Help! Abebot Trojandownloader.xs

#1 DAYUM (New Member, 2 posts)

I have recently discovered that a trojan named Abebot/Trojandownloader.xs has snuck onto my new computer. I have run several recommended spyware removers, but to no avail; the trojan still stays. My Kaspersky Security keeps notifying me of all these other Trojans and viruses trying to get in.
My computer is slowing right down.

It has a little yellow exclamation logo that sits by the clock every now and then. It randomly opens blank Internet browsers, and a red fake security warning pops up all day long saying Abebot Severe Risk and Trojandownloader.xs with a link to what looks like a fake spyware remover site. Plus a blue fake Windows popup saying System Critical Error, you have spyware.

Please help me to get rid of this nasty trojan...
Thanks, Amanda

Here is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:45, on 2008-04-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\zgpwjytk\lencpgri.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\PDF Complete\pdfsty.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RealPopup\RealPopup.exe
C:\WINDOWS\system32\hedujitw.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [5013b5a8] rundll32.exe "C:\WINDOWS\system32\ojtaqonf.dll",b
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPopup] "C:\Program Files\RealPopup\RealPopup.exe" BOOT
O4 - HKCU\..\Run: [rhsfoyrc] C:\WINDOWS\system32\hedujitw.exe
O4 - HKCU\..\Run: [xfrybzve] C:\WINDOWS\system32\xgvmdezm.exe
O4 - HKCU\..\Run: [kfuxcynp] C:\WINDOWS\system32\pubotevq.exe
O4 - HKCU\..\Run: [kfevyvie] C:\WINDOWS\system32\evcnalsp.exe
O4 - HKLM\..\Policies\Explorer\Run: [qXSSfprdOv] C:\Documents and Settings\All Users\Application Data\zgpwjytk\lencpgri.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: RealPopup.lnk = C:\Program Files\RealPopup\RealPopup.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_NZ&c=74&bd=smb&pf=workstation
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1207084628537
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = goodguys.co.nz
O17 - HKLM\Software\..\Telephony: DomainName = goodguys.co.nz
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = goodguys.co.nz
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 9238 bytes

:)

#2 DAYUM (Topic Starter, New Member, 2 posts)

I have downloaded ComboFix and followed the instructions from another thread about a similar problem. What do I do from here? Thanks in advance.
It is 6pm here in NZ; I will check back either tonight or at 9am in the morning.

ComboFix 08-04-13.2 - amanda 2008-04-14 17:57:33.3 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1777 [GMT 12:00]
Running from: C:\Documents and Settings\amanda\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\fnoqatjo.ini
C:\WINDOWS\system32\NpYbeMoq.ini
C:\WINDOWS\system32\NpYbeMoq.ini2
C:\WINDOWS\system32\ojtaqonf.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
.

2008-04-14 18:00 . 2008-04-14 18:00 102,400 --a------ C:\WINDOWS\system32\wlotqhox.exe
2008-04-14 17:37 . 2008-04-14 17:37 102,400 --a------ C:\WINDOWS\system32\evcnalsp.exe
2008-04-14 17:24 . 2008-04-14 17:24 102,400 --a------ C:\WINDOWS\system32\pubotevq.exe
2008-04-14 16:49 . 2008-04-14 16:49 94,208 --a------ C:\WINDOWS\system32\xgvmdezm.exe
2008-04-11 10:21 . 2008-04-11 10:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-11 08:57 . 2008-04-11 08:57 <DIR> d-------- C:\Documents and Settings\amanda\Application Data\SampleView
2008-04-11 08:54 . 2008-04-11 08:54 3,648 --a------ C:\WINDOWS\system32\xuuvitjk.dll
2008-04-10 16:17 . 2008-04-10 16:17 2,556 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-10 16:16 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-10 16:16 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-10 16:16 . 2008-03-29 00:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-10 16:16 . 2008-04-08 22:44 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-10 16:16 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-10 16:16 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-10 16:16 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-10 15:19 . 2008-04-10 15:19 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-04-10 15:19 . 2008-04-10 15:19 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-04-10 15:18 . 2008-04-10 15:18 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-04-10 15:18 . 2008-04-14 18:01 3,204,128 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-10 15:18 . 2008-04-14 18:01 71,456 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-10 15:18 . 2008-04-14 17:55 49,160 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-10 15:18 . 2008-04-14 17:55 8,744 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-04-10 15:05 . 2008-04-10 15:05 <DIR> d-------- C:\kav
2008-04-10 14:02 . 2008-04-10 14:02 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-10 14:02 . 2008-04-14 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-10 12:58 . 2008-04-10 15:10 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-10 11:54 . 2008-04-11 09:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-10 11:12 . 2008-04-10 11:12 0 --a------ C:\WINDOWS\VPC32.INI
2008-04-09 09:14 . 2008-04-09 09:14 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-04-09 09:14 . 2008-04-09 09:14 <DIR> d-------- C:\Program Files\Microsoft Works
2008-04-09 09:10 . 2008-04-09 09:14 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-04-09 09:10 . 2008-04-09 09:10 <DIR> dr-h----- C:\MSOCache
2008-04-09 09:10 . 2008-04-11 14:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-07 17:00 . 2008-04-07 17:00 <DIR> d-------- C:\Documents and Settings\amanda\Application Data\Roxio
2008-04-07 14:23 . 2008-04-07 14:23 <DIR> d-------- C:\Documents and Settings\amanda\Application Data\RealPopup
2008-04-07 12:17 . 2008-04-07 12:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LightScribe
2008-04-03 19:22 . 2008-04-03 19:22 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-04-03 19:21 . 2008-04-03 19:24 <DIR> d-------- C:\Documents and Settings\amanda\Application Data\U3
2008-04-03 19:21 . 2004-08-03 23:08 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-03 08:23 . 2008-04-03 08:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-04-02 16:28 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-04-02 16:28 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-04-02 13:05 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-02 13:05 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-02 11:28 . 2008-04-02 11:28 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2008-04-02 11:04 . 2008-04-02 11:04 <DIR> d-------- C:\Documents and Settings\amanda\Application Data\AdobeUM
2008-04-02 10:40 . 2008-04-02 10:40 <DIR> d-------- C:\Documents and Settings\amanda\Contacts
2008-04-02 10:27 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-04-02 10:27 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-04-02 10:11 . 2008-04-02 10:11 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-02 10:10 . 2008-04-02 10:10 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-02 09:38 . 2007-07-10 01:16 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-02 09:16 . 2008-04-02 09:16 <DIR> d--hs---- C:\Documents and Settings\amanda\UserData
2008-04-02 09:11 . 2008-04-10 09:40 376 --a------ C:\WINDOWS\ODBC.INI
2008-04-02 09:03 . 2008-04-02 09:03 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-04-02 09:03 . 2004-08-17 12:40 16,384 --a------ C:\WINDOWS\system32\FileOps.exe
2008-04-02 08:52 . 2008-04-02 08:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-04-02 08:50 . 2008-04-02 08:50 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-04-02 08:38 . 2008-03-14 13:37 <DIR> d-------- C:\Documents and Settings\amanda\Application Data\InstallShield
2008-04-02 08:38 . 2008-04-14 16:47 <DIR> d-------- C:\Documents and Settings\amanda
2008-04-02 08:38 . 2008-04-02 08:38 268 --ah----- C:\sqmdata00.sqm
2008-04-02 08:38 . 2008-04-02 08:38 244 --ah----- C:\sqmnoopt00.sqm
2008-04-02 08:34 . 2008-04-02 08:34 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-02 08:30 . 2008-04-10 15:14 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2008-04-02 08:30 . 2008-04-10 15:14 <DIR> d-------- C:\Program Files\Symantec
2008-04-02 08:30 . 2008-04-02 08:33 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-02 08:30 . 2008-04-10 15:14 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-02 08:30 . 2008-04-10 15:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-02 08:29 . 2008-04-02 08:33 <DIR> d-------- C:\Program Files\Windows Live
2008-04-02 08:29 . 2008-04-02 08:29 <DIR> d-------- C:\Program Files\RealPopup
2008-04-02 08:29 . 2008-04-02 08:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-02 08:29 . 2008-04-02 08:29 <DIR> d-------- C:\Documents and Settings\Administrator.GOODGUYS\Application Data\OnlineAVL
2008-04-02 08:28 . 2008-04-02 08:29 <DIR> d-------- C:\WINDOWS\Excheqr
2008-04-02 08:28 . 2008-04-02 08:28 <DIR> d-------- C:\Program Files\Navman
2008-04-02 08:28 . 2004-03-31 11:05 296,448 --a------ C:\WINDOWS\system32\midas.dll
2008-04-02 08:28 . 1995-07-11 09:50 57,328 --a------ C:\WINDOWS\system32\OLE2CONV.DLL
2008-04-02 08:28 . 1994-10-10 20:05 51,712 --a------ C:\WINDOWS\system32\OLE2PROX.DLL
2008-04-02 08:28 . 1995-08-15 00:00 28,113 --a------ C:\WINDOWS\system32\OLE2.REG
2008-04-02 08:28 . 2006-03-24 11:58 14,020 --a------ C:\WINDOWS\system32\AVLServer.tlb
2008-04-02 08:28 . 2008-04-02 08:28 0 --a------ C:\MKDEWE.TRN
2008-04-02 07:59 . 2008-03-14 13:37 <DIR> d-------- C:\Documents and Settings\Administrator.GOODGUYS\Application Data\InstallShield
2008-04-02 07:59 . 2008-04-11 08:52 <DIR> d-------- C:\Documents and Settings\Administrator.GOODGUYS
2008-04-01 04:37 . 2001-08-18 09:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-04-01 04:37 . 2001-08-18 10:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-03-31 13:39 . 2008-03-31 13:39 <DIR> d-------- C:\Program Files\Program Shortcuts
2008-03-30 18:17 . 2008-03-30 18:19 <DIR> d-------- C:\recovery
2008-03-30 17:42 . 2008-03-30 17:42 <DIR> d--hs---- C:\System Recovery
2008-03-30 17:41 . 2008-03-30 17:41 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-03-30 17:41 . 2008-03-30 17:41 <DIR> d-------- C:\Users
2008-03-30 17:41 . 2008-03-30 17:41 <DIR> d-------- C:\ProgramData
2008-03-30 17:41 . 2006-02-28 14:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 21:25 --------- d-----w C:\Program Files\PDF Complete
2008-04-10 22:35 --------- d-----w C:\Program Files\XoftSpySE
2008-04-07 05:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sonic
2008-04-02 21:17 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-01 20:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:40 1,845,888 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-14 01:46 1,812 --sha-r C:\WINDOWS\system32\drivers\103C_HP_WS_HP xw4600 Workstation_YW_0xw_QSGH811_E11017434910100_48WS_I0AA0h_SHP_V_B786F3 v01.06_T080129_WXP2_L409_M2048_J160_7Intel_8Core2 Quad Q6600_92.4_#080313_N14E4167B_()_X_CD6_Z_2_G10DE040F.MRK
2008-03-14 01:46 --------- d-----w C:\Program Files\Hewlett-Packard
2008-03-14 01:43 --------- d-----w C:\Program Files\Hewlett-Packard Company
2008-03-14 01:43 --------- d-----w C:\Program Files\Broadcom
2008-03-14 01:42 --------- d-----w C:\Program Files\Intel
2008-03-14 01:42 --------- d-----w C:\Program Files\HPQ
2008-03-14 01:42 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-03-14 01:41 --------- d-----w C:\Program Files\Roxio
2008-03-14 01:41 --------- d-----w C:\Program Files\HP
2008-03-14 01:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Roxio
2008-03-14 01:40 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-03-14 01:38 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-03-14 01:38 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-03-14 01:37 --------- d-----w C:\Program Files\InterVideo
2008-03-14 01:37 --------- d-----w C:\Program Files\Common Files\InterVideo
2008-03-14 01:37 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-14 01:37 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-03-14 01:36 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-03-14 01:36 --------- d-----w C:\Program Files\Realtek
2008-03-14 01:32 --------- d-----w C:\Program Files\Java
2008-03-14 01:32 --------- d-----w C:\Program Files\Common Files\Java
2008-03-14 01:22 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-01 06:36 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 18:49 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 18:49 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:52 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:19 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-02-08 06:37 219,664 ----a-w C:\WINDOWS\system32\klogon.dll
.

((((((((((((((((((((((((((((( [email protected]_17.26.06.34 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-14 05:22:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-14 05:59:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-14 04:53:43 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-14 06:00:03 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-14 04:53:43 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-14 06:00:03 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-14 06:00:03 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-14 05:25:19 64,576 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-14 05:39:55 64,576 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-14 05:25:19 409,562 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-14 05:39:55 409,562 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EC38A732-31D4-4ACD-824F-90E12F4C491E}]
2000-04-10 09:55 270336 --a------ C:\WINDOWS\system32\qoMebYpN.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-20 09:26 484904]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 14:00 15360]
"RealPopup"="C:\Program Files\RealPopup\RealPopup.exe" [2003-04-24 00:08 200704]
"rhsfoyrc"="C:\WINDOWS\system32\hedujitw.exe" [2000-04-10 09:50 98304]
"xfrybzve"="C:\WINDOWS\system32\xgvmdezm.exe" [2008-04-14 16:49 94208]
"kfuxcynp"="C:\WINDOWS\system32\pubotevq.exe" [2008-04-14 17:24 102400]
"kfevyvie"="C:\WINDOWS\system32\evcnalsp.exe" [2008-04-14 17:37 102400]
"igxshwnw"="C:\WINDOWS\system32\wlotqhox.exe" [2008-04-14 18:00 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-07-21 06:57 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-07-21 06:57 8466432]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-21 02:38 16384512 C:\WINDOWS\RTHDCPL.exe]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-10-31 05:00 1116920]
"PDF Complete"="C:\Program Files\PDF Complete\pdfsty.exe" [2007-08-11 15:30 331288]
"Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2006-05-13 09:50 1138688]
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2006-04-01 11:44 761856]
"Scheduler"="C:\WINDOWS\SMINST\Scheduler.exe" [2006-07-11 07:53 872448]
"Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 18:58 856064]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12 483328]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 18:36 227856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 14:00 15360]

C:\Documents and Settings\amanda\Start Menu\Programs\Startup\
RealPopup.lnk - C:\Program Files\RealPopup\RealPopup.exe [2003-04-24 00:08:40 200704]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-04-02 09:08:36 25214]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"qXSSfprdOv"= C:\Documents and Settings\All Users\Application Data\zgpwjytk\lencpgri.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRIApmk]
rqRIApmk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\qoMebYpN

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\SMINST\\Scheduler.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2007-02-09 16:05]
R2 pdfcDispatcher;PDF Document Manager;C:\Program Files\PDF Complete\pdfsvc.exe [2007-08-11 15:30]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 VirtDisk;XSS Virtual Disk Driver;c:\windows\sminst\VirtDisk.sys [2007-03-28 03:16]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae04a308-01b8-11dd-a161-001e0bb290a1}]
\Shell\AutoRun\command - G:\setupSNK.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-04-14 06:00:05 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-04-10 22:08:19 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 18:00:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="C:\Program Files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-04-14 18:01:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-14 06:01:50
ComboFix2.txt 2008-04-14 05:26:40

Pre-Run: 133,777,580,032 bytes free
Post-Run: 131,615,993,856 bytes free
.
2008-04-14 05:34:02 --- E O F ---

Edited by DAYUM, 14 April 2008 - 12:08 AM.
