explorer.exe will not load on startup [RESOLVED]


#31 MuffinsCanFly (Topic Starter, Member, 33 posts)
I ran the online scan again as an administrator in normal mode.

But the file is the same size. Actually slightly bigger. It's 33.9 MB now, not 33.7. haha

But this time I saved the report as .html and .txt, so the .txt file is only 16.3 MB and not in HTML format. yay

I just looked at the file report since I was able to get it open without it crashing on me within a minute. I guess it listed every file on my computer and marked most of them as "skipped" and the viruses or infected files as "infected".

So I decided to Ctrl+F "infected" and post all those results on here, since I'm guessing everything else does not matter?

I will still upload the whole file on the same server; it will be


http://www.nu11.org/...nlogs/may11.txt

(I'll get that up later because I cannot seem to log in via FTP for some reason.)



The infected files are below: (I find it weird that the System Volume Information is not on my local hard drive "C", it's on my "F" drive. I didn't know the backups were saved there? Or did the virus make a folder on the wrong drive?)




-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, May 11, 2008 12:29:42 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/05/2008
Kaspersky Anti-Virus database records: 755297
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 309482
Number of viruses found: 7
Number of infected objects: 156
Number of suspicious objects: 0
Duration of the scan process: 03:15:30

Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\O4BJE0D6\t-37190-Your-computer-is-infected-Windows-has-detected-spyware-infection[1].htm Object is locked skipped
C:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP735\A0139245.exe Infected: Trojan.Win32.Obfuscated.tf skipped
C:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP735\A0139247.dll Infected: Trojan-Downloader.Win32.Agent.lsw skipped
C:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP735\A0139248.dll Infected: Trojan-Downloader.Win32.Agent.lsw skipped
C:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP735\A0139249.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139503.exe/WISE0014.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139503.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139503.exe/WISE0016.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139503.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139503.exe WiseSFX: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139503.exe WiseSFXDropper: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139504.exe/WISE0014.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139504.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139504.exe/WISE0016.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139504.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139504.exe WiseSFX: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139504.exe WiseSFXDropper: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139505.exe/WISE0014.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139505.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139505.exe/WISE0016.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139505.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139505.exe WiseSFX: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139505.exe WiseSFXDropper: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139506.exe/WISE0014.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139506.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139506.exe/WISE0016.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139506.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139506.exe WiseSFX: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139506.exe WiseSFXDropper: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139507.exe/WISE0014.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139507.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139507.exe/WISE0016.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139507.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139507.exe WiseSFX: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139507.exe WiseSFXDropper: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139508.exe/WISE0014.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139508.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139508.exe/WISE0016.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139508.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139508.exe WiseSFX: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139508.exe WiseSFXDropper: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139509.exe/WISE0014.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139509.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139509.exe/WISE0016.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139509.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139509.exe WiseSFX: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139509.exe WiseSFXDropper: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139510.exe/WISE0014.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139510.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139510.exe/WISE0016.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139510.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139510.exe WiseSFX: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139510.exe WiseSFXDropper: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139511.exe/WISE0014.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139511.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139511.exe/WISE0016.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139511.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139511.exe WiseSFX: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139511.exe WiseSFXDropper: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139512.exe/WISE0014.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139512.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139512.exe/WISE0016.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139512.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139512.exe WiseSFX: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139512.exe WiseSFXDropper: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139513.exe/WISE0014.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139513.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139513.exe/WISE0016.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139513.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139513.exe WiseSFX: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139513.exe WiseSFXDropper: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139514.exe/WISE0014.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139514.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139514.exe/WISE0016.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139514.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139514.exe WiseSFX: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139514.exe WiseSFXDropper: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139515.exe/WISE0014.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139515.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139515.exe/WISE0016.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139515.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139515.exe WiseSFX: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139515.exe WiseSFXDropper: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139516.exe/WISE0014.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139516.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139516.exe/WISE0016.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139516.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139516.exe WiseSFX: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139516.exe WiseSFXDropper: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139517.exe/WISE0014.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139517.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139517.exe/WISE0016.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139517.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139517.exe WiseSFX: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139517.exe WiseSFXDropper: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139518.exe/WISE0014.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139518.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139518.exe/WISE0016.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139518.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139518.exe WiseSFX: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139518.exe WiseSFXDropper: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139519.exe/WISE0014.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139519.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139519.exe/WISE0016.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139519.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139519.exe WiseSFX: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139519.exe WiseSFXDropper: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139520.exe/WISE0014.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139520.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139520.exe/WISE0016.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139520.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139520.exe WiseSFX: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139520.exe WiseSFXDropper: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139521.exe/WISE0014.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139521.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139521.exe/WISE0016.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139521.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139521.exe WiseSFX: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139521.exe WiseSFXDropper: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139522.exe/WISE0014.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139522.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139522.exe/WISE0016.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139522.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139522.exe WiseSFX: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139522.exe WiseSFXDropper: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139523.exe/WISE0014.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139523.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139523.exe/WISE0016.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139523.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139523.exe WiseSFX: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139523.exe WiseSFXDropper: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139524.exe/WISE0014.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139524.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139524.exe/WISE0016.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139524.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139524.exe WiseSFX: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139524.exe WiseSFXDropper: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139525.exe/WISE0014.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139525.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139525.exe/WISE0016.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139525.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139525.exe WiseSFX: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139525.exe WiseSFXDropper: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139526.exe/WISE0014.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139526.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139526.exe/WISE0016.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139526.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139526.exe WiseSFX: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139526.exe WiseSFXDropper: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139527.exe/WISE0014.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139527.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139527.exe/WISE0016.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139527.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139527.exe WiseSFX: infected - 4 skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139527.exe WiseSFXDropper: infected - 4 skipped
G:\dtop\Shortcuts programs\spywaredetector.exe/file59 Infected: not-a-virus:FraudTool.Win32.SpywareDetector.d skipped
G:\dtop\Shortcuts programs\spywaredetector.exe Inno: infected - 1 skipped



Scan process completed.
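Reading 156 "Infected" lines by hand, as the poster did with Ctrl+F, hides the one thing that matters for triage: how many hits are live files versus copies sitting in System Restore points. The following is an added Python example (mine, not the poster's, the forum's or Kaspersky's) that parses one-object-per-line entries in the shape used by the report above and summarises them by drive, detection name and restore point; the sample lines are copied from that report, and the three line shapes it recognises are an assumption drawn from it.

```python
"""Summarise a Kaspersky Online Scanner 5 text report by drive, detection and location.

Added example for this thread; not a Geeks to Go or Kaspersky tool.  It assumes the
report format shown in post #31, one object per line, in one of three shapes:
  <path>[/<archive member>...] Infected: <detection name> <action>
  <path> <packer>: infected - <n> <action>
  <path> Object is locked <action>
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# One regex for the three line shapes; the final whitespace-free token is the action.
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?:Infected:\s+(?P<name>\S+)"
    r"|(?P<packer>\w+):\s+infected\s+-\s+(?P<count>\d+)"
    r"|(?P<locked>Object is locked))\s+"
    r"(?P<action>\w+)$"
)
# System Restore keeps copies under <drive>:\System Volume Information\_restore{GUID}\RPnnn\
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[^}]+\}\\(?P<rp>RP\d+)\\", re.I
)


@dataclass
class Entry:
    drive: str
    container: str            # the on-disk file; archive members after '/' are stripped
    member: Optional[str]     # path inside the archive, if any
    name: Optional[str]       # detection name; None for packer summaries and locked objects
    action: str
    restore_point: Optional[str]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one report line; return None for headers, blank lines and anything else."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    container, sep, member = path.partition("/")
    rp = RESTORE_RE.search(container)
    # "WiseSFX: infected - 4" lines only restate members already listed, so they carry no name.
    return Entry(
        drive=container[:2].upper(),
        container=container,
        member=member if sep else None,
        name=m.group("name"),
        action=m.group("action"),
        restore_point=rp.group("rp") if rp else None,
    )


def summarise(report_text: str) -> dict:
    """Count named detections per drive and name, and split restore-point copies from live files."""
    entries = [e for e in map(parse_line, report_text.splitlines()) if e]
    detections = [e for e in entries if e.name]
    return {
        "by_drive": Counter(e.drive for e in detections),
        "by_name": Counter(e.name for e in detections),
        "non_adware": Counter(e.name for e in detections if not e.name.startswith("not-a-virus:")),
        "in_restore_points": sum(1 for e in detections if e.restore_point),
        "restore_points": sorted({e.restore_point for e in detections if e.restore_point}),
        # Files outside System Volume Information are the ones that can still run.
        "live_containers": sorted({e.container for e in detections if not e.restore_point}),
    }


# Constructed sample: a handful of lines copied from the report in post #31.
SAMPLE = r"""
C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\O4BJE0D6\t-37190-Your-computer-is-infected-Windows-has-detected-spyware-infection[1].htm Object is locked skipped
C:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP735\A0139245.exe Infected: Trojan.Win32.Obfuscated.tf skipped
C:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP735\A0139247.dll Infected: Trojan-Downloader.Win32.Agent.lsw skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139503.exe/WISE0014.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139503.exe/WISE0016.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
F:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP738\A0139503.exe WiseSFX: infected - 4 skipped
G:\dtop\Shortcuts programs\spywaredetector.exe/file59 Infected: not-a-virus:FraudTool.Win32.SpywareDetector.d skipped
G:\dtop\Shortcuts programs\spywaredetector.exe Inno: infected - 1 skipped
"""

if __name__ == "__main__":
    for key, value in summarise(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the full .txt report instead of SAMPLE, the "live_containers" list is the short list worth acting on; the restore-point copies only matter if System Restore is used to roll back.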

#32 sarahw (Malware Staff, 2,781 posts)
(I find it weird that the System Volume Information is not on my local hard drive "C", it's on my "F" drive. I didn't know the backups were saved there? Or did the virus make a folder on the wrong drive?)
That is malware in your System Restore cache. You have System Restore on for C: and F:. We will remove all that in the last step. As long as you do not use System Restore, those files are OK as they are right now.
How is your computer running now?



1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\O4BJE0D6\
G:\dtop\Shortcuts programs\spywaredetector.exe



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animated image: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


#33 MuffinsCanFly (Topic Starter, Member, 33 posts)
My computer starts up and runs with no real problems, but it seems a little laggy when logging in or changing users. That's all that I have noticed so far.

ComboFix 08-05-11.1 - Administrator 2008-05-11 22:22:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.847 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\O4BJE0D6\
G:\dtop\Shortcuts programs\spywaredetector.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Muffin\Local Settings\Temporary Internet Files\
G:\dtop\Shortcuts programs\spywaredetector.exe

----- BITS: Possible infected sites -----

hxxp://resources.zune.net
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP


((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

2008-05-11 14:12 . 2008-05-11 14:13 45 --a------ C:\TEST.XML
2008-05-09 13:32 . 2008-05-09 13:32 221,187 --a------ C:\Serena-1-try.gif
2008-05-09 13:29 . 2008-05-09 13:29 <DIR> d-------- C:\Program Files\FileZilla FTP Client
2008-05-09 13:29 . 2008-05-11 13:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\FileZilla
2008-05-09 13:27 . 2008-05-09 13:27 <DIR> d-------- C:\Program Files\FileZilla Server
2008-05-04 22:52 . 2008-05-05 21:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\HouseCall 6.6
2008-05-04 21:06 . 2008-05-04 21:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-04 21:06 . 2008-05-04 21:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2008-05-04 10:05 . 2008-05-04 10:05 <DIR> d-------- C:\Program Files\WOT
2008-05-04 09:32 . 2008-02-15 23:39 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-04 09:32 . 2008-02-15 23:39 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-05-04 09:32 . 2008-02-15 23:39 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-05-04 09:21 . 2008-05-04 09:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Avg7
2008-05-02 13:35 . 2008-05-06 13:01 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-02 12:28 . 2008-05-07 11:40 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-02 12:28 . 2008-05-02 12:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-05-02 12:28 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-02 12:28 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-02 12:28 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-02 12:28 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-02 12:21 . 2008-05-04 22:45 <DIR> d-------- C:\Program Files\Norton Security Scan
2008-05-02 11:05 . 2008-05-04 09:22 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-02 11:05 . 2008-05-04 09:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-04-28 01:16 . 2003-02-11 08:18 102,400 -ra------ C:\WINDOWS\system32\drivers\ianswxp.sys
2008-04-28 00:54 . 2003-03-04 13:56 145,408 -ra------ C:\WINDOWS\system32\drivers\e100b325.sys
2008-04-28 00:54 . 2003-03-04 13:56 145,408 --a--c--- C:\WINDOWS\system32\dllcache\e100b325.sys
2008-04-28 00:54 . 2003-03-03 17:26 118,784 -ra------ C:\WINDOWS\system32\Prounstl.exe
2008-04-28 00:54 . 2002-12-29 06:00 24,064 -ra------ C:\WINDOWS\system32\IntelNic.dll
2008-04-28 00:54 . 2003-02-03 07:26 12,288 -ra------ C:\WINDOWS\system32\e100bmsg.dll
2008-04-28 00:54 . 2002-06-27 07:53 5,110 -ra------ C:\WINDOWS\system32\e100b325.din
2008-04-27 22:38 . 2008-04-27 22:38 11 --a------ C:\AuResult.ini
2008-04-26 22:20 . 2008-04-26 22:20 147 --a------ C:\WINDOWS\TmProxy.ini
2008-04-26 22:20 . 2008-04-26 22:20 147 --a------ C:\WINDOWS\TmPfw.ini
2008-04-26 20:33 . 2004-08-04 05:00 18,944 --a------ C:\WINDOWS\system32\simptcp.dll
2008-04-26 20:33 . 2004-08-04 05:00 18,944 --a--c--- C:\WINDOWS\system32\dllcache\simptcp.dll
2008-04-26 20:32 . 2004-08-04 05:00 35,328 --a------ C:\WINDOWS\system32\iprip.dll
2008-04-26 20:32 . 2004-08-04 05:00 35,328 --a--c--- C:\WINDOWS\system32\dllcache\iprip.dll
2008-04-25 10:35 . 2008-04-25 10:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ATI
2008-04-19 19:38 . 2008-04-19 19:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-04-19 19:37 . 2008-04-19 19:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-04-19 19:31 . 2008-04-19 19:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Leadertech
2008-04-19 19:28 . 2008-04-19 19:28 <DIR> d--h----- C:\Documents and Settings\Administrator\InstallAnywhere
2008-04-18 11:13 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-04-18 11:12 . 2008-04-18 11:12 <DIR> d-------- C:\Deckard
2008-04-18 11:10 . 2008-04-18 11:10 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-18 10:55 . 2008-04-18 10:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-12 05:27 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-05-11 21:16 --------- d-----w C:\Program Files\TGTSoft
2008-05-07 18:44 --------- d---a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2008-05-07 00:06 230,432 ----a-w C:\PA7311.DAT
2008-05-06 07:39 --------- d-----w C:\Documents and Settings\Galdys\Application Data\uTorrent
2008-05-06 07:16 --------- d-----w C:\Documents and Settings\Galdys\Application Data\Yahoo!
2008-05-06 07:12 --------- d-----w C:\Program Files\Google
2008-05-04 16:32 --------- d-----w C:\Program Files\Trend Micro
2008-05-04 16:31 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2008-04-28 08:15 --------- d-----w C:\Program Files\Intel
2008-04-20 02:28 --------- d--h--w C:\Program Files\Zero G Registry
2008-04-20 02:27 --------- d-----w C:\Program Files\Common Files\Real
2008-04-20 02:27 --------- d-----w C:\Program Files\Canon
2008-04-20 02:18 --------- d-----w C:\Program Files\Nikon
2008-04-20 02:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-20 02:16 --------- d-----w C:\Program Files\Total Video Converter
2008-04-20 02:13 --------- d-----w C:\Program Files\Skype
2008-04-20 02:13 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype
2008-04-20 02:02 --------- d-----w C:\Program Files\Macromedia
2008-04-20 01:58 --------- d-----w C:\Program Files\Greeting Card Creator 32
2008-04-20 01:55 --------- d-----w C:\Program Files\Corel
2008-04-03 05:02 --------- d-----w C:\Program Files\FLAC Converter
2008-03-31 22:54 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2008-03-31 02:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-31 02:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-31 01:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2008-03-30 02:40 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\pupovghm
2008-03-25 00:43 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-22 22:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-22 22:27 --------- d-----w C:\Program Files\Micro Innovations
2008-03-22 22:27 --------- d-----w C:\Program Files\Common Files\PAC7311
2008-03-14 04:27 --------- d-----w C:\Program Files\Common Files\Macromedia Shared
2008-03-14 04:19 --------- d-----w C:\Program Files\Common Files\Macromedia
2007-08-07 06:22 76 ---ha-w C:\Program Files\Desktop.ini
2007-08-02 04:37 20 ---h--w C:\DOCUME~1\ALLUSE~1\APPLIC~1\PKP_DLec.DAT
2007-08-02 04:37 20 ---h--w C:\DOCUME~1\ALLUSE~1\APPLIC~1\PKP_DLds.DAT
2007-03-20 04:13 0 ---ha-w C:\Documents and Settings\NetworkService\hpothb07.dat
2007-01-12 19:37 323 ---ha-w C:\Documents and Settings\Joey\hpothb07.dat
2007-01-08 04:58 0 ---ha-w C:\Documents and Settings\LocalService\hpothb07.dat
2006-12-01 23:52 0 ---ha-w C:\Documents and Settings\Friend\hpothb07.dat
2006-09-28 04:21 0 ---ha-w C:\Documents and Settings\Administrator\hpothb07.dat
2003-03-21 20:37 16,056 ----a-w C:\Program Files\owcstp16.dll
2006-09-15 16:02 88 --sh--r C:\WINDOWS\system32\5C41811987.sys
2006-08-09 18:16 104 --sh--r C:\WINDOWS\system32\871981415C.sys
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2006-09-15 16:02 5,224 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{71576546-354D-41C9-AAE8-31F2EC22BF0D}"= "C:\Program Files\WOT\WOT.dll" [2008-04-21 10:59 2249376]

[HKEY_CLASSES_ROOT\clsid\{71576546-354d-41c9-aae8-31f2ec22bf0d}]
[HKEY_CLASSES_ROOT\WOT.WOTBar.1]
[HKEY_CLASSES_ROOT\WOT.WOTBar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{71576546-354D-41C9-AAE8-31F2EC22BF0D}"= C:\Program Files\WOT\WOT.dll [2008-04-21 10:59 2249376]

[HKEY_CLASSES_ROOT\clsid\{71576546-354d-41c9-aae8-31f2ec22bf0d}]
[HKEY_CLASSES_ROOT\WOT.WOTBar.1]
[HKEY_CLASSES_ROOT\WOT.WOTBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-02-15 23:39 492808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28 790528]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"HP Software Update"="G:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41 45056]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 16:24 86016]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]
"PAC7311_Monitor"="C:\WINDOWS\PixArt\PAC7311\Monitor.exe" [2006-11-03 11:01 319488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 20:29 39264]

C:\Documents and Settings\Joey\Start Menu\Programs\Startup\
Shortcut to NetPerSec.lnk - H:\Downloads\NetPerSec\NetPerSec.exe [2005-08-13 14:41:25 192512]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
HP Photosmart Premier Fast Start.lnk - G:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 07:56:20 73728]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2007-06-21 16:22:26 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= G:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
G:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 G:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Muffin^Start Menu^Programs^Startup^SpywareGuard.lnk]
path=C:\Documents and Settings\Muffin\Start Menu\Programs\Startup\SpywareGuard.lnk
backup=C:\WINDOWS\pss\SpywareGuard.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]
--a------ 2004-02-23 04:16 144896 G:\Program Files\AIM\\DeadAIM.ocm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]
--a------ 2007-12-25 14:25 937984 C:\Program Files\FileZilla Server\FileZilla Server Interface.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2005-04-14 16:56 1957888 C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 G:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP]
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
--a------ 2007-11-15 22:51 166304 c:\Program Files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZuneNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"Macromedia Licensing Service"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"FileZilla Server"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\InterVideo\\MSIPVS\\WinDvr.exe"=
"G:\\Program Files\\AIM\\aim.exe"=
"G:\\Games\\Steam\\steamapps\\[email protected]\\day of defeat\\hl.exe"=
"G:\\Games\\Steam\\steamapps\\[email protected]\\counter-strike\\hl.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"G:\\Program Files\\3CServer.exe"=
"C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"G:\\Games\\Lionhead Studios\\runblack.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"G:\\Games\\Guild Wars\\Gw.exe"=
"G:\\Games\\Microsoft\\Age of Empires III\\age3.exe"=
"G:\\Games\\Microsoft\\Age of Empires III\\age3x.exe"=
"G:\\Games\\Microsoft\\Age of Empires III\\age3y.exe"=
"G:\\Games\\Microsoft\\Age Of Empires II\\age2_x1\\AGE2_X1.ICD"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"G:\\Games\\Steam\\Steam.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"6112:TCP"= 6112:TCP:battle.net
"6112:UDP"= 6112:UDP:battle.net 2
"6113:TCP"= 6113:TCP:*:Disabled:Starcraft

R1 NEOFLTR_530_11531;Juniper Networks TDI Filter Driver (NEOFLTR_530_11531);C:\WINDOWS\system32\Drivers\NEOFLTR_530_11531.SYS [2007-01-29 22:43]
R2 sshd;CYGWIN sshd;C:\cygwin\bin\cygrunsrv.exe [2006-06-19 02:43]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-15 22:38]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2007-11-15 22:51]
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 14:05]
S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys []
S2 nvtvSND;MSI8928 nVidia WDM TVAudio Crossbar;C:\WINDOWS\system32\DRIVERS\nvtvsnd.sys []
S3 jfdcd;jfdcd;C:\DOCUME~1\Muffin\LOCALS~1\Temp\jfdcd.sys []
S3 MPCSYS;MPCSYS;C:\WINDOWS\system32\DRIVERS\mpcsys.sys [2006-06-24 20:32]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-06-28 17:01]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 05:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 05:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 05:00]
S3 PAC7311;Webcam;C:\WINDOWS\system32\DRIVERS\PA707UCM.SYS [2007-03-14 10:57]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 05:00]
S3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 14:05]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2007-11-15 22:51]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2008-05-11 23:00:00 C:\WINDOWS\Tasks\A89A0A709399B8AC.job"
- c:\docume~1\muffin\applic~1\loadvi~1\SettingsBoobSixth.exe
"2008-05-12 05:11:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-05-03 01:49:06 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-11 22:28:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\cygwin\usr\sbin\sshd.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
G:\Program Files\Intel\Intel® Active Monitor\imonNT.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
G:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
.
**************************************************************************
.
Completion time: 2008-05-11 22:33:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-12 05:33:07
ComboFix2.txt 2008-05-02 05:33:19

Pre-Run: 42,130,178,048 bytes free
Post-Run: 43,208,249,344 bytes free

298 --- E O F --- 2008-05-02 17:41:57






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:47 PM, on 5/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\cygwin\bin\cygrunsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\cygwin\usr\sbin\sshd.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
G:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
G:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\PixArt\PAC7311\Monitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
G:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
G:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - G:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] G:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [PAC7311_Monitor] C:\WINDOWS\PixArt\PAC7311\Monitor.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = G:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - G:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - https://h20364.www2....DataManager.CAB
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecu...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....aceUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1151277926046
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.168.0.253...sCamControl.ocx
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://connect.aaa-...perSetupSP1.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.h.../qdiagh.cab?326
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O20 - Winlogon Notify: !SASWinLogon - G:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - G:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: CYGWIN sshd (sshd) - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 10588 bytes

#34
sarahw
    Malware Staff
  • Member
  • 2,781 posts
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Driver::
jfdcd

File::
C:\DOCUME~1\Muffin\LOCALS~1\Temp\jfdcd.sys

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

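An added illustration of why the jfdcd entry was the one singled out for the CFScript above (this is example code written for this page, not anything from the thread's participants or from ComboFix itself): ComboFix's R/S driver lines carry the service name, its display name, the image path and, in brackets, the file's timestamp. A kernel driver that loads from a user's Temp folder, under a user profile rather than a system directory, and whose file ComboFix could not timestamp at all stands out; the script below parses those lines and scores each entry on those signals. The sample input is the service block copied from the ComboFix log earlier in this thread; the regular expressions and the scoring thresholds are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Sample input: service lines copied from the ComboFix log above
# (raw string, so the backslashes in the paths are literal).
SAMPLE_SERVICES = r"""
R1 NEOFLTR_530_11531;Juniper Networks TDI Filter Driver (NEOFLTR_530_11531);C:\WINDOWS\system32\Drivers\NEOFLTR_530_11531.SYS [2007-01-29 22:43]
R2 sshd;CYGWIN sshd;C:\cygwin\bin\cygrunsrv.exe [2006-06-19 02:43]
S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys []
S2 nvtvSND;MSI8928 nVidia WDM TVAudio Crossbar;C:\WINDOWS\system32\DRIVERS\nvtvsnd.sys []
S3 jfdcd;jfdcd;C:\DOCUME~1\Muffin\LOCALS~1\Temp\jfdcd.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-06-28 17:01]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 05:00]
"""

# Line layout assumed from the log: "<start type> <name>;<display>;<path> [<file timestamp>]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s*\[(?P<stamp>[^\]]*)\]\s*$"
)

# Locations an ordinary user can write to; a kernel driver has no business there.
USER_PROFILE = re.compile(r"^[A-Z]:\\(DOCUME~1|Documents and Settings)\\", re.I)
TEMP_DIR = re.compile(r"\\(Temp|Tmp)\\", re.I)


@dataclass
class ServiceEntry:
    start: str    # R1/R2/S3 ...: start type as ComboFix prints it
    name: str     # service/driver key name
    display: str  # display name
    path: str     # image path
    stamp: str    # file timestamp, empty when ComboFix found nothing to stat


def parse_service_line(line):
    """Return a ServiceEntry for one R/S line, or None if the line is not one."""
    m = SERVICE_RE.match(line.strip())
    return ServiceEntry(**m.groupdict()) if m else None


def assess(entry):
    """List the reasons an entry deserves a second look (each reason adds one point)."""
    reasons = []
    if USER_PROFILE.match(entry.path):
        reasons.append("image lives under a user profile, not a system directory")
    if TEMP_DIR.search(entry.path):
        reasons.append("image lives in a Temp folder")
    if entry.stamp == "":
        reasons.append("no file timestamp: the file was missing or unreadable at scan time")
    if entry.name == entry.display:
        reasons.append("display name is just the service name again")
    return reasons


def suspicious_services(text, min_score=2):
    """Parse a ComboFix service block and return (name, path, reasons), highest score first.

    Entries below min_score are dropped. Note that an orphaned entry whose file is gone
    (aswFsBlk here) scores on the timestamp and naming checks only; the location checks
    are what separate jfdcd from it.
    """
    found = []
    for line in text.splitlines():
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if len(reasons) >= min_score:
            found.append((entry.name, entry.path, reasons))
    found.sort(key=lambda item: len(item[2]), reverse=True)
    return found


if __name__ == "__main__":
    for name, path, reasons in suspicious_services(SAMPLE_SERVICES):
        print(f"{name} ({path}) score={len(reasons)}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run on the sample, jfdcd comes out on top with all four signals, aswFsBlk is listed with two (its file is gone but it was registered under system32\DRIVERS), and nvtvSND, with only the missing timestamp, is not listed. The same parser can be pointed at any later ComboFix log to confirm that a removed driver entry no longer appears.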

#35
MuffinsCanFly
    Member
  • Topic Starter
  • Member
  • 33 posts
I ran the Panda ActiveScan as well to see if it found the same things as the other online scan. I posted the log if it's any help.

I also have a quick question. How come file names that usually aren't in all caps are sometimes in all caps, and they don't finish the name but instead have a "~" at the end?

like
\PROGRA~1\TRENDM~1\INTERN~3\
or
DOCUME~1\Muffin\LOCALS~1\.

I've never understood this, but I've seen it more than a few times. Maybe you know?

Here are the logs:


ComboFix 08-05-11.1 - Administrator 2008-05-14 7:08:29.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.842 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\DOCUME~1\Muffin\LOCALS~1\Temp\jfdcd.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Muffin\Local Settings\Temporary Internet Files\

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_JFDCD
-------\Service_jfdcd


((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-12 19:44 . 2008-05-12 19:44 <DIR> d-------- C:\Program Files\Panda Security
2008-05-11 14:12 . 2008-05-11 14:13 45 --a------ C:\TEST.XML
2008-05-09 13:32 . 2008-05-09 13:32 221,187 --a------ C:\Serena-1-try.gif
2008-05-09 13:29 . 2008-05-09 13:29 <DIR> d-------- C:\Program Files\FileZilla FTP Client
2008-05-09 13:29 . 2008-05-11 22:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\FileZilla
2008-05-04 22:52 . 2008-05-05 21:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\HouseCall 6.6
2008-05-04 21:06 . 2008-05-04 21:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-04 21:06 . 2008-05-04 21:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2008-05-04 10:05 . 2008-05-04 10:05 <DIR> d-------- C:\Program Files\WOT
2008-05-04 09:32 . 2008-02-15 23:39 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-04 09:32 . 2008-02-15 23:39 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-05-04 09:32 . 2008-02-15 23:39 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-05-04 09:21 . 2008-05-04 09:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Avg7
2008-05-02 13:35 . 2008-05-06 13:01 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-02 12:28 . 2008-05-07 11:40 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-02 12:28 . 2008-05-02 12:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-05-02 12:28 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-02 12:28 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-02 12:28 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-02 12:28 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-02 12:21 . 2008-05-04 22:45 <DIR> d-------- C:\Program Files\Norton Security Scan
2008-05-02 11:05 . 2008-05-04 09:22 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-02 11:05 . 2008-05-04 09:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-04-28 01:16 . 2003-02-11 08:18 102,400 -ra------ C:\WINDOWS\system32\drivers\ianswxp.sys
2008-04-28 00:54 . 2003-03-04 13:56 145,408 -ra------ C:\WINDOWS\system32\drivers\e100b325.sys
2008-04-28 00:54 . 2003-03-04 13:56 145,408 --a--c--- C:\WINDOWS\system32\dllcache\e100b325.sys
2008-04-28 00:54 . 2003-03-03 17:26 118,784 -ra------ C:\WINDOWS\system32\Prounstl.exe
2008-04-28 00:54 . 2002-12-29 06:00 24,064 -ra------ C:\WINDOWS\system32\IntelNic.dll
2008-04-28 00:54 . 2003-02-03 07:26 12,288 -ra------ C:\WINDOWS\system32\e100bmsg.dll
2008-04-28 00:54 . 2002-06-27 07:53 5,110 -ra------ C:\WINDOWS\system32\e100b325.din
2008-04-27 22:38 . 2008-04-27 22:38 11 --a------ C:\AuResult.ini
2008-04-26 22:20 . 2008-04-26 22:20 147 --a------ C:\WINDOWS\TmProxy.ini
2008-04-26 22:20 . 2008-04-26 22:20 147 --a------ C:\WINDOWS\TmPfw.ini
2008-04-26 20:33 . 2004-08-04 05:00 18,944 --a------ C:\WINDOWS\system32\simptcp.dll
2008-04-26 20:33 . 2004-08-04 05:00 18,944 --a--c--- C:\WINDOWS\system32\dllcache\simptcp.dll
2008-04-26 20:32 . 2004-08-04 05:00 35,328 --a------ C:\WINDOWS\system32\iprip.dll
2008-04-26 20:32 . 2004-08-04 05:00 35,328 --a--c--- C:\WINDOWS\system32\dllcache\iprip.dll
2008-04-25 10:35 . 2008-04-25 10:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ATI
2008-04-19 19:38 . 2008-04-19 19:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-04-19 19:37 . 2008-04-19 19:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-04-19 19:31 . 2008-04-19 19:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Leadertech
2008-04-19 19:28 . 2008-04-19 19:28 <DIR> d--h----- C:\Documents and Settings\Administrator\InstallAnywhere
2008-04-18 11:13 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-04-18 11:12 . 2008-04-18 11:12 <DIR> d-------- C:\Deckard
2008-04-18 11:10 . 2008-04-18 11:10 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-18 10:55 . 2008-04-18 10:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-14 14:14 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-05-11 21:16 --------- d-----w C:\Program Files\TGTSoft
2008-05-07 18:44 --------- d---a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2008-05-07 00:06 230,432 ----a-w C:\PA7311.DAT
2008-05-06 07:39 --------- d-----w C:\Documents and Settings\Galdys\Application Data\uTorrent
2008-05-06 07:16 --------- d-----w C:\Documents and Settings\Galdys\Application Data\Yahoo!
2008-05-06 07:12 --------- d-----w C:\Program Files\Google
2008-05-04 16:32 --------- d-----w C:\Program Files\Trend Micro
2008-05-04 16:31 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2008-04-28 08:15 --------- d-----w C:\Program Files\Intel
2008-04-20 02:28 --------- d--h--w C:\Program Files\Zero G Registry
2008-04-20 02:27 --------- d-----w C:\Program Files\Common Files\Real
2008-04-20 02:27 --------- d-----w C:\Program Files\Canon
2008-04-20 02:18 --------- d-----w C:\Program Files\Nikon
2008-04-20 02:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-20 02:16 --------- d-----w C:\Program Files\Total Video Converter
2008-04-20 02:13 --------- d-----w C:\Program Files\Skype
2008-04-20 02:13 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype
2008-04-20 02:02 --------- d-----w C:\Program Files\Macromedia
2008-04-20 01:58 --------- d-----w C:\Program Files\Greeting Card Creator 32
2008-04-20 01:55 --------- d-----w C:\Program Files\Corel
2008-04-03 05:02 --------- d-----w C:\Program Files\FLAC Converter
2008-03-31 22:54 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2008-03-31 02:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-31 02:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-31 01:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2008-03-30 02:40 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\pupovghm
2008-03-25 00:43 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-22 22:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-22 22:27 --------- d-----w C:\Program Files\Micro Innovations
2008-03-22 22:27 --------- d-----w C:\Program Files\Common Files\PAC7311
2008-03-14 04:27 --------- d-----w C:\Program Files\Common Files\Macromedia Shared
2008-03-14 04:19 --------- d-----w C:\Program Files\Common Files\Macromedia
2007-08-07 06:22 76 ---ha-w C:\Program Files\Desktop.ini
2007-08-02 04:37 20 ---h--w C:\DOCUME~1\ALLUSE~1\APPLIC~1\PKP_DLec.DAT
2007-08-02 04:37 20 ---h--w C:\DOCUME~1\ALLUSE~1\APPLIC~1\PKP_DLds.DAT
2007-03-20 04:13 0 ---ha-w C:\Documents and Settings\NetworkService\hpothb07.dat
2007-01-12 19:37 323 ---ha-w C:\Documents and Settings\Joey\hpothb07.dat
2007-01-08 04:58 0 ---ha-w C:\Documents and Settings\LocalService\hpothb07.dat
2006-12-01 23:52 0 ---ha-w C:\Documents and Settings\Friend\hpothb07.dat
2006-09-28 04:21 0 ---ha-w C:\Documents and Settings\Administrator\hpothb07.dat
2003-03-21 20:37 16,056 ----a-w C:\Program Files\owcstp16.dll
2006-09-15 16:02 88 --sh--r C:\WINDOWS\system32\5C41811987.sys
2006-08-09 18:16 104 --sh--r C:\WINDOWS\system32\871981415C.sys
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2006-09-15 16:02 5,224 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((( [email protected]_22.32.43.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-12 05:27:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-14 14:14:25 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2007-12-11 22:18:14 6,326 ----a-w C:\WINDOWS\mozver.dat
+ 2008-05-13 02:44:33 7,688 ----a-w C:\WINDOWS\mozver.dat
- 2008-05-12 05:27:21 228,884 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-05-14 14:18:37 228,887 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-05-14 14:14:43 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_408.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{71576546-354D-41C9-AAE8-31F2EC22BF0D}"= "C:\Program Files\WOT\WOT.dll" [2008-04-21 10:59 2249376]

[HKEY_CLASSES_ROOT\clsid\{71576546-354d-41c9-aae8-31f2ec22bf0d}]
[HKEY_CLASSES_ROOT\WOT.WOTBar.1]
[HKEY_CLASSES_ROOT\WOT.WOTBar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{71576546-354D-41C9-AAE8-31F2EC22BF0D}"= C:\Program Files\WOT\WOT.dll [2008-04-21 10:59 2249376]

[HKEY_CLASSES_ROOT\clsid\{71576546-354d-41c9-aae8-31f2ec22bf0d}]
[HKEY_CLASSES_ROOT\WOT.WOTBar.1]
[HKEY_CLASSES_ROOT\WOT.WOTBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-02-15 23:39 492808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28 790528]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"HP Software Update"="G:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41 45056]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 16:24 86016]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]
"PAC7311_Monitor"="C:\WINDOWS\PixArt\PAC7311\Monitor.exe" [2006-11-03 11:01 319488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 20:29 39264]

C:\Documents and Settings\Joey\Start Menu\Programs\Startup\
Shortcut to NetPerSec.lnk - H:\Downloads\NetPerSec\NetPerSec.exe [2005-08-13 14:41:25 192512]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
HP Photosmart Premier Fast Start.lnk - G:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 07:56:20 73728]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2007-06-21 16:22:26 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= G:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
G:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 G:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Muffin^Start Menu^Programs^Startup^SpywareGuard.lnk]
path=C:\Documents and Settings\Muffin\Start Menu\Programs\Startup\SpywareGuard.lnk
backup=C:\WINDOWS\pss\SpywareGuard.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]
--a------ 2004-02-23 04:16 144896 G:\Program Files\AIM\\DeadAIM.ocm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]
C:\Program Files\FileZilla Server\FileZilla Server Interface.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2005-04-14 16:56 1957888 C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 G:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP]
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
--a------ 2007-11-15 22:51 166304 c:\Program Files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZuneNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"Macromedia Licensing Service"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"FileZilla Server"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\InterVideo\\MSIPVS\\WinDvr.exe"=
"G:\\Program Files\\AIM\\aim.exe"=
"G:\\Games\\Steam\\steamapps\\[email protected]\\day of defeat\\hl.exe"=
"G:\\Games\\Steam\\steamapps\\[email protected]\\counter-strike\\hl.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"G:\\Program Files\\3CServer.exe"=
"C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"G:\\Games\\Lionhead Studios\\runblack.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"G:\\Games\\Guild Wars\\Gw.exe"=
"G:\\Games\\Microsoft\\Age of Empires III\\age3.exe"=
"G:\\Games\\Microsoft\\Age of Empires III\\age3x.exe"=
"G:\\Games\\Microsoft\\Age of Empires III\\age3y.exe"=
"G:\\Games\\Microsoft\\Age Of Empires II\\age2_x1\\AGE2_X1.ICD"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"G:\\Games\\Steam\\Steam.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"6112:TCP"= 6112:TCP:battle.net
"6112:UDP"= 6112:UDP:battle.net 2
"6113:TCP"= 6113:TCP:*:Disabled:Starcraft

R1 NEOFLTR_530_11531;Juniper Networks TDI Filter Driver (NEOFLTR_530_11531);C:\WINDOWS\system32\Drivers\NEOFLTR_530_11531.SYS [2007-01-29 22:43]
R2 sshd;CYGWIN sshd;C:\cygwin\bin\cygrunsrv.exe [2006-06-19 02:43]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-15 22:38]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2007-11-15 22:51]
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 14:05]
S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys []
S2 nvtvSND;MSI8928 nVidia WDM TVAudio Crossbar;C:\WINDOWS\system32\DRIVERS\nvtvsnd.sys []
S3 MPCSYS;MPCSYS;C:\WINDOWS\system32\DRIVERS\mpcsys.sys [2006-06-24 20:32]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-06-28 17:01]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 05:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 05:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 05:00]
S3 PAC7311;Webcam;C:\WINDOWS\system32\DRIVERS\PA707UCM.SYS [2007-03-14 10:57]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 05:00]
S3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 14:05]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2007-11-15 22:51]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 14:00:00 C:\WINDOWS\Tasks\A89A0A709399B8AC.job"
- c:\docume~1\muffin\applic~1\loadvi~1\SettingsBoobSixth.exe
"2008-05-14 14:11:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-05-03 01:49:06 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 07:17:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\cygwin\usr\sbin\sshd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
G:\Program Files\Intel\Intel® Active Monitor\imonNT.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\ati2evxx.exe
G:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Trend Micro\Internet Security\UfUpdUi.exe
C:\Program Files\Trend Micro\Internet Security\SfFnUp.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Trend Micro\Internet Security\Patch.exe
.
**************************************************************************
.
Completion time: 2008-05-14 7:22:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-14 14:21:42
ComboFix2.txt 2008-05-12 05:33:17
ComboFix3.txt 2008-05-02 05:33:19

Pre-Run: 43,787,337,728 bytes free
Post-Run: 43,650,756,608 bytes free

307 --- E O F --- 2008-05-02 17:41:57






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:38 PM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\cygwin\bin\cygrunsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\cygwin\usr\sbin\sshd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
G:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
G:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\PixArt\PAC7311\Monitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
G:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
G:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - G:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] G:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [PAC7311_Monitor] C:\WINDOWS\PixArt\PAC7311\Monitor.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = G:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - G:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - https://h20364.www2....DataManager.CAB
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecu...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....aceUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1151277926046
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.168.0.253...sCamControl.ocx
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://connect.aaa-...perSetupSP1.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.h.../qdiagh.cab?326
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O20 - Winlogon Notify: !SASWinLogon - G:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - G:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: CYGWIN sshd (sshd) - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 10621 bytes




;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-05-15 08:06:13
PROTECTIONS: 1
MALWARE: 22
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Trend Micro Internet Security 16.10.1079 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Muffin\Application Data\Mozilla\Firefox\Profiles\71ngg2z7.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Muffin\Application Data\Mozilla\Firefox\Profiles\71ngg2z7.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Muffin\Application Data\Mozilla\Firefox\Profiles\71ngg2z7.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Muffin\Application Data\Mozilla\Firefox\Profiles\71ngg2z7.default\cookies.txt[.casalemedia.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Galdys\Application Data\Mozilla\Firefox\Profiles\57sdigbp.default\cookies.txt[.tribalfusion.com/]
00147824 Cookie/Clickbank TrackingCookie No 0 Yes No C:\Documents and Settings\Diane\Application Data\Mozilla\Firefox\Profiles\ikbctmv4.default\cookies.txt[.clickbank.net/]
00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\x86ib5b5.default\cookies.txt[.yadro.ru/]
00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\x86ib5b5.default\cookies.txt[.yadro.ru/]
00167677 Cookie/WebPower TrackingCookie No 0 Yes No C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\6xug5cdr.default\cookies.txt[.webpower.com/]
00167749 Cookie/Toplist TrackingCookie No 0 Yes No C:\Documents and Settings\Muffin\Application Data\Mozilla\Firefox\Profiles\71ngg2z7.default\cookies.txt[.toplist.cz/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Galdys\Cookies\[email protected][1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Diane\Application Data\Mozilla\Firefox\Profiles\ikbctmv4.default\cookies.txt[.apmebf.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Muffin\Application Data\Mozilla\Firefox\Profiles\71ngg2z7.default\cookies.txt[.apmebf.com/]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Joey\Application Data\Mozilla\Firefox\Profiles\hhjo9mia.default\cookies.txt[server.iad.liveperson.net/hc/61095154]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Galdys\Application Data\Mozilla\Firefox\Profiles\57sdigbp.default\cookies.txt[server.iad.liveperson.net/hc/51911977]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Galdys\Application Data\Mozilla\Firefox\Profiles\57sdigbp.default\cookies.txt[server.iad.liveperson.net/hc/62317343]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Joey\Application Data\Mozilla\Firefox\Profiles\hhjo9mia.default\cookies.txt[server.iad.liveperson.net/hc/419330]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Joey\Application Data\Mozilla\Firefox\Profiles\hhjo9mia.default\cookies.txt[server.iad.liveperson.net/hc/419330]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Muffin\Application Data\Mozilla\Firefox\Profiles\71ngg2z7.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Muffin\Application Data\Mozilla\Firefox\Profiles\71ngg2z7.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Muffin\Application Data\Mozilla\Firefox\Profiles\71ngg2z7.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Muffin\Application Data\Mozilla\Firefox\Profiles\71ngg2z7.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Friend\Application Data\Mozilla\Firefox\Profiles\rf2t3f86.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Galdys\Application Data\Mozilla\Firefox\Profiles\57sdigbp.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Galdys\Application Data\Mozilla\Firefox\Profiles\57sdigbp.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Galdys\Application Data\Mozilla\Firefox\Profiles\57sdigbp.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Galdys\Application Data\Mozilla\Firefox\Profiles\57sdigbp.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Galdys\Application Data\Mozilla\Firefox\Profiles\57sdigbp.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Friend\Application Data\Mozilla\Firefox\Profiles\rf2t3f86.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Friend\Application Data\Mozilla\Firefox\Profiles\rf2t3f86.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Friend\Application Data\Mozilla\Firefox\Profiles\rf2t3f86.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Muffin\Application Data\Mozilla\Firefox\Profiles\71ngg2z7.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Diane\Application Data\Mozilla\Firefox\Profiles\ikbctmv4.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\6xug5cdr.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Joey\Application Data\Mozilla\Firefox\Profiles\hhjo9mia.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Joey\Application Data\Mozilla\Firefox\Profiles\hhjo9mia.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Joey\Application Data\Mozilla\Firefox\Profiles\hhjo9mia.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\6xug5cdr.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Joey\Application Data\Mozilla\Firefox\Profiles\hhjo9mia.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Diane\Application Data\Mozilla\Firefox\Profiles\ikbctmv4.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Diane\Application Data\Mozilla\Firefox\Profiles\ikbctmv4.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Diane\Application Data\Mozilla\Firefox\Profiles\ikbctmv4.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Diane\Application Data\Mozilla\Firefox\Profiles\ikbctmv4.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\6xug5cdr.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Friend\Application Data\Mozilla\Firefox\Profiles\rf2t3f86.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Joey\Application Data\Mozilla\Firefox\Profiles\hhjo9mia.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\6xug5cdr.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\6xug5cdr.default\cookies.txt[.advertising.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Galdys\Cookies\[email protected][2].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\x86ib5b5.default\cookies.txt[.realmedia.com/]
00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\x86ib5b5.default\cookies.txt[.bravenet.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Friend\Application Data\Mozilla\Firefox\Profiles\rf2t3f86.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Diane\Cookies\[email protected][1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Joey\Application Data\Mozilla\Firefox\Profiles\hhjo9mia.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Joey\Application Data\Mozilla\Firefox\Profiles\hhjo9mia.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Joey\Application Data\Mozilla\Firefox\Profiles\hhjo9mia.default\cookies.txt[.go.com/]
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Joey\Application Data\Mozilla\Firefox\Profiles\hhjo9mia.default\cookies.txt[searchportal.information.com/]
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Friend\Application Data\Mozilla\Firefox\Profiles\rf2t3f86.default\cookies.txt[searchportal.information.com/]
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Galdys\Application Data\Mozilla\Firefox\Profiles\57sdigbp.default\cookies.txt[.target.com/]
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Joey\Application Data\Mozilla\Firefox\Profiles\hhjo9mia.default\cookies.txt[.target.com/]
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Friend\Application Data\Mozilla\Firefox\Profiles\rf2t3f86.default\cookies.txt[.target.com/]
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Friend\Application Data\Mozilla\Firefox\Profiles\rf2t3f86.default\cookies.txt[.target.com/]
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Joey\Cookies\[email protected][1].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Galdys\Application Data\Mozilla\Firefox\Profiles\57sdigbp.default\cookies.txt[.target.com/]
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Joey\Application Data\Mozilla\Firefox\Profiles\hhjo9mia.default\cookies.txt[.target.com/]
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Muffin\Application Data\Mozilla\Firefox\Profiles\71ngg2z7.default\cookies.txt[.target.com/]
00207862 Cookie/did-it TrackingCookie No 0 Yes No I:\Documents and Settings\mark\Cookies\[email protected][1].txt
00995523 Generic Malware Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP698\A0121043.cpl
01048936 Generic Malware Virus/Trojan No 0 Yes Yes G:\Games\GameSpy\Arcade\Services\_common\PortraitLoader.dll
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\Documents and Settings\Administrator\Desktop\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP749\A0141729.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP748\A0140430.EXE
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP733\A0138782.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP749\A0141705.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP748\A0140412.sys
;===============================================================================
=================================================================================
===================
SUSPECTS
Sent Location

Edited by MuffinsCanFly, 15 May 2008 - 09:09 AM.

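The report above mixes a few hundred tracking-cookie records with a handful of real detections, most of them dormant copies inside System Restore points. As an added example (not part of the thread, and not a Kaspersky tool), here is a small triage script for lines in that format. Each line is read as: numeric ID, detection name (which may contain spaces, e.g. "Generic Malware"), detection type, four columns the pasted report does not label (carried through untouched), then the object path; a trailing `[...]` means the hit is a record inside a container (a cookies.txt entry or an archive member). The six sample lines embedded in `SAMPLE_REPORT` are copied from the report so the script runs offline.

```python
import re
from collections import Counter

# Six lines copied from the Kaspersky report above, embedded so this runs
# without the 16 MB .txt file.
SAMPLE_REPORT = r"""
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Muffin\Application Data\Mozilla\Firefox\Profiles\71ngg2z7.default\cookies.txt[.advertising.com/]
00995523 Generic Malware Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP698\A0121043.cpl
01048936 Generic Malware Virus/Trojan No 0 Yes Yes G:\Games\GameSpy\Arcade\Services\_common\PortraitLoader.dll
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\Documents and Settings\Administrator\Desktop\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP749\A0141729.EXE
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{B7987165-9E5F-4461-AE24-50D98CAFD597}\RP733\A0138782.sys
"""

# ID, name (non-greedy, may contain spaces), type, four unlabelled columns,
# then a Windows path running to the end of the line.
LINE_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<name>.+?)\s+(?P<type>\S+)\s+"
    r"(?P<f1>Yes|No)\s+(?P<f2>\d+)\s+(?P<f3>Yes|No)\s+(?P<f4>Yes|No)\s+"
    r"(?P<path>[A-Za-z]:\\.*)$"
)


def parse_report(text: str) -> list[dict]:
    """Parse every line that matches the report layout; skip the rest."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def classify(hit: dict) -> str:
    """Assign one hit to a triage bucket, most benign first."""
    path = hit["path"]
    if hit["type"] == "TrackingCookie":
        return "tracking_cookie"      # browser noise, not executable code
    if "\\System Volume Information\\" in path:
        return "restore_point"        # dormant copy that a restore could bring back
    if path.endswith("]"):
        return "container_member"     # detection inside an archive or package
    return "live"                     # on-disk object outside restore points


def triage(hits: list[dict]) -> dict:
    """Group hit paths by bucket; 'live' is the list to look at first."""
    buckets = {"live": [], "container_member": [], "restore_point": [], "tracking_cookie": []}
    for h in hits:
        buckets[classify(h)].append(h["path"])
    return buckets


def count_by_type(hits: list[dict]) -> Counter:
    return Counter(h["type"] for h in hits)


def restore_points(hits: list[dict]) -> set[str]:
    """Restore points (RPnnn) holding infected copies, i.e. what a
    System Restore reset will purge."""
    found = set()
    for h in hits:
        m = re.search(r"\\(RP\d+)\\", h["path"])
        if m:
            found.add(m.group(1))
    return found


if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    print("by type:", dict(count_by_type(hits)))
    for bucket, paths in triage(hits).items():
        print(f"{bucket}: {len(paths)}")
        for p in paths:
            print("   ", p)
    print("restore points with infected copies:", sorted(restore_points(hits)))
```

Run it against the full saved .txt instead of `SAMPLE_REPORT` to get the same summary for the whole scan; the "live" bucket is the short list that needs a decision, while "restore_point" entries disappear when System Restore is reset, as the cleanup steps later in the thread do.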

#36
sarahw (Malware Staff, 2,781 posts)
Bobbi Flekman (another security expert on this site) can explain it better than I could:

When the PC was invented the operating system was DOS. This OS used discs which end in a colon (:) and directories separated by backslashes (\).

About these discs, the convention was made that a computer could have at most two floppy drives. Therefore the first hard disc was named 'C'. 'A' and 'B' were the two floppy drives. If you had more than one drive these were named consecutively 'D', 'E', etc.

Filenames could be at most 8 characters, a period (.) and an extension of at most 3 characters. In these filenames you could not use several characters such as the space ( ), asterisk (*), backslash (\), colon (:) or question mark (?). These are valid filenames: a.doc, wp.exe, beep.com. These are invalid: User.manual, where am i.exe, Huh?.doc
Since there are no spaces in file names you can start a program by entering it at the DOS prompt: c:\windows\win.com

Spaces were regarded as separating parameters: c:\pkzip\pkzip.exe X beep.zip -y, meaning that pkzip will be executed with command X (extract) on file beep.zip and assumes yes on all questions (-y).

Those were the old days. Then came Windows 95 and it supported the space! How to do that... Simple: put everything that contains spaces between quotes (") and it is regarded as one parameter. "C:\Program Files\WinWord\winword.exe" will start Word for Windows. On the other hand, C:\Program Files\WinWord\winword.exe will start a program called Program and hand it the parameter Files\Winword\winword.exe. Chances are that you don't have program.exe in your root directory, so you'll be presented with an exception dialog.

In Win95 you also had to support the old 8.3 way of addressing files, so Microsoft pulled a fast one on their users. In effect you always worked on 8.3 files, but they are mirrored by LFN files (Long File Name). These files are filtered by the OS so you don't see them. The existing files are still 8.3. Internally, what happened was that spaces in the LFN got filtered (programfiles) and the result was cut short at six positions. Appending a tilde (~) and a numeral gave the filename (progra~1). If there were more than one file with the same six characters, simply add one (progra~2), etc.


How is your computer running?
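The two behaviours explained in the post above have a direct security consequence: an unquoted path with spaces makes Windows try `C:\Program.exe` before the intended binary, which is exactly the unquoted-service-path privilege escalation a pentester looks for. As an added example (written for this page, not code from the post or from Microsoft), here is a small model of both rules: which executables CreateProcess would try for an unquoted command line, and how a long file name folds into a PROGRA~1-style short name under the simplified rule the post describes (the real NTFS algorithm switches to a hashed form after several collisions, which is left out). Sample paths such as `Some Vendor\svc.exe` are illustrative assumptions.

```python
# Added example: a testable model of the CreateProcess unquoted-path search and
# of 8.3 short-name generation. Not part of the original post.
import ntpath

# Characters DOS does not accept in a file name (the ones the post lists plus
# the other reserved path characters).
INVALID_CHARS = set(' *\\:?"<>|/')


def unquoted_candidates(cmdline: str) -> list[str]:
    """Executables Windows tries, in order, for a command line handed to
    CreateProcess with no explicit application name.

    A quoted path yields exactly one candidate. An unquoted path with spaces
    yields one candidate per space-delimited prefix. Assumption: the whole
    string is the path (trailing arguments are not modelled)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return [cmdline[1:end] if end > 0 else cmdline[1:]]
    parts = cmdline.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        # CreateProcess appends .exe when the last component has no extension.
        if not ntpath.splitext(ntpath.basename(prefix))[1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def hijack_points(cmdline: str) -> list[str]:
    """Locations where a planted binary would pre-empt the intended one:
    every candidate except the last (the real target)."""
    return unquoted_candidates(cmdline)[:-1]


def _split_ext(name: str) -> tuple[str, str]:
    base, dot, ext = name.rpartition(".")
    return (base, ext) if dot else (name, "")


def is_valid_83(name: str) -> bool:
    """True if name is already a legal DOS 8.3 file name."""
    base, ext = _split_ext(name)
    if not base or "." in base or len(base) > 8 or len(ext) > 3:
        return False
    return not (INVALID_CHARS & set(name))


def short_name(long_name: str, existing: set[str]) -> str:
    """Fold long_name into a unique 8.3 short name. `existing` holds the
    upper-case short names already used in the directory. Names that are
    already legal 8.3 names are kept as they are (upper-cased)."""
    if is_valid_83(long_name):
        return long_name.upper()
    base, ext = _split_ext(long_name)

    def clean(s: str) -> str:
        # Spaces are dropped outright ("Program Files" -> "PROGRAMFILES");
        # other illegal characters become "_" as NTFS does; dots are dropped.
        s = s.replace(" ", "").replace(".", "")
        return "".join("_" if c in INVALID_CHARS else c for c in s).upper()

    base, ext = clean(base), clean(ext)[:3]
    n = 1
    while True:
        tail = f"~{n}"
        # Six characters of the base for ~1..~9, fewer once the tail grows,
        # so the result never exceeds eight characters.
        cand = base[:min(6, 8 - len(tail))] + tail + (f".{ext}" if ext else "")
        if cand not in existing:
            return cand
        n += 1


if __name__ == "__main__":
    for cmd in (r'"C:\Program Files\WinWord\winword.exe"',
                r"C:\Program Files\WinWord\winword.exe"):
        print(cmd, "->", unquoted_candidates(cmd))
    print("Program Files ->", short_name("Program Files", set()))
    print("Program Files (again) ->", short_name("Program Files", {"PROGRA~1"}))
```

For a real check, feed `hijack_points` the ImagePath of each service and test whether the current user can create a file at any of the returned locations; an empty list means the path is quoted or has no spaces and cannot be hijacked this way.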

#37
MuffinsCanFly (Topic Starter, Member, 33 posts)
It seems to be working fine. What's up with the System Restore stuff? I know I've never made any backups on this computer, so I think it's funny there is stuff in there.

#38
sarahw (Malware Staff, 2,781 posts)
Hi,
Sorry about the delay, I am very busy at the moment.
System Restore points are made automatically when a driver or software change is made on the computer.

1.
Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK



The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.


2.
Please download OTCleanIt from HERE to your desktop.
Double click to run it. It will clean up the assortment of tools used during malware removal. When it has finished, it will ask you to reboot so it can remove itself.


Congratulations, your log is now clean. :)

A well protected computer should have at least an Anti Virus and a Firewall; an Anti Spyware is also a great addition to your computer's security. Here is a list of tools I like to recommend to people that will help ensure safe surfing on the internet, and help you avoid getting infected again.
Note: DO NOT install more than one antivirus or Firewall program. They will conflict, and provide less protection, not more. Uninstall any existing Anti Virus\Firewall programs if you're going to install a new one.


Free Online Scans:
Free Active X and Java based online scans. You can use these scans from other companies and it will not interfere with your current Anti Virus. If you find that you are infected, post a Hijack This log in the forums.

Free Temp Cleaners:
Use these tools to clean temporary files from IE and Windows, empty the recycle bin and more. A great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders. ATF Cleaner recommended.

Free Firewall Downloads:
You must have a Firewall installed on your computer. This helps stop anything from leaving or entering your computer without your permission.

Free Anti Spyware Downloads:
An Antispyware is a great tool that can help remove infections along side your Anti Virus. Some include real time protection, scheduled scans and automatic definition updates.

Free Anti Virus Downloads:
A must have for all computers. Avast! recommended.

Other:
  • SpywareGuard
    Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd
    This tool puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • Memtest86
    Great memory testing software.
  • CPU-Z
    This application gives detailed information about your system in a nice layout
  • Speedfan
    Returns and monitors system temperatures.
  • Windows Updates
    It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
You can now Rehide your system files by using the reversal of these instructions HERE



To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read THIS article by Tony Klein.


If you have any other problems or questions be sure to ask. :)

#39
sarahw (Malware Staff, 2,781 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.