Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Trojan Horse [RESOLVED]

Started by balan42 , Mar 30 2008 10:12 AM

  • This topic is locked This topic is locked

#1
balan42
Posted 30 March 2008 - 10:12 AM

balan42

    New Member

  • Member
  • Pip
  • 8 posts
Hi Geeks2go, Antispywareupdates.net. Do I need to say more?? I read through some of the help that you guys provided for people who had the bad luck to get infected with this spyware. I ran COMBOFIX and removed some of the infected files myself. Now I do NOT have any problems with any pop-ups or getting redirected to some wierd sites like before. I have a free version of AVG installed on my computer. Some times, AVG detects this virus and asks for me to Heal? I click on Heal and it says HEALED. But then I have the same thing happen to me after a few days. I ran combofix and I will include the log here. I am also including the name and location of the virus which I see from time to time. I would appreciate it if you can help me to fix my machine. It is running slower than what it used to before. Also when I watch something on youtube for a long time, I have noticed that the picture starts to freeze while the sound will be just fine. I never had this problem before. Any help will be greatly appreciated. Thanks!



C:\System Volume Information\_restore{91D2993E-0F18-4C92-B68E-A4E50820CB8E}\RP599\A0072440.exe

Virus Name Trojan horse SHeur.ABSM

C:\System Volume Information\_restore{91D2993E-0F18-4C92-B68E-A4E50820CB8E}\RP599\A0072345.exe

Virus Name Trojan horse SHeur.AXUS

C:\System Volume Information\_restore{91D2993E-0F18-4C92-B68E-A4E50820CB8E}\RP599\A0072423.exe

Virus Name Trojan horse SHeur.ABSM


COMBOFIX LOG REPORT:

ComboFix 08-03-30.2 - balu 2008-03-30 11:26:09.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.129 [GMT -4:00]
Running from: C:\Documents and Settings\balu\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))
.

2008-03-16 15:20 . 2008-03-16 15:32 <DIR> d-------- C:\Documents and Settings\balu\Application Data\gtk-2.0
2008-03-16 15:20 . 2008-03-16 15:20 <DIR> d-------- C:\Documents and Settings\balu\.thumbnails
2008-03-16 15:16 . 2008-03-16 15:42 <DIR> d-------- C:\Documents and Settings\balu\.gimp-2.4
2008-03-16 15:14 . 2008-03-16 15:14 <DIR> d-------- C:\GIMP
2008-03-15 23:29 . 2008-03-15 23:29 2,732 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
2008-03-15 19:38 . 2007-07-09 09:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-03-11 17:47 . 2008-03-12 20:15 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-10 19:49 . 2008-03-10 19:49 31,232 --a------ C:\WINDOWS\didduid.ini
2008-03-10 19:49 . 2008-03-10 19:49 29,952 --a------ C:\WINDOWS\asferror32.dll
2008-03-10 19:49 . 2008-03-10 19:49 18,944 --a------ C:\WINDOWS\apphelp32.dll
2008-03-09 21:09 . 2008-03-09 21:09 <DIR> d-------- C:\WINDOWS\vmtbflgl
2008-03-09 21:09 . 2008-03-09 21:09 189,952 --a------ C:\WINDOWS\fsvyjmnu.dll
2008-02-24 14:23 . 2008-02-24 14:52 <DIR> d-------- C:\you tube
2008-02-11 21:17 . 2008-02-11 21:18 <DIR> d-------- C:\Program Files\DivX
2008-02-02 14:34 . 2006-10-04 10:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-02-02 14:34 . 2006-10-04 10:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-02-02 14:34 . 2006-10-04 10:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-02-02 14:33 . 2008-02-02 14:33 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-02-02 14:30 . 2008-02-02 14:30 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-02-02 14:30 . 2008-02-02 14:31 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-15 13:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-13 00:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-02 17:37 --------- d-----w C:\Program Files\music
2008-01-28 02:51 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\oleaut32.dll
2006-01-30 15:38 36,488,456 ----a-w C:\Program Files\iTunesSetup.exe
2001-09-11 21:27 5 ----a-w C:\Documents and Settings\balu\outfile.dat
.

((((((((((((((((((((((((((((( snapshot_2008-03-16_10.18.39.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-06-26 15:16:01 851,968 ----a-w C:\WINDOWS\$hf_mig$\KB938127\SP2QFE\vgx.dll
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB938127\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB938127\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB938127\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB938127\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB938127\update\updspapi.dll
+ 2007-08-21 06:25:02 683,520 ----a-w C:\WINDOWS\$hf_mig$\KB941202\SP2QFE\inetcomm.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB941202\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB941202\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB941202\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941202\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB941202\update\updspapi.dll
+ 2007-10-29 22:35:13 1,287,680 ----a-w C:\WINDOWS\$hf_mig$\KB941568\SP2QFE\quartz.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB941568\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB941568\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\updspapi.dll
+ 2007-12-04 18:29:10 551,936 ----a-w C:\WINDOWS\$hf_mig$\KB943055\SP2QFE\oleaut32.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB943055\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB943055\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB943055\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB943055\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB943055\update\updspapi.dll
+ 2007-11-07 09:50:47 727,040 ----a-w C:\WINDOWS\$hf_mig$\KB943485\SP2QFE\lsasrv.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB943485\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB943485\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB943485\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB943485\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB943485\update\updspapi.dll
+ 2007-12-07 00:44:30 1,024,000 ----a-w C:\WINDOWS\$hf_mig$\KB944533\SP2QFE\browseui.dll
+ 2007-12-07 00:44:30 151,040 ----a-w C:\WINDOWS\$hf_mig$\KB944533\SP2QFE\cdfview.dll
+ 2007-12-07 00:44:32 1,054,208 ----a-w C:\WINDOWS\$hf_mig$\KB944533\SP2QFE\danim.dll
+ 2007-12-07 00:44:33 357,888 ----a-w C:\WINDOWS\$hf_mig$\KB944533\SP2QFE\dxtmsft.dll
+ 2007-12-07 00:44:33 205,824 ----a-w C:\WINDOWS\$hf_mig$\KB944533\SP2QFE\dxtrans.dll
+ 2007-12-07 00:44:33 55,808 ----a-w C:\WINDOWS\$hf_mig$\KB944533\SP2QFE\extmgr.dll
+ 2007-12-06 10:05:52 18,432 ----a-w C:\WINDOWS\$hf_mig$\KB944533\SP2QFE\iedw.exe
+ 2007-12-07 00:44:33 251,904 ----a-w C:\WINDOWS\$hf_mig$\KB944533\SP2QFE\iepeers.dll
+ 2007-12-07 00:44:33 96,256 ----a-w C:\WINDOWS\$hf_mig$\KB944533\SP2QFE\inseng.dll
+ 2007-12-07 00:44:33 16,384 ----a-w C:\WINDOWS\$hf_mig$\KB944533\SP2QFE\jsproxy.dll
+ 2007-12-07 00:44:35 3,066,368 ----a-w C:\WINDOWS\$hf_mig$\KB944533\SP2QFE\mshtml.dll
+ 2007-12-07 00:44:36 449,024 ----a-w C:\WINDOWS\$hf_mig$\KB944533\SP2QFE\mshtmled.dll
+ 2007-12-07 00:44:36 146,432 ----a-w C:\WINDOWS\$hf_mig$\KB944533\SP2QFE\msrating.dll
+ 2007-12-07 00:44:36 532,480 ----a-w C:\WINDOWS\$hf_mig$\KB944533\SP2QFE\mstime.dll
+ 2007-12-07 00:44:36 39,424 ----a-w C:\WINDOWS\$hf_mig$\KB944533\SP2QFE\pngfilt.dll
+ 2007-12-07 00:44:37 1,499,136 ----a-w C:\WINDOWS\$hf_mig$\KB944533\SP2QFE\shdocvw.dll
+ 2007-12-07 00:44:38 474,112 ----a-w C:\WINDOWS\$hf_mig$\KB944533\SP2QFE\shlwapi.dll
+ 2007-12-07 00:44:39 617,984 ----a-w C:\WINDOWS\$hf_mig$\KB944533\SP2QFE\urlmon.dll
+ 2007-12-07 00:44:39 666,112 ----a-w C:\WINDOWS\$hf_mig$\KB944533\SP2QFE\wininet.dll
+ 2007-12-06 09:38:31 350,720 ----a-w C:\WINDOWS\$hf_mig$\KB944533\SP2QFE\xpsp3res.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB944533\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB944533\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB944533\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB944533\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB944533\update\updspapi.dll
+ 2007-11-13 08:47:45 20,480 ----a-w C:\WINDOWS\$hf_mig$\KB944653\SP2QFE\secdrv.sys
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB944653\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB944653\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB944653\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB944653\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB944653\update\updspapi.dll
- 2008-03-16 03:30:25 1,257,472 ----a-w C:\WINDOWS\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2008-03-19 01:04:59 1,265,664 ----a-w C:\WINDOWS\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
- 2008-03-16 03:30:29 1,224,704 ----a-w C:\WINDOWS\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2008-03-19 01:05:00 1,232,896 ----a-w C:\WINDOWS\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2008-03-19 01:05:24 61,440 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_0e18ade1\CustomMarshalers.dll
+ 2008-03-19 15:25:51 118,784 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_bec1294d\CustomMarshalers.dll
+ 2008-03-19 15:25:44 3,391,488 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_6f34a397\mscorlib.dll
+ 2008-03-19 15:26:16 8,908,800 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_ab8e7cf2\mscorlib.dll
+ 2008-03-19 15:26:07 3,395,584 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_056b9557\System.Design.dll
+ 2008-03-19 15:25:38 1,470,464 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_478e605d\System.Design.dll
+ 2008-03-19 15:25:52 192,512 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_152ed02d\System.Drawing.Design.dll
+ 2008-03-19 15:25:18 90,112 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_b754b63e\System.Drawing.Design.dll
+ 2008-03-19 15:26:11 2,244,608 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_059f71f7\System.Drawing.dll
+ 2008-03-19 15:25:40 835,584 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_cbdb0891\System.Drawing.dll
+ 2008-03-19 15:25:57 7,884,800 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_8d0e1917\System.Windows.Forms.dll
+ 2008-03-19 15:25:26 3,018,752 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_bd3a8fa4\System.Windows.Forms.dll
+ 2008-03-19 15:26:02 5,513,216 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_7d755081\System.Xml.dll
+ 2008-03-19 15:25:32 2,088,960 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_887c42ec\System.Xml.dll
+ 2008-03-19 01:05:14 1,966,080 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_0469ca57\System.dll
+ 2008-03-19 15:25:50 4,788,224 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_17d9dc64\System.dll
- 2008-03-16 03:42:02 593,920 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-03-20 16:25:20 593,920 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2008-03-16 03:42:02 12,288 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-03-20 16:25:20 12,288 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-03-16 03:42:02 135,168 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-03-20 16:25:19 135,168 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-03-16 03:42:02 11,264 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-03-20 16:25:20 11,264 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-03-16 03:42:03 27,136 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-03-20 16:25:20 27,136 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-03-16 03:42:03 4,096 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-03-20 16:25:20 4,096 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-03-16 03:42:03 794,624 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-03-20 16:25:20 794,624 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-03-16 03:42:02 249,856 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-03-20 16:25:20 249,856 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-03-16 03:42:02 61,440 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-03-20 16:25:19 61,440 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2008-03-16 03:42:03 23,040 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-03-20 16:25:21 23,040 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-03-16 03:42:02 286,720 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-03-20 16:25:19 286,720 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-03-16 03:42:02 409,600 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-03-20 16:25:19 409,600 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2004-07-15 05:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2007-04-14 01:30:52 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
- 2004-07-15 05:49:22 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2007-04-14 01:30:52 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
- 2004-07-15 04:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
+ 2007-04-14 00:57:52 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2003-02-21 02:09:14 86,016 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2007-04-14 00:57:58 86,016 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
- 2004-07-15 04:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2007-04-14 00:56:30 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
- 2004-07-15 04:33:04 102,400 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
+ 2007-04-14 00:58:00 102,400 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2004-07-15 18:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2007-04-14 00:50:46 2,142,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
- 2003-02-21 02:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2007-04-14 00:58:02 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2004-07-15 04:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2007-04-14 00:57:00 2,523,136 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
- 2004-07-15 04:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2007-04-14 00:57:28 2,514,944 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
- 2004-08-10 20:20:00 106,496 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
+ 2007-01-15 20:11:26 73,728 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
+ 2004-07-15 05:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2504\_aspnet_isapi.dll
+ 2004-07-15 04:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2504\_CORPerfMonExt.dll
+ 2004-07-15 04:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2504\_fusion.dll
+ 2004-07-15 04:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2504\_mscorjit.dll
+ 2004-07-15 18:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2504\_mscorlib.dll
+ 2003-02-21 02:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2504\_mscorsn.dll
+ 2004-07-15 04:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2504\_mscorsvr.dll
+ 2004-07-15 04:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2504\_mscorwks.dll
+ 2003-02-21 11:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2504\_msvcr71.dll
+ 2004-07-15 04:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2504\_PerfCounter.dll
- 2004-07-15 18:31:16 1,224,704 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2007-04-14 01:35:38 1,232,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.dll
- 2004-07-15 18:29:00 1,257,472 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
+ 2007-04-14 01:35:46 1,265,664 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
- 2007-04-18 12:31:37 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll
+ 2007-12-07 01:07:12 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll
- 2007-04-18 12:31:37 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
+ 2007-12-07 01:07:12 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
- 2007-04-18 12:31:37 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
+ 2007-12-07 01:07:12 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
- 2007-04-18 12:31:37 1,023,488 -c----w C:\WINDOWS\system32\dllcache\browseui.dll
+ 2007-12-07 01:07:12 1,023,488 -c----w C:\WINDOWS\system32\dllcache\browseui.dll
- 2007-04-18 12:31:37 151,040 -c----w C:\WINDOWS\system32\dllcache\cdfview.dll
+ 2007-12-07 01:07:12 151,040 -c----w C:\WINDOWS\system32\dllcache\cdfview.dll
- 2007-04-18 12:31:37 1,054,208 -c--a-w C:\WINDOWS\system32\dllcache\danim.dll
+ 2007-12-07 01:07:12 1,054,208 -c--a-w C:\WINDOWS\system32\dllcache\danim.dll
- 2007-04-18 12:31:37 357,888 -c----w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2007-12-07 01:07:12 357,888 -c----w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2007-04-18 12:31:37 205,312 -c----w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2007-12-07 01:07:12 205,312 -c----w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-04-18 12:31:37 55,808 -c----w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2007-12-07 01:07:12 55,808 -c----w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-04-18 10:22:13 18,432 -c----w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2007-12-06 13:07:07 18,432 -c----w C:\WINDOWS\system32\dllcache\iedw.exe
- 2007-04-18 12:31:37 251,392 -c----w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2007-12-07 01:07:12 251,392 -c----w C:\WINDOWS\system32\dllcache\iepeers.dll
- 2007-05-16 15:12:02 683,520 -c----w C:\WINDOWS\system32\dllcache\inetcomm.dll
+ 2007-08-21 06:15:44 683,520 -c----w C:\WINDOWS\system32\dllcache\inetcomm.dll
- 2007-04-18 12:31:37 96,256 -c----w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2007-12-07 01:07:12 96,256 -c----w C:\WINDOWS\system32\dllcache\inseng.dll
- 2007-04-18 12:31:37 16,384 -c----w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2007-12-07 01:07:12 16,384 -c----w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2006-08-17 12:28:27 721,920 -c----w C:\WINDOWS\system32\dllcache\lsasrv.dll
+ 2007-11-07 09:26:56 721,920 -c----w C:\WINDOWS\system32\dllcache\lsasrv.dll
- 2007-05-04 12:29:16 3,058,688 -c----w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2007-12-07 14:37:14 3,059,200 -c----w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-04-18 12:31:38 449,024 -c----w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2007-12-07 01:07:13 449,024 -c----w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-04-18 12:31:38 146,432 -c----w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2007-12-07 01:07:13 146,432 -c----w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-04-18 12:31:38 532,480 -c----w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2007-12-07 01:07:13 532,480 -c----w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2007-12-04 18:38:13 550,912 -c----w C:\WINDOWS\system32\dllcache\oleaut32.dll
- 2007-04-18 12:31:38 39,424 -c----w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2007-12-07 01:07:13 39,424 -c----w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2007-10-29 22:43:03 1,287,680 -c----w C:\WINDOWS\system32\dllcache\quartz.dll
- 2007-04-18 12:31:38 1,494,528 -c----w C:\WINDOWS\system32\dllcache\shdocvw.dll
+ 2007-12-07 01:07:13 1,494,528 -c----w C:\WINDOWS\system32\dllcache\shdocvw.dll
- 2007-04-18 12:31:38 474,112 -c----w C:\WINDOWS\system32\dllcache\shlwapi.dll
+ 2007-12-07 01:07:13 474,112 -c----w C:\WINDOWS\system32\dllcache\shlwapi.dll
- 2007-04-18 12:31:39 615,424 -c----w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2007-12-07 01:07:14 615,424 -c----w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2006-12-19 18:08:07 852,480 -c----w C:\WINDOWS\system32\dllcache\vgx.dll
+ 2007-06-26 15:13:22 851,968 -c----w C:\WINDOWS\system32\dllcache\vgx.dll
- 2007-04-18 12:31:39 658,944 -c----w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2007-12-07 01:07:14 659,456 -c----w C:\WINDOWS\system32\dllcache\wininet.dll
- 2002-08-29 12:00:00 27,440 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
+ 2007-11-13 10:25:53 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
- 2007-04-18 12:31:37 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2007-12-07 01:07:12 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2007-04-18 12:31:37 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2007-12-07 01:07:12 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-04-18 12:31:37 55,808 ------w C:\WINDOWS\system32\extmgr.dll
+ 2007-12-07 01:07:12 55,808 ------w C:\WINDOWS\system32\extmgr.dll
- 2007-04-18 12:31:37 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2007-12-07 01:07:12 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
+ 2007-08-21 06:15:44 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
- 2007-04-18 12:31:37 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2007-12-07 01:07:12 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
- 2007-04-18 12:31:37 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2007-12-07 01:07:12 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2006-08-17 12:28:27 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
+ 2007-11-07 09:26:56 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
- 2004-07-15 04:24:50 155,648 ----a-w C:\WINDOWS\system32\mscoree.dll
+ 2006-12-22 16:28:14 271,360 ----a-w C:\WINDOWS\system32\mscoree.dll
- 2007-05-04 12:29:16 3,058,688 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2007-12-07 14:37:14 3,059,200 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-04-18 12:31:38 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2007-12-07 01:07:13 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-04-18 12:31:38 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2007-12-07 01:07:13 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-04-18 12:31:38 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2007-12-07 01:07:13 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2006-12-22 17:02:36 6,144 ----a-w C:\WINDOWS\system32\mui\0409\mscorees.dll
- 2007-04-18 12:31:38 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2007-12-07 01:07:13 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2005-08-30 03:54:26 1,287,168 ----a-w C:\WINDOWS\system32\quartz.dll
+ 2007-10-29 22:43:03 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
- 2007-04-18 12:31:38 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
+ 2007-12-07 01:07:13 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
- 2007-04-18 12:31:38 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
+ 2007-12-07 01:07:13 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
- 2007-04-18 12:31:39 615,424 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2007-12-07 01:07:14 615,424 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2007-10-29 10:26:53 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-12-06 09:38:31 350,720 ----a-w C:\WINDOWS\system32\xpsp3res.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26A12891-344D-4235-9AF5-07A1133A3196}]
C:\Program Files\support.com\tecoC:\DOCUME~1\balu\LOCALS~1\Temp\CEMG555077.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39951c6f-8fe6-4147-b250-1b8f13d182da}]
C:\WINDOWS\system32\msaa936.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59879FA4-4790-461c-A1CC-4EC4DE4CA483}]
C:\Program Files\RXToolBar\sfcont.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8041E642-8CFC-4720-BC9D-D2DB8904286F}]
C:\Program Files\QdrDrive\QdrDrive12.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 12:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 20:42 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Windows KeyHook"="C:\WINDOWS\System32\keyhook.exe" [2004-04-16 18:53 249856]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2004-05-21 16:48 106496]
"SoundMan"="SOUNDMAN.EXE" [2004-05-21 16:51 66048 C:\WINDOWS\SOUNDMAN.EXE]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 21:44 65536]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2004-02-24 12:55 868352]
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 15:38 319488]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-05-14 16:53 32768]
"AGRSMMSG"="AGRSMMSG.exe" [2004-05-21 16:48 88363 C:\WINDOWS\AGRSMMSG.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-12-05 17:22 159744]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-12-20 22:54 278528]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-04 00:05 32881]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-09 14:49 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-03-21 06:36 155648]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 19:00 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-11-10 12:52 34832]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 12:42 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2004-05-29 05:06:05 335872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"4Tu0IEW7UZ"= C:\WINDOWS\jchylgfa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\msaa936]
msaa936.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=

R3 M2500;802.11g Wireless Network Driver;C:\WINDOWS\system32\DRIVERS\M2500.sys [2004-09-10 00:30]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-30 12:50:02 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-30 11:28:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-30 11:29:26
ComboFix-quarantined-files.txt 2008-03-30 15:29:09
ComboFix2.txt 2008-03-16 14:19:20
ComboFix3.txt 2008-03-15 16:05:22
ComboFix4.txt 2008-03-15 15:10:31
Pre-Run: 48,777,834,496 bytes free
Post-Run: 48,766,390,272 bytes free
.
2008-03-20 16:26:46 --- E O F ---



balan42
  • 0

Advertisements

#2
eddie5659
Posted 04 April 2008 - 07:46 AM

eddie5659

    Trusted Helper

  • Malware Removal
  • 1,980 posts
  • MVP
Hello balan42, and welcome to Geeks to Go!

Please read this post completely. It may make it easier for you if you print, or copy and paste this post to a new text document for reference later.

This will likely be a few steps process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

Download CWShredder here to its own folder.

Update CWShredder

* Open CWShredder and click I AGREE
* Click Check For Update
* Close CWShredder

Download and install CleanUp!

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
Perform the following steps in safe mode:

Run the CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Close the Shredder.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click Yes.

Restart the computer in Normal Mode.

Please download Spybot Search & Destroy and AdAware.

Follow all the instructions on this website to run a scan with both of these softwares.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.



Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Post the contents of the ActiveScan report as well as a fresh Hijackthis log.


Regards

eddie

Edited by eddie5659, 04 April 2008 - 07:50 AM.

  • 0

#3
balan42
Posted 05 April 2008 - 10:42 AM

balan42

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thanks a bunch for helping me out Eddie. I am including the Activescan report as well as the Hijack this log. I want to let you know that the Activescan took for ever to complete and I am not really sure if it did go through the entire process. But I am including the report here.

Active Scan report

;*******************************************************************************
*********************************************************************************
*******************
ANALYSIS: 2008-04-05 07:44:13
PROTECTIONS: 1
MALWARE: 17
SUSPECTS: 0
;*******************************************************************************
*********************************************************************************
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
=================================================================================
===================
AVG 7.5.519 7.5.519 Yes Yes
;===============================================================================
=================================================================================
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
=================================================================================
===================
00020302 adware/ncase Adware No 0 Yes No c:\windows\didduid.ini
00045952 spyware/media-motor Spyware No 1 Yes No hkey_local_machine\software\mm
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\balu\Cookies\balu@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\balu\Cookies\balu@atdmt[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\balu\Cookies\balu@com[1].txt
00169752 application/need2find HackTools No 0 Yes No hkey_local_machine\software\need2find
00169752 application/need2find HackTools No 0 Yes No hkey_current_user\software\need2find
00525896 Adware/Yazzle Adware No 0 No No C:\571.tmp[■++\Yazzle1552OinAdmin.exe]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{91D2993E-0F18-4C92-B68E-A4E50820CB8E}\RP603\A0072549.EXE
01303739 Trj/Downloader.MDW Virus/Trojan No 1 No No C:\572.tmp[BndDrive.dll]
01786416 Adware/Yazzle Adware No 0 Yes No C:\571.tmp
02124530 Trj/Downloader.MDW Virus/Trojan No 1 No No C:\572.tmp[ISMModule.exe]
02886407 Application/DownAndRun HackTools No 0 No No C:\572.tmp[bndloader.exe]
02887265 Adware/Adband Adware No 0 No No C:\572.tmp[ism.exe]
02899760 Application/XPDefender Spyware No 0 Yes No C:\System Volume Information\_restore{91D2993E-0F18-4C92-B68E-A4E50820CB8E}\RP599\A0072432.exe
02903429 Adware/Adband Adware No 0 Yes No C:\System Volume Information\_restore{91D2993E-0F18-4C92-B68E-A4E50820CB8E}\RP599\A0072426.exe
02906886 Adware/SpyAway Adware No 1 Yes No C:\System Volume Information\_restore{91D2993E-0F18-4C92-B68E-A4E50820CB8E}\RP600\A0072512.exe
02906886 Adware/SpyAway Adware No 1 Yes No C:\System Volume Information\_restore{91D2993E-0F18-4C92-B68E-A4E50820CB8E}\RP600\A0072511.exe
02906897 Application/XPDefender Spyware No 0 Yes No C:\System Volume Information\_restore{91D2993E-0F18-4C92-B68E-A4E50820CB8E}\RP603\A0072619.exe
02906897 Application/XPDefender Spyware No 0 Yes No C:\System Volume Information\_restore{91D2993E-0F18-4C92-B68E-A4E50820CB8E}\RP603\A0072611.exe
;===============================================================================
=================================================================================
===================
SUSPECTS
Sent Location 
;===============================================================================
=================================================================================
===================
;===============================================================================
=================================================================================
===================
VULNERABILITIES
Id Severity Description 
;===============================================================================
=================================================================================
===================
182048 HIGH MS07-069 
176382 HIGH MS07-057 
170906 HIGH MS07-045 
170904 HIGH MS07-043 
;===============================================================================
=================================================================================
===================


Here is the Hijackthis LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:49:46 AM, on 4/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {26A12891-344D-4235-9AF5-07A1133A3196} - C:\Program Files\support.com\tecoC:\DOCUME~1\balu\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: (no name) - {39951c6f-8fe6-4147-b250-1b8f13d182da} - C:\WINDOWS\system32\msaa936.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: BndFibu7 IE Helper - {8041E642-8CFC-4720-BC9D-D2DB8904286F} - C:\Program Files\QdrDrive\QdrDrive12.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [4Tu0IEW7UZ] C:\WINDOWS\jchylgfa.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O15 - Trusted Zone: pna.utexas.edu
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} (SupportSoft External Control) - https://actsvr.comca..... Controls.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1143253056296
O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect....stConnect20.ocx
O20 - Winlogon Notify: msaa936 - msaa936.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 8641 bytes


Thanks Eddie!
  • 0

#4
eddie5659
Posted 06 April 2008 - 06:22 AM

eddie5659

    Trusted Helper

  • Malware Removal
  • 1,980 posts
  • MVP
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

eddie
  • 0

#5
balan42
Posted 06 April 2008 - 01:51 PM

balan42

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi Eddie,

Here is the combofix report:

ComboFix 08-04-04.1 - balu 2008-04-06 15:42:41.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.134 [GMT -4:00]
Running from: C:\Documents and Settings\balu\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-06 to 2008-04-06 )))))))))))))))))))))))))))))))
.

2008-04-05 07:49 . 2008-04-05 07:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-04 20:29 . 2008-04-04 20:29 <DIR> d-------- C:\Program Files\Panda Security
2008-04-04 20:03 . 2008-04-04 20:03 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-04 20:03 . 2008-04-04 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-04 20:02 . 2008-04-04 20:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-04 18:17 . 2008-04-04 18:17 <DIR> d-------- C:\spybot
2008-04-04 18:08 . 2008-04-04 18:08 <DIR> d-------- C:\Program Files\CleanUp!
2008-04-04 18:02 . 2004-05-29 05:06 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-04 18:02 . 2004-05-29 09:44 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-04-04 18:02 . 2004-06-15 02:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-04 18:02 . 2004-06-10 06:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Roxio
2008-04-04 18:02 . 2004-06-11 03:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2008-04-04 18:02 . 2004-06-02 05:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-04-04 17:51 . 2008-04-04 18:00 <DIR> d-------- C:\cwshredder
2008-03-31 22:51 . 2008-03-31 22:51 <DIR> d-------- C:\Program Files\Bonjour
2008-03-31 22:49 . 2008-04-06 15:27 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-31 22:49 . 2008-03-31 22:49 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-31 22:48 . 2008-03-31 22:48 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-03-31 22:48 . 2008-03-31 22:48 <DIR> d-------- C:\Program Files\Apple Software Update
2008-03-31 22:47 . 2008-03-31 22:47 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-03-31 22:47 . 2008-03-31 22:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-03-16 15:20 . 2008-03-16 15:32 <DIR> d-------- C:\Documents and Settings\balu\Application Data\gtk-2.0
2008-03-16 15:20 . 2008-03-16 15:20 <DIR> d-------- C:\Documents and Settings\balu\.thumbnails
2008-03-16 15:16 . 2008-03-16 15:42 <DIR> d-------- C:\Documents and Settings\balu\.gimp-2.4
2008-03-16 15:14 . 2008-03-16 15:14 <DIR> d-------- C:\GIMP
2008-03-15 23:29 . 2008-03-15 23:29 2,732 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
2008-03-15 19:38 . 2007-07-09 09:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-03-11 17:47 . 2008-04-04 18:26 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-10 19:49 . 2008-03-10 19:49 31,232 --a------ C:\WINDOWS\didduid.ini
2008-03-10 19:49 . 2008-03-10 19:49 29,952 --a------ C:\WINDOWS\asferror32.dll
2008-03-10 19:49 . 2008-03-10 19:49 18,944 --a------ C:\WINDOWS\apphelp32.dll
2008-03-09 21:09 . 2008-03-09 21:09 <DIR> d-------- C:\WINDOWS\vmtbflgl
2008-03-09 21:09 . 2008-03-09 21:09 189,952 --a------ C:\WINDOWS\fsvyjmnu.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-05 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-01 02:53 --------- d-----w C:\Program Files\iTunes
2008-04-01 02:52 --------- d-----w C:\Program Files\iPod
2008-04-01 02:50 --------- d-----w C:\Program Files\QuickTime
2008-04-01 02:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-15 13:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-02-12 01:18 --------- d-----w C:\Program Files\DivX
2006-01-30 15:38 36,488,456 ----a-w C:\Program Files\iTunesSetup.exe
2001-09-11 21:27 5 ----a-w C:\Documents and Settings\balu\outfile.dat
.

((((((((((((((((((((((((((((( snapshot_2008-03-30_11.28.56.27 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-25 22:13:04 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
+ 2007-07-18 17:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
- 2000-08-31 12:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2000-08-31 12:00:00 73,728 ----a-w C:\WINDOWS\fdsv.exe
+ 2000-08-31 12:00:00 80,412 ----a-w C:\WINDOWS\grep.exe
+ 2008-04-01 02:51:43 86,016 ----a-r C:\WINDOWS\Installer\{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}\PrntWzrdIco.exe
+ 2008-04-01 02:53:35 102,400 ----a-r C:\WINDOWS\Installer\{80FD852F-5AAC-4129-B931-06AAFFA43138}\iTunesIco.exe
+ 2008-04-01 02:48:47 27,136 ----a-r C:\WINDOWS\Installer\{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}\AppleSoftwareUpdateIco.exe
+ 2008-04-05 00:03:47 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2008-04-05 00:03:47 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2008-04-05 00:03:47 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2008-04-05 00:03:47 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
+ 2000-08-31 12:00:00 98,816 ----a-w C:\WINDOWS\sed.exe
+ 2000-08-31 12:00:00 161,792 ----a-w C:\WINDOWS\swreg.exe
+ 2000-08-31 12:00:00 136,704 ----a-w C:\WINDOWS\swsc.exe
+ 2000-08-31 12:00:00 212,480 ----a-w C:\WINDOWS\swxcacls.exe
+ 2007-07-24 19:17:08 81,920 ----a-w C:\WINDOWS\system32\dns-sd.exe
+ 2007-07-24 19:17:08 61,440 ----a-w C:\WINDOWS\system32\dnssd.dll
+ 2007-07-11 18:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 17:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
- 2005-02-02 07:21:04 14,408 ----a-w C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
+ 2006-09-19 18:44:04 15,664 ----a-w C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
+ 2007-08-07 17:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2008-02-18 15:16:24 30,464 -c--a-w C:\WINDOWS\system32\DRVSTORE\usbaapl_4351B7DAFF62FD33510D77DFAE3CF8CC82517571\usbaapl.sys
- 2005-05-31 16:20:36 79,432 ----a-w C:\WINDOWS\system32\GEARAspi.dll
+ 2006-10-03 23:47:52 109,360 ----a-w C:\WINDOWS\system32\GEARAspi.dll
+ 2007-12-14 16:32:52 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
+ 2000-08-31 12:00:00 49,152 ----a-w C:\WINDOWS\VFind.exe
+ 2006-12-02 02:54:32 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-02 02:54:34 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 02:54:32 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2000-08-31 12:00:00 68,096 ----a-w C:\WINDOWS\zip.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26A12891-344D-4235-9AF5-07A1133A3196}]
C:\Program Files\support.com\tecoC:\DOCUME~1\balu\LOCALS~1\Temp\CEMG555077.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39951c6f-8fe6-4147-b250-1b8f13d182da}]
C:\WINDOWS\system32\msaa936.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8041E642-8CFC-4720-BC9D-D2DB8904286F}]
C:\Program Files\QdrDrive\QdrDrive12.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 12:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 20:42 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Windows KeyHook"="C:\WINDOWS\System32\keyhook.exe" [2004-04-16 18:53 249856]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2004-05-21 16:48 106496]
"SoundMan"="SOUNDMAN.EXE" [2004-05-21 16:51 66048 C:\WINDOWS\SOUNDMAN.EXE]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 21:44 65536]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2004-02-24 12:55 868352]
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 15:38 319488]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-05-14 16:53 32768]
"AGRSMMSG"="AGRSMMSG.exe" [2004-05-21 16:48 88363 C:\WINDOWS\AGRSMMSG.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-12-05 17:22 159744]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-04 00:05 32881]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-09 14:49 180269]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 19:00 579072]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-11-10 12:52 34832]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 12:42 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2004-05-29 05:06:05 335872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"4Tu0IEW7UZ"= C:\WINDOWS\jchylgfa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\msaa936]
msaa936.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 M2500;802.11g Wireless Network Driver;C:\WINDOWS\system32\DRIVERS\M2500.sys [2004-09-10 00:30]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-06 19:27:07 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-06 15:45:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-06 15:45:55
ComboFix-quarantined-files.txt 2008-04-06 19:45:37
ComboFix2.txt 2008-03-30 15:29:27
ComboFix3.txt 2008-03-16 14:19:20
ComboFix4.txt 2008-03-15 16:05:22
ComboFix5.txt 2008-03-15 15:10:31
Pre-Run: 47,433,973,760 bytes free
Post-Run: 47,422,263,296 bytes free
.
2008-03-20 16:26:46 --- E O F ---



And here is the HijackThis log report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:46:36 PM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {26A12891-344D-4235-9AF5-07A1133A3196} - C:\Program Files\support.com\tecoC:\DOCUME~1\balu\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: (no name) - {39951c6f-8fe6-4147-b250-1b8f13d182da} - C:\WINDOWS\system32\msaa936.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: BndFibu7 IE Helper - {8041E642-8CFC-4720-BC9D-D2DB8904286F} - C:\Program Files\QdrDrive\QdrDrive12.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [4Tu0IEW7UZ] C:\WINDOWS\jchylgfa.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O15 - Trusted Zone: pna.utexas.edu
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} (SupportSoft External Control) - https://actsvr.comca..... Controls.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1143253056296
O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect....stConnect20.ocx
O20 - Winlogon Notify: msaa936 - msaa936.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 8678 bytes


Thanks!
  • 0

#6
eddie5659
Posted 07 April 2008 - 02:36 PM

eddie5659

    Trusted Helper

  • Malware Removal
  • 1,980 posts
  • MVP
Thanks :)


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.



Also, post a fresh ComboFix log as well as the MBAM log in your next reply.

eddie
  • 0

#7
balan42
Posted 08 April 2008 - 04:25 PM

balan42

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi Eddie,

Here is the Malwarebytes' report:

Malwarebytes' Anti-Malware 1.11
Database version: 603

Scan type: Quick Scan
Objects scanned: 34602
Time elapsed: 12 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{5a148cf2-9c7b-4499-8e25-c9383a5e8680} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{daa07812-5c88-4ccc-8d25-10fef65b77b1} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\BndFibu7.DLL (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BndFibu7.Band (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BndFibu7.Band.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BndFibu7.BHO (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BndFibu7.BHO.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\xflock (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\PostInstallC (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\XPdefender (Rogue.XPDefender) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\571.tmp (Adware.Purityscan) -> Quarantined and deleted successfully.
C:\WINDOWS\didduid.ini (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\apphelp32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\asferror32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\balu\results.txt (Malware.Trace) -> Quarantined and deleted successfully.



And Here is the ComboFix report:

ComboFix 08-04-08.7 - balu 2008-04-08 18:18:48.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.168 [GMT -4:00]
Running from: C:\Documents and Settings\balu\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-08 to 2008-04-08 )))))))))))))))))))))))))))))))
.

2008-04-08 17:57 . 2008-04-08 17:57 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-08 17:57 . 2008-04-08 17:57 <DIR> d-------- C:\Documents and Settings\balu\Application Data\Malwarebytes
2008-04-08 17:57 . 2008-04-08 17:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-05 07:49 . 2008-04-05 07:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-04 20:29 . 2008-04-04 20:29 <DIR> d-------- C:\Program Files\Panda Security
2008-04-04 20:03 . 2008-04-04 20:03 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-04 20:03 . 2008-04-04 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-04 20:02 . 2008-04-04 20:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-04 18:17 . 2008-04-04 18:17 <DIR> d-------- C:\spybot
2008-04-04 18:08 . 2008-04-04 18:08 <DIR> d-------- C:\Program Files\CleanUp!
2008-04-04 18:02 . 2004-05-29 05:06 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-04 18:02 . 2004-05-29 09:44 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-04-04 18:02 . 2004-06-15 02:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-04 18:02 . 2004-06-10 06:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Roxio
2008-04-04 18:02 . 2004-06-11 03:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2008-04-04 18:02 . 2004-06-02 05:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-04-04 17:51 . 2008-04-04 18:00 <DIR> d-------- C:\cwshredder
2008-03-31 22:51 . 2008-03-31 22:51 <DIR> d-------- C:\Program Files\Bonjour
2008-03-31 22:49 . 2008-04-08 17:48 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-31 22:49 . 2008-03-31 22:49 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-31 22:48 . 2008-03-31 22:48 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-03-31 22:48 . 2008-03-31 22:48 <DIR> d-------- C:\Program Files\Apple Software Update
2008-03-31 22:47 . 2008-03-31 22:47 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-03-31 22:47 . 2008-03-31 22:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-03-16 15:20 . 2008-03-16 15:32 <DIR> d-------- C:\Documents and Settings\balu\Application Data\gtk-2.0
2008-03-16 15:20 . 2008-03-16 15:20 <DIR> d-------- C:\Documents and Settings\balu\.thumbnails
2008-03-16 15:16 . 2008-03-16 15:42 <DIR> d-------- C:\Documents and Settings\balu\.gimp-2.4
2008-03-16 15:14 . 2008-03-16 15:14 <DIR> d-------- C:\GIMP
2008-03-15 23:29 . 2008-03-15 23:29 2,732 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
2008-03-15 19:38 . 2007-07-09 09:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-03-11 17:47 . 2008-04-04 18:26 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-09 21:09 . 2008-03-09 21:09 <DIR> d-------- C:\WINDOWS\vmtbflgl
2008-03-09 21:09 . 2008-03-09 21:09 189,952 --a------ C:\WINDOWS\fsvyjmnu.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-05 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-01 02:53 --------- d-----w C:\Program Files\iTunes
2008-04-01 02:52 --------- d-----w C:\Program Files\iPod
2008-04-01 02:50 --------- d-----w C:\Program Files\QuickTime
2008-04-01 02:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-15 13:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-02-12 01:18 --------- d-----w C:\Program Files\DivX
2006-01-30 15:38 36,488,456 ----a-w C:\Program Files\iTunesSetup.exe
2001-09-11 21:27 5 ----a-w C:\Documents and Settings\balu\outfile.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26A12891-344D-4235-9AF5-07A1133A3196}]
C:\Program Files\support.com\tecoC:\DOCUME~1\balu\LOCALS~1\Temp\CEMG555077.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39951c6f-8fe6-4147-b250-1b8f13d182da}]
C:\WINDOWS\system32\msaa936.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8041E642-8CFC-4720-BC9D-D2DB8904286F}]
C:\Program Files\QdrDrive\QdrDrive12.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 12:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 20:42 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Windows KeyHook"="C:\WINDOWS\System32\keyhook.exe" [2004-04-16 18:53 249856]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2004-05-21 16:48 106496]
"SoundMan"="SOUNDMAN.EXE" [2004-05-21 16:51 66048 C:\WINDOWS\SOUNDMAN.EXE]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 21:44 65536]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2004-02-24 12:55 868352]
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 15:38 319488]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-05-14 16:53 32768]
"AGRSMMSG"="AGRSMMSG.exe" [2004-05-21 16:48 88363 C:\WINDOWS\AGRSMMSG.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-12-05 17:22 159744]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-04 00:05 32881]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-09 14:49 180269]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 19:00 579072]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-11-10 12:52 34832]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 12:42 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2004-05-29 05:06:05 335872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"4Tu0IEW7UZ"= C:\WINDOWS\jchylgfa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\msaa936]
msaa936.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 M2500;802.11g Wireless Network Driver;C:\WINDOWS\system32\DRIVERS\M2500.sys [2004-09-10 00:30]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-08 21:51:33 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-08 18:21:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-08 18:22:01
ComboFix-quarantined-files.txt 2008-04-08 22:21:43
ComboFix2.txt 2008-04-06 19:45:57
ComboFix3.txt 2008-03-30 15:29:27
ComboFix4.txt 2008-03-16 14:19:20
ComboFix5.txt 2008-03-15 16:05:22
Pre-Run: 47,249,809,408 bytes free
Post-Run: 47,239,811,072 bytes free
.
2008-03-20 16:26:46 --- E O F ---

Thanks for the help!
  • 0

#8
eddie5659
Posted 09 April 2008 - 02:34 PM

eddie5659

    Trusted Helper

  • Malware Removal
  • 1,980 posts
  • MVP
Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan"box on the top of the page:

    • C:\WINDOWS\fsvyjmnu.dll
  • Click on the submit button


Do the same for these files as well:

C:\WINDOWS\system32\msaa936.dll
C:\WINDOWS\jchylgfa.exe


Please post the results in your next reply.


eddie
  • 0

#9
balan42
Posted 09 April 2008 - 05:39 PM

balan42

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi Eddie, Here is the report

File: fsvyjmnu.dll

Scan taken on 09 Apr 2008 23:33:03 (GMT)
A-Squared Found nothing
AntiVir Found TR/Crypt.XPACK.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan.Win32.Obfuscated.gx
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found Trojan.Win32.Obfuscated.gx
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


C:\WINDOWS\system32\msaa936.dll
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file


C:\WINDOWS\jchylgfa.exe
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
  • 0

#10
eddie5659
Posted 10 April 2008 - 04:11 PM

eddie5659

    Trusted Helper

  • Malware Removal
  • 1,980 posts
  • MVP
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Then, re-open HiJackThis and scan. Check the boxes of all the entries listed below.

O2 - BHO: BndFibu7 IE Helper - {8041E642-8CFC-4720-BC9D-D2DB8904286F} - C:\Program Files\QdrDrive\QdrDrive12.dll (file missing)
O2 - BHO: (no name) - {26A12891-344D-4235-9AF5-07A1133A3196} - C:\Program Files\support.com\tecoC:\DOCUME~1\balu\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: (no name) - {39951c6f-8fe6-4147-b250-1b8f13d182da} - C:\WINDOWS\system32\msaa936.dll (file missing)


Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs in the Control Panel(if present):

QdrDrive
Internet Speed Monitor

Please delete these folders using Windows Explorer(if present):

C:\Program Files\QdrDrive

Reboot to Windows.


Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\fsvyjmnu.dll
C:\WINDOWS\system32\msaa936.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Please go to UploadMalware to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for this filename: C:\WINDOWS\jchylgfa.exe
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File




Then, on your next reply, post a fresh HijackThis log, ComboFix log and the OTMoveIt log.

eddie

Edited by eddie5659, 10 April 2008 - 04:33 PM.

  • 0

Advertisements

#11
balan42
Posted 10 April 2008 - 05:05 PM

balan42

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi Eddie! This is what I did:

1. I ran ATF cleaner and did whatever you asked me to.
2. I ran HijackThis and checked the three files/objects and fixed it.
3. I ran in SafeMode and checked for those programs you mentioned in Add\Remove prorgams. Didn't find 'em.
4. Checked using windows explorer. There is no folder C:\Program Files\QdrDrive
5. Ran OTMoveIt2. Pasted those two files. It did NOT find them. I verified using windows explorer. Its not there. So there is no OTMoveIt2 report.
6. I tried to upload the file C:\WINDOWS\jchylgfa.exe. Again it said it did not find it. I looked using windows explorer and it is not there.

So I am posting the HijackThis log and combofix log.



HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:48:36 PM, on 4/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\keyhook.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\balu\Desktop\OTMoveIt2.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [4Tu0IEW7UZ] C:\WINDOWS\jchylgfa.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O15 - Trusted Zone: pna.utexas.edu
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} (SupportSoft External Control) - https://actsvr.comca..... Controls.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1143253056296
O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect....stConnect20.ocx
O20 - Winlogon Notify: msaa936 - msaa936.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 8261 bytes




Here is the ComboFix log:



ComboFix 08-04-08.7 - balu 2008-04-10 18:49:31.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.198 [GMT -4:00]
Running from: C:\Documents and Settings\balu\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.

2008-04-10 18:43 . 2008-04-10 18:43 <DIR> d-------- C:\_OTMoveIt
2008-04-08 17:57 . 2008-04-08 17:57 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-08 17:57 . 2008-04-08 17:57 <DIR> d-------- C:\Documents and Settings\balu\Application Data\Malwarebytes
2008-04-08 17:57 . 2008-04-08 17:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-05 07:49 . 2008-04-05 07:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-04 20:29 . 2008-04-04 20:29 <DIR> d-------- C:\Program Files\Panda Security
2008-04-04 20:03 . 2008-04-04 20:03 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-04 20:03 . 2008-04-04 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-04 20:02 . 2008-04-04 20:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-04 18:17 . 2008-04-04 18:17 <DIR> d-------- C:\spybot
2008-04-04 18:08 . 2008-04-04 18:08 <DIR> d-------- C:\Program Files\CleanUp!
2008-04-04 18:02 . 2004-05-29 05:06 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-04 18:02 . 2004-05-29 09:44 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-04-04 18:02 . 2004-06-15 02:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-04 18:02 . 2004-06-10 06:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Roxio
2008-04-04 18:02 . 2004-06-11 03:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2008-04-04 18:02 . 2004-06-02 05:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-04-04 17:51 . 2008-04-04 18:00 <DIR> d-------- C:\cwshredder
2008-03-31 22:51 . 2008-03-31 22:51 <DIR> d-------- C:\Program Files\Bonjour
2008-03-31 22:49 . 2008-04-10 18:38 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-31 22:49 . 2008-03-31 22:49 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-31 22:48 . 2008-03-31 22:48 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-03-31 22:48 . 2008-03-31 22:48 <DIR> d-------- C:\Program Files\Apple Software Update
2008-03-31 22:47 . 2008-03-31 22:47 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-03-31 22:47 . 2008-03-31 22:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-03-16 15:20 . 2008-03-16 15:32 <DIR> d-------- C:\Documents and Settings\balu\Application Data\gtk-2.0
2008-03-16 15:20 . 2008-03-16 15:20 <DIR> d-------- C:\Documents and Settings\balu\.thumbnails
2008-03-16 15:16 . 2008-03-16 15:42 <DIR> d-------- C:\Documents and Settings\balu\.gimp-2.4
2008-03-16 15:14 . 2008-03-16 15:14 <DIR> d-------- C:\GIMP
2008-03-15 23:29 . 2008-03-15 23:29 2,732 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
2008-03-15 19:38 . 2007-07-09 09:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-03-11 17:47 . 2008-04-04 18:26 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-05 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-01 02:53 --------- d-----w C:\Program Files\iTunes
2008-04-01 02:52 --------- d-----w C:\Program Files\iPod
2008-04-01 02:50 --------- d-----w C:\Program Files\QuickTime
2008-04-01 02:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-15 13:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-02-12 01:18 --------- d-----w C:\Program Files\DivX
2006-01-30 15:38 36,488,456 ----a-w C:\Program Files\iTunesSetup.exe
2001-09-11 21:27 5 ----a-w C:\Documents and Settings\balu\outfile.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 12:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 20:42 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Windows KeyHook"="C:\WINDOWS\System32\keyhook.exe" [2004-04-16 18:53 249856]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2004-05-21 16:48 106496]
"SoundMan"="SOUNDMAN.EXE" [2004-05-21 16:51 66048 C:\WINDOWS\SOUNDMAN.EXE]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 21:44 65536]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2004-02-24 12:55 868352]
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 15:38 319488]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-05-14 16:53 32768]
"AGRSMMSG"="AGRSMMSG.exe" [2004-05-21 16:48 88363 C:\WINDOWS\AGRSMMSG.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-12-05 17:22 159744]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-04 00:05 32881]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-09 14:49 180269]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 19:00 579072]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-11-10 12:52 34832]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 12:42 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2004-05-29 05:06:05 335872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"4Tu0IEW7UZ"= C:\WINDOWS\jchylgfa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\msaa936]
msaa936.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 M2500;802.11g Wireless Network Driver;C:\WINDOWS\system32\DRIVERS\M2500.sys [2004-09-10 00:30]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-10 22:40:58 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 18:52:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-10 18:53:44
ComboFix-quarantined-files.txt 2008-04-10 22:53:27
ComboFix2.txt 2008-04-08 22:22:02
ComboFix3.txt 2008-04-06 19:45:57
ComboFix4.txt 2008-03-30 15:29:27
ComboFix5.txt 2008-03-16 14:19:20
Pre-Run: 47,835,897,856 bytes free
Post-Run: 47,825,072,128 bytes free
.
2008-03-20 16:26:46 --- E O F ---

Thanks Eddie!
  • 0

#12
eddie5659
Posted 13 April 2008 - 08:38 AM

eddie5659

    Trusted Helper

  • Malware Removal
  • 1,980 posts
  • MVP
Sorry for the late reply, was ill since Thursday, and just about feeling okay now.

Anyway, back to the post :)

Don't worry about OTMoveIt not finding the files. It was just a failsafe, in case HijackThis didn't remove them.


Re-open HiJackThis and scan. Check the boxes of all the entries listed below.

O4 - HKLM\..\Policies\Explorer\Run: [4Tu0IEW7UZ] C:\WINDOWS\jchylgfa.exe
O20 - Winlogon Notify: msaa936 - msaa936.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Reboot your computer.


Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. Please follow these steps to remove older version Java components and update:

Updating Java and Clearing Cache
  • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
  • If you are unable to update you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked
    Downloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.


Then post a fresh HijackThis log.

eddie
  • 0

#13
balan42
Posted 13 April 2008 - 09:48 AM

balan42

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi Eddie!

I did all that you asked me to do. Here is the HIjackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:45 AM, on 4/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O15 - Trusted Zone: pna.utexas.edu
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} (SupportSoft External Control) - https://actsvr.comca..... Controls.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1143253056296
O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect....stConnect20.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 8203 bytes

Thanks!
  • 0

#14
eddie5659
Posted 13 April 2008 - 12:56 PM

eddie5659

    Trusted Helper

  • Malware Removal
  • 1,980 posts
  • MVP
How's the computer running now?



We have a couple of last steps to perform and then you're all set.


Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image



First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)1. Turn off System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.

3. Turn ON System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
[/list]System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 2 free ones available for personal use:and a good antivirus (these are also free for personal use):It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit monthly. And to keep your system clean run these free malware scanners
weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!
  • 0

#15
balan42
Posted 14 April 2008 - 06:05 PM

balan42

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Eddie,

Thanks so much for all the help. Things are much better. But I have one problem which was the main reason I came on this forum. As I said in my first post, when I am watching movies online in full screen, from a website like youtube or megavideo, the picture freezes and crawls along but the sound is fine. At that time, I have noticed that the laptop is very hot when that happens. Now I have started to use the ATFCleaner to delete all the temporary internet files before I play a long movie as I thought that might be one of the reasons. Do you have any suggestions? Or is it just my laptop? But thanks anyway eddie for your time.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP