Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

help with outerinfo/malware infection [RESOLVED]

Started by tanaleefive , Apr 20 2008 03:22 PM

  • This topic is locked This topic is locked

#1
tanaleefive
Posted 20 April 2008 - 03:22 PM

tanaleefive

    New Member

  • Member
  • Pip
  • 5 posts
Hello!

Last week my computer was infected with an outerinfo infection. As a result of this my computer was operaing very slowly (almost not at all). I experienced multiple crashed and was getting "transferagent.exe" error messages and debugger messages. Logging onto the internet was a nightmare and I was getting more pop ups than my patience could tolerate. Initially, I attempted to do a system restore (prior to finding your site), but did not have any restore dates to go back to. The problem was getting worse and I was beginning to think my computer was toast. At that time, I was fortunate enough to find your site and went through the process to clean my computer. This has actually taken several days as I have a lot of files and all of the scans took a long time.

I will list out the complete steps I have taken, including all reqested logs below. Each requested log will be listed below each step. *******I have had to come in and add an edit, as the last half of my post (with the remaining requested steps) has been cut off. As I do not want to "bump" my topic or add a reply", I will wait for you to respond. I will resubmit the Malwarebytes scan, the Panda Activescan, the Trend Micro virus scan, and the Hijack log at that time. Also my note on the Windows update was also lost. I was unable to add it as I already have Service Pack2. also did the reboot test. Things appear to be much better and running more smoothly, but I get a lot of Internet Explorer pop ups (and I use Firefox as my browser). I also have been getting the following message: "Error loading C:\WNDOWS\system3hrhjmau.dll. The specified module cannot be found. Please advise. I appreciate all of your help and will be patient during this process. As such I will check in daily for posts. Please let me know what I should do next. Thanks!

Renea (AKA tanaleefive)

1. I have run the outerinfo uninstaller.

2. I have downloaded and installed ComboFix and run the program (a copy of the log is below).

ComboFix 08-04-17.1 - Renea 2008-04-18 18:40:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1.#QNAN [GMT -7:00]
Running from: C:\Documents and Settings\Renea\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Renea\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Renea\My Documents\ICROSO~1
C:\Documents and Settings\Renea\My Documents\ICROSO~1\?icrosoft\
C:\Documents and Settings\Renea\My Documents\ICROSO~1\wuaclt.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\mantec~1
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cfx32.ocx
C:\WINDOWS\system32\gnibjoyu.dll
C:\WINDOWS\SYSTEM32\iixidxcw.ini
C:\WINDOWS\system32\lftqxbjt.dll
C:\WINDOWS\system32\mantec~1
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\ttgthmnl.dll
C:\WINDOWS\SYSTEM32\uyojbing.ini
C:\WINDOWS\system32\wcxdixii.dll
C:\WINDOWS\system32\ylgbmvrq.dll
C:\WINDOWS\SYSTEM32\yxbeffhk.ini
C:\WINDOWS\SYSTEM32\yxbeffhk.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NETWORK_MONITOR
-------\Service_TnIDriver


((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.

2008-04-18 19:13 . 2008-04-18 19:13 345 --ahs---- C:\WINDOWS\SYSTEM32\orutwxyb.ini
2008-04-18 19:12 . 2008-04-18 19:13 274,432 --a------ C:\WINDOWS\SYSTEM32\byxwturo.dll
2008-04-18 19:08 . 2008-04-18 19:08 22 --a------ C:\WINDOWS\pskt.ini
2008-04-17 23:42 . 2008-04-18 18:22 <DIR> d-------- C:\Documents and Settings\Renea\Application Data\AdwareAlert
2008-04-17 23:27 . 2008-04-17 23:27 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
2008-04-17 23:27 . 2008-03-31 12:42 22,512 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\adwarealert.sys
2008-04-17 23:02 . 2008-04-17 23:04 <DIR> d-------- C:\Documents and Settings\Stephen Snodgrass\Application Data\AdwareAlert
2008-04-17 23:00 . 2008-04-17 23:00 <DIR> d-------- C:\Program Files\AdwareAlert
2008-04-17 22:16 . 2008-04-17 22:24 1,529,413 ---hs---- C:\WINDOWS\SYSTEM32\bcxyuxto.ini
2008-04-15 21:14 . 2008-04-15 21:14 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico
2008-04-15 20:59 . 2008-04-15 20:59 110,623 --a------ C:\WINDOWS\SYSTEM32\bgxwcnev.dll
2008-04-15 20:54 . 2008-04-17 21:39 1,529,249 ---hs---- C:\WINDOWS\SYSTEM32\gsjyynuc.ini
2008-04-15 20:50 . 2008-04-15 20:50 105,561 --a------ C:\WINDOWS\SYSTEM32\cttcvajb.dll
2008-04-15 18:49 . 2008-04-15 20:07 <DIR> d-------- C:\Program Files\Outerinfo(2)
2008-04-15 18:09 . 2008-04-15 18:09 34,099 --a------ C:\WINDOWS\SYSTEM32\efcbbcbx.dll
2008-04-15 18:05 . 2008-04-15 18:05 396,267 --a------ C:\WINDOWS\SYSTEM32\khffebxy.dll
2008-04-15 18:01 . 2008-04-15 21:45 <DIR> d--hs---- C:\WINDOWS\U3RlcGhlbiAgU25vZGdyYXNz
2008-04-15 18:01 . 2008-04-15 21:01 63,839 --a------ C:\WINDOWS\SYSTEM32\{9a7dd64f-1c4b-6df0-faf7-0310516cb0f1}.dll-uninst.exe
2008-04-15 18:00 . 2008-04-15 18:00 <DIR> d-------- C:\WINDOWS\SYSTEM32\sFi
2008-04-15 18:00 . 2008-04-15 20:59 <DIR> d-------- C:\WINDOWS\SYSTEM32\pinz1
2008-04-15 18:00 . 2008-04-15 18:00 <DIR> d-------- C:\WINDOWS\SYSTEM32\IDE2
2008-04-15 18:00 . 2008-04-15 18:00 <DIR> d-------- C:\WINDOWS\SYSTEM32\ExTmp
2008-04-15 18:00 . 2008-04-15 18:00 <DIR> d-------- C:\WINDOWS\SYSTEM32\bharebio01
2008-04-15 18:00 . 2008-04-15 18:00 <DIR> d-------- C:\TEMP\wdlw14
2008-04-15 18:00 . 2008-04-15 18:00 34,099 --a------ C:\WINDOWS\SYSTEM32\fcccbabc.dll
2008-04-10 08:17 . 2008-04-10 08:17 330,752 --a------ C:\WINDOWS\SYSTEM32\{9a7dd64f-1c4b-6df0-faf7-0310516cb0f1}.dll
2008-03-20 08:14 . 2004-05-31 03:59 <DIR> d--h----- C:\Documents and Settings\TEMP\WLANProfiles
2008-03-20 08:14 . 2008-03-20 08:15 <DIR> d-------- C:\Documents and Settings\TEMP
2008-03-20 08:14 . 2008-04-18 18:36 1,024 --ah----- C:\Documents and Settings\TEMP\ntuser.dat.LOG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 05:10 --------- d-----w C:\Program Files\Plaxo
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2008-03-07 00:34 --------- d-----w C:\Documents and Settings\Renea\Application Data\CyberLink
2008-03-02 01:36 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2005-06-01 21:18 483,401 ----a-w C:\Documents and Settings\Stephen Snodgrass\gotomypc.exe
2005-07-29 23:24 472 --sha-r C:\WINDOWS\U3RlcGhlbiAgU25vZGdyYXNz\oal5w315v2E0oZcSt3xVsrhW.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{52e4403d-459d-3737-2fa2-bfb78657be67}]
2008-04-10 08:17 330752 --a------ C:\WINDOWS\system32\{9a7dd64f-1c4b-6df0-faf7-0310516cb0f1}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B99C882-F7B5-48DF-9950-0245D04BE81B}]
2008-04-18 19:13 274432 --a------ C:\WINDOWS\system32\byxwturo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AECDF9CC-D471-4320-8F83-EAD7BFA9B4DA}]
2008-04-15 18:05 396267 --a------ C:\WINDOWS\system32\khffebxy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d693195b-e520-4990-a6b3-0917f1b9879d}]
2008-04-18 19:22 94784 --a------ C:\WINDOWS\system32\rixvubha.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}]
2008-04-15 18:00 34099 --a------ C:\WINDOWS\system32\fcccbabc.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-09 15:35 68856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 14:46 135168]
"AdwareAlert"="C:\Program Files\AdwareAlert\AdwareAlert.exe" [2008-04-17 13:35 7173360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-02-02 13:32 155648]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 14:24 28672 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 11:30 335872]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-14 23:04 122933]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-18 23:01 110592]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2004-03-04 18:59 487424]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 15:32 86016]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 08:27 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-12-12 12:22 217088]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 08:05 53248]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-10-06 08:05 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 15:48 32881]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 16:41 163840]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-12 12:01 180269]
"bgsmsnd.exe"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe" [2005-06-30 14:56 114688]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2005-11-02 23:32 372813]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-18 21:39 282624]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"BM175e83d4"="C:\WINDOWS\system32\wmbhqhhh.dll" [2008-04-18 19:18 96320]
"146db048"="C:\WINDOWS\system32\lbchyjio.dll" [2008-04-18 19:19 87616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]

C:\Documents and Settings\Stephen Snodgrass\Start Menu\Programs\Startup\
logon.bat [2006-04-10 11:50:55 33]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-08-03 23:18:27 113664]
Amazon Unbox.lnk - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2007-07-11 17:25:20 97320]
eFax Live Menu 3.3.lnk - C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe [2004-07-23 00:46:42 17408]
eFax Tray Menu 3.3.lnk - C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe [2004-07-23 00:44:32 40960]
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:16:08 471040]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32 74308]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}"= C:\WINDOWS\system32\fcccbabc.dll [2008-04-15 18:00 34099]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcccbabc]
fcccbabc.dll 2008-04-15 18:00 34099 C:\WINDOWS\SYSTEM32\fcccbabc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 2004-01-12 04:55 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\byxwturo

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Sybase\\SQL Anywhere 7\\win32\\dbeng7.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Sybase\\SQL Anywhere 9\\win32\\dbeng9.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{14b757d2-9545-11dc-8478-00038a000015}]
\Shell\AutoRun\command - E:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{641e3920-abb3-11db-83fc-00038a000015}]
\Shell\AutoRun\command - E:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-19 02:10:57 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2008-04-19 02:26:55 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-18 19:07:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\byxwturo.dll 274432 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
-> C:\WINDOWS\system32\fcccbabc.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\lbchyjio.dll
-> C:\WINDOWS\system32\wmbhqhhh.dll
-> C:\WINDOWS\system32\byxwturo.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\SYSTEM32\S24EvMon.exe
C:\WINDOWS\SYSTEM32\scardsvr.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\etlisrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$OASIS\Binn\sqlservr.exe
C:\Program Files\Trend Micro\Client Server Security Agent\NTRtScan.exe
C:\WINDOWS\SYSTEM32\RegSrvc.exe
C:\Program Files\Trend Micro\Client Server Security Agent\TmListen.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\SYSTEM32\ZCfgSvc.exe
C:\WINDOWS\SYSTEM32\1XConfig.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\WINDOWS\Temp\II455D.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WinZip\WZQKPICK.EXE
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-04-18 19:30:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-19 02:29:26

Pre-Run: 21,239,816,192 bytes free
Post-Run: 22,551,789,568 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
.
2008-04-18 04:47:41 --- E O F ---



3. I have installed the Windows XP Recovery Console (this was done prior to running the combofix scan).


4. I have downloaded, installed and run the SuperAntiSpyware Home edition, scanned my system, and quarantined the results (a copy of the log is below).

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/19/2008 at 12:57 PM

Application Version : 4.0.1154

Core Rules Database Version : 3442
Trace Rules Database Version: 1434

Scan type : Custom Scan
Total Scan Time : 04:29:53

Memory items scanned : 578
Memory threats detected : 12
Registry items scanned : 7171
Registry threats detected : 125
File items scanned : 82341
File threats detected : 261

Trojan.Vundo-Variant/F
C:\WINDOWS\SYSTEM32\FCCCBABC.DLL
C:\WINDOWS\SYSTEM32\FCCCBABC.DLL
C:\WINDOWS\SYSTEM32\SSQOPOLI.DLL
C:\WINDOWS\SYSTEM32\SSQOPOLI.DLL
C:\WINDOWS\SYSTEM32\XXYWTQNN.DLL
C:\WINDOWS\SYSTEM32\XXYWTQNN.DLL
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\fcccbabc
C:\WINDOWS\SYSTEM32\DBVGQHSI.DLL
C:\WINDOWS\SYSTEM32\EFCBBCBX.DLL
C:\WINDOWS\SYSTEM32\WMBHQHHH.DLL

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\KHFFEBXY.DLL
C:\WINDOWS\SYSTEM32\KHFFEBXY.DLL

Adware.Vundo-Variant/Small-A
C:\WINDOWS\SYSTEM32\HRHWJMAU.DLL
C:\WINDOWS\SYSTEM32\HRHWJMAU.DLL
HKLM\Software\Classes\CLSID\{d2de688a-ab9a-4a7e-8d5a-91f5114afd91}
HKCR\CLSID\{D2DE688A-AB9A-4A7E-8D5A-91F5114AFD91}
HKCR\CLSID\{D2DE688A-AB9A-4A7E-8D5A-91F5114AFD91}\InprocServer32
HKCR\CLSID\{D2DE688A-AB9A-4A7E-8D5A-91F5114AFD91}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\MBPIFABP.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2de688a-ab9a-4a7e-8d5a-91f5114afd91}
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP727\A0123300.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP731\A0125331.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP731\A0125332.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP731\A0125333.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP731\A0125334.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP731\A0125335.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP734\A0127299.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP736\A0127343.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP736\A0127344.DLL
C:\WINDOWS\SYSTEM32\LBCHYJIO.DLL
C:\WINDOWS\SYSTEM32\RIXVUBHA.DLL

Adware.Adservs
C:\WINDOWS\U3RLCGHLBIAGU25VZGDYYXNZ\ASAPPSRV.DLL
C:\WINDOWS\U3RLCGHLBIAGU25VZGDYYXNZ\ASAPPSRV.DLL
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP723\A0122226.DLL
C:\WINDOWS\SYSTEM32\EXTMP\BMV35GUI.EXE
C:\WINDOWS\SYSTEM32\ITMP\VBA35GUI.EXE

Trojan.Unclassified/BrowserDriver
C:\WINDOWS\SYSTEM32\RWWNW64D.EXE
C:\WINDOWS\SYSTEM32\RWWNW64D.EXE
[{DB-B0-0E-E7-DW}] C:\WINDOWS\SYSTEM32\RWWNW64D.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP722\A0121243.EXE
C:\WINDOWS\SYSTEM32\TRCTMP\KMDMNS2.EXE

Trojan.NetMon/DNSChange
C:\PROGRAM FILES\NETWORK MONITOR\NETMON.EXE
C:\PROGRAM FILES\NETWORK MONITOR\NETMON.EXE
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#Type
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#Start
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Security
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000\Control#*NewlyCreated*
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000\Control#ActiveService
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#Contact
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#NoRemove
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#UninstallString
C:\Program Files\Network Monitor
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP723\A0121255.EXE

Unclassified.Unknown Origin
C:\WINDOWS\U3RLCGHLBIAGU25VZGDYYXNZ\COMMAND.EXE
C:\WINDOWS\U3RLCGHLBIAGU25VZGDYYXNZ\COMMAND.EXE
HKLM\Software\Classes\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}
HKCR\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}
HKCR\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}
HKCR\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}#AppID
HKCR\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\InprocServer32
HKCR\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\InprocServer32#ThreadingModel
HKCR\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\ProgID
HKCR\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\Programmable
HKCR\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\TypeLib
HKCR\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\VersionIndependentProgID
C:\PROGRAM FILES\CPV\CPV8.DLL
HKLM\Software\Classes\CLSID\{3D87B50D-542A-45b6-96E9-F03CFAA8C962}
HKCR\CLSID\{3D87B50D-542A-45B6-96E9-F03CFAA8C962}
HKCR\CLSID\{3D87B50D-542A-45B6-96E9-F03CFAA8C962}
HKCR\CLSID\{3D87B50D-542A-45B6-96E9-F03CFAA8C962}\Implemented Categories
HKCR\CLSID\{3D87B50D-542A-45B6-96E9-F03CFAA8C962}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKCR\CLSID\{3D87B50D-542A-45B6-96E9-F03CFAA8C962}\InprocServer32
HKCR\CLSID\{3D87B50D-542A-45B6-96E9-F03CFAA8C962}\InprocServer32#ThreadingModel
HKCR\CLSID\{3D87B50D-542A-45B6-96E9-F03CFAA8C962}\Programmable
C:\WINDOWS\SYSTEM32\MYSS_SB.DLL
HKLM\Software\Classes\CLSID\{6156A32A-C512-4e23-AA9A-2315F4265681}
HKCR\CLSID\{6156A32A-C512-4E23-AA9A-2315F4265681}
HKCR\CLSID\{6156A32A-C512-4E23-AA9A-2315F4265681}
HKCR\CLSID\{6156A32A-C512-4E23-AA9A-2315F4265681}\InprocServer32
HKCR\CLSID\{6156A32A-C512-4E23-AA9A-2315F4265681}\InprocServer32#ThreadingModel
HKCR\CLSID\{6156A32A-C512-4E23-AA9A-2315F4265681}\Programmable
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6156A32A-C512-4e23-AA9A-2315F4265681}
HKU\S-1-5-21-2691493660-4031562367-1574305365-1008\Software\Microsoft\Internet Explorer\Explorer Bars\{3D87B50D-542A-45b6-96E9-F03CFAA8C962}
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP723\A0121256.EXE

Adware.DeeWoo/ThinkAdz
C:\WINDOWS\SYSTEM32\SCNTSKDN.EXE
C:\WINDOWS\SYSTEM32\SCNTSKDN.EXE

Trojan.Downloader-Gen/FakeAlert-A
C:\DOCUMENTS AND SETTINGS\RENEA\APPLICATION DATA\MICROSOFT\WINDOWS\RAYIOU.EXE
C:\DOCUMENTS AND SETTINGS\RENEA\APPLICATION DATA\MICROSOFT\WINDOWS\RAYIOU.EXE

Trojan.Net-Wintouch/V2
C:\DOCUMENTS AND SETTINGS\RENEA\APPLICATION DATA\WINTOUCH\WINTOUCH.EXE
C:\DOCUMENTS AND SETTINGS\RENEA\APPLICATION DATA\WINTOUCH\WINTOUCH.EXE
[WinTouch] C:\DOCUMENTS AND SETTINGS\RENEA\APPLICATION DATA\WINTOUCH\WINTOUCH.EXE

Trojan.Downloader-Gen/MROFIN
[runner1] C:\WINDOWS\MROFINU572.EXE
C:\WINDOWS\MROFINU572.EXE
C:\QOOBOX\QUARANTINE\C\WINDOWS\MROFINU572.EXE.TMP.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\MROFINU572.EXE.VIR
C:\WINDOWS\MROFINU1000106.EXE
C:\WINDOWS\MROFINU572.EXE.TMP

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}
HKCR\CLSID\{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}
HKCR\CLSID\{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}\InprocServer32
HKCR\CLSID\{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}
HKCR\CLSID\{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}

Adware.AdRotate/System
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{52e4403d-459d-3737-2fa2-bfb78657be67}
HKCR\CLSID\{52E4403D-459D-3737-2FA2-BFB78657BE67}
HKCR\CLSID\{52E4403D-459D-3737-2FA2-BFB78657BE67}
HKCR\CLSID\{52E4403D-459D-3737-2FA2-BFB78657BE67}\InProcServer32
HKCR\CLSID\{52E4403D-459D-3737-2FA2-BFB78657BE67}\InProcServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\{9A7DD64F-1C4B-6DF0-FAF7-0310516CB0F1}.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP718\A0121162.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP721\A0121213.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP722\A0121246.DLL

Trojan.Vundo-Variant/G
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9ACC364-C196-4467-9EA4-63BA78DB641A}
HKCR\CLSID\{F9ACC364-C196-4467-9EA4-63BA78DB641A}
HKCR\CLSID\{F9ACC364-C196-4467-9EA4-63BA78DB641A}\InprocServer32
HKCR\CLSID\{F9ACC364-C196-4467-9EA4-63BA78DB641A}\InprocServer32#ThreadingModel

Adware.Tracking Cookie
C:\Documents and Settings\Renea\Cookies\[email protected][2].txt
C:\Documents and Settings\Renea\Cookies\renea@insightexpressai[1].txt
C:\Documents and Settings\Renea\Cookies\renea@doubleclick[1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][2].txt
C:\Documents and Settings\Renea\Cookies\renea@adrevolver[2].txt
C:\Documents and Settings\Renea\Cookies\[email protected][2].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\renea@apmebf[1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][2].txt
C:\Documents and Settings\Renea\Cookies\renea@gomyhit[4].txt
C:\Documents and Settings\Renea\Cookies\renea@clicksor[2].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\renea@exitexchange[2].txt
C:\Documents and Settings\Renea\Cookies\renea@atdmt[2].txt
C:\Documents and Settings\Renea\Cookies\renea@adnetserver[1].txt
C:\Documents and Settings\Renea\Cookies\renea@realmedia[2].txt
C:\Documents and Settings\Renea\Cookies\[email protected][3].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\renea@casalemedia[2].txt
C:\Documents and Settings\Renea\Cookies\renea@questionmarket[2].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\renea@interclick[2].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\renea@azjmp[2].txt
C:\Documents and Settings\Renea\Cookies\renea@indiads[1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\renea@tribalfusion[1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][2].txt
C:\Documents and Settings\Renea\Cookies\[email protected][2].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\renea@shopica[1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\renea@fastclick[2].txt
C:\Documents and Settings\Renea\Cookies\renea@serving-sys[1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\renea@precisionclick[1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][2].txt
C:\Documents and Settings\Renea\Cookies\renea@overture[1].txt
C:\Documents and Settings\Renea\Cookies\renea@media6degrees[2].txt
C:\Documents and Settings\Renea\Cookies\renea@tacoda[2].txt
C:\Documents and Settings\Renea\Cookies\renea@adecn[2].txt
C:\Documents and Settings\Renea\Cookies\renea@avsystemcare[2].txt
C:\Documents and Settings\Renea\Cookies\[email protected][2].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\renea@gomyhit[1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][2].txt
C:\Documents and Settings\Renea\Cookies\renea@eyewonder[1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][2].txt
C:\Documents and Settings\Renea\Cookies\[email protected][2].txt
C:\Documents and Settings\Renea\Cookies\renea@247realmedia[1].txt
C:\Documents and Settings\Renea\Cookies\renea@trafficmp[1].txt
C:\Documents and Settings\Renea\Cookies\renea@imrworldwide[2].txt
C:\Documents and Settings\Renea\Cookies\[email protected][2].txt
C:\Documents and Settings\Renea\Cookies\renea@antispywaremaster[1].txt
C:\Documents and Settings\Renea\Cookies\renea@advertising[1].txt
C:\Documents and Settings\Renea\Cookies\renea@zedo[1].txt
C:\Documents and Settings\Renea\Cookies\renea@antispywaresuite[1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\renea@mediaplex[1].txt
C:\Documents and Settings\Renea\Cookies\renea@gomyhit[3].txt
C:\Documents and Settings\Renea\Cookies\[email protected][2].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\renea@statcounter[1].txt
C:\Documents and Settings\Renea\Cookies\renea@adbrite[2].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][2].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\renea@specificclick[2].txt
C:\Documents and Settings\Renea\Cookies\renea@adlegend[2].txt
C:\Documents and Settings\Renea\Cookies\renea@findwhat[1].txt
C:\Documents and Settings\LocalService\Cookies\system@advertising[2].txt
C:\Documents and Settings\LocalService\Cookies\system@atwola[2].txt
C:\Documents and Settings\LocalService\Cookies\system@clickagents[1].txt
C:\Documents and Settings\LocalService\Cookies\system@crossmediaservices[1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\system@doubleclick[1].txt
C:\Documents and Settings\LocalService\Cookies\system@enhance[2].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt
C:\Documents and Settings\LocalService\Cookies\system@findwhat[1].txt
C:\Documents and Settings\LocalService\Cookies\system@mediatraffic[1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt
C:\Documents and Settings\LocalService\Cookies\system@realmedia[2].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\Renea\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@247realmedia[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@2o7[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@2o7[2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@adbrite[2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@adlegend[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@adrevolver[2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@advertising[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@atdmt[2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@atwola[2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@bizrate[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@casalemedia[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@centralmediaserver[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@discountgolfshoes[2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@doubleclick[2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@eyewonder[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@fastclick[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@hitbox[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@imrworldwide[2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@insightexpressai[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@kontera[2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][3].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@mediaplex[2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@nextag[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@overture[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@partner2profit[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@questionmarket[2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@realmedia[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@revenue[2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@revsci[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@roiservice[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][3].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@specificclick[2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@statcounter[2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@tacoda[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@trafficmp[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@tribalfusion[1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][3].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\[email protected][4].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@youporn[2].txt
C:\Documents and Settings\Stephen Snodgrass\Cookies\stephens@zedo[1].txt

Adware.ClickSpring
HKLM\Software\ClickSpring
HKLM\Software\ClickSpring#UBWKR
C:\DOCUMENTS AND SETTINGS\RENEA\APPLICATION DATA\ADWAREALERT\QUARANTINE\17-04-2008-23-48-51\692.QIT
C:\QOOBOX\QUARANTINE\C\DOCUMENTS AND SETTINGS\RENEA\MY DOCUMENTS\ICROSO~1\WUACLT.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP718\A0121164.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP720\A0121182.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP721\A0121238.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP723\A0121257.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP723\A0121258.EXE

Trojan.cmdService
HKLM\SYSTEM\CurrentControlSet\Services\cmdService
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#Type
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#Start
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Security
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#NextInstance
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#Contact
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#NoRemove
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#UninstallString
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000\Control#*NewlyCreated*
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000\Control#ActiveService

Trojan.ZenoSearch
C:\WINDOWS\system32\msnav32.ax

Trojan.Unknown Origin
HKLM\Software\xpre
HKLM\Software\xpre#execount
C:\DOCUMENTS AND SETTINGS\RENEA\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\C9M7KX6B\INSTALLER[1].EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP724\A0122247.VBS
C:\WINDOWS\SYSTEM32\SFI\CSEE145.EXE
C:\WINDOWS\U3RLCGHLBIAGU25VZGDYYXNZ\OAL5W315V2E0OZCST3XVSRHW.VBS
C:\WINDOWS\UNINSTALL_NMON.VBS

Trojan.Downloader-Gen/RetAd
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#runner1 [ C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139 ]

RootKit.TnCore/Trace
C:\WINDOWS\system32\drivers\core.cache.dsk

Rogue.SysCleaner
HKU\S-1-5-21-2691493660-4031562367-1574305365-1008\Software\WinTouch
HKU\S-1-5-21-2691493660-4031562367-1574305365-1008\Software\Microsoft\Windows\CurrentVersion\Run#WinTouch [ C:\Documents and Settings\Renea\Application Data\WinTouch\WinTouch.exe ]

Adware.WinTouch/XInside
C:\Documents and Settings\Renea\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\Renea\Application Data\WinTouch\WTUninstaller.exe
C:\Documents and Settings\Renea\Application Data\WinTouch

Trojan.Unclassified/NVCOI
C:\Program Files\CPV
C:\Program Files\Temporary

Rogue.AntiSpywareMaster
C:\Program Files\AntiSpywareMaster
C:\DOCUMENTS AND SETTINGS\RENEA\LOCAL SETTINGS\TEMP\WINVSNET.EXE
C:\DOCUMENTS AND SETTINGS\RENEA\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\C9M7KX6B\WINVSNET[1].EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP721\A0121221.EXE

Adware.OuterInfo-Installer
C:\DOCUMENTS AND SETTINGS\RENEA\DESKTOP\OIUNINSTALLER.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP721\A0121206.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP735\A0127316.EXE

Adware.Yazzle-Installer
C:\DOCUMENTS AND SETTINGS\RENEA\LOCAL SETTINGS\TEMP\YAZZSNET.EXE
C:\DOCUMENTS AND SETTINGS\RENEA\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\KPABW9QF\YAZZSNET[1].EXE

Trojan.Unclassified/Dropper
C:\DOCUMENTS AND SETTINGS\RENEA\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\8DARKL23\WTREC.PROD.V10006.11DEC2007.EXE[1].C516A643C558A4D4DAA4EFAFD47EFF15
C:\DOCUMENTS AND SETTINGS\RENEA\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\KPABW9QF\WTUNINSTALLER.PROD.V10008.28DEC2007.EXE[1].6E13E72A172C38497DBF3A6E4FA179D5

Adware.WinTouch-Installer
C:\DOCUMENTS AND SETTINGS\RENEA\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\C9M7KX6B\WINTOUCHINSTALLER[1].EXE

Malware.LocusSoftware Inc/Gen
C:\DOCUMENTS AND SETTINGS\RENEA\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\KPABW9QF\INSTALL_EN[2].EXE

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP727\A0123299.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP734\A0127298.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP736\A0128298.DLL

Trojan.Downloader-Gen/Bundle Installer
C:\WINDOWS\B155.EXE
C:\WINDOWS\B156.EXE

Adware.ClickSpring/Yazzle
C:\WINDOWS\PREFETCH\YAZZLE1281OINADMIN.EXE-27312430.PF
C:\WINDOWS\PREFETCH\YAZZLE1281OINUNINSTALLER.EXE-21B1415A.PF

Adware.Dropper/BHAREBIO
C:\WINDOWS\SYSTEM32\BHAREBIO01\BHAREBIO011065.EXE

Rootkit.TNCore-Variant/A
C:\WINDOWS\SYSTEM32\DRIVERS\NTFSS.SYS

Rootkit.TNCore-Installer
C:\WINDOWS\SYSTEM32\IDE2\MDLLCOM2.EXE
C:\WINDOWS\SYSTEM32\SLNEW\GPEDIRE1.EXE

Adware.Unknown Origin
C:\WINDOWS\SYSTEM32\ZXDNT3D.CFG

Trojan.SVCHost/Fake
C:\WINDOWS\STEM~1\SVCHOST.EXE




5. I have downloaded the ATF cleaner and cleaned the Firefox browser and the Explorer browser. (no log produced)


6. I created a system restore checkpoint.


7. I have downloaded, installed and run the Malwarebytes' Anti-Malware Free Version (a copy of the log is below).

Malwarebytes' Anti-Malware 1.11
Database version: 656

Scan type: Quick Scan
Objects scanned: 35594
Time elapsed: 46 minute(s), 8 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 3
Registry Keys Infected: 43
Registry Values Infected: 8
Registry Data Items Infected: 0
Folders Infected: 46
Files Infected: 1791

Memory Processes Infected:
c:\program files\Twain\Twain.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Program Files\AdwareAlert\AdwareAlert.exe (Rogue.AdwareAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\AdwareAlert\SpyCleaner.dll (Rogue.AdwareAlert) -> Unloaded module successfully.
C:\Program Files\AdwareAlert\TCL.dll (Rogue.AdwareAlert) -> Unloaded module successfully.
C:\Program Files\AdwareAlert\zlib.dll (Rogue.AdwareAlert) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{8d71eeb8-a1a7-4733-8fa2-1cac015c967d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT

Edited by tanaleefive, 20 April 2008 - 03:33 PM.

  • 0

Advertisements

#2
greyknight17
Posted 20 April 2008 - 07:42 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Do you know what this file is for -> C:\Documents and Settings\Stephen Snodgrass\Start Menu\Programs\Startup\logon.bat If not, right click on it and choose Edit. Copy & paste the contents of that file here.

Uninstall AdwareAlert via the Add/Remove Programs panel.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

KILLALL::
Rootkit::
C:\WINDOWS\system32\byxwturo.dll
File::
C:\WINDOWS\SYSTEM32\orutwxyb.ini
C:\WINDOWS\SYSTEM32\byxwturo.dll
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\bcxyuxto.ini
C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico
C:\WINDOWS\SYSTEM32\bgxwcnev.dll
C:\WINDOWS\SYSTEM32\gsjyynuc.ini
C:\WINDOWS\SYSTEM32\cttcvajb.dll
C:\WINDOWS\SYSTEM32\efcbbcbx.dll
C:\WINDOWS\SYSTEM32\{9a7dd64f-1c4b-6df0-faf7-0310516cb0f1}.dll-uninst.exe
C:\WINDOWS\SYSTEM32\fcccbabc.dll
C:\WINDOWS\SYSTEM32\DRIVERS\adwarealert.sys
C:\WINDOWS\system32\wmbhqhhh.dll
C:\WINDOWS\system32\lbchyjio.dll
C:\WINDOWS\SYSTEM32\fcccbabc.dll
C:\WINDOWS\system32\{9a7dd64f-1c4b-6df0-faf7-0310516cb0f1}.dll
C:\WINDOWS\system32\khffebxy.dll
C:\WINDOWS\system32\rixvubha.dll
Folder::
C:\WINDOWS\U3RlcGhlbiAgU25vZGdyYXNz
C:\WINDOWS\SYSTEM32\sFi
C:\WINDOWS\SYSTEM32\pinz1
C:\WINDOWS\SYSTEM32\IDE2
C:\WINDOWS\SYSTEM32\ExTmp
C:\WINDOWS\SYSTEM32\bharebio01
C:\TEMP\wdlw14
C:\Program Files\Outerinfo(2)
C:\Documents and Settings\Renea\Application Data\AdwareAlert
C:\Documents and Settings\Stephen Snodgrass\Application Data\AdwareAlert
C:\Program Files\AdwareAlert
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{52e4403d-459d-3737-2fa2-bfb78657be67}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B99C882-F7B5-48DF-9950-0245D04BE81B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AECDF9CC-D471-4320-8F83-EAD7BFA9B4DA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d693195b-e520-4990-a6b3-0917f1b9879d}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM175e83d4"=-
"146db048"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcccbabc]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

Edited by greyknight17, 20 April 2008 - 07:42 PM.

  • 0

#3
tanaleefive
Posted 21 April 2008 - 09:53 PM

tanaleefive

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hello!

I am not sure what the file you asked me about is. The contents of that file are:

//aagserver/ofcscan/autopcc.exe


I have uninstalled AdwareAlert.

I ran combofix as instructed. The results are:

ComboFix 08-04-17.1 - Renea 2008-04-21 20:14:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.273 [GMT -7:00]
Running from: C:\Documents and Settings\Renea\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Renea\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\{9a7dd64f-1c4b-6df0-faf7-0310516cb0f1}.dll
C:\WINDOWS\SYSTEM32\{9a7dd64f-1c4b-6df0-faf7-0310516cb0f1}.dll-uninst.exe
C:\WINDOWS\SYSTEM32\bcxyuxto.ini
C:\WINDOWS\SYSTEM32\bgxwcnev.dll
C:\WINDOWS\SYSTEM32\byxwturo.dll
C:\WINDOWS\SYSTEM32\cttcvajb.dll
C:\WINDOWS\SYSTEM32\DRIVERS\adwarealert.sys
C:\WINDOWS\SYSTEM32\efcbbcbx.dll
C:\WINDOWS\SYSTEM32\fcccbabc.dll
C:\WINDOWS\SYSTEM32\gsjyynuc.ini
C:\WINDOWS\system32\khffebxy.dll
C:\WINDOWS\system32\lbchyjio.dll
C:\WINDOWS\SYSTEM32\orutwxyb.ini
C:\WINDOWS\system32\rixvubha.dll
C:\WINDOWS\system32\wmbhqhhh.dll
C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Outerinfo(2)
C:\Program Files\Outerinfo(2)\FF(2)\components(2)\OuterinfoAds.xpt
C:\Program Files\Outerinfo(2)\FF(2)\install.rdf
C:\Program Files\Outerinfo(2)\Terms.rtf
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\TEMP\wdlw14
C:\TEMP\wdlw14\maxN1bo.log
C:\WINDOWS\pskt.ini
C:\WINDOWS\stem~1
C:\WINDOWS\SYSTEM32\{9a7dd64f-1c4b-6df0-faf7-0310516cb0f1}.dll-uninst.exe
C:\WINDOWS\SYSTEM32\bcxyuxto.ini
C:\WINDOWS\SYSTEM32\bgxwcnev.dll
C:\WINDOWS\SYSTEM32\bharebio01
C:\WINDOWS\system32\byxwturo.dll
C:\WINDOWS\SYSTEM32\cttcvajb.dll
C:\WINDOWS\SYSTEM32\DRIVERS\adwarealert.sys
C:\WINDOWS\SYSTEM32\gsjyynuc.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\SYSTEM32\yxbeffhk.ini
C:\WINDOWS\SYSTEM32\yxbeffhk.ini2
C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico
C:\WINDOWS\U3RlcGhlbiAgU25vZGdyYXNz

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_adwarealert
-------\adwarealert


((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
.

2008-04-19 15:23 . 2008-04-19 15:23 <DIR> d-------- C:\Program Files\Panda Security
2008-04-19 14:09 . 2008-04-19 14:09 <DIR> d-------- C:\Documents and Settings\Renea\Application Data\Malwarebytes
2008-04-19 14:08 . 2008-04-19 14:08 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-19 14:08 . 2008-04-19 14:08 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-19 14:08 . 2008-04-19 14:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-19 06:52 . 2008-04-19 06:52 400,645 --a------ C:\WINDOWS\SYSTEM32\g10.exe
2008-04-19 01:08 . 2008-04-19 01:08 10 --a------ C:\Program Files\.autoreg
2008-04-19 00:51 . 2008-04-19 00:51 298,311 --a------ C:\WINDOWS\SYSTEM32\gside.exe
2008-04-19 00:49 . 2008-04-19 00:50 <DIR> d-------- C:\TEMP\berDrv11
2008-04-19 00:47 . 2008-04-19 00:47 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-19 00:47 . 2008-04-19 00:47 <DIR> d-------- C:\Documents and Settings\Renea\Application Data\SUPERAntiSpyware.com
2008-04-19 00:47 . 2008-04-19 00:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-19 00:42 . 2008-04-19 00:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-18 22:53 . 2008-04-19 08:20 1,541,261 ---hs---- C:\WINDOWS\SYSTEM32\uamjwhrh.ini
2008-04-18 19:29 . 2008-04-19 00:28 109,785 --a------ C:\WINDOWS\BM175e83d4.xml
2008-04-18 19:19 . 2008-04-18 22:54 1,540,737 ---hs---- C:\WINDOWS\SYSTEM32\oijyhcbl.ini
2008-04-17 23:27 . 2008-04-17 23:27 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 03:06 --------- d-----w C:\Documents and Settings\Stephen Snodgrass\Application Data\Lavasoft
2008-04-20 20:21 --------- d-----w C:\Program Files\Trend Micro
2008-04-18 05:10 --------- d-----w C:\Program Files\Plaxo
2008-03-07 00:34 --------- d-----w C:\Documents and Settings\Renea\Application Data\CyberLink
2005-06-01 21:18 483,401 ----a-w C:\Documents and Settings\Stephen Snodgrass\gotomypc.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-18_19.25.38.70 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-19 02:00:56 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-04-22 03:21:54 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-04-19 15:24:12 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-04-19 15:24:13 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2006-05-09 20:00:40 4,739 ----a-w C:\WINDOWS\mozver.dat
+ 2008-04-19 22:23:03 6,089 ----a-w C:\WINDOWS\mozver.dat
+ 2004-08-04 07:56:55 33,280 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\rundll32.exe
- 2008-04-16 03:08:47 46,568 ----a-w C:\WINDOWS\SYSTEM32\Restore\rstrlog.dat
+ 2008-04-19 05:42:01 34,724 ----a-w C:\WINDOWS\SYSTEM32\Restore\rstrlog.dat
+ 2005-11-03 06:30:32 172,099 ----a-w C:\WINDOWS\Temp\DE2E93.EXE
+ 2008-04-22 03:22:18 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_1c4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-09 15:35 68856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 14:46 135168]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-02-02 13:32 155648]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 14:24 28672 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 11:30 335872]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-14 23:04 122933]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-18 23:01 110592]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2004-03-04 18:59 487424]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 15:32 86016]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 08:27 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-12-12 12:22 217088]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 08:05 53248]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-10-06 08:05 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 15:48 32881]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 16:41 163840]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-12 12:01 180269]
"bgsmsnd.exe"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe" [2005-06-30 14:56 114688]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2005-11-02 23:32 372813]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-18 21:39 282624]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]

C:\Documents and Settings\Stephen Snodgrass\Start Menu\Programs\Startup\
logon.bat [2006-04-10 11:50:55 33]
rqstfrg2g.txt [2008-04-21 20:13:11 33]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-08-03 23:18:27 113664]
Amazon Unbox.lnk - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2007-07-11 17:25:20 97320]
eFax Live Menu 3.3.lnk - C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe [2004-07-23 00:46:42 17408]
eFax Tray Menu 3.3.lnk - C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe [2004-07-23 00:44:32 40960]
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:16:08 471040]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32 74308]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 2004-01-12 04:55 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Sybase\\SQL Anywhere 7\\win32\\dbeng7.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Sybase\\SQL Anywhere 9\\win32\\dbeng9.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 Isecdrv;ISECDRV;C:\WINDOWS\System32\drivers\Isecdrv.sys [1999-12-14 16:25]
R2 MSSQL$OASIS;MSSQL$OASIS;C:\Program Files\Microsoft SQL Server\MSSQL$OASIS\Binn\sqlservr.exe [2002-12-17 17:26]
S1 ntfss;ntfss;C:\WINDOWS\system32\drivers\ntfss.sys []
S3 LxrSG20d;LxrSG20d;C:\WINDOWS\system32\Drivers\LxrSG20d.sys [2005-04-03 17:55]
S3 SQLAgent$OASIS;SQLAgent$OASIS;C:\Program Files\Microsoft SQL Server\MSSQL$OASIS\Binn\sqlagent.EXE [2002-12-17 17:23]
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2004-12-18 20:32]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{14b757d2-9545-11dc-8478-00038a000015}]
\Shell\AutoRun\command - E:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{641e3920-abb3-11db-83fc-00038a000015}]
\Shell\AutoRun\command - E:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-19 20:56:31 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2008-04-22 03:25:09 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 20:24:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\explorer.exe [4092] 0x827C4408

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\TEMP\TMP000000299EBFAF3107DD305F

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\SYSTEM32\S24EvMon.exe
C:\WINDOWS\SYSTEM32\scardsvr.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\etlisrv.exe
C:\Program Files\Trend Micro\Client Server Security Agent\NTRtScan.exe
C:\WINDOWS\SYSTEM32\RegSrvc.exe
C:\Program Files\Trend Micro\Client Server Security Agent\TmListen.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\Temp\DE2E93.EXE
C:\WINDOWS\SYSTEM32\ZCfgSvc.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\1XConfig.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WinZip\WZQKPICK.EXE
.
**************************************************************************
.
Completion time: 2008-04-21 20:38:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-22 03:38:19
ComboFix2.txt 2008-04-19 02:31:07

Pre-Run: 22,334,005,248 bytes free
Post-Run: 22,382,804,992 bytes free
.
2008-04-18 04:47:41 --- E O F ---


I believe I have completed everything you requested. If I have missed something, please let me know. And thank you for your help! I appreciate it.

Renea :)
  • 0

#4
greyknight17
Posted 22 April 2008 - 04:33 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Hi Renea, just a few more removals and you should be set to go :)

Do the same thing like you did earlier...right click on this file -> C:\Program Files\.autoreg and choose Edit. Copy and paste the contents of that file here.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

Driver::
ntfss
File::
C:\WINDOWS\SYSTEM32\g10.exe
C:\WINDOWS\SYSTEM32\gside.exe
C:\WINDOWS\SYSTEM32\uamjwhrh.ini
C:\WINDOWS\BM175e83d4.xml
C:\WINDOWS\SYSTEM32\oijyhcbl.ini
C:\Documents and Settings\Stephen Snodgrass\Start Menu\Programs\Startup\rqstfrg2g.txt
C:\WINDOWS\TEMP\TMP000000299EBFAF3107DD305F
C:\WINDOWS\system32\drivers\ntfss.sys
Folder::
C:\TEMP\berDrv11
C:\WINDOWS\TEMP\TMP000000299EBFAF3107DD305F

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

How is the computer running so far?
  • 0

#5
tanaleefive
Posted 22 April 2008 - 06:57 PM

tanaleefive

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hello again!

I right clicked on the requested file and but it did not give me the edit option. I tried to copy the file and paste it; however, it came out blank. I also tried to open it. but I got an error message saying it could not locate the program that created the file (and that it could look for the program on the internet). What would you advise?

Here is the new ComboFix log:



ComboFix 08-04-17.1 - Renea 2008-04-22 17:12:25.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.163 [GMT -7:00]
Running from: C:\Documents and Settings\Renea\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Renea\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Stephen Snodgrass\Start Menu\Programs\Startup\rqstfrg2g.txt
C:\WINDOWS\BM175e83d4.xml
C:\WINDOWS\system32\drivers\ntfss.sys
C:\WINDOWS\SYSTEM32\g10.exe
C:\WINDOWS\SYSTEM32\gside.exe
C:\WINDOWS\SYSTEM32\oijyhcbl.ini
C:\WINDOWS\SYSTEM32\uamjwhrh.ini
C:\WINDOWS\TEMP\TMP000000299EBFAF3107DD305F
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\CPV.stt
C:\Documents and Settings\Renea\Local Settings\Temporary Internet Files\CPV.stt
C:\TEMP\berDrv11
C:\TEMP\berDrv11\fxpNbu.log
C:\WINDOWS\BM175e83d4.xml
C:\WINDOWS\SYSTEM32\g10.exe
C:\WINDOWS\SYSTEM32\gside.exe
C:\WINDOWS\SYSTEM32\oijyhcbl.ini
C:\WINDOWS\SYSTEM32\uamjwhrh.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NTFSS
-------\Service_ntfss


((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-19 15:23 . 2008-04-19 15:23 <DIR> d-------- C:\Program Files\Panda Security
2008-04-19 14:09 . 2008-04-19 14:09 <DIR> d-------- C:\Documents and Settings\Renea\Application Data\Malwarebytes
2008-04-19 14:08 . 2008-04-19 14:08 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-19 14:08 . 2008-04-19 14:08 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-19 14:08 . 2008-04-19 14:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-19 01:08 . 2008-04-19 01:08 10 --a------ C:\Program Files\.autoreg
2008-04-19 00:47 . 2008-04-19 00:47 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-19 00:47 . 2008-04-19 00:47 <DIR> d-------- C:\Documents and Settings\Renea\Application Data\SUPERAntiSpyware.com
2008-04-19 00:47 . 2008-04-19 00:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-19 00:42 . 2008-04-19 00:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-17 23:27 . 2008-04-17 23:27 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 03:06 --------- d-----w C:\Documents and Settings\Stephen Snodgrass\Application Data\Lavasoft
2008-04-20 20:21 --------- d-----w C:\Program Files\Trend Micro
2008-04-18 05:10 --------- d-----w C:\Program Files\Plaxo
2008-03-07 00:34 --------- d-----w C:\Documents and Settings\Renea\Application Data\CyberLink
2005-06-01 21:18 483,401 ----a-w C:\Documents and Settings\Stephen Snodgrass\gotomypc.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-18_19.25.38.70 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-19 02:00:56 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-04-23 00:19:35 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-04-19 15:24:12 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-04-19 15:24:13 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2006-05-09 20:00:40 4,739 ----a-w C:\WINDOWS\mozver.dat
+ 2008-04-19 22:23:03 6,089 ----a-w C:\WINDOWS\mozver.dat
+ 2004-08-04 07:56:55 33,280 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\rundll32.exe
- 2008-04-16 03:08:47 46,568 ----a-w C:\WINDOWS\SYSTEM32\Restore\rstrlog.dat
+ 2008-04-19 05:42:01 34,724 ----a-w C:\WINDOWS\SYSTEM32\Restore\rstrlog.dat
+ 2005-11-03 06:30:32 172,099 ----a-w C:\WINDOWS\Temp\OC3DCA.EXE
+ 2008-04-23 00:19:50 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_638.dat
+ 2008-04-23 00:26:41 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_8b8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-09 15:35 68856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 14:46 135168]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-02-02 13:32 155648]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 14:24 28672 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 11:30 335872]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-14 23:04 122933]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-18 23:01 110592]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2004-03-04 18:59 487424]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 15:32 86016]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 08:27 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-12-12 12:22 217088]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 08:05 53248]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-10-06 08:05 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 15:48 32881]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 16:41 163840]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-12 12:01 180269]
"bgsmsnd.exe"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe" [2005-06-30 14:56 114688]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2005-11-02 23:32 372813]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-18 21:39 282624]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]

C:\Documents and Settings\Stephen Snodgrass\Start Menu\Programs\Startup\
logon.bat [2006-04-10 11:50:55 33]
rqstfrg2g.txt [2008-04-21 20:13:11 33]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-08-03 23:18:27 113664]
Amazon Unbox.lnk - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2007-07-11 17:25:20 97320]
eFax Live Menu 3.3.lnk - C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe [2004-07-23 00:46:42 17408]
eFax Tray Menu 3.3.lnk - C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe [2004-07-23 00:44:32 40960]
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:16:08 471040]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32 74308]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 2004-01-12 04:55 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Sybase\\SQL Anywhere 7\\win32\\dbeng7.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Sybase\\SQL Anywhere 9\\win32\\dbeng9.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 Isecdrv;ISECDRV;C:\WINDOWS\System32\drivers\Isecdrv.sys [1999-12-14 16:25]
R2 MSSQL$OASIS;MSSQL$OASIS;C:\Program Files\Microsoft SQL Server\MSSQL$OASIS\Binn\sqlservr.exe [2002-12-17 17:26]
S3 LxrSG20d;LxrSG20d;C:\WINDOWS\system32\Drivers\LxrSG20d.sys [2005-04-03 17:55]
S3 SQLAgent$OASIS;SQLAgent$OASIS;C:\Program Files\Microsoft SQL Server\MSSQL$OASIS\Binn\sqlagent.EXE [2002-12-17 17:23]
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2004-12-18 20:32]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{14b757d2-9545-11dc-8478-00038a000015}]
\Shell\AutoRun\command - E:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{641e3920-abb3-11db-83fc-00038a000015}]
\Shell\AutoRun\command - E:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-19 20:56:31 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2008-04-23 00:23:02 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-22 17:21:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\SYSTEM32\S24EvMon.exe
C:\WINDOWS\SYSTEM32\scardsvr.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\WINDOWS\SYSTEM32\ZCfgSvc.exe
C:\WINDOWS\SYSTEM32\1XConfig.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\etlisrv.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Trend Micro\Client Server Security Agent\NTRtScan.exe
C:\WINDOWS\SYSTEM32\RegSrvc.exe
C:\Program Files\Trend Micro\Client Server Security Agent\TmListen.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\Temp\OC3DCA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WinZip\WZQKPICK.EXE
.
**************************************************************************
.
Completion time: 2008-04-22 17:36:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-23 00:35:42
ComboFix2.txt 2008-04-22 03:39:00
ComboFix3.txt 2008-04-19 02:31:07

Pre-Run: 22,362,038,272 bytes free
Post-Run: 22,353,743,872 bytes free
.
2008-04-18 04:47:41 --- E O F ---



The computer has been running so much better! I am very pleased! Thank you! Thank you!

Renea :)
  • 0

#6
greyknight17
Posted 22 April 2008 - 07:40 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Delete that file (C:\Program Files\.autoreg).

Open this one up:

C:\Documents and Settings\Stephen Snodgrass\Start Menu\Programs\Startup\rqstfrg2g.txt

What are the contents inside?

This is the last file that I find suspicious in the log, so we should almost be done now :)
  • 0

#7
tanaleefive
Posted 22 April 2008 - 08:11 PM

tanaleefive

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hello!

I deleted the first file. The second file looks like the original file you asked me about. I copied the contents of that file into a notepad text for ease of finding it to paste it here. I do not remember saving it there though, but I think I just his save and did not pay attention to where it was saved at. Should I delete it?

Renea
  • 0

#8
greyknight17
Posted 22 April 2008 - 08:16 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
So you know what it's for then right? If so, it's fine.

Any other problems/questions before I mark this topic as solved? If it's all clear, go to Start->Run and copy/paste in combofix /u to remove Combofix.
  • 0

#9
tanaleefive
Posted 22 April 2008 - 08:31 PM

tanaleefive

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Everything seems to be great! I am in class now taking notes and the computer is running fantastically! I am very pleased!

I have uninstalled combofix and I really want to thank you again for all of your help!!!! Your help is truly appreciated and I am very grateful! I don't know what I would have done if I hadn't found "Geeks To Go"! I only wish I was able to donate more for your time! Thank you again!!


Renea :)
  • 0

#10
greyknight17
Posted 23 April 2008 - 07:08 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP