll . . . . failed to delete
C:\WINDOWS\system32\logon16x.dll . . . . failed to delete
C:\WINDOWS\system32\lsd_f3.dll . . . . failed to delete
C:\WINDOWS\system32\mcfCC4.dll . . . . failed to delete
C:\WINDOWS\system32\mcfG7A.dll . . . . failed to delete
C:\WINDOWS\system32\mdfpro.dll . . . . failed to delete
C:\WINDOWS\system32\mmxeroxk.dll . . . . failed to delete
C:\WINDOWS\system32\MSplg7.dll . . . . failed to delete
C:\WINDOWS\system32\nclabydll.dll . . . . failed to delete
C:\WINDOWS\system32\nkunpack.dll . . . . failed to delete
C:\WINDOWS\system32\nuclabdll.dll . . . . failed to delete
C:\WINDOWS\system32\obbn13t.dll . . . . failed to delete
C:\WINDOWS\system32\openglss.dll . . . . failed to delete
C:\WINDOWS\system32\printpnp.dll . . . . failed to delete
C:\WINDOWS\system32\prw76sks.sys . . . . failed to delete
C:\WINDOWS\system32\prwsks.dll . . . . failed to delete
C:\WINDOWS\system32\psksds.dll . . . . failed to delete
C:\WINDOWS\system32\rdrVR2.dll . . . . failed to delete
C:\WINDOWS\system32\rsdapi.dll . . . . failed to delete
C:\WINDOWS\system32\satau320.dll . . . . failed to delete
C:\WINDOWS\system32\satdll.dll . . . . failed to delete
C:\WINDOWS\system32\satmmc.dll . . . . failed to delete
C:\WINDOWS\system32\sdcard98.dll . . . . failed to delete
C:\WINDOWS\system32\se500mdm.dll . . . . failed to delete
C:\WINDOWS\system32\se633mxx.dll . . . . failed to delete
C:\WINDOWS\system32\sks2drvr.sys . . . . failed to delete
C:\WINDOWS\system32\sksdll.dll . . . . failed to delete
C:\WINDOWS\system32\tcpG4T.dll . . . . failed to delete
C:\WINDOWS\system32\tcpGDC.dll . . . . failed to delete
C:\WINDOWS\system32\tcpwrk.dll . . . . failed to delete
C:\WINDOWS\system32\wincom32.sys . . . . failed to delete
C:\WINDOWS\system32\wndtx1.dll . . . . failed to delete
C:\WINDOWS\system32\xcdmfree.dll . . . . failed to delete
C:\WINDOWS\system32\zopenssl.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-02-25 to 2008-03-25 )))))))))))))))))))))))))))))))
.

2008-03-23 17:56 . 2008-03-25 15:58 <DIR> d-------- C:\VundoFix Backups
2008-03-23 17:03 . 2008-03-23 17:03 <DIR> d-------- C:\_OTMoveIt
2008-03-22 20:08 . 2008-03-22 20:08 <DIR> dr-hs---- C:\WINDOWS\voiceip.dll
2008-03-22 20:08 . 2008-03-22 20:08 <DIR> dr-hs---- C:\WINDOWS\mssvr.exe
2008-03-21 21:03 . 2008-03-21 21:03 3,631 --a------ C:\7D.tmp
2008-03-09 15:57 . 2008-03-09 15:57 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-09 15:57 . 2008-03-09 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-09 15:42 . 2008-03-09 15:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-09 14:35 . 2008-03-09 14:35 13,056 --a------ C:\WINDOWS\avisynthex32.dll
2008-03-09 10:18 . 2008-03-25 16:44 25 --a------ C:\WINDOWS\win.ini
2008-03-08 23:53 . 2008-03-09 14:40 <DIR> d-------- C:\Program Files\No Trace
2008-03-08 23:43 . 2008-03-08 23:43 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-08 23:43 . 2008-03-09 05:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-08 23:27 . 2008-03-08 23:27 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-08 15:10 . 2008-03-08 15:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-08 08:54 . 2008-03-09 01:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-25 04:46 --------- d--h--w C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-03-25 03:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-24 22:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-23 20:35 --------- d-----w C:\Program Files\Malware Immunizer
2008-03-23 17:15 --------- d--h--w C:\Documents and Settings\Owner\Application Data\AVG7
2008-03-08 17:31 --------- d-----w C:\Program Files\Setup NetZero
2008-03-08 16:42 --------- d-----w C:\Program Files\SpywareGuard
2008-03-08 01:52 --------- d-----w C:\Program Files\Mungyodance
2008-03-08 00:23 --------- d-----w C:\Program Files\StepMania
2008-02-20 10:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-20 10:23 --------- d-----w C:\Program Files\Lavasoft
2008-02-20 10:21 --------- d--h--w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-02-20 10:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-30 10:21 4,446 -c-ha-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-12-29 05:28 27,136 ----a-w C:\WINDOWS\~GLH0000.TMP
.

((((((((((((((((((((((((((((( [email protected]_15.03.07.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 18:08 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-09-07 19:01 43008]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 18:11 4670968]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 10:59 224248]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"Spyware Vanisher"="C:\spywarevanisher-full\SpywareVanisher.exe" [2006-12-24 14:13 4114432]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"CheckNetworkConnection"="C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" [2006-05-19 11:29 1286144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 18:04 135168]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 23:24 32768]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 18:07 90112 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 11:32 7204864]
"nwiz"="nwiz.exe" [2005-09-18 11:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-09-18 11:32 86016]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2007-03-07 10:58 1773568]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-29 21:57 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"D-Link Air Utility"="C:\Program Files\D-Link\Air Utility\AirCFG.exe" [2003-06-26 18:13 2695168]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 10:59 224248]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 15:05 185632]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-08 15:15 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-08 15:10 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2005-10-29 21:55:21 2168360]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-12-05 22:54:45 124912]
HP Parallel Port Test.lnk - C:\SCANJET\PrecisionScan\hpppt.exe [2007-04-12 23:42:44 107008]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\StepMania CVS\\Program\\StepMania.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R1 papycpu;papycpu;C:\WINDOWS\system32\drivers\papycpu.sys [1998-10-06 10:36]
R2 MMIndexer;Media Manager Indexer;C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe [1997-07-15 01:00]
R2 NIOC;NIOC Service;C:\WINDOWS\system32\NIOC.SYS [2002-09-27 18:21]
R2 WZCBDLService;WZCBDL Service;"C:\Program Files\WZCBDL Service\WZCBDLS.exe" [2002-03-19 12:15]
S0 epstwnt;epstwnt;C:\WINDOWS\system32\Drivers\epstwnt.mpd [1998-03-30 02:18]
S2 SHARSHTL;Shuttle Sharer;C:\WINDOWS\system32\Drivers\sharshtl.sys [1998-03-30 02:18]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-25 20:46:05 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-25 16:43:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Recguard = %WINDIR%\SMINST\RECGUARD.EXE?
Reminder = %WINDIR%\Creator\Remind_XP.exe?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\epstwnt]
"ImagePath"="System32\Drivers\epstwnt.mpd"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\SpywareGuard\sgbhp.exe
.
**************************************************************************
.
Completion time: 2008-03-25 16:54:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-25 20:54:02
ComboFix2.txt 2008-03-25 20:31:24
ComboFix3.txt 2008-03-23 20:17:40
ComboFix4.txt 2008-03-23 17:21:45
ComboFix5.txt 2008-03-22 01:18:34
.
2007-12-19 01:38:33 --- E O F ---

The HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:33:10 PM, on 3/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\spywarevanisher-full\SpywareVanisher.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\SCANJET\PrecisionScan\hpppt.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-full\SpywareVanisher.exe -FastScan
O4 - HKCU\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=b43127dc-3fb1-45ae-96f2-4935118d933d
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O4 - Startup: Introducing Media Manager.lnk = C:\Program Files\Common Files\Microsoft Shared\Media Manager\SPLASHA.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Parallel Port Test.lnk = C:\SCANJET\PrecisionScan\hpppt.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.co...aploader_v5.cab
O21 - SSODL: flammei - {9d635a36-6b3c-4146-8625-f3aaf507bbf8} - (no file)
O22 - SharedTaskScheduler: flammei - {9d635a36-6b3c-4146-8625-f3aaf507bbf8} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe

--
End of file - 10690 bytes

VundoFix V7.0.3

Scan started at 5:56:56 PM 3/23/2008

Listing files found while scanning....

C:\windows\system32\lspak.dll

Beginning removal...

Attempting to delete C:\windows\system32\lspak.dll
C:\windows\system32\lspak.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V7.0.3

Scan started at 3:42:25 PM 3/25/2008

Listing files found while scanning....

C:\windows\system32\lspak.dll

Beginning removal...

Attempting to delete C:\windows\system32\lspak.dll
C:\windows\system32\lspak.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\lspak.dll
C:\windows\system32\lspak.dll Could not be deleted.

Performing Repairs to the registry.
Done!

#29
harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
Hey ~Mix,
You've got a neat little infection going on there; it's recreating faster than rabbits do.

Let's see one thing: copy the contents of the code box below and save it somewhere you can easily find it (Word, etc.). Print out the instructions given, or just copy them down, as you might need them while we do this part.

C:\windows\system32\lspak.dll
C:\WINDOWS\~GLH0000.TMP
C:\Documents and Settings\Owner\Application Data\wklnhst.dat
C:\Program Files\Malware Immunizer
C:\Documents and Settings\Owner\Application Data\BitTorrent
C:\WINDOWS\system32\avload32.dll 
C:\WINDOWS\system32\axdebugl.dll 
C:\WINDOWS\system32\bt848rom.dll 
C:\WINDOWS\system32\cdscsix3.dll 
C:\WINDOWS\system32\ddirectz.dll 
C:\WINDOWS\system32\directpt.dll 
C:\WINDOWS\system32\directut.dll 
C:\WINDOWS\system32\Dll.dll
C:\WINDOWS\system32\docent0.dll
C:\WINDOWS\system32\docent2.dll
C:\WINDOWS\system32\dvd4free.dll
C:\WINDOWS\system32\emldvc.dll 
C:\WINDOWS\system32\extfpu.dll 
C:\WINDOWS\system32\extxerox.dll 
C:\WINDOWS\system32\flashdrvr.dll
C:\WINDOWS\system32\gatexkey.dll 
C:\WINDOWS\system32\gdiwxp.dll
C:\WINDOWS\system32\gdwxp3.dll 
C:\WINDOWS\system32\hpprintx.dll
C:\WINDOWS\system32\ideusr50.dll
C:\WINDOWS\system32\ies4dll.dll 
C:\WINDOWS\system32\iesdl4l.dll 
C:\WINDOWS\system32\logon16x.dll
C:\WINDOWS\system32\lsd_f3.dll
C:\WINDOWS\system32\mcfCC4.dll
C:\WINDOWS\system32\mcfG7A.dll
C:\WINDOWS\system32\mdfpro.dll
C:\WINDOWS\system32\mmxeroxk.dll
C:\WINDOWS\system32\MSplg7.dll
C:\WINDOWS\system32\nclabydll.dll

Reboot the machine into Safe Mode (restart, and hit F8 continually until you see the Safe Mode screen). Start OTMoveIt2.exe, right-click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.

Open the file we saved, copy its contents and paste them into that window.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2

Run Combofix again (sorry :) ) just so we can see where we are at.

Harry

#30
~Mix

    Member

  • Topic Starter
  • Member
  • 77 posts
Harry, I Have Other Users Using This Computer When I'm Gone And The Sites They Get On Might Not Be Good For The Computer... How Do You Think I Should Solve This? I'm Afraid If I Block Some Of The Sites That Are Bad That They Will Move On To Worse Sites...
Here Are The Logs:

ComboFix 08-03-22.1 - Owner 2008-03-25 22:01:35.9 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.209 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\2search\
C:\Program Files\Accoona\
C:\Program Files\AVSystemCare\
C:\Program Files\bravesentry\
C:\Program Files\ClientMan\
C:\Program Files\Common Files\cpush\
C:\Program Files\Common Files\drivecleaner free\
C:\Program Files\Common Files\KeenValue\
C:\Program Files\Common Files\sogou pxp\
C:\Program Files\Common Files\WinSoftware\
C:\Program Files\CSBB\
C:\Program Files\dialers\
C:\Program Files\DriveCleaner Free\
C:\Program Files\e2g\
C:\Program Files\HbTools\
C:\Program Files\Hotbar\
C:\Program Files\install provider\
C:\Program Files\instant access\
C:\Program Files\ipwindows\
C:\Program Files\kuaiso toolsbar\
C:\Program Files\media-codec\
C:\Program Files\mmediacodec\
C:\Program Files\MyWebSearch\
C:\Program Files\newdotnet\
C:\Program Files\p4p\
C:\Program Files\PestTrap\
C:\Program Files\purityscan\
C:\Program Files\regifast\
C:\Program Files\seekmo\
C:\Program Files\SideFind\
C:\Program Files\spamblockerutility\
C:\Program Files\spysheriff\
C:\Program Files\starware\
C:\Program Files\SurfAccuracy\
C:\Program Files\surfsidekick 3\
C:\Program Files\toolbar888\
C:\Program Files\web buying\
C:\Program Files\webhancer\
C:\Program Files\WhenUSearch\
C:\WINDOWS\mc\
C:\WINDOWS\mslagent\
C:\WINDOWS\wincomp\
C:\WINDOWS\winmgts\
C:\WINDOWS\wintrim\
C:\WINDOWS\system32\nkunpack.dll . . . . failed to delete
C:\WINDOWS\system32\nuclabdll.dll . . . . failed to delete
C:\WINDOWS\system32\obbn13t.dll . . . . failed to delete
C:\WINDOWS\system32\openglss.dll . . . . failed to delete
C:\WINDOWS\system32\printpnp.dll . . . . failed to delete
C:\WINDOWS\system32\prw76sks.sys . . . . failed to delete
C:\WINDOWS\system32\prwsks.dll . . . . failed to delete
C:\WINDOWS\system32\psksds.dll . . . . failed to delete
C:\WINDOWS\system32\rdrVR2.dll . . . . failed to delete
C:\WINDOWS\system32\rsdapi.dll . . . . failed to delete
C:\WINDOWS\system32\satau320.dll . . . . failed to delete
C:\WINDOWS\system32\satdll.dll . . . . failed to delete
C:\WINDOWS\system32\satmmc.dll . . . . failed to delete
C:\WINDOWS\system32\sdcard98.dll . . . . failed to delete
C:\WINDOWS\system32\se500mdm.dll . . . . failed to delete
C:\WINDOWS\system32\se633mxx.dll . . . . failed to delete
C:\WINDOWS\system32\sks2drvr.sys . . . . failed to delete
C:\WINDOWS\system32\sksdll.dll . . . . failed to delete
C:\WINDOWS\system32\tcpG4T.dll . . . . failed to delete
C:\WINDOWS\system32\tcpGDC.dll . . . . failed to delete
C:\WINDOWS\system32\tcpwrk.dll . . . . failed to delete
C:\WINDOWS\system32\wincom32.sys . . . . failed to delete
C:\WINDOWS\system32\wndtx1.dll . . . . failed to delete
C:\WINDOWS\system32\xcdmfree.dll . . . . failed to delete
C:\WINDOWS\system32\zopenssl.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.

2008-03-25 22:09 . 2008-03-25 22:10 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-03-23 17:56 . 2008-03-25 15:58 <DIR> d-------- C:\VundoFix Backups
2008-03-23 17:03 . 2008-03-23 17:03 <DIR> d-------- C:\_OTMoveIt
2008-03-22 20:08 . 2008-03-22 20:08 <DIR> dr-hs---- C:\WINDOWS\voiceip.dll
2008-03-22 20:08 . 2008-03-22 20:08 <DIR> dr-hs---- C:\WINDOWS\mssvr.exe
2008-03-21 21:03 . 2008-03-21 21:03 3,631 --a------ C:\7D.tmp
2008-03-09 15:57 . 2008-03-09 15:57 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-09 15:57 . 2008-03-09 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-09 15:42 . 2008-03-09 15:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-09 14:35 . 2008-03-09 14:35 13,056 --a------ C:\WINDOWS\avisynthex32.dll
2008-03-09 10:18 . 2008-03-25 22:09 25 --a------ C:\WINDOWS\win.ini
2008-03-08 23:53 . 2008-03-09 14:40 <DIR> d-------- C:\Program Files\No Trace
2008-03-08 23:43 . 2008-03-08 23:43 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-08 23:43 . 2008-03-09 05:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-08 23:27 . 2008-03-08 23:27 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-08 15:10 . 2008-03-08 15:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-08 08:54 . 2008-03-09 01:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-25 23:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-25 03:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-23 17:15 --------- d--h--w C:\Documents and Settings\Owner\Application Data\AVG7
2008-03-08 17:31 --------- d-----w C:\Program Files\Setup NetZero
2008-03-08 16:42 --------- d-----w C:\Program Files\SpywareGuard
2008-03-08 01:52 --------- d-----w C:\Program Files\Mungyodance
2008-03-08 00:23 --------- d-----w C:\Program Files\StepMania
2008-02-20 10:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-20 10:23 --------- d-----w C:\Program Files\Lavasoft
2008-02-20 10:21 --------- d--h--w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-02-20 10:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
.

((((((((((((((((((((((((((((( [email protected]_15.03.07.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 18:08 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-09-07 19:01 43008]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 18:11 4670968]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 10:59 224248]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"Spyware Vanisher"="C:\spywarevanisher-full\SpywareVanisher.exe" [2006-12-24 14:13 4114432]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"CheckNetworkConnection"="C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" [2006-05-19 11:29 1286144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 18:04 135168]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 23:24 32768]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 18:07 90112 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 11:32 7204864]
"nwiz"="nwiz.exe" [2005-09-18 11:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-09-18 11:32 86016]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2007-03-07 10:58 1773568]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-29 21:57 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"D-Link Air Utility"="C:\Program Files\D-Link\Air Utility\AirCFG.exe" [2003-06-26 18:13 2695168]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 10:59 224248]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 15:05 185632]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-08 15:15 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-08 15:10 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2005-10-29 21:55:21 2168360]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-12-05 22:54:45 124912]
HP Parallel Port Test.lnk - C:\SCANJET\PrecisionScan\hpppt.exe [2007-04-12 23:42:44 107008]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\StepMania CVS\\Program\\StepMania.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R1 papycpu;papycpu;C:\WINDOWS\system32\drivers\papycpu.sys [1998-10-06 10:36]
R2 MMIndexer;Media Manager Indexer;C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe [1997-07-15 01:00]
R2 NIOC;NIOC Service;C:\WINDOWS\system32\NIOC.SYS [2002-09-27 18:21]
R2 WZCBDLService;WZCBDL Service;"C:\Program Files\WZCBDL Service\WZCBDLS.exe" [2002-03-19 12:15]
S0 epstwnt;epstwnt;C:\WINDOWS\system32\Drivers\epstwnt.mpd [1998-03-30 02:18]
S2 SHARSHTL;Shuttle Sharer;C:\WINDOWS\system32\Drivers\sharshtl.sys [1998-03-30 02:18]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-26 02:10:46 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-25 22:08:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Recguard = %WINDIR%\SMINST\RECGUARD.EXE?
Reminder = %WINDIR%\Creator\Remind_XP.exe?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\epstwnt]
"ImagePath"="System32\Drivers\epstwnt.mpd"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
.
**************************************************************************
.
Completion time: 2008-03-25 22:19:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-26 02:19:31
ComboFix2.txt 2008-03-25 20:54:07
ComboFix3.txt 2008-03-25 20:31:24
ComboFix4.txt 2008-03-23 20:17:40
ComboFix5.txt 2008-03-23 17:21:45
.
2007-12-19 01:38:33 --- E O F ---

And the OTMoveIt log:

C:\windows\system32\lspak.dll moved successfully.
C:\WINDOWS\~GLH0000.TMP moved successfully.
C:\Documents and Settings\Owner\Application Data\wklnhst.dat moved successfully.
C:\Program Files\Malware Immunizer moved successfully.
C:\Documents and Settings\Owner\Application Data\BitTorrent\locale moved successfully.
C:\Documents and Settings\Owner\Application Data\BitTorrent\incomplete moved successfully.
C:\Documents and Settings\Owner\Application Data\BitTorrent\data\torrents moved successfully.
C:\Documents and Settings\Owner\Application Data\BitTorrent\data\resume moved successfully.
C:\Documents and Settings\Owner\Application Data\BitTorrent\data\metainfo moved successfully.
C:\Documents and Settings\Owner\Application Data\BitTorrent\data moved successfully.
C:\Documents and Settings\Owner\Application Data\BitTorrent moved successfully.
C:\WINDOWS\system32\avload32.dll moved successfully.
C:\WINDOWS\system32\axdebugl.dll moved successfully.
C:\WINDOWS\system32\bt848rom.dll moved successfully.
C:\WINDOWS\system32\cdscsix3.dll moved successfully.
C:\WINDOWS\system32\ddirectz.dll moved successfully.
C:\WINDOWS\system32\directpt.dll moved successfully.
C:\WINDOWS\system32\directut.dll moved successfully.
C:\WINDOWS\system32\Dll.dll moved successfully.
C:\WINDOWS\system32\docent0.dll moved successfully.
C:\WINDOWS\system32\docent2.dll moved successfully.
C:\WINDOWS\system32\dvd4free.dll moved successfully.
C:\WINDOWS\system32\emldvc.dll moved successfully.
C:\WINDOWS\system32\extfpu.dll moved successfully.
C:\WINDOWS\system32\extxerox.dll moved successfully.
C:\WINDOWS\system32\flashdrvr.dll moved successfully.
C:\WINDOWS\system32\gatexkey.dll moved successfully.
C:\WINDOWS\system32\gdiwxp.dll moved successfully.
C:\WINDOWS\system32\gdwxp3.dll moved successfully.
C:\WINDOWS\system32\hpprintx.dll moved successfully.
C:\WINDOWS\system32\ideusr50.dll moved successfully.
C:\WINDOWS\system32\ies4dll.dll moved successfully.
C:\WINDOWS\system32\iesdl4l.dll moved successfully.
C:\WINDOWS\system32\logon16x.dll moved successfully.
C:\WINDOWS\system32\lsd_f3.dll moved successfully.
C:\WINDOWS\system32\mcfCC4.dll moved successfully.
C:\WINDOWS\system32\mcfG7A.dll moved successfully.
C:\WINDOWS\system32\mdfpro.dll moved successfully.
C:\WINDOWS\system32\mmxeroxk.dll moved successfully.
C:\WINDOWS\system32\MSplg7.dll moved successfully.
C:\WINDOWS\system32\nclabydll.dll moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03252008_220029
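A helper reading a ComboFix log like the one above has to pick out three things by hand: files ComboFix reported it could not delete, newly created entries with odd attributes (the two `<DIR>` entries named voiceip.dll and mssvr.exe, flagged hidden and system), and Run-key autostarts whose target is missing or lives somewhere unusual. The script below is an added example, not code from the original thread or from ComboFix, that does that triage over a few lines excerpted from the log above. It assumes the column layout ComboFix uses in this log (the "failed to delete" suffix, the created-files line with a size-or-<DIR> column followed by a nine-character attribute column, and the `"name"="command" [metadata]` Run-key form), it only tests whether the attribute column contains the letters h and s rather than assuming fixed positions, and the list of "expected" autostart directories is a triage heuristic of my own, not a ComboFix rule.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a handful of lines excerpted from the ComboFix log posted
# above, embedded here so the parser can be exercised offline.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\nkunpack.dll . . . . failed to delete
C:\WINDOWS\system32\prw76sks.sys . . . . failed to delete
C:\WINDOWS\system32\wincom32.sys . . . . failed to delete

((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.
2008-03-23 17:56 . 2008-03-25 15:58 <DIR> d-------- C:\VundoFix Backups
2008-03-22 20:08 . 2008-03-22 20:08 <DIR> dr-hs---- C:\WINDOWS\voiceip.dll
2008-03-22 20:08 . 2008-03-22 20:08 <DIR> dr-hs---- C:\WINDOWS\mssvr.exe
2008-03-09 14:35 . 2008-03-09 14:35 13,056 --a------ C:\WINDOWS\avisynthex32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"Spyware Vanisher"="C:\spywarevanisher-full\SpywareVanisher.exe" [2006-12-24 14:13 4114432]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"""

# Line shapes as they appear in this ComboFix log (assumed layout, see lead-in).
FAILED_RE = re.compile(r"^(?P<path>.+?) \. \. \. \. failed to delete$")
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[A-Za-z-]{9}) (?P<path>.+)$"
)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)" \[(?P<meta>[^\]]*)\]$')

# Heuristic (my assumption): autostart targets under these prefixes are
# unremarkable; anything else is worth a second look.
EXPECTED_PREFIXES = ("c:\\program files", "c:\\progra~1", "c:\\windows", "%windir%")
EXEC_EXT = (".dll", ".exe", ".sys")


def triage(log_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return (item, reason) pairs for the three kinds of leftovers."""
    findings: Dict[str, List[Tuple[str, str]]] = {
        "failed_to_delete": [],
        "suspicious_created": [],
        "suspicious_run": [],
    }
    for raw in log_text.splitlines():
        line = raw.strip()

        m = FAILED_RE.match(line)
        if m:
            # Still on disk after the run; these need another tool or safe mode.
            findings["failed_to_delete"].append(
                (m["path"], "ComboFix could not remove it; still present on disk"))
            continue

        m = CREATED_RE.match(line)
        if m:
            path, attrs = m["path"], m["attrs"].lower()
            is_dir = m["size"] == "<DIR>"
            if is_dir and path.lower().endswith(EXEC_EXT):
                # A directory carrying an executable's name is not something
                # an installer normally creates.
                findings["suspicious_created"].append(
                    (path, "directory named like an executable file"))
            elif "h" in attrs and "s" in attrs:
                findings["suspicious_created"].append(
                    (path, "hidden+system attributes on a newly created entry"))
            continue

        m = RUN_RE.match(line)
        if m:
            cmd, meta = m["cmd"], m["meta"].strip()
            if not meta:
                # ComboFix printed "[ ]": no size/timestamp for the target.
                findings["suspicious_run"].append(
                    (m["name"], "no file metadata recorded; target probably missing"))
            elif not cmd.lower().startswith(EXPECTED_PREFIXES):
                findings["suspicious_run"].append(
                    (m["name"], "autostart target outside the usual program directories: " + cmd))
    return findings


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item, reason in items:
            print("  " + item + "  <- " + reason)
```

Run against the full log rather than the excerpt by reading the pasted text from a file; the "failed to delete" list is the part that matters most for the next step, since those files survived the run and are the reason a follow-up pass was asked for.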