Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Winanonymous [RESOLVED]


  • This topic is locked This topic is locked

#1
myles7897

myles7897

    Member

  • Member
  • PipPip
  • 10 posts
So I used Internet Explorer for five minutes and I get prompted to download Winanonymous. Of course, I say no. But thanks to Microsoft it downloads anyway. So I went through on Hijack This figuring I could find and delete it, wrong. I end up not connecting to the Internet, but that is a different problem. So I download Spyware Doctor and ran it, this is what ends up:

application.TrackingCookies
trojan.Virtumonde
Adware.Advertising
Hijacker.affliliated_with_Browser_Hijacker
trojan-Download.Dadobra
adware.maxifiles
trojan-Downloader.Contlook

Then I click fix and it ask me for money. So I say no, and download ComboFix. Here is the log: (hijackthis log follows)

Combofix

mComboFix 08-04-18.3 - Josh 2008-04-19 2:11:35.1 - NTFSx86
Running from: C:\Documents and Settings\Josh.MYCOMPUTER\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cflmjckx.dll
C:\WINDOWS\system32\fccaXRLC.dll
C:\WINDOWS\system32\gphjvamw.dll
C:\WINDOWS\system32\nnnkJyxU.dll
C:\WINDOWS\system32\pxowbyrm.dll
C:\WINDOWS\system32\UxyJknnn.ini
C:\WINDOWS\system32\UxyJknnn.ini2
C:\WINDOWS\system32\winsys.exe
C:\WINDOWS\system32\xkcjmlfc.ini
C:\WINDOWS\system32\xlirjflx.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.

2008-04-19 01:06 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-19 01:06 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-19 01:06 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-19 01:06 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-04-19 01:05 . 2008-04-19 01:08 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-19 01:05 . 2008-04-19 01:05 <DIR> d-------- C:\Documents and Settings\Josh.MYCOMPUTER\Application Data\PC Tools
2008-04-18 10:18 . 2008-04-18 10:18 109,738 --a------ C:\WINDOWS\BM07b74edd.xml
2008-04-17 10:16 . 2008-04-18 10:16 1,540,677 --ahs---- C:\WINDOWS\system32\qoljgbcb.ini
2008-04-16 22:08 . 2008-04-16 22:08 38,400 --a------ C:\WINDOWS\mrofinu1535.exe.tmp
2008-04-16 22:08 . 2008-04-16 22:08 38,400 --a------ C:\WINDOWS\mrofinu1535.exe
2008-04-16 21:57 . 2008-04-16 21:57 <DIR> d-------- C:\Documents and Settings\Josh.MYCOMPUTER\Application Data\.purple
2008-04-16 21:56 . 2008-04-16 21:59 <DIR> d-------- C:\Program Files\Pidgin
2008-04-16 21:56 . 2008-04-16 21:57 <DIR> d-------- C:\Program Files\Aspell
2008-04-16 17:27 . 2008-04-16 17:27 <DIR> d-------- C:\Documents and Settings\Josh.MYCOMPUTER\Application Data\MixMeister Technology
2008-04-16 14:56 . 2008-04-16 14:56 <DIR> d-------- C:\Documents and Settings\Josh.MYCOMPUTER\Application Data\Pegasys Inc
2008-04-16 14:40 . 2008-04-16 14:56 <DIR> d-------- C:\Documents and Settings\Josh.MYCOMPUTER\Application Data\DivX
2008-04-16 14:39 . 2008-04-16 14:55 <DIR> d-------- C:\Program Files\DivX
2008-04-15 21:55 . 2008-04-15 22:24 <DIR> d-------- C:\Program Files\Sonic Foundry
2008-04-15 21:55 . 2008-04-15 21:55 <DIR> d-------- C:\Program Files\DebugMode
2008-04-14 15:49 . 2008-04-14 15:49 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2008-04-09 21:44 . 2008-04-09 21:45 <DIR> d-------- C:\Program Files\Unlocker
2008-04-09 18:29 . 2008-04-16 12:02 <DIR> d-------- C:\Program Files\Common Files\XULRunner
2008-04-09 18:29 . 2008-04-09 18:29 <DIR> d-------- C:\Program Files\ChatZilla
2008-04-09 18:29 . 2008-04-09 18:29 <DIR> d-------- C:\Documents and Settings\Josh.MYCOMPUTER\Application Data\ChatZilla
2008-04-08 22:25 . 2008-04-08 22:27 <DIR> d-------- C:\Documents and Settings\Josh.MYCOMPUTER\Application Data\leafChat
2008-04-07 22:22 . 2008-04-07 22:22 <DIR> d-------- C:\Program Files\Bonjour
2008-04-06 15:30 . 2008-04-06 15:30 <DIR> d-------- C:\Program Files\iTunes
2008-04-06 15:27 . 2008-04-06 15:28 <DIR> d-------- C:\Program Files\QuickTime
2008-04-02 10:18 . 2008-04-02 10:18 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2008-04-02 10:18 . 2008-04-02 10:18 81,920 --a------ C:\WINDOWS\system32\dpl100.dll
2008-04-02 10:18 . 2008-04-02 10:18 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest
2008-04-02 10:18 . 2008-04-02 10:18 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest
2008-03-31 22:45 . 2007-12-06 19:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-31 22:45 . 2007-06-30 20:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-31 22:45 . 2007-06-30 20:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-31 22:45 . 2007-12-06 19:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-31 22:45 . 2007-12-06 19:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-31 22:45 . 2007-12-06 19:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-31 22:45 . 2007-12-06 19:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-31 22:45 . 2007-12-06 19:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-31 22:45 . 2007-12-06 04:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-31 14:25 . 2008-03-31 14:25 831,488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 14:25 . 2008-03-31 14:25 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 14:25 . 2008-03-31 14:25 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 14:25 . 2008-03-31 14:25 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 14:25 . 2008-03-31 14:25 682,496 --a------ C:\WINDOWS\system32\DivX.dll
2008-03-31 14:25 . 2008-03-31 14:25 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-26 20:58 . 2008-03-26 20:58 118,784 --a------ C:\WINDOWS\SeaMonkeyUninstall.exe
2008-03-26 20:58 . 2008-03-26 20:58 118,784 --a------ C:\WINDOWS\GREUninstall.exe
2008-03-24 20:20 . 2008-03-24 20:20 <DIR> d-------- C:\Documents and Settings\Josh.MYCOMPUTER\Application Data\InstallShield
2008-03-24 17:31 . 2008-03-24 17:31 <DIR> d-------- C:\Program Files\AlphaZIP
2008-03-24 17:31 . 2007-03-05 11:51 360,580 --a------ C:\WINDOWS\system32\eSellerateEngine.dll
2008-03-24 17:22 . 2008-03-24 17:22 <DIR> d--h----- C:\WINDOWS\system32\CyberInstallerUninstallerSystem
2008-03-24 17:21 . 2008-03-24 17:21 <DIR> d-------- C:\Documents and Settings\Josh.MYCOMPUTER\Application Data\CyberInstaller Studio 2008
2008-03-24 16:56 . 2008-03-26 20:13 <DIR> d-------- C:\Program Files\VideoServiceThief
2008-03-24 12:45 . 2008-03-24 12:45 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2008-03-23 08:18 . 2008-03-23 08:18 159,376 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-03-22 11:24 . 2008-03-22 11:25 <DIR> d-------- C:\Program Files\Safari
2008-03-21 13:30 . 2008-03-21 13:30 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-03-21 13:30 . 2008-03-21 13:30 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-03-21 13:30 . 2008-03-21 13:30 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-03-21 13:30 . 2008-03-21 13:30 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-03-21 13:28 . 2008-03-21 13:28 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
2008-03-21 13:28 . 2008-03-21 13:28 344,064 --a------ C:\WINDOWS\system32\dpus11.dll
2008-03-21 13:28 . 2008-03-21 13:28 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2008-03-21 13:28 . 2008-03-21 13:28 294,912 --a------ C:\WINDOWS\system32\dpu10.dll
2008-03-21 13:28 . 2008-03-21 13:28 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2008-03-21 13:28 . 2008-03-21 13:28 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 13:28 . 2008-03-21 13:28 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-21 10:25 . 2008-03-21 10:25 <DIR> d-------- C:\Documents and Settings\Josh.MYCOMPUTER\Application Data\Flickr
2008-03-21 10:24 . 2008-03-21 10:52 <DIR> d-------- C:\Program Files\Flickr Uploadr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-20 04:48 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-19 08:38 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 4
2008-04-19 01:53 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-04-14 22:48 --------- d-----w C:\Program Files\MSECache
2008-04-12 05:07 --------- d-----w C:\Documents and Settings\Josh.MYCOMPUTER\Application Data\gtk-2.0
2008-04-09 05:13 --------- d-----w C:\Program Files\Steam
2008-04-09 02:05 --------- d-----w C:\Program Files\Trillian
2008-04-06 22:30 --------- d-----w C:\Program Files\iPod
2008-04-03 21:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-01 05:44 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-27 17:42 --------- d-----w C:\Program Files\Java
2008-03-27 03:57 --------- d-----w C:\Program Files\mozilla.org
2008-03-25 03:20 --------- d-----w C:\Program Files\D-Link
2008-03-24 19:12 --------- d-----w C:\Program Files\Mozilla Sunbird
2008-03-21 20:30 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-03-21 20:30 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-03-21 20:30 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-03-20 05:01 --------- d-----w C:\Program Files\Spark
2008-03-18 04:25 --------- d-----w C:\Program Files\Nvu
2008-03-18 04:25 --------- d-----w C:\Documents and Settings\Josh.MYCOMPUTER\Application Data\Nvu
2008-03-17 17:49 --------- d-----w C:\Program Files\Global Devtech
2008-03-14 05:26 --------- d-----w C:\Program Files\Texter
2008-03-13 05:02 --------- d-----w C:\Program Files\Common Files\Pure Networks Shared
2008-03-13 05:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pure Networks
2008-03-02 23:29 --------- d-----w C:\Program Files\Prism
2008-02-25 06:06 --------- d-----w C:\Program Files\FlameProject
2008-02-25 02:10 --------- d-----w C:\Documents and Settings\Josh.MYCOMPUTER\Application Data\OpenSong
2008-02-25 01:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Softouch
2008-02-25 00:44 --------- d-----w C:\Program Files\Common Files\Borland Shared
2008-02-25 00:44 --------- d-----w C:\Documents and Settings\Josh.MYCOMPUTER\Application Data\Softouch
2007-12-13 23:46 200,864 ----a-w C:\Documents and Settings\Josh.MYCOMPUTER\Application Data\GDIPFONTCACHEV1.DAT
2007-01-08 05:09 350 ---ha-w C:\Documents and Settings\Josh.MYCOMPUTER\hpothb07.dat
2006-03-21 21:25 1,648 ----a-w C:\Program Files\main.ini
2006-03-21 21:25 1,001,064 ----a-w C:\Program Files\aolsetup.exe
2005-07-15 20:15 802,143 ----a-w C:\Program Files\data1.cab
2005-07-15 20:15 416 ----a-w C:\Program Files\layout.bin
2005-07-15 20:15 20,678,531 ----a-w C:\Program Files\data2.cab
2005-07-15 20:15 106,457 ----a-w C:\Program Files\data1.hdr
2005-07-15 20:14 156 ----a-w C:\Program Files\Setup.ini
2005-07-15 20:14 148,141 ----a-w C:\Program Files\setup.inx
2003-12-05 22:26 346,602 ----a-w C:\Program Files\ikernel.ex_
2000-05-16 22:37 46,080 ----a-w C:\Program Files\Setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"LanToucherNetworkChat"="C:\Program Files\Vital Sound Laboratory\LTNC\LTNC.exe" [ ]
"SeaMonkey Quick Launch"="C:\Program Files\mozilla.org\SeaMonkey\SeaMonkey.exe" [2008-03-13 14:57 106496]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-03-29 11:41 1245184]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-01-08 17:20 451896]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2008-01-18 10:32 451896]
"CHotkey"="mHotkey.exe" [2002-07-29 11:54 473088 C:\WINDOWS\mHotkey.exe]
"ledpointer"="CNYHKey.exe" [2002-10-04 09:05 532992 C:\WINDOWS\CNYHKey.exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-07 00:33 8720384]

C:\Documents and Settings\Josh.MYCOMPUTER\Start Menu\Programs\Startup\
Network Chat AutoStart.lnk - C:\Program Files\Global Devtech\Network Chat\Network Chat.exe [2004-12-20 19:01:40 344064]
Texter.lnk - C:\Program Files\Texter\texter.exe [2007-11-06 16:20:14 377303]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]
NCProTray.lnk - C:\Program Files\SEC\Natural Color Pro\NCProTray.exe [2007-02-22 16:23:19 49220]
Wireless Connection Manager.lnk - C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\wirelesscm.exe [2008-03-24 20:20:45 20525056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccaXRLC]
fccaXRLC.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"C:\\Program Files\\Xfire\\Xfire.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Battlefront II\\GameData\\BattlefrontII.exe"=
"C:\\Program Files\\Common Files\\AOL\\1148783141\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1148783141\\ee\\aim6.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Teamspeak2_RC3\\server_windows.exe"=
"C:\\WINDOWS\\Installer\\{AC76BA86-1033-F400-7760-000000000002}\\SC_Distiller.exe"=
"C:\\Program Files\\Microprose\\Risk II\\RiskII.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\StubInstaller.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\MagicTune Premium\\MagicTune.exe"=
"C:\\Program Files\\Pure Networks\\Network Magic\\WebServer\\bin\\nmraapache.exe"=
"C:\\Westwood\\SUN\\game.exe"=
"C:\\Westwood\\SUN\\PATCHGET.DAT"=
"C:\\Program Files\\EA Games\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Global Devtech\\Network Chat\\Network Chat.exe"=
"C:\\Program Files\\Songbird\\songbird.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\Common Files\\XULRunner\\xulrunner.exe"=
"C:\\Program Files\\Mozilla Firefox 3 Beta 4\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 12:38]
R3 ham50;Creatix V.92 HAM Data Fax Modem;C:\WINDOWS\system32\DRIVERS\CTXH51.sys [2002-04-23 12:55]
R3 JSWSCIMD;jswscimd Service;C:\WINDOWS\system32\DRIVERS\jswscimd.sys [2007-07-06 16:30]
R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2007-07-03 11:46]
S2 icas;iTALC Client;"C:\Program Files\iTALC\ica.exe" -service []
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\PLCNDIS5.SYS [2003-05-16 19:18]
S3 SGUARD;SGUARD;C:\WINDOWS\system32\drivers\SGuard.sys [2005-01-21 08:17]
S3 UNDPX2K;UNDPX2K;C:\WINDOWS\system32\drivers\UNDPX2K.SYS []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-19 17:35:23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-19 07:30:01 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1125620970.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-04-19 07:41:00 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1148056826.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-04-20 04:02:00 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1168232475.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-04-19 16:24:00 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1177358978.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-04-19 22:53:00 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1196293927.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-04-19 11:13:00 C:\WINDOWS\Tasks\{1C119F66-5074-4501-9C76-8CE0B7097DA9}_BOYS_Josh.job"
- C:\WINDOWS\system32\mobsync.exe> /Schedule=
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 21:47:59
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-19 21:53:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-20 04:53:43

Pre-Run: 24,532,639,744 bytes free
Post-Run: 26,009,739,264 bytes free

272 --- E O F --- 2008-04-16 06:20:07



________________________________________________________________________________
_________________________________________________



Hijack This (ran after combo fix)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:04 AM, on 4/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\wirelesscm.exe
C:\Program Files\Texter\texter.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Josh.MYCOMPUTER\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [LanToucherNetworkChat] C:\Program Files\Vital Sound Laboratory\LTNC\LTNC.exe
O4 - HKCU\..\Run: [SeaMonkey Quick Launch] "C:\Program Files\mozilla.org\SeaMonkey\SeaMonkey.exe" -turbo
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Network Chat AutoStart.lnk = C:\Program Files\Global Devtech\Network Chat\Network Chat.exe
O4 - Startup: Texter.lnk = C:\Program Files\Texter\texter.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: NCProTray.lnk = ?
O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\wirelesscm.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{338D94CA-C169-43E1-B81B-47C5E85DD49A}: NameServer = 4.2.2.2,4.2.2.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{78DA2F96-29D3-4D59-BC63-108D58DA0BE5}: NameServer = 4.2.2.2,4.2.2.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E022728-477F-4B1C-AFED-E9E079FDA479}: NameServer = 4.2.2.2,4.2.2.3
O20 - Winlogon Notify: fccaXRLC - fccaXRLC.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: iTALC Client (icas) - Unknown owner - C:\Program Files\iTALC\ica.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 9062 bytes



After this I ran Spyware Doctor again and it turned up these results:

application.TrackingCookies
trojan.Virtumonde
Adware.Advertising
Hijacker.affliliated_with_Browser_Hijacker
adware.maxifiles
Application.NirCmd
Trojan.Generic

As far as I can tell the Winanonymous is gone. The tracking cookies might be information that I send to Mozilla about Firefox.

Thank You,
myles7897
  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Download Malwarebytes ' Anti-Malware at http://www.besttechi.../mbam-setup.exe or http://www.majorgeek...ware_d5756.html Double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console using the download (not the CD). Skip the rest of the instructions and then do the below:

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

File::
C:\WINDOWS\BM07b74edd.xml
C:\WINDOWS\system32\qoljgbcb.ini
C:\WINDOWS\mrofinu1535.exe.tmp
C:\WINDOWS\mrofinu1535.exe
C:\WINDOWS\system32\fccaXRLC.dll
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccaXRLC]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.
  • 0

#3
myles7897

myles7897

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Thank you for the help, greyknight17.

Here is the Malwarebytes' Anti-Malware log.

Malwarebytes' Anti-Malware 1.11
Database version: 663

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 244233
Time elapsed: 1 hour(s), 21 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\fccaXRLC.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\gphjvamw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{78D1843B-3F9C-4EB6-925F-5E983CBF3E9C}\RP607\A0409345.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{78D1843B-3F9C-4EB6-925F-5E983CBF3E9C}\RP608\A0409376.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{78D1843B-3F9C-4EB6-925F-5E983CBF3E9C}\RP609\A0409451.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{78D1843B-3F9C-4EB6-925F-5E983CBF3E9C}\RP612\A0409529.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{78D1843B-3F9C-4EB6-925F-5E983CBF3E9C}\RP612\A0409530.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\mrofinu1535.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\mrofinu1535.exe.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.


________________________________________________________________________________
_____

Here is the ComboFix log.

ComboFix 08-04-20.2 - Josh 2008-04-20 23:03:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.132 [GMT -7:00]
Running from: C:\Documents and Settings\Josh.MYCOMPUTER\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Josh.MYCOMPUTER\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BM07b74edd.xml
C:\WINDOWS\mrofinu1535.exe
C:\WINDOWS\mrofinu1535.exe.tmp
C:\WINDOWS\system32\fccaXRLC.dll
C:\WINDOWS\system32\qoljgbcb.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Guest.MYCOMPUTER\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\BM07b74edd.xml
C:\WINDOWS\system32\qoljgbcb.ini
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.

2008-04-20 21:25 . 2008-04-20 21:25 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-20 21:25 . 2008-04-20 21:25 <DIR> d-------- C:\Documents and Settings\Josh.MYCOMPUTER\Application Data\Malwarebytes
2008-04-20 21:25 . 2008-04-20 21:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-20 12:11 . 2008-04-20 12:11 <DIR> d-------- C:\Program Files\Uniblue
2008-04-19 01:06 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-19 01:06 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-19 01:06 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-19 01:06 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-04-19 01:05 . 2008-04-20 11:26 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-19 01:05 . 2008-04-19 01:05 <DIR> d-------- C:\Documents and Settings\Josh.MYCOMPUTER\Application Data\PC Tools
2008-04-16 21:57 . 2008-04-16 21:57 <DIR> d-------- C:\Documents and Settings\Josh.MYCOMPUTER\Application Data\.purple
2008-04-16 21:56 . 2008-04-16 21:59 <DIR> d-------- C:\Program Files\Pidgin
2008-04-16 21:56 . 2008-04-16 21:57 <DIR> d-------- C:\Program Files\Aspell
2008-04-16 17:27 . 2008-04-16 17:27 <DIR> d-------- C:\Documents and Settings\Josh.MYCOMPUTER\Application Data\MixMeister Technology
2008-04-16 14:56 . 2008-04-16 14:56 <DIR> d-------- C:\Documents and Settings\Josh.MYCOMPUTER\Application Data\Pegasys Inc
2008-04-16 14:40 . 2008-04-16 14:56 <DIR> d-------- C:\Documents and Settings\Josh.MYCOMPUTER\Application Data\DivX
2008-04-16 14:39 . 2008-04-16 14:55 <DIR> d-------- C:\Program Files\DivX
2008-04-15 21:55 . 2008-04-15 22:24 <DIR> d-------- C:\Program Files\Sonic Foundry
2008-04-15 21:55 . 2008-04-15 21:55 <DIR> d-------- C:\Program Files\DebugMode
2008-04-14 15:49 . 2008-04-14 15:49 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2008-04-09 21:44 . 2008-04-09 21:45 <DIR> d-------- C:\Program Files\Unlocker
2008-04-09 18:29 . 2008-04-20 15:28 <DIR> d-------- C:\Program Files\Common Files\XULRunner
2008-04-09 18:29 . 2008-04-09 18:29 <DIR> d-------- C:\Program Files\ChatZilla
2008-04-09 18:29 . 2008-04-09 18:29 <DIR> d-------- C:\Documents and Settings\Josh.MYCOMPUTER\Application Data\ChatZilla
2008-04-08 22:25 . 2008-04-08 22:27 <DIR> d-------- C:\Documents and Settings\Josh.MYCOMPUTER\Application Data\leafChat
2008-04-07 22:22 . 2008-04-07 22:22 <DIR> d-------- C:\Program Files\Bonjour
2008-04-06 15:30 . 2008-04-06 15:30 <DIR> d-------- C:\Program Files\iTunes
2008-04-06 15:27 . 2008-04-06 15:28 <DIR> d-------- C:\Program Files\QuickTime
2008-04-02 10:18 . 2008-04-02 10:18 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2008-04-02 10:18 . 2008-04-02 10:18 81,920 --a------ C:\WINDOWS\system32\dpl100.dll
2008-04-02 10:18 . 2008-04-02 10:18 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest
2008-04-02 10:18 . 2008-04-02 10:18 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest
2008-03-31 22:45 . 2007-12-06 19:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-31 22:45 . 2007-06-30 20:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-31 22:45 . 2007-06-30 20:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-31 22:45 . 2007-12-06 19:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-31 22:45 . 2007-12-06 19:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-31 22:45 . 2007-12-06 19:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-31 22:45 . 2007-12-06 19:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-31 22:45 . 2007-12-06 19:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-31 22:45 . 2007-12-06 04:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-31 14:25 . 2008-03-31 14:25 831,488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 14:25 . 2008-03-31 14:25 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 14:25 . 2008-03-31 14:25 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 14:25 . 2008-03-31 14:25 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 14:25 . 2008-03-31 14:25 682,496 --a------ C:\WINDOWS\system32\DivX.dll
2008-03-31 14:25 . 2008-03-31 14:25 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-26 20:58 . 2008-03-26 20:58 118,784 --a------ C:\WINDOWS\SeaMonkeyUninstall.exe
2008-03-26 20:58 . 2008-03-26 20:58 118,784 --a------ C:\WINDOWS\GREUninstall.exe
2008-03-24 20:20 . 2008-03-24 20:20 <DIR> d-------- C:\Documents and Settings\Josh.MYCOMPUTER\Application Data\InstallShield
2008-03-24 17:31 . 2008-03-24 17:31 <DIR> d-------- C:\Program Files\AlphaZIP
2008-03-24 17:31 . 2007-03-05 11:51 360,580 --a------ C:\WINDOWS\system32\eSellerateEngine.dll
2008-03-24 17:22 . 2008-03-24 17:22 <DIR> d--h----- C:\WINDOWS\system32\CyberInstallerUninstallerSystem
2008-03-24 17:21 . 2008-03-24 17:21 <DIR> d-------- C:\Documents and Settings\Josh.MYCOMPUTER\Application Data\CyberInstaller Studio 2008
2008-03-24 16:56 . 2008-03-26 20:13 <DIR> d-------- C:\Program Files\VideoServiceThief
2008-03-24 12:45 . 2008-03-24 12:45 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2008-03-23 08:18 . 2008-03-23 08:18 159,376 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-03-22 11:24 . 2008-03-22 11:25 <DIR> d-------- C:\Program Files\Safari
2008-03-21 13:30 . 2008-03-21 13:30 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-03-21 13:30 . 2008-03-21 13:30 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-03-21 13:30 . 2008-03-21 13:30 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-03-21 13:30 . 2008-03-21 13:30 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-03-21 13:28 . 2008-03-21 13:28 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
2008-03-21 13:28 . 2008-03-21 13:28 344,064 --a------ C:\WINDOWS\system32\dpus11.dll
2008-03-21 13:28 . 2008-03-21 13:28 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2008-03-21 13:28 . 2008-03-21 13:28 294,912 --a------ C:\WINDOWS\system32\dpu10.dll
2008-03-21 13:28 . 2008-03-21 13:28 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2008-03-21 13:28 . 2008-03-21 13:28 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 13:28 . 2008-03-21 13:28 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-21 10:25 . 2008-03-21 10:25 <DIR> d-------- C:\Documents and Settings\Josh.MYCOMPUTER\Application Data\Flickr
2008-03-21 10:24 . 2008-03-21 10:52 <DIR> d-------- C:\Program Files\Flickr Uploadr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 06:01 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 4
2008-04-21 04:28 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-20 22:12 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-04-16 04:46 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-04-16 04:46 262,144 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-04-16 04:40 58,904 ----a-w C:\WINDOWS\system32\azipcontmn.dll
2008-04-14 22:48 --------- d-----w C:\Program Files\MSECache
2008-04-12 05:07 --------- d-----w C:\Documents and Settings\Josh.MYCOMPUTER\Application Data\gtk-2.0
2008-04-09 05:17 58,904 ----a-w C:\WINDOWS\system32\sysfolderazipcnt.dll
2008-04-09 05:13 --------- d-----w C:\Program Files\Steam
2008-04-09 02:05 --------- d-----w C:\Program Files\Trillian
2008-04-06 22:30 --------- d-----w C:\Program Files\iPod
2008-04-03 21:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-01 05:44 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-27 17:42 --------- d-----w C:\Program Files\Java
2008-03-27 03:57 --------- d-----w C:\Program Files\mozilla.org
2008-03-25 03:20 --------- d-----w C:\Program Files\D-Link
2008-03-24 19:12 --------- d-----w C:\Program Files\Mozilla Sunbird
2008-03-21 20:30 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-03-21 20:30 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-03-21 20:30 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-03-21 20:30 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2008-03-21 20:30 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2008-03-21 20:30 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2008-03-20 05:01 --------- d-----w C:\Program Files\Spark
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-18 04:25 --------- d-----w C:\Program Files\Nvu
2008-03-18 04:25 --------- d-----w C:\Documents and Settings\Josh.MYCOMPUTER\Application Data\Nvu
2008-03-17 17:49 --------- d-----w C:\Program Files\Global Devtech
2008-03-14 05:26 --------- d-----w C:\Program Files\Texter
2008-03-13 05:02 --------- d-----w C:\Program Files\Common Files\Pure Networks Shared
2008-03-13 05:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pure Networks
2008-03-02 23:29 --------- d-----w C:\Program Files\Prism
2008-02-26 19:57 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-02-26 19:50 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-02-25 06:06 --------- d-----w C:\Program Files\FlameProject
2008-02-25 02:10 --------- d-----w C:\Documents and Settings\Josh.MYCOMPUTER\Application Data\OpenSong
2008-02-25 01:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Softouch
2008-02-25 00:44 --------- d-----w C:\Program Files\Common Files\Borland Shared
2008-02-25 00:44 --------- d-----w C:\Documents and Settings\Josh.MYCOMPUTER\Application Data\Softouch
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-01-29 19:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
2007-12-13 23:46 200,864 ----a-w C:\Documents and Settings\Josh.MYCOMPUTER\Application Data\GDIPFONTCACHEV1.DAT
2007-01-08 05:09 350 ---ha-w C:\Documents and Settings\Josh.MYCOMPUTER\hpothb07.dat
2006-03-21 21:25 1,648 ----a-w C:\Program Files\main.ini
2006-03-21 21:25 1,001,064 ----a-w C:\Program Files\aolsetup.exe
2005-07-15 20:15 802,143 ----a-w C:\Program Files\data1.cab
2005-07-15 20:15 416 ----a-w C:\Program Files\layout.bin
2005-07-15 20:15 20,678,531 ----a-w C:\Program Files\data2.cab
2005-07-15 20:15 106,457 ----a-w C:\Program Files\data1.hdr
2005-07-15 20:14 156 ----a-w C:\Program Files\Setup.ini
2005-07-15 20:14 148,141 ----a-w C:\Program Files\setup.inx
2003-12-05 22:26 346,602 ----a-w C:\Program Files\ikernel.ex_
2001-11-23 19:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"LanToucherNetworkChat"="C:\Program Files\Vital Sound Laboratory\LTNC\LTNC.exe" [ ]
"SeaMonkey Quick Launch"="C:\Program Files\mozilla.org\SeaMonkey\SeaMonkey.exe" [2008-03-13 14:57 106496]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15:56 15360]
"Uniblue ProcessQuickLink 2"="C:\Program Files\Uniblue\ProcessQuickLink 2\ProcessQuickLink2.exe" [2008-04-02 09:50 655640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-03-29 11:41 1245184]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-01-08 17:20 451896]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2008-01-18 10:32 451896]
"CHotkey"="mHotkey.exe" [2002-07-29 11:54 473088 C:\WINDOWS\mHotkey.exe]
"ledpointer"="CNYHKey.exe" [2002-10-04 09:05 532992 C:\WINDOWS\CNYHKey.exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 11:55 1103240]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-07 00:33 8720384]

C:\Documents and Settings\Josh.MYCOMPUTER\Start Menu\Programs\Startup\
Network Chat AutoStart.lnk - C:\Program Files\Global Devtech\Network Chat\Network Chat.exe [2004-12-20 19:01:40 344064]
Texter.lnk - C:\Program Files\Texter\texter.exe [2007-11-06 16:20:14 377303]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]
NCProTray.lnk - C:\Program Files\SEC\Natural Color Pro\NCProTray.exe [2007-02-22 16:23:19 49220]
Wireless Connection Manager.lnk - C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\wirelesscm.exe [2008-03-24 20:20:45 20525056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
"VIDC.TR20"= tr2032.dll
"vidc.vivo"= ivvideo.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"C:\\Program Files\\Xfire\\Xfire.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Battlefront II\\GameData\\BattlefrontII.exe"=
"C:\\Program Files\\Common Files\\AOL\\1148783141\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1148783141\\ee\\aim6.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Teamspeak2_RC3\\server_windows.exe"=
"C:\\WINDOWS\\Installer\\{AC76BA86-1033-F400-7760-000000000002}\\SC_Distiller.exe"=
"C:\\Program Files\\Microprose\\Risk II\\RiskII.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\StubInstaller.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\MagicTune Premium\\MagicTune.exe"=
"C:\\Program Files\\Pure Networks\\Network Magic\\WebServer\\bin\\nmraapache.exe"=
"C:\\Westwood\\SUN\\game.exe"=
"C:\\Westwood\\SUN\\PATCHGET.DAT"=
"C:\\Program Files\\EA Games\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Global Devtech\\Network Chat\\Network Chat.exe"=
"C:\\Program Files\\Songbird\\songbird.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\Common Files\\XULRunner\\xulrunner.exe"=
"C:\\Program Files\\Mozilla Firefox 3 Beta 4\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 12:38]
R3 ham50;Creatix V.92 HAM Data Fax Modem;C:\WINDOWS\system32\DRIVERS\CTXH51.sys [2002-04-23 12:55]
R3 JSWSCIMD;jswscimd Service;C:\WINDOWS\system32\DRIVERS\jswscimd.sys [2007-07-06 16:30]
R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2007-07-03 11:46]
S2 icas;iTALC Client;"C:\Program Files\iTALC\ica.exe" -service []
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\PLCNDIS5.SYS [2003-05-16 19:18]
S3 SGUARD;SGUARD;C:\WINDOWS\system32\drivers\SGuard.sys [2005-01-21 08:17]
S3 UNDPX2K;UNDPX2K;C:\WINDOWS\system32\drivers\UNDPX2K.SYS []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-19 17:35:23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-20 07:30:00 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1125620970.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-04-20 07:41:00 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1148056826.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-04-21 04:02:00 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1168232475.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-04-20 16:24:00 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1177358978.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-04-20 22:53:00 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1196293927.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-04-20 11:13:00 C:\WINDOWS\Tasks\{1C119F66-5074-4501-9C76-8CE0B7097DA9}_BOYS_Josh.job"
- C:\WINDOWS\system32\mobsync.exe> /Schedule=
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 23:08:02
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-20 23:14:23
ComboFix-quarantined-files.txt 2008-04-21 06:14:03
ComboFix2.txt 2008-04-20 04:53:51

Pre-Run: 26,029,436,928 bytes free
Post-Run: 26,013,392,896 bytes free

271 --- E O F --- 2008-04-20 19:24:10


Thank you so much.
myles7897

  • 0

#4
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run and copy/paste in combofix /u and hit OK to remove it. You should be set to go.
  • 0

#5
myles7897

myles7897

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Thank you, well I ran Spyware Doctor and it came up with:
Trojan.FakeAlert
Application.MirCmd
Trojan.Generic

what are those?
  • 0

#6
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Does it indicate where these 3 infections are located?
  • 0

#7
myles7897

myles7897

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Yes.

Trojan.FakeAlert
Files:
C:\Documents and Settings\All Users\Start Menu\Programs\System Mechanic 5 Professional\Uninstall System Mechanic 5 Professional.lnk
C:\Program Files\iolo\System Mechanic 5 Professional\UninstallSMPro.exe
Registry Value to Be Repaired:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windoes NT\CurrentVersion\Winlogon, Userinit

Application.NirCmd sorry this is a "n"
File:
C:\System Volume Information\_restore{78D1843B-3F9C-4EB6-925F-5E983CBF3E9C}\RP614\A0409866.exe
C:\System Volume Information\_restore{78D1843B-3F9C-4EB6-925F-5E983CBF3E9C}\RP615\A0409903.EXE
C:\System Volume Information\_restore{78D1843B-3F9C-4EB6-925F-5E983CBF3E9C}\RP616\A0409940.EXE
C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
C:\WINDOWS\erdnt\subs\ERDNT.EXE
C:\WINDOWS\swxcacls.exe
Registry Value:
HKEY_LOCAL_MACHINE\Software\swearware, combofix_wow
HKEY_LOCAL_MACHINE\Software\swearware, Runs
HKEY_LOCAL_MACHINE\Software\swearware, snapshot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME, NextInstance
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Legacy
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, ConfigFlags
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Class
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, ClassGUID
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, DeviceDesc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Capabilities
HKEY_LOCAL_MACHINE\SYSTEM\CurrentContrlSet\Services\catchme, Type
HKEY_LOCAL_MACHINE\SYSTEM\CurrentContrlSet\Services\catchme, ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\CurrentContrlSet\Services\catchme, Start
HKEY_LOCAL_MACHINE\SYSTEM\CurrentContrlSet\Services\catchme, ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\CurrentContrlSet\Services\catchme, Group
HKEY_LOCAL_MACHINE\SYSTEM\CurrentContrlSet\Services\catchme\Enum, 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentContrlSet\Services\catchme\Enum, Count
HKEY_LOCAL_MACHINE\SYSTEM\CurrentContrlSet\Services\catchme\Enum, NextInstance
Registry Key:
HKEY_LOCAL_MACHINE\Software\swearware
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME
HKEY_LOCAL_MACHINE\SYSTEM\CurrentContrlSet\Services\catchme\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentContrlSet\Services\catchme

Trojan.Generic
Registry Key:
HKEY_USERS\S-1-5-21-1085031214-1177238915-725345543-1005\Software\Wget


That's it. i have a program call Enum Process that detect firewalls, it is not installed it just runs when I click it. I am pretty sure that it is safe, but I am open minded.

Thank you
myles7897
  • 0

#8
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
The first set of entries are related to System Mechanic. I think they are false positives. If you are concerned, feel free to uninstall it via the Add/Remove Programs panel.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4
[-HKEY_USERS\S-1-5-21-1085031214-1177238915-725345543-1005\Software\Wget]


Save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad. Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.


Did you run combofix /u from the run window yet to remove it? It should remove most of the entries SpywareDoctor found to be suspicious there.
  • 0

#9
myles7897

myles7897

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
So I did all that and ran the test again. It came up with Application.NirCmd again. This time a little different. Related to the combofix folder in my C drive. I did run the combofix /u and tried it again and an error message said that it could find it. It still has some files left in it and the test showed some registry files. Should I just leave it? I am ok iwht that as long it doesn't cause harm to my computer.


Thank you so much for all your help,
myles7897
  • 0

#10
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Is Combofix removed now from your desktop? We can take care of the remnants if you want. What else is shown remaining?
  • 0

Advertisements


#11
myles7897

myles7897

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
ComboFix is removed from my desktop.

In C:\ComboFix there is:
CF17695, it is a command shortcut
nircmd, this is an application

The Spyware Doctor results are:

Registery Value
HKEY_LOCAL_MACHINE\SOFTWARE\swearware, combofix_wow
HKEY_LOCAL_MACHINE\SOFTWARE\swearware, Runs
HKEY_LOCAL_MACHINE\SOFTWARE\swearware, snapshot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME, NextInstance
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Legacy
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, ConfigFlags
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Class
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, ClassGUID
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, DeviceDesc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Capabilities
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Type
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Start
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Group
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum, 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum, Count
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum, NextInstance
Registery Key
HKEY_LOCAL_MACHINE\SOFTWARE\swearware
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000\LogConf
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme
File
C:\ComboFix\CF17695.exe
C:\ComboFix\nircmd.com
Folder
C:\ComboFix\
  • 0

#12
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Just leftovers by Combofix.....

Download OTMoveIt2 at http://download.blee...r/OTMoveIt2.exe
* Save it to your desktop.
* Double-click OTMoveIt2.exe to run it. (Vista users, right click on OTMoveIt2.exe and select Run as an Administrator).
* Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

HKEY_LOCAL_MACHINE\SOFTWARE\swearware, combofix_wow
HKEY_LOCAL_MACHINE\SOFTWARE\swearware, Runs
HKEY_LOCAL_MACHINE\SOFTWARE\swearware, snapshot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME, NextInstance
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Type
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Start
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Group
HKEY_LOCAL_MACHINE\SOFTWARE\swearware
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme
C:\ComboFix\

* Return to OTMoveIt2. Right click in the Paste List of Files/Folders to Move window (under the Yellow bar) and choose Paste.
* Click the red Moveit! button.
* A log of files and folders moved will be created in the C:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
* Close OTMoveIt2.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

See if that takes care of the problem.
  • 0

#13
myles7897

myles7897

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
ok, did all that. here is the log

< HKEY_LOCAL_MACHINE\SOFTWARE\swearware, combofix_wow >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\swearware, combofix_wow\\ not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\swearware, Runs >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\swearware, Runs\\ not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\swearware, snapshot >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\swearware, snapshot\\ not found.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME, NextInstance >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME, NextInstance\\ not found.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Type >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Type\\ not found.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, ErrorControl >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, ErrorControl\\ not found.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Start >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Start\\ not found.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, ImagePath >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, ImagePath\\ not found.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Group >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Group\\ not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\swearware >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\swearware\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME >
Unable to delete registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\\ .
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\\ deleted successfully.
C:\ComboFix moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04232008_192937



Did that just move the files?

It appears that the last time I ran Spyware Doctor it was not a full scan. So I did a full scan this time and turn up these results:

Trojan.FakeAlert
File
C:\Program Files\iolo\System Mechanic 5 Professional\UninstallSMPro.exe
C:\Documents and Settings\All Users\Start Menu\Programs\System Mechanic 5 Professional\Uninstall System Mechanic 5 Professional.lnk
Registry Value to be Repaired
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrenVersion\Winlogon, Userinit

Application.NirCmd
Registry Value
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME, NextInstance
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Legacy
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, ConfigFlags
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Class
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, ClassGUID
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, DeviceDesc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Capabilities
Registry Key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000\LogConf
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME
  • 0

#14
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
It's finding some false positives there...we can ignore it.

For the NirCmd, those are ok to leave alone. It's just a rootkit scanner used by Combofix.

Are there any remaining issues now?
  • 0

#15
myles7897

myles7897

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
no, Thank you very much.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP