Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Task manager disabled, pop ups, wallpaper changed [RESOLVED]

Started by qckslvr546 , Apr 21 2008 04:06 PM

  • This topic is locked This topic is locked

#1
qckslvr546
Posted 21 April 2008 - 04:06 PM

qckslvr546

    New Member

  • Member
  • Pip
  • 6 posts
Hi, when I try to Ctrl+Alt+Del I get a message saying it has been disabled by the administrator, but im the only one that uses my computer. Also my wallpaper has been changed to some bogus spyware removal notice and I am getting constant fake pop ups and bubbles about spyware. I've read some of the other topics that had has this problem and tried theirs but it hasnt worked for me. So I wanted to upload my Hijackthis log and find out what to do next. Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:03:01 PM, on 4/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\winself.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: BTjunkie Toolbar - {1a71246c-3eb0-4d6c-af77-3ab756017c3a} - C:\Program Files\BTjunkie\tbBTju.dll
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--
End of file - 5110 bytes
  • 0

Advertisements

#2
greyknight17
Posted 21 April 2008 - 06:29 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Download Malwarebytes ' Anti-Malware at http://www.besttechi.../mbam-setup.exe or http://www.majorgeek...ware_d5756.html Double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.

Download SmitfraudFix at http://siri.urz.free...mitfraudFix.zip and extract the content (a folder named SmitfraudFix) to your desktop.

Open the SmitfraudFix folder. Double-click on smitfraudfix.cmd and select option #1 - Search by typing 1 and press Enter. A text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 or any other option until you are directed to do so!

NOTE: process.exe is detected by some antivirus programs as a Risk Tool. It is not a virus. If you get this detected, ignore it.
  • 0

#3
qckslvr546
Posted 21 April 2008 - 07:46 PM

qckslvr546

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Malwarebytes' Anti-Malware 1.11
Database version: 599

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 140821
Time elapsed: 1 hour(s), 7 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 15
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 39

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d} (Adware.123Mania) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a} (Adware.123Mania) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352} (Fake.Dropped.Malware.Renos) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489} (Fake.Dropped.Malware.Renos) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31} (Fake.Dropped.Malware.Renos) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} (Fake.Dropped.Malware.Renos) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38} (Fake.Dropped.Malware.Renos) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b} (Fake.Dropped.Malware.Renos) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966} (Fake.Dropped.Malware.Renos) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1} (Fake.Dropped.Malware.Renos) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1} (Fake.Dropped.Malware.Renos) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274} (Fake.Dropped.Malware.Renos) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c} (Fake.Dropped.Malware.Renos) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\QdrDrive (Adware.AdBand) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\jkkKcYPJ.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\JPYcKkkj.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\QdrDrive\QdrDrive15.dll (Adware.AdBand) -> Quarantined and deleted successfully.
C:\WINDOWS\avifile32.dll (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINDOWS\avisynthex32.dll (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINDOWS\aviwrap32.dll (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINDOWS\bjam.dll (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINDOWS\bokja.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINDOWS\browserad.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\cdsm32.dll (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINDOWS\changeurl_30.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\didduid.ini (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINDOWS\msa64chk.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msapasrc.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mspphe.dll (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINDOWS\123messenger.per (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mssvr.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINDOWS\ntnut.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\saiemod.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpl.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\stcloader.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINDOWS\swin32.dll (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINDOWS\voiceip.dll (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINDOWS\winsb.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\2020search.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\2020search2.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\apphelp32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\asferror32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\asycfilt32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\athprxy32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ati2dvaa32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ati2dvag32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\audiosrv32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\autodisc32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\licencia.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\telefonos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\textos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qomJdeFu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
  • 0

#4
qckslvr546
Posted 21 April 2008 - 08:31 PM

qckslvr546

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
ComboFix 08-04-20.5 - Alex 2008-04-21 19:15:25.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.599 [GMT -7:00]
Running from: C:\Documents and Settings\Alex\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Alex\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Alex\Application Data\macromedia\Flash Player\#SharedObjects\D86KUP8J\www.broadcaster.com
C:\Documents and Settings\Alex\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Alex\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\123messenger.per
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\browserad.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\default.htm
C:\WINDOWS\didduid.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\lfn.exe
C:\WINDOWS\licencia.txt
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\ntnut.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\saiemod.dll
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\kgpllesj.dll
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\telefonos.txt
C:\WINDOWS\textos.txt
C:\WINDOWS\voiceip.dll
C:\WINDOWS\winsb.dll
C:\WINDOWS\winself.exe

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MsSecurity1.209.4
-------\Service_MsSecurity1.209.4


((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
.

2008-04-21 11:13 . 2008-04-21 11:13 <DIR> d-------- C:\Documents and Settings\Alex\Application Data\Malwarebytes
2008-04-21 11:12 . 2008-04-21 17:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-21 11:12 . 2008-04-21 11:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-21 11:10 . 2008-04-21 11:10 <DIR> d-------- C:\_OTMoveIt
2008-04-21 11:02 . 2008-04-21 11:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-21 10:59 . 2008-04-21 10:59 <DIR> d-------- C:\Program Files\ERUNT
2008-04-20 21:03 . 2008-04-20 21:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-04-20 21:02 . 2004-11-15 20:57 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-20 21:02 . 2004-11-15 22:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-04-20 21:02 . 2001-04-04 02:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2008-04-20 21:02 . 2004-11-15 22:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-20 21:02 . 2004-11-15 21:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-04-20 21:02 . 2004-11-15 23:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
2008-04-20 21:02 . 2004-11-15 22:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-04-20 21:02 . 2004-11-15 22:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-04-20 21:02 . 2008-04-20 21:02 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-20 21:02 . 2008-04-21 19:13 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-20 20:57 . 2008-04-21 10:43 1,246 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-20 20:55 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-20 20:55 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-20 20:55 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-20 20:55 . 2008-04-20 00:38 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-20 20:55 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-20 20:55 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-20 20:55 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-20 20:41 . 2008-04-20 20:41 <DIR> d-------- C:\Program Files\backups
2008-04-20 20:35 . 2008-04-20 20:35 401,720 --a------ C:\Program Files\HiJackThis.exe
2008-04-20 17:12 . 2008-04-21 10:58 109,798 --a------ C:\WINDOWS\BMb78e940f.xml
2008-04-20 12:20 . 2008-04-21 12:21 138 -r-hs---- C:\WINDOWS\mainms.vpi
2008-04-20 12:20 . 2008-04-21 19:09 33 -r-hs---- C:\WINDOWS\muotr.so
2008-04-20 12:20 . 2008-04-21 19:07 4 --------- C:\WINDOWS\megavid.cdt
2008-04-20 12:19 . 2008-04-20 12:19 398 --a------ C:\WINDOWS\system32\LB1C4.tmp
2008-04-20 12:19 . 2008-04-20 12:19 398 --a------ C:\WINDOWS\system32\LB0DD.tmp
2008-04-20 12:19 . 2008-04-20 12:19 398 --a------ C:\WINDOWS\system32\LAD8A.tmp
2008-04-20 12:19 . 2008-04-20 12:19 398 --a------ C:\WINDOWS\system32\LA8B0.tmp
2008-04-13 16:55 . 2008-04-13 16:55 <DIR> d-------- C:\WINDOWS\system32\COD4MW Screensaver dir
2008-04-13 16:55 . 2008-04-13 16:55 203,264 --a------ C:\WINDOWS\system32\COD4MW Screensaver.scr
2008-04-10 20:52 . 2008-04-19 16:09 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-05 21:27 . 2008-04-05 21:27 38 --a------ C:\WINDOWS\AviSplitter.INI
2008-04-04 20:49 . 2008-04-04 20:49 <DIR> d-------- C:\Program Files\iTunes
2008-04-04 20:49 . 2008-04-04 20:49 <DIR> d-------- C:\Program Files\iPod
2008-04-04 20:46 . 2008-04-04 20:46 <DIR> d-------- C:\Program Files\QuickTime
2008-03-31 19:15 . 2008-04-20 17:18 <DIR> d-------- C:\Program Files\VirtuaWin
2008-03-31 19:15 . 2008-03-31 19:15 <DIR> d-------- C:\Documents and Settings\Alex\Application Data\VirtuaWin
2008-03-31 19:11 . 2008-03-31 19:11 <DIR> d-------- C:\Program Files\Techlogg.com ToneShop
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-26 14:26 . 2008-03-26 14:26 <DIR> d-------- C:\Program Files\Western Digital Technologies

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 03:42 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-04-20 19:23 --------- d-----w C:\Documents and Settings\Alex\Application Data\Azureus
2008-04-20 02:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-19 03:41 --------- d-----w C:\Program Files\Apple Software Update
2008-04-17 23:11 --------- d-----w C:\Program Files\Azureus
2008-04-11 06:23 --------- d-----w C:\Program Files\VideoLAN
2008-03-23 16:01 --------- d-----w C:\Documents and Settings\Alex\Application Data\Tunebite
2008-03-23 15:59 --------- d-----w C:\Program Files\Google
2008-03-23 15:59 --------- d-----w C:\Program Files\Bulk Rename Utility
2008-03-18 00:22 --------- d-----w C:\Program Files\Conduit
2008-03-18 00:22 --------- d-----w C:\Program Files\BTjunkie
2008-03-13 14:06 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-12 23:54 --------- d-----w C:\Documents and Settings\Alex\Application Data\Apple Computer
2008-03-12 02:19 --------- d-----w C:\Program Files\Illustrate
2008-03-12 02:19 --------- d-----w C:\Documents and Settings\Alex\Application Data\AccurateRip
2008-03-12 01:29 --------- d-----w C:\Program Files\Reference Assemblies
2008-03-03 04:28 --------- d-----w C:\Program Files\IrfanView
2008-02-25 21:36 --------- d-----w C:\Documents and Settings\Alex\Application Data\Any Video Converter
2008-02-22 08:35 --------- d-----w C:\Program Files\MSBuild
2008-02-22 08:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-22 08:19 --------- d-----w C:\Program Files\Microsoft XNA
2008-02-22 08:06 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-02-22 07:13 --------- d-----w C:\Documents and Settings\Alex\Application Data\RTPlayer
2008-02-22 07:10 --------- d-----w C:\Program Files\PixiePack Codec Pack
2008-02-22 07:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\RapidSolution
2008-02-22 07:07 --------- d-----w C:\Program Files\RapidSolution
2008-02-22 06:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-17 23:11 12,288 ----a-w C:\WINDOWS\impborl.dll
2003-08-27 22:19 36,963 -c--a-r C:\Program Files\Common Files\SM1updtr.dll
2007-11-19 22:12 2 --shatr C:\WINDOWS\winstart.bat
2007-11-19 22:24 438,440 -csha-w C:\WINDOWS\system32\cehkj.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1a71246c-3eb0-4d6c-af77-3ab756017c3a}]
2008-03-13 10:30 1524248 --a------ C:\Program Files\BTjunkie\tbBTju.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{1A71246C-3EB0-4D6C-AF77-3AB756017C3A}"= C:\Program Files\BTjunkie\tbBTju.dll [2008-03-13 10:30 1524248]

[HKEY_CLASSES_ROOT\clsid\{1a71246c-3eb0-4d6c-af77-3ab756017c3a}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

C:\Documents and Settings\Alex\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 11:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ff_acm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"C:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
"C:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"C:\\Documents and Settings\\Alex\\Desktop\\MySpaceMp3Gopher.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"41952:TCP"= 41952:TCP:tyversityport


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e27fb7b0-e1a1-11db-a85b-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-04-19 03:41:36 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 19:20:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-04-21 19:26:54 - machine was rebooted [Alex]
ComboFix-quarantined-files.txt 2008-04-22 02:26:49

Pre-Run: 19,770,658,816 bytes free
Post-Run: 20,135,043,072 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

239 --- E O F --- 2008-04-21 17:18:53
  • 0

#5
qckslvr546
Posted 21 April 2008 - 08:35 PM

qckslvr546

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
SmitFraudFix v2.315

Scan done at 19:34:12.44, Mon 04/21/2008
Run from C:\Documents and Settings\Alex\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Alex


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Alex\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Alex\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Marvell Yukon 88E8036 PCI-E Fast Ethernet Controller - Packet Scheduler Miniport
DNS Server Search Order: 66.75.160.63
DNS Server Search Order: 66.75.160.64

HKLM\SYSTEM\CCS\Services\Tcpip\..\{C448D229-F63D-4E2A-827A-D6DE12C0CB0F}: DhcpNameServer=66.75.160.63 66.75.160.64
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C448D229-F63D-4E2A-827A-D6DE12C0CB0F}: DhcpNameServer=66.75.160.63 66.75.160.64
HKLM\SYSTEM\CS2\Services\Tcpip\..\{C448D229-F63D-4E2A-827A-D6DE12C0CB0F}: DhcpNameServer=66.75.160.63 66.75.160.64
HKLM\SYSTEM\CS3\Services\Tcpip\..\{C448D229-F63D-4E2A-827A-D6DE12C0CB0F}: DhcpNameServer=66.75.160.63 66.75.160.64
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=66.75.160.63 66.75.160.64
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=66.75.160.63 66.75.160.64
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=66.75.160.63 66.75.160.64
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=66.75.160.63 66.75.160.64


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

#6
qckslvr546
Posted 21 April 2008 - 09:36 PM

qckslvr546

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hey, I think it worked. I havent had any pop ups and I can open my task manager. Is there anything else I should do to make sure its all fixed? And thank you so much.
  • 0

#7
greyknight17
Posted 22 April 2008 - 04:23 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Not quite done yet....

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

File::
C:\WINDOWS\BMb78e940f.xml
C:\WINDOWS\mainms.vpi
C:\WINDOWS\muotr.so
C:\WINDOWS\megavid.cdt
C:\WINDOWS\system32\LB1C4.tmp
C:\WINDOWS\system32\LB0DD.tmp
C:\WINDOWS\system32\LAD8A.tmp
C:\WINDOWS\system32\LA8B0.tmp
C:\WINDOWS\impborl.dll
C:\WINDOWS\winstart.bat
C:\WINDOWS\system32\cehkj.ini2

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

How is it running now? Hopefully still problem free :)
  • 0

#8
qckslvr546
Posted 22 April 2008 - 04:41 PM

qckslvr546

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Yeah, still running good. A little slow sometimes but I think a defrag and disk cleanup should fix it. Heres the log.


ComboFix 08-04-20.5 - Alex 2008-04-22 15:35:21.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.575 [GMT -7:00]
Running from: C:\Documents and Settings\Alex\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Alex\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BMb78e940f.xml
C:\WINDOWS\impborl.dll
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\system32\cehkj.ini2
C:\WINDOWS\system32\LA8B0.tmp
C:\WINDOWS\system32\LAD8A.tmp
C:\WINDOWS\system32\LB0DD.tmp
C:\WINDOWS\system32\LB1C4.tmp
C:\WINDOWS\winstart.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Alex\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\WINDOWS\BMb78e940f.xml
C:\WINDOWS\impborl.dll
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\system32\cehkj.ini2
C:\WINDOWS\system32\LA8B0.tmp
C:\WINDOWS\system32\LAD8A.tmp
C:\WINDOWS\system32\LB0DD.tmp
C:\WINDOWS\system32\LB1C4.tmp
C:\WINDOWS\winstart.bat

.
((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
.

2008-04-21 11:13 . 2008-04-21 11:13 <DIR> d-------- C:\Documents and Settings\Alex\Application Data\Malwarebytes
2008-04-21 11:12 . 2008-04-21 17:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-21 11:12 . 2008-04-21 11:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-21 11:10 . 2008-04-21 11:10 <DIR> d-------- C:\_OTMoveIt
2008-04-21 11:02 . 2008-04-21 11:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-21 10:59 . 2008-04-21 10:59 <DIR> d-------- C:\Program Files\ERUNT
2008-04-20 21:03 . 2008-04-20 21:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-04-20 21:02 . 2004-11-15 20:57 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-20 21:02 . 2004-11-15 22:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-04-20 21:02 . 2001-04-04 02:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2008-04-20 21:02 . 2004-11-15 22:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-20 21:02 . 2004-11-15 21:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-04-20 21:02 . 2004-11-15 23:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
2008-04-20 21:02 . 2004-11-15 22:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-04-20 21:02 . 2004-11-15 22:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-04-20 21:02 . 2008-04-20 21:02 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-20 21:02 . 2008-04-21 19:13 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-20 20:57 . 2008-04-21 19:34 1,092 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-20 20:41 . 2008-04-20 20:41 <DIR> d-------- C:\Program Files\backups
2008-04-20 20:35 . 2008-04-20 20:35 401,720 --a------ C:\Program Files\HiJackThis.exe
2008-04-13 16:55 . 2008-04-13 16:55 <DIR> d-------- C:\WINDOWS\system32\COD4MW Screensaver dir
2008-04-13 16:55 . 2008-04-13 16:55 203,264 --a------ C:\WINDOWS\system32\COD4MW Screensaver.scr
2008-04-10 20:52 . 2008-04-19 16:09 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-05 21:27 . 2008-04-05 21:27 38 --a------ C:\WINDOWS\AviSplitter.INI
2008-04-04 20:49 . 2008-04-04 20:49 <DIR> d-------- C:\Program Files\iTunes
2008-04-04 20:49 . 2008-04-04 20:49 <DIR> d-------- C:\Program Files\iPod
2008-04-04 20:46 . 2008-04-04 20:46 <DIR> d-------- C:\Program Files\QuickTime
2008-03-31 19:15 . 2008-04-20 17:18 <DIR> d-------- C:\Program Files\VirtuaWin
2008-03-31 19:15 . 2008-03-31 19:15 <DIR> d-------- C:\Documents and Settings\Alex\Application Data\VirtuaWin
2008-03-31 19:11 . 2008-03-31 19:11 <DIR> d-------- C:\Program Files\Techlogg.com ToneShop
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-26 14:26 . 2008-03-26 14:26 <DIR> d-------- C:\Program Files\Western Digital Technologies

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 04:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-21 03:42 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-04-20 19:23 --------- d-----w C:\Documents and Settings\Alex\Application Data\Azureus
2008-04-19 03:41 --------- d-----w C:\Program Files\Apple Software Update
2008-04-17 23:11 --------- d-----w C:\Program Files\Azureus
2008-04-11 06:23 --------- d-----w C:\Program Files\VideoLAN
2008-03-23 16:01 --------- d-----w C:\Documents and Settings\Alex\Application Data\Tunebite
2008-03-23 15:59 --------- d-----w C:\Program Files\Google
2008-03-23 15:59 --------- d-----w C:\Program Files\Bulk Rename Utility
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-18 00:22 --------- d-----w C:\Program Files\Conduit
2008-03-18 00:22 --------- d-----w C:\Program Files\BTjunkie
2008-03-13 14:06 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-12 23:54 --------- d-----w C:\Documents and Settings\Alex\Application Data\Apple Computer
2008-03-12 02:21 1,071,480 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2008-03-12 02:19 --------- d-----w C:\Program Files\Illustrate
2008-03-12 02:19 --------- d-----w C:\Documents and Settings\Alex\Application Data\AccurateRip
2008-03-12 01:29 --------- d-----w C:\Program Files\Reference Assemblies
2008-03-03 04:28 --------- d-----w C:\Program Files\IrfanView
2008-02-25 21:36 --------- d-----w C:\Documents and Settings\Alex\Application Data\Any Video Converter
2008-02-22 08:35 --------- d-----w C:\Program Files\MSBuild
2008-02-22 08:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-22 08:19 --------- d-----w C:\Program Files\Microsoft XNA
2008-02-22 08:06 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-02-22 07:13 --------- d-----w C:\Documents and Settings\Alex\Application Data\RTPlayer
2008-02-22 07:10 --------- d-----w C:\Program Files\PixiePack Codec Pack
2008-02-22 07:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\RapidSolution
2008-02-22 07:07 --------- d-----w C:\Program Files\RapidSolution
2008-02-22 06:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-01 11:21 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2008-01-29 19:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
2003-08-27 22:19 36,963 -c--a-r C:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1a71246c-3eb0-4d6c-af77-3ab756017c3a}]
2008-03-13 10:30 1524248 --a------ C:\Program Files\BTjunkie\tbBTju.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{1A71246C-3EB0-4D6C-AF77-3AB756017C3A}"= C:\Program Files\BTjunkie\tbBTju.dll [2008-03-13 10:30 1524248]

[HKEY_CLASSES_ROOT\clsid\{1a71246c-3eb0-4d6c-af77-3ab756017c3a}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-08-10 07:37 61440]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]

C:\Documents and Settings\Alex\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 11:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ff_acm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"C:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
"C:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"C:\\Documents and Settings\\Alex\\Desktop\\MySpaceMp3Gopher.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"41952:TCP"= 41952:TCP:tyversityport


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e27fb7b0-e1a1-11db-a85b-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-04-19 03:41:36 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-22 15:37:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-04-22 15:39:40
ComboFix-quarantined-files.txt 2008-04-22 22:38:38
ComboFix2.txt 2008-04-22 02:26:55

Pre-Run: 19,967,246,336 bytes free
Post-Run: 20,112,723,968 bytes free

178 --- E O F --- 2008-04-21 17:18:53
  • 0

#9
greyknight17
Posted 22 April 2008 - 07:32 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Go to Start->Run and copy/paste in combofix /u to remove it. You should be set to go.
  • 0

#10
greyknight17
Posted 22 April 2008 - 07:32 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP