Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

trojanspm lx removal [RESOLVED]


  • This topic is locked This topic is locked

#1
airstrike99

airstrike99

    New Member

  • Member
  • Pip
  • 5 posts
Hello,

I have been infected with a trojan on my pc. I believe it is Trojanspm lx.

Hijack This log follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:57:41 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE
c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NetProject\scit.exe
C:\Program Files\NetProject\sbmntr.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NetProject\scm.exe
C:\Program Files\NetProject\sbsm.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The BOB&TOM Media Center\The BOB&TOM Media Center.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\vghd\vghd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\SRVLOAD.EXE
C:\Program Files\vghd\VirtuaGirl_downloader.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\WebProxy.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavBckPT.exe
C:\Program Files\NetProject\sbsm.exe
C:\Program Files\NetProject\sbsm.exe
C:\Program Files\NetProject\sbsm.exe
C:\Program Files\NetProject\sbsm.exe
C:\Program Files\NetProject\sbsm.exe
C:\Program Files\NetProject\sbsm.exe
C:\Program Files\NetProject\sbsm.exe
C:\Program Files\NetProject\sbsm.exe
C:\Program Files\NetProject\sbsm.exe
C:\Program Files\NetProject\sbsm.exe
C:\Program Files\NetProject\sbsm.exe
C:\Program Files\NetProject\sbsm.exe
C:\Program Files\NetProject\sbsm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: 209789 helper - {5C78E2DB-5AFC-4A3B-9B9F-6AF136562E6F} - C:\WINDOWS\system32\209789\209789.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - C:\Program Files\NetProject\sbmdl.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O3 - Toolbar: Internet Service - {DB9FBA9D-AB1B-4CC6-9745-F3B549D64E40} - C:\Program Files\NetProject\wamdl.dll
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Internet Security 2008\Inicio.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [The BOB&TOM Show] C:\Program Files\The BOB&TOM Media Center\The BOB&TOM Media Center.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
O4 - Startup: VirtuaGirl HD.LNK = C:\Program Files\vghd\vghd.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ieservice...om/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ieservice...om/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1205341450203
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O22 - SharedTaskScheduler: important - {9c87cb31-93d0-4f3e-a360-4a91ff77aeb7} - C:\WINDOWS\system32\dcggain.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe

--
End of file - 10372 bytes
  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Uninstall the following via the Add/Remove Panel (Start->Settings->Control Panel->Add/Remove Programs) if found:

209789 helper
NetProject
VirtuaGirl


Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: 209789 helper - {5C78E2DB-5AFC-4A3B-9B9F-6AF136562E6F} - C:\WINDOWS\system32\209789\209789.dll
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - C:\Program Files\NetProject\sbmdl.dll
O3 - Toolbar: Internet Service - {DB9FBA9D-AB1B-4CC6-9745-F3B549D64E40} - C:\Program Files\NetProject\wamdl.dll
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
O4 - Startup: VirtuaGirl HD.LNK = C:\Program Files\vghd\vghd.exe
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ieservice...om/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ieservice...om/redirect.php (file missing)
O22 - SharedTaskScheduler: important - {9c87cb31-93d0-4f3e-a360-4a91ff77aeb7} - C:\WINDOWS\system32\dcggain.dll


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\WINDOWS\system32\209789\
C:\Program Files\NetProject\
C:\Program Files\vghd\
C:\WINDOWS\system32\dcggain.dll


Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.

Download SmitfraudFix at http://siri.urz.free...mitfraudFix.zip and extract the content (a folder named SmitfraudFix) to your desktop.

Open the SmitfraudFix folder. Double-click on smitfraudfix.cmd and select option #1 - Search by typing 1 and press Enter. A text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 or any other option until you are directed to do so!

NOTE: process.exe is detected by some antivirus programs as a Risk Tool. It is not a virus. If you get this detected, ignore it.

  • 0

#3
airstrike99

airstrike99

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Thank you greyknight17.

My ComboFix log follows:

ComboFix 08-04-12.5 - Keith Didion 2008-04-13 1:59:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.404 [GMT -5:00]
Running from: C:\Documents and Settings\Keith Didion.KEITH-AA46418D1\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\start.exe
C:\WINDOWS\Web\default.htt
G:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
.

2008-04-08 21:07 . 2008-04-13 01:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-08 21:07 . 2008-04-08 21:07 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-08 18:56 . 2008-04-08 18:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-20 10:26 . 2008-03-20 10:26 <DIR> d-------- C:\Program Files\The BOB&TOM Media Center
2008-03-20 10:25 . 2008-03-20 10:27 <DIR> d-------- C:\Documents and Settings\Keith Didion.KEITH-AA46418D1\Application Data\Premiere
2008-03-13 20:59 . 2008-03-13 20:59 <DIR> d-------- C:\Documents and Settings\Keith Didion.KEITH-AA46418D1\WINDOWS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 06:59 271,016 ----a-w C:\WINDOWS\system32\drivers\APPFCONT.DAT.bck
2008-04-13 06:59 271,016 ----a-w C:\WINDOWS\system32\drivers\APPFCONT.DAT
2008-04-13 06:59 1,324 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG.bck
2008-04-13 06:59 1,324 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG
2008-04-13 06:48 13,880 ----a-w C:\WINDOWS\system32\drivers\COMFiltr.sys
2008-04-11 01:15 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-04-08 04:24 --------- d-----w C:\Program Files\Panda Security
2008-03-31 05:09 --------- d-----w C:\Documents and Settings\Keith Didion.KEITH-AA46418D1\Application Data\Apple Computer
2008-03-20 16:24 48 ----a-w C:\WINDOWS\system32\drivers\wnmsav.dat
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-17 04:52 --------- d-----w C:\Program Files\support.com
2008-03-14 02:00 --------- d-----w C:\Program Files\LexmarkX83
2008-03-12 22:58 --------- d-----w C:\Program Files\Yahoo!
2008-03-12 22:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-12 19:10 633,344 ------w C:\WINDOWS\system32\gpprefcl.dll
2008-03-12 18:47 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-03-12 16:58 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Office Genuine Advantage
2008-03-11 15:24 --------- d-----w C:\Program Files\Common Files\SupportSoft
2008-03-09 19:16 --------- d-----w C:\Program Files\Coupons
2008-03-09 18:32 --------- d-----w C:\Program Files\Java
2008-03-08 20:24 --------- d-----w C:\Program Files\iTunes
2008-03-08 20:23 --------- d-----w C:\Program Files\QuickTime
2008-03-08 20:23 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-03-08 20:22 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2008-03-08 14:55 --------- d-----w C:\Program Files\The Weather Channel Toolbar
2008-03-08 14:54 --------- d-----w C:\Program Files\The Weather Channel FW
2008-03-06 04:11 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-04 15:43 --------- d-----w C:\Program Files\Microsoft Works
2008-03-04 15:32 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-04 15:29 --------- d-----w C:\Program Files\Common Files\L&H
2008-03-04 14:29 327,680 ----a-w C:\WINDOWS\system32\TwcToolbarIe7.dll
2008-03-04 14:25 98,304 ----a-w C:\WINDOWS\system32\TwcToolbarBho.dll
2008-03-04 03:26 --------- d-----w C:\Documents and Settings\Keith Didion.KEITH-AA46418D1\Application Data\Uniblue
2008-03-04 03:05 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-03-04 03:05 --------- d-----w C:\Documents and Settings\Keith Didion.KEITH-AA46418D1\Application Data\SystemRequirementsLab
2008-03-03 06:51 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\NVIDIA
2008-03-03 06:23 --------- d-----w C:\Program Files\LucasArts
2008-03-03 06:22 --------- d-----w C:\Documents and Settings\Keith Didion.KEITH-AA46418D1\Application Data\InstallShield
2008-03-03 03:49 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\sentinel
2008-03-03 03:46 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Backup
2008-03-03 03:43 --------- d-----w C:\Documents and Settings\Keith Didion.KEITH-AA46418D1\Application Data\Thunderbird
2008-03-03 03:43 --------- d-----w C:\Documents and Settings\Keith Didion.KEITH-AA46418D1\Application Data\Talkback
2008-03-03 03:20 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Thunderbird
2008-03-03 03:20 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Talkback
2008-03-03 01:05 --------- d-----w C:\Program Files\Common Files\Panda Software
2008-03-02 02:07 --------- d-----w C:\Program Files\Western Digital
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-23 17:11 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-15 00:47 --------- d-----w C:\Program Files\D-Link
2008-02-15 00:47 --------- d-----w C:\Program Files\ANI
2008-02-07 03:53 21,840 -c---tw C:\WINDOWS\system32\SIntfNT.dll
2008-02-07 03:53 17,212 -c---tw C:\WINDOWS\system32\SIntf32.dll
2008-02-07 03:53 12,067 -c---tw C:\WINDOWS\system32\SIntf16.dll
2008-02-05 00:23 693,792 ----a-w C:\WINDOWS\system32\OGACheckControl.DLL
2007-05-10 20:35 219,488 ----a-w C:\Program Files\MSWRD832.CNV
2007-05-10 20:35 120,160 ----a-w C:\Program Files\MSCONV97.DLL
2006-06-21 04:36 215,848 ----a-w C:\Program Files\richink.dll
2005-02-24 12:50 266 --sh--w C:\Program Files\desktop.ini
2005-02-24 12:50 11,079 -c-ha-w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-10-22 09:58 1885464]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 14:39 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-12-20 09:10 715888]
"The BOB&TOM Show"="C:\Program Files\The BOB&TOM Media Center\The BOB&TOM Media Center.exe" [2005-06-08 12:00 983040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.exe" [2007-07-23 19:30 406832]
"SCANINICIO"="C:\Program Files\Panda Security\Panda Internet Security 2008\Inicio.exe" [2007-07-11 16:17 27952]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\SOUNDMAN.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"Lexmark X83 Button Monitor"="C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe" [2001-10-18 11:25 40960]
"Lexmark X83 Button Manager"="C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe" [2001-06-14 13:42 53248]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2002-06-27 04:47 36864]

C:\Documents and Settings\Keith Didion.KEITH-AA46418D1\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 17:34:48 3746856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 21:02 50736 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Republic Commando\\GameData\\System\\SWRepublicCommando.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 APPFLT;App Filter Plugin;C:\WINDOWS\system32\Drivers\APPFLT.SYS [2007-05-11 10:33]
R1 DSAFLT;DSA Filter Plugin;C:\WINDOWS\system32\Drivers\DSAFLT.SYS [2007-05-11 10:33]
R1 FNETMON;NetMon Filter Plugin;C:\WINDOWS\system32\Drivers\fnetmon.SYS [2007-05-11 10:33]
R1 IDSFLT;Ids Filter Plugin;C:\WINDOWS\system32\Drivers\IDSFLT.SYS [2007-07-11 12:39]
R1 NETFLTDI;Panda Net Driver [TDI Layer];C:\WINDOWS\system32\Drivers\NETFLTDI.SYS [2007-05-11 10:33]
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\Drivers\ShlDrv51.sys [2007-05-23 09:40]
R1 SMSFLT;SMS Filter Plugin;C:\WINDOWS\system32\Drivers\SMSFLT.SYS [2007-05-11 10:33]
R1 WNMFLT;Wifi Monitor Filter Plugin;C:\WINDOWS\system32\Drivers\WNMFLT.SYS [2007-05-11 10:33]
R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\Drivers\cpoint.sys [2007-06-08 09:44]
R2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [2007-07-12 07:49]
R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
R3 NETIMFLT;PANDA NDIS IM Filter Miniport;C:\WINDOWS\system32\DRIVERS\netimflt.sys [2007-04-24 16:43]
R3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys []
R3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys []
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2007-05-23 05:15]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-08 04:36:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-08 12:41:58 C:\WINDOWS\Tasks\At1.job"
- C:\Program Files\Panda Security\Panda Internet Security 2008\PAVJOBS.EXEn/PROGRAMADA PAV5.tsk PAV_FOG.OPC
"2008-04-12 05:00:00 C:\WINDOWS\Tasks\Basic clean-up.job"
- C:\Program Files\Panda Software\Panda Internet Security 2007\PlaTasks.exe
"2008-04-06 07:00:58 C:\WINDOWS\Tasks\Maintenance-Defragment programs.job"
- C:\WINDOWS\DEFRAG.EXE
"2008-04-01 06:30:00 C:\WINDOWS\Tasks\Maintenance-Disk cleanup.job"
- C:\WINDOWS\CLEANMGR.EXE
"2008-04-06 05:00:00 C:\WINDOWS\Tasks\Tune-up Application Start.job"
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 02:01:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-13 2:01:40
ComboFix-quarantined-files.txt 2008-04-13 07:01:29
Pre-Run: 139,769,552,896 bytes free
Post-Run: 139,759,661,056 bytes free
.
2008-04-09 03:41:01 --- E O F ---
  • 0

#4
airstrike99

airstrike99

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
This is my SmitfraudFix log:

SmitFraudFix v2.312

Scan done at 2:25:31.93, Sun 04/13/2008
Run from C:\Documents and Settings\Keith Didion.KEITH-AA46418D1\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE
c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\The BOB&TOM Media Center\The BOB&TOM Media Center.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavBckPT.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\Tasks\At?.job FOUND !
C:\WINDOWS\Tasks\At??.job FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\migicons.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Keith Didion.KEITH-AA46418D1


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Keith Didion.KEITH-AA46418D1\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\KEITHD~1.KEI\FAVORI~1

C:\DOCUME~1\KEITHD~1.KEI\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 68.87.72.130
DNS Server Search Order: 68.87.77.130

HKLM\SYSTEM\CCS\Services\Tcpip\..\{50DCFFB9-7EAB-4CD8-B748-67511CDF2260}: DhcpNameServer=68.87.72.130 68.87.77.130
HKLM\SYSTEM\CS1\Services\Tcpip\..\{50DCFFB9-7EAB-4CD8-B748-67511CDF2260}: DhcpNameServer=68.87.72.130 68.87.77.130
HKLM\SYSTEM\CS1\Services\Tcpip\..\{701E5CD9-EB81-4FE7-90D0-0FB7A65227E3}: DhcpNameServer=68.87.72.130 68.87.77.130
HKLM\SYSTEM\CS2\Services\Tcpip\..\{50DCFFB9-7EAB-4CD8-B748-67511CDF2260}: DhcpNameServer=68.87.72.130 68.87.77.130
HKLM\SYSTEM\CS3\Services\Tcpip\..\{50DCFFB9-7EAB-4CD8-B748-67511CDF2260}: DhcpNameServer=68.87.72.130 68.87.77.130
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.72.130 68.87.77.130


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

#5
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

File::
C:\WINDOWS\system32\gpprefcl.dll
C:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Online Security Guide.url
C:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Security Troubleshooting.url
C:\WINDOWS\system32\migicons.exe
C:\WINDOWS\Tasks\At1.job

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

How is everything running so far?
  • 0

#6
airstrike99

airstrike99

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
PC seems to be good right now. A day or two after my initial post, Windows Update installed Aprils Malicious Software Removal Tool, which I think did remove something from the PC.

My internet seems to be a little erratic. Pages taking longer to load than normal. I haven't had the chance to plug my laptop into my network (left it at work) to see if it's my modem/router. ISP is Comcast which has recently acquired my area from Insight. I wouldn't be surprised if page load times might be related to any switchover they may be doing.

Thanks for your help so far.

Most recent ComboFix log:

ComboFix 08-04-12.5 - Keith Didion 2008-04-13 23:32:49.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.412 [GMT -5:00]
Running from: C:\Documents and Settings\Keith Didion.KEITH-AA46418D1\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Keith Didion.KEITH-AA46418D1\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Online Security Guide.url
C:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Security Troubleshooting.url
C:\WINDOWS\system32\gpprefcl.dll
C:\WINDOWS\system32\migicons.exe
C:\WINDOWS\Tasks\At1.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Online Security Guide.url
C:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Security Troubleshooting.url
C:\WINDOWS\system32\gpprefcl.dll
C:\WINDOWS\system32\migicons.exe
C:\WINDOWS\Tasks\At1.job

.
((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
.

2008-04-13 02:25 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-13 02:25 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-13 02:25 . 2008-04-12 17:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-13 02:25 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-13 02:25 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-13 02:25 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-13 02:25 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-13 02:25 . 2008-04-13 02:25 3,044 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-08 21:07 . 2008-04-13 18:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-08 21:07 . 2008-04-08 21:07 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-08 18:56 . 2008-04-08 18:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-20 10:26 . 2008-03-20 10:26 <DIR> d-------- C:\Program Files\The BOB&TOM Media Center
2008-03-20 10:25 . 2008-03-20 10:27 <DIR> d-------- C:\Documents and Settings\Keith Didion.KEITH-AA46418D1\Application Data\Premiere

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 23:17 271,016 ----a-w C:\WINDOWS\system32\drivers\APPFCONT.DAT.bck
2008-04-13 23:17 271,016 ----a-w C:\WINDOWS\system32\drivers\APPFCONT.DAT
2008-04-13 23:17 13,880 ----a-w C:\WINDOWS\system32\drivers\COMFiltr.sys
2008-04-13 23:17 1,324 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG.bck
2008-04-13 23:17 1,324 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG
2008-04-13 16:41 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-04-08 04:24 --------- d-----w C:\Program Files\Panda Security
2008-03-31 05:09 --------- d-----w C:\Documents and Settings\Keith Didion.KEITH-AA46418D1\Application Data\Apple Computer
2008-03-20 16:24 48 ----a-w C:\WINDOWS\system32\drivers\wnmsav.dat
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-17 04:52 --------- d-----w C:\Program Files\support.com
2008-03-14 02:00 --------- d-----w C:\Program Files\LexmarkX83
2008-03-12 22:58 --------- d-----w C:\Program Files\Yahoo!
2008-03-12 22:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-12 18:47 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-03-12 16:58 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Office Genuine Advantage
2008-03-11 15:24 --------- d-----w C:\Program Files\Common Files\SupportSoft
2008-03-09 19:16 --------- d-----w C:\Program Files\Coupons
2008-03-09 18:32 --------- d-----w C:\Program Files\Java
2008-03-08 20:24 --------- d-----w C:\Program Files\iTunes
2008-03-08 20:23 --------- d-----w C:\Program Files\QuickTime
2008-03-08 20:23 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-03-08 20:22 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2008-03-08 14:55 --------- d-----w C:\Program Files\The Weather Channel Toolbar
2008-03-08 14:54 --------- d-----w C:\Program Files\The Weather Channel FW
2008-03-06 04:11 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-04 15:43 --------- d-----w C:\Program Files\Microsoft Works
2008-03-04 15:32 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-04 15:29 --------- d-----w C:\Program Files\Common Files\L&H
2008-03-04 14:29 327,680 ----a-w C:\WINDOWS\system32\TwcToolbarIe7.dll
2008-03-04 14:25 98,304 ----a-w C:\WINDOWS\system32\TwcToolbarBho.dll
2008-03-04 03:26 --------- d-----w C:\Documents and Settings\Keith Didion.KEITH-AA46418D1\Application Data\Uniblue
2008-03-04 03:05 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-03-04 03:05 --------- d-----w C:\Documents and Settings\Keith Didion.KEITH-AA46418D1\Application Data\SystemRequirementsLab
2008-03-03 06:51 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\NVIDIA
2008-03-03 06:23 --------- d-----w C:\Program Files\LucasArts
2008-03-03 06:22 --------- d-----w C:\Documents and Settings\Keith Didion.KEITH-AA46418D1\Application Data\InstallShield
2008-03-03 03:49 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\sentinel
2008-03-03 03:46 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Backup
2008-03-03 03:43 --------- d-----w C:\Documents and Settings\Keith Didion.KEITH-AA46418D1\Application Data\Thunderbird
2008-03-03 03:43 --------- d-----w C:\Documents and Settings\Keith Didion.KEITH-AA46418D1\Application Data\Talkback
2008-03-03 03:20 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Thunderbird
2008-03-03 03:20 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Talkback
2008-03-03 01:05 --------- d-----w C:\Program Files\Common Files\Panda Software
2008-03-02 02:07 --------- d-----w C:\Program Files\Western Digital
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-23 17:11 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-15 00:47 --------- d-----w C:\Program Files\D-Link
2008-02-15 00:47 --------- d-----w C:\Program Files\ANI
2008-02-07 03:53 21,840 -c---tw C:\WINDOWS\system32\SIntfNT.dll
2008-02-07 03:53 17,212 -c---tw C:\WINDOWS\system32\SIntf32.dll
2008-02-07 03:53 12,067 -c---tw C:\WINDOWS\system32\SIntf16.dll
2008-02-05 00:23 693,792 ----a-w C:\WINDOWS\system32\OGACheckControl.DLL
2007-05-10 20:35 219,488 ----a-w C:\Program Files\MSWRD832.CNV
2007-05-10 20:35 120,160 ----a-w C:\Program Files\MSCONV97.DLL
2006-06-21 04:36 215,848 ----a-w C:\Program Files\richink.dll
2005-02-24 12:50 266 --sh--w C:\Program Files\desktop.ini
2005-02-24 12:50 11,079 -c-ha-w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-10-22 09:58 1885464]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 14:39 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-12-20 09:10 715888]
"The BOB&TOM Show"="C:\Program Files\The BOB&TOM Media Center\The BOB&TOM Media Center.exe" [2005-06-08 12:00 983040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.exe" [2007-07-23 19:30 406832]
"SCANINICIO"="C:\Program Files\Panda Security\Panda Internet Security 2008\Inicio.exe" [2007-07-11 16:17 27952]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\SOUNDMAN.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"Lexmark X83 Button Monitor"="C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe" [2001-10-18 11:25 40960]
"Lexmark X83 Button Manager"="C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe" [2001-06-14 13:42 53248]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2002-06-27 04:47 36864]

C:\Documents and Settings\Keith Didion.KEITH-AA46418D1\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 17:34:48 3746856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 21:02 50736 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Republic Commando\\GameData\\System\\SWRepublicCommando.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 APPFLT;App Filter Plugin;C:\WINDOWS\system32\Drivers\APPFLT.SYS [2007-05-11 10:33]
R1 DSAFLT;DSA Filter Plugin;C:\WINDOWS\system32\Drivers\DSAFLT.SYS [2007-05-11 10:33]
R1 FNETMON;NetMon Filter Plugin;C:\WINDOWS\system32\Drivers\fnetmon.SYS [2007-05-11 10:33]
R1 IDSFLT;Ids Filter Plugin;C:\WINDOWS\system32\Drivers\IDSFLT.SYS [2007-07-11 12:39]
R1 NETFLTDI;Panda Net Driver [TDI Layer];C:\WINDOWS\system32\Drivers\NETFLTDI.SYS [2007-05-11 10:33]
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\Drivers\ShlDrv51.sys [2007-05-23 09:40]
R1 SMSFLT;SMS Filter Plugin;C:\WINDOWS\system32\Drivers\SMSFLT.SYS [2007-05-11 10:33]
R1 WNMFLT;Wifi Monitor Filter Plugin;C:\WINDOWS\system32\Drivers\WNMFLT.SYS [2007-05-11 10:33]
R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\Drivers\cpoint.sys [2007-06-08 09:44]
R2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [2007-07-12 07:49]
R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
R3 ComFiltr;Panda Anti-Dialer;C:\WINDOWS\system32\DRIVERS\COMFiltr.sys [2008-04-13 18:17]
R3 NETIMFLT;PANDA NDIS IM Filter Miniport;C:\WINDOWS\system32\DRIVERS\netimflt.sys [2007-04-24 16:43]
R3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys []
R3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys []
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2007-05-23 05:15]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-08 04:36:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-12 05:00:00 C:\WINDOWS\Tasks\Basic clean-up.job"
- C:\Program Files\Panda Software\Panda Internet Security 2007\PlaTasks.exe
"2008-04-06 07:00:58 C:\WINDOWS\Tasks\Maintenance-Defragment programs.job"
- C:\WINDOWS\DEFRAG.EXE
"2008-04-01 06:30:00 C:\WINDOWS\Tasks\Maintenance-Disk cleanup.job"
- C:\WINDOWS\CLEANMGR.EXE
"2008-04-06 05:00:00 C:\WINDOWS\Tasks\Tune-up Application Start.job"
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 23:36:24
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwClose, ZwEnumerateValueKey, ZwQueryValueKey, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-13 23:37:31
ComboFix-quarantined-files.txt 2008-04-14 04:37:25
ComboFix2.txt 2008-04-13 07:01:41
Pre-Run: 139,987,472,384 bytes free
Post-Run: 139,974,832,128 bytes free
.
2008-04-09 03:41:01 --- E O F ---
  • 0

#7
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Delete this file:

C:\WINDOWS\system32\drivers\wnmsav.dat

If you want you can try fixing these in HijackThis as well since they are unnecessary startup programs.

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe


Restart the computer.

Monitor the internet speed and let us know if it is indeed a ISP related issue. Get the laptop if you want to test it out fully.
  • 0

#8
airstrike99

airstrike99

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
I think everything is working fine now. I unplugged my modem and let it reset. Internet connection looks to be full speed.

Only odd thing was that when I left for work this morning, I was sure I placed my computer in standby mode. When I came home tonight, the computer was on. I will monitor this and post another topic if necessary.

Thanks for your assistance, greyknight17. :)
  • 0

#9
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Glad your issue is now resolved :)

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Go to Start->Run and type in Combofix /u to remove Combofix from your system.
  • 0

#10
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP