Spawning iexplore.exe over & over & over [RESOLVED]

#1 gearhead4 (New Member, 9 posts)
Spawning iexplore.exe ... slowing me to a crawl !!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Multiple instances of iexplore.exe are running in my processes with no apps whatsoever running. "End Process" and a new iexplore.exe (or 2) appears, sometimes hogging 80, 90, 100 MB of memory.
I have stepped through the "READ FIRST" page (ATF, MalwareBytes, SuperAntiSpyware, Panda) and fixed many threats, but iexplore.exe persists. I have also viewed several other users' entries who have seen this ailment, and it seems a different fix has been suggested for each.

Thanks in advance and please advise on a solution.

Gearhead4
removed e-mail address


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[ MalwareBytes Log ]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]



Malwarebytes' Anti-Malware 1.11
Database version: 660

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 110652
Time elapsed: 2 hour(s), 12 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{85e0b171-04fa-11d1-b7da-00a0c90348a7} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rightonadz (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\HID_Layer (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\www.host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rightonadz-uninst.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.



[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[ SuperAntiSpyware Log #1 ]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]



SUPERAntiSpyware Scan Log
Generated 04/20/2008 at 05:10 AM

Application Version : 3.6.1000

Core Rules Database Version : 3442
Trace Rules Database Version: 1434

Scan type : Complete Scan
Total Scan Time : 02:09:36

Memory items scanned : 450
Memory threats detected : 0
Registry items scanned : 5657
Registry threats detected : 10
File items scanned : 42122
File threats detected : 10

Adware.AdRotator/RightOnz
HKLM\Software\Classes\CLSID\{10F3E8BD-257A-4702-A2F5-DC02055B068C}
HKCR\CLSID\{10F3E8BD-257A-4702-A2F5-DC02055B068C}
HKCR\CLSID\{10F3E8BD-257A-4702-A2F5-DC02055B068C}
HKCR\CLSID\{10F3E8BD-257A-4702-A2F5-DC02055B068C}\InprocServer32
HKCR\CLSID\{10F3E8BD-257A-4702-A2F5-DC02055B068C}\InprocServer32#ThreadingModel
HKCR\CLSID\{10F3E8BD-257A-4702-A2F5-DC02055B068C}\ProgID
HKCR\CLSID\{10F3E8BD-257A-4702-A2F5-DC02055B068C}\Programmable
HKCR\CLSID\{10F3E8BD-257A-4702-A2F5-DC02055B068C}\TypeLib
HKCR\CLSID\{10F3E8BD-257A-4702-A2F5-DC02055B068C}\VersionIndependentProgID
C:\WINDOWS\SYSTEM32\GZMRT.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#hid_start [ C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrotate.dll" DllVerify ]

Adware.Tracking Cookie
C:\Documents and Settings\ddaniels\Cookies\[email protected][1].txt
C:\Documents and Settings\ddaniels\Cookies\[email protected][2].txt
C:\Documents and Settings\ddaniels\Cookies\ddaniels@tribalfusion[2].txt

Adware.OneStepSearch
C:\SYSTEM VOLUME INFORMATION\_RESTORE{44325D8E-0988-40ED-BB56-355BFFEB7EA3}\RP86\A0034461.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{44325D8E-0988-40ED-BB56-355BFFEB7EA3}\RP86\A0034496.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{44325D8E-0988-40ED-BB56-355BFFEB7EA3}\RP86\A0034497.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{44325D8E-0988-40ED-BB56-355BFFEB7EA3}\RP86\A0034498.EXE

Trojan.Unclassified/NSN-Variant
C:\WINDOWS\SYSTEM32\NSQ7E.DLL

Unclassified.Unknown Origin
D:\DOWNLOAD\SOFTWARE\WORKING MODEL\CRACK\CRACKER.EXE

[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[ SuperAntiSpyware Log #2 ]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]

SUPERAntiSpyware Scan Log
Generated 04/20/2008 at 09:01 PM

Application Version : 3.6.1000

Core Rules Database Version : 3442
Trace Rules Database Version: 1434

Scan type : Complete Scan
Total Scan Time : 07:38:23

Memory items scanned : 463
Memory threats detected : 0
Registry items scanned : 5667
Registry threats detected : 0
File items scanned : 77857
File threats detected : 2

Trojan.Unclassified/NSN-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{44325D8E-0988-40ED-BB56-355BFFEB7EA3}\RP115\A0041793.DLL

Unclassified.Unknown Origin
D:\DOWNLOAD\SOFTWARE\WORKING MODEL\CRACK\CRACKER.EXE

[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[ Active Scan Log ]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]

;*******************************************************************************
ANALYSIS: 2008-04-22 06:06:53
PROTECTIONS: 2
MALWARE: 14
SUSPECTS: 0
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
Symantec Antivirus Corporate Edition 8.0 No Yes
Norton Antivirus Edition 7.5 No Yes
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00003428 adware/memorywatcher Adware No 0 Yes No hkey_classes_root\vbrad.trayicon
00046757 spyware/bridge Spyware No 1 Yes No hkey_local_machine\software\microsoft\windows\currentversion\run\mswspl
00047257 vbs/psyme.gen Virus/Trojan No 0 No No c:\program files\windows media player\wmplayer.exe.tmp
00118392 Adware/Trymedia Adware No 0 Yes No C:\Downloads\D2elvesSetup-dm[1].exe
00118392 Adware/Trymedia Adware No 0 Yes No C:\Downloads\D2galleanSetup-dm[1].exe
00118392 Adware/Trymedia Adware No 0 Yes No C:\Downloads\D2ProphecySetup-dm[1].exe
00193807 dialer.bny Dialers No 0 Yes No c:\windows\pcconfig.dat
00235342 Adware/IST.ISTBar Adware No 1 Yes No D:\Download\Software\Working Model\crack\WORKING[1].MODEL.2D.2004.V7.0-NiTROUS.ZIP[cracker.exe]
00235342 Adware/IST.ISTBar Adware No 1 Yes No D:\Download\Software\Working Model\crack\cracker.exe
00524419 Application/Altnet HackTools No 0 Yes No D:\Download\Software\Kazzaa\kazaa_lite_202_english.exe
00524419 Application/Altnet HackTools No 0 Yes No D:\Download\Software\Kazzaa\klite_202_b1.zip[first stage/kazaa_lite_202_english.exe]
00527204 Application/PRScheduler HackTools No 0 Yes No C:\DOCUMENTS AND SETTINGS\DDANIELS\START MENU\PROGRAMS\STARTUP\POWERREG SCHEDULER V3.EXE
02409980 Adware/SystemDoctor Adware No 0 Yes No C:\Documents and Settings\Blake\Application Data\16 kind\zutjvkti.exe
02685009 Adware/SystemDoctor Adware No 0 Yes No C:\Documents and Settings\Blake\Application Data\16 kind\smukdinb.exe
02868852 Adware/SystemDoctor Adware No 0 Yes No C:\Documents and Settings\Blake\Application Data\16 kind\tzqjgxut.exe
02881056 Adware/Lop Adware No 0 Yes No C:\Documents and Settings\Jessica\Application Data\16 kind\uounxjhg.exe
02890449 Adware/Lop Adware No 0 Yes No C:\Documents and Settings\All Users\Application Data\Close Noun Junk Logo\GREAT UP.exe
02910946 Adware/Lop Adware No 0 Yes No C:\System Volume Information\_restore{44325D8E-0988-40ED-BB56-355BFFEB7EA3}\RP84\A0030850.exe
;===============================================================================
SUSPECTS
Sent Location Cy
;===============================================================================
;===============================================================================
VULNERABILITIES
Id Severity Description Cy
;===============================================================================
;===============================================================================

[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[ Hijack This Log ]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:47 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\devldr32.exe
D:\Programs\ZONEAL~1\zlclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Real\RealPlayer\trueplay.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8081
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\Programs\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [Memo Dent Junk Readme] C:\Documents and Settings\All Users\Application Data\Plan Team Memo Dent\OwnsFree.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1125010856\ee\AOLHostManager.exe
O4 - HKCU\..\Run: [ctwdm32] C:\WINDOWS\system32\ctwdm32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DentIso] C:\DOCUME~1\ddaniels\APPLIC~1\16KIND~1\ExitLogo.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless Configuration Utility HW.14.lnk = C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5883 bytes

#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Welcome to GTG.

1. Download combofix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.

#3 gearhead4 (Topic Starter, New Member, 9 posts)
Thanks for the extremely fast response... sorry for MY delay; ComboFix hung up upon closing, had to reboot.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ComboFix 08-04-22.5 - ddaniels 2008-04-23 22:14:42.1 - NTFSx86
Running from: D:\Download\Software\SpyWare\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\ddaniels\Application Data\inst.exe
C:\Program Files\Adssite Games Collection
C:\Program Files\Adssite Games Collection\BattlesOfHelicopters.exe
C:\Program Files\Adssite Games Collection\BobAndBill.exe
C:\Program Files\Adssite Games Collection\CrazyBlocks.exe
C:\Program Files\Adssite Games Collection\Lines.exe
C:\Program Files\Adssite Games Collection\uninstall.exe
C:\Program Files\Adssite Games Collection\VideoPool.exe
C:\WINDOWS\system32\CMMGR32.EXE
C:\WINDOWS\system32\fo-remove.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-23 21:39 . 2008-04-23 21:39 142 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-04-23 21:23 . 2008-04-23 21:23 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-21 20:28 . 2008-04-21 20:29 <DIR> d-------- C:\Program Files\Panda Security
2008-04-21 18:56 . 2008-04-22 21:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-21 18:56 . 2008-04-21 18:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-20 02:57 . 2008-04-22 20:37 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-20 02:57 . 2008-04-20 02:57 <DIR> d-------- C:\Documents and Settings\ddaniels\Application Data\SUPERAntiSpyware.com
2008-04-20 02:57 . 2008-04-20 02:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-20 02:56 . 2008-04-20 02:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-19 23:55 . 2008-04-19 23:55 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-19 23:55 . 2008-04-19 23:55 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-19 23:55 . 2008-04-19 23:55 <DIR> d-------- C:\Documents and Settings\ddaniels\Application Data\Malwarebytes
2008-04-19 23:55 . 2008-04-19 23:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-19 16:42 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-04-18 00:27 . 2008-04-18 00:26 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-18 00:27 . 2008-04-18 00:27 2,546 --a------ C:\WINDOWS\unins000.dat
2008-04-16 22:27 . 2008-04-19 17:37 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-14 19:46 . 2007-07-26 22:08 19,072 -ra------ C:\WINDOWS\system32\drivers\ax88772.sys
2008-04-12 10:09 . 2008-04-12 10:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\aim mix proc pure
2008-04-12 10:08 . 2008-04-12 10:08 <DIR> d-------- C:\Program Files\16 kind
2008-04-04 21:00 . 2006-12-26 14:58 189,312 --a------ C:\WINDOWS\system32\drivers\RTL8187B.sys
2008-04-04 20:59 . 2008-04-04 20:59 <DIR> d-------- C:\WINDOWS\OPTIONS
2008-04-04 20:59 . 2008-04-04 20:59 <DIR> d-------- C:\Program Files\TRENDnet
2008-04-04 20:59 . 2008-04-04 20:59 21,035 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-03-28 19:17 . 2008-04-12 10:10 <DIR> d-------- C:\Documents and Settings\ddaniels\Application Data\16 kind
2008-03-25 22:12 . 2007-04-24 16:30 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2008-03-25 22:12 . 2008-03-04 12:33 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-03-25 22:12 . 2008-03-04 12:32 6,144 --a------ C:\WINDOWS\system32\ff_acm.acm
2008-03-25 22:12 . 2007-07-10 17:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-03-25 22:11 . 2008-03-25 22:12 <DIR> d-------- C:\Program Files\ffdshow
2008-03-25 22:07 . 2008-03-25 22:07 <DIR> d-------- C:\Program Files\AVIcodec

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-20 07:37 --------- d-----w C:\Documents and Settings\Jessica\Application Data\16 kind
2008-04-20 03:31 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-20 02:20 --------- d-----w C:\Program Files\Viewpoint
2008-04-20 02:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-20 02:18 --------- d-----w C:\Program Files\KaZaA Lite
2008-04-20 02:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-04-18 04:51 3,224,064 ----a-w C:\WINDOWS\Internet Logs\xDB2FB.tmp
2008-04-18 04:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-18 04:31 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-15 05:09 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-14 17:48 44,544 ----a-w C:\WINDOWS\Internet Logs\xDB2FA.tmp
2008-04-14 17:48 3,167,232 ----a-w C:\WINDOWS\Internet Logs\xDB2F9.tmp
2008-04-11 19:13 34,304 ----a-w C:\WINDOWS\Internet Logs\xDB2F8.tmp
2008-04-11 18:38 3,166,720 ----a-w C:\WINDOWS\Internet Logs\xDB2F7.tmp
2008-04-09 20:30 39,424 ----a-w C:\WINDOWS\Internet Logs\xDB2F6.tmp
2008-04-09 20:17 3,160,064 ----a-w C:\WINDOWS\Internet Logs\xDB2F5.tmp
2008-04-09 03:44 --------- d-----w C:\Program Files\ZoomTown
2008-04-06 03:06 20,992 ----a-w C:\WINDOWS\Internet Logs\xDB2F4.tmp
2008-04-05 19:27 14,848 ----a-w C:\WINDOWS\Internet Logs\xDB2F3.tmp
2008-04-05 19:24 3,148,800 ----a-w C:\WINDOWS\Internet Logs\xDB2F0.tmp
2008-04-05 19:19 50,688 ----a-w C:\WINDOWS\Internet Logs\xDB2EF.tmp
2008-04-05 19:08 3,148,800 ----a-w C:\WINDOWS\Internet Logs\xDB2EE.tmp
2008-04-05 07:31 --------- d-----w C:\Documents and Settings\ddaniels\Application Data\DVD Flick
2008-04-05 01:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-02 04:20 --------- d-----w C:\Documents and Settings\ddaniels\Application Data\uTorrent
2008-04-02 03:58 3,143,680 ----a-w C:\WINDOWS\Internet Logs\xDB2ED.tmp
2008-03-31 13:26 --------- d-----w C:\Documents and Settings\Blake\Application Data\LimeWire
2008-03-31 13:16 3,137,024 ----a-w C:\WINDOWS\Internet Logs\xDB2EB.tmp
2008-03-31 13:11 112,640 ----a-w C:\WINDOWS\Internet Logs\xDB2EC.tmp
2008-03-31 00:04 --------- d-----w C:\Documents and Settings\ddaniels\Application Data\Vso
2008-03-28 02:56 --------- d-----w C:\Documents and Settings\ddaniels\Application Data\DivX
2008-03-28 02:26 --------- d-----w C:\Program Files\Yahoo!
2008-03-28 02:25 --------- d-----w C:\Program Files\Nero
2008-03-28 02:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-03-23 05:22 --------- d-----w C:\Program Files\uTorrent
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-17 03:48 --------- d-----w C:\Program Files\DivX
2008-03-17 02:21 --------- d-----w C:\Program Files\Giant
2008-03-17 02:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Close Noun Junk Logo
2008-03-16 18:31 --------- d-----w C:\Documents and Settings\ddaniels\Application Data\ImgBurn
2008-03-14 00:00 19,456 ----a-w C:\WINDOWS\Internet Logs\xDB2EA.tmp
2008-03-13 23:10 3,073,024 ----a-w C:\WINDOWS\Internet Logs\xDB2E9.tmp
2008-03-13 19:37 17,920 ----a-w C:\WINDOWS\Internet Logs\xDB2E8.tmp
2008-03-13 19:24 3,073,024 ----a-w C:\WINDOWS\Internet Logs\xDB2E7.tmp
2008-03-13 18:45 55,296 ----a-w C:\WINDOWS\Internet Logs\xDB2E6.tmp
2008-03-13 18:30 3,076,096 ----a-w C:\WINDOWS\Internet Logs\xDB2E5.tmp
2008-03-10 20:54 --------- d-----w C:\Documents and Settings\Jessica\Application Data\Move Networks
2008-03-08 17:21 --------- d-----w C:\Documents and Settings\Jessica\Application Data\ImgBurn
2008-03-08 17:17 --------- d-----w C:\Program Files\ImgBurn
2008-03-08 14:41 3,091,968 ----a-w C:\WINDOWS\Internet Logs\xDB2E3.tmp
2008-03-08 14:36 48,128 ----a-w C:\WINDOWS\Internet Logs\xDB2E4.tmp
2008-03-05 03:35 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-05 01:35 --------- d-----w C:\Program Files\DVDInfoPro
2008-03-03 05:06 3,052,544 ----a-w C:\WINDOWS\Internet Logs\xDB2E1.tmp
2008-03-03 05:06 15,360 ----a-w C:\WINDOWS\Internet Logs\xDB2E2.tmp
2008-03-03 04:24 31,744 ----a-w C:\WINDOWS\Internet Logs\xDB2E0.tmp
2008-03-03 04:19 3,052,544 ----a-w C:\WINDOWS\Internet Logs\xDB2DF.tmp
2008-03-01 20:13 14,848 ----a-w C:\WINDOWS\Internet Logs\xDB2DE.tmp
2008-03-01 20:12 3,052,032 ----a-w C:\WINDOWS\Internet Logs\xDB2DD.tmp
2008-03-01 19:31 59,392 ----a-w C:\WINDOWS\Internet Logs\xDB2DC.tmp
2008-03-01 19:18 3,052,032 ----a-w C:\WINDOWS\Internet Logs\xDB2DB.tmp
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-01 06:18 --------- d-----w C:\Program Files\DVD Flick
2008-03-01 05:16 --------- d-----w C:\Program Files\Xvid
2008-03-01 04:19 --------- d-----w C:\Program Files\Common Files\Ahead
2008-02-27 04:04 22,782 ----a-w C:\WINDOWS\system32\UninstXviDDec.exe
2008-02-27 00:07 16,896 ----a-w C:\WINDOWS\Internet Logs\xDB2DA.tmp
2008-02-26 23:56 3,035,136 ----a-w C:\WINDOWS\Internet Logs\xDB2D9.tmp
2008-02-26 23:47 121,856 ----a-w C:\WINDOWS\Internet Logs\xDB2D8.tmp
2008-02-26 23:46 3,035,136 ----a-w C:\WINDOWS\Internet Logs\xDB2D7.tmp
2008-02-26 04:35 --------- d-----w C:\Documents and Settings\ddaniels\Application Data\Nero
2008-02-26 01:29 --------- d-----w C:\Program Files\ahead
2008-02-21 02:05 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-02-21 02:05 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-02-21 02:05 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-02-21 02:05 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2008-02-21 02:05 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2008-02-21 02:05 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2008-02-21 02:05 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-02-21 02:04 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-02-21 02:04 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-02-21 02:04 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-02-21 02:04 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-02-21 02:04 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-02-21 02:04 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-02-21 02:04 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-02-21 02:04 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-02-21 02:04 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-02-21 02:04 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-02-21 02:04 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-02-21 02:04 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-02-21 02:03 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-02-21 02:03 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-13 08:32 43,008 ----a-w C:\WINDOWS\Internet Logs\xDB2D6.tmp
2008-02-13 08:08 3,016,192 ----a-w C:\WINDOWS\Internet Logs\xDB2D4.tmp
2008-02-13 03:35 47,360 ----a-w C:\Documents and Settings\ddaniels\Application Data\pcouffin.sys
2008-02-09 17:10 41,984 ----a-w C:\WINDOWS\Internet Logs\xDB2D3.tmp
2008-02-09 16:51 3,001,856 ----a-w C:\WINDOWS\Internet Logs\xDB2D2.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctwdm32"="C:\WINDOWS\system32\ctwdm32.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"DentIso"="C:\DOCUME~1\ddaniels\APPLIC~1\16KIND~1\ExitLogo.exe" [2008-04-12 10:07 425472]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-04-22 20:37 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 05:21 90112]
"Zone Labs Client"="D:\Programs\ZONEAL~1\zlclient.exe" [2004-02-17 18:01 693528]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-05-04 00:38 180269]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-06 01:07 61440]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"NWEReboot"="" []
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [ ]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-10-18 03:00 155648]
"mswspl"="C:\Program Files\Windows Media Player\wmplayer.exe" [2004-08-04 03:56 73728]
"Memo Dent Junk Readme"="C:\Documents and Settings\All Users\Application Data\Plan Team Memo Dent\OwnsFree.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048]
"HostManager"="C:\Program Files\Common Files\AOL\1125010856\ee\AOLHostManager.exe" [ ]

C:\Documents and Settings\ddaniels\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2004-02-15 15:37:01 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-08-06 01:07:30 61440]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 65588]
Wireless Configuration Utility HW.14.lnk - C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe [2006-12-22 11:17:32 598016]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-04-22 20:37 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"msacm.avis"= ff_acm.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Download\\Software\\WinMx\\WinMX\\WinMX.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Games\\Ages of Empires\\EMPIRES2.EXE"=
"C:\\StubInstaller.exe"=
"C:\\Documents and Settings\\Jessica\\Desktop\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\TRENDnet\\TEW-424UB\\WlanCU.exe"=

R3 AX88772;ASIX AX88772 USB2.0 to Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\ax88772.sys [2007-07-26 22:08]
S3 ELNK3;3Com EtherLink III;C:\WINDOWS\system32\DRIVERS\elnk3.sys [2001-08-17 08:10]
S3 RTL8187B;TRENDnet TEW-424UB Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187B.sys [2006-12-26 14:58]
S3 USB_RNDIS_XP;Westell USB Network Interface;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 02:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ba297b5-cdaf-11db-8ab4-00183a30470b}]
\Shell\AutoRun\command - E:\LaunchU3.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - SASDIFSV
.
Contents of the 'Scheduled Tasks' folder
"2008-04-24 02:00:00 C:\WINDOWS\Tasks\A7DD15A9901E90F5.job"
- c:\docume~1\jessica\applic~1\16kind~1\third tons up.exe
"2008-04-24 02:00:01 C:\WINDOWS\Tasks\AE4F8EE8958C3F88.job"
- c:\docume~1\ddaniels\applic~1\16kind~1\third tons up.exe
"2008-04-14 21:18:16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-24 02:00:01 C:\WINDOWS\Tasks\B2791795982E8EF1.job"
- c:\docume~1\blake\applic~1\16kind~1\third tons up.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 22:20:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll
.
Completion time: 2008-04-23 22:25:01
ComboFix-quarantined-files.txt 2008-04-24 02:24:53

Pre-Run: 7,886,512,128 bytes free
Post-Run: 8,018,030,592 bytes free

245 --- E O F --- 2008-04-09 05:29:01
  • 0

#4
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
I want you to upload this file (C:\Program Files\Windows Media Player\wmplayer.exe) to http://virusscan.jotti.org and report back what it found.

Download NoLop.exe to your desktop from one of the following mirrors:
http://www.thespykil...=tpmod;dl=get16
http://www.greyknigh...m/spy/NoLop.exe

Close any other programs you have running as this will require a reboot.
Double-click NoLop.exe to run it.
Now click the button labeled Search and Destroy.
When scanning is finished you will be prompted to reboot only if infected. Click OK.
Now click the Reboot button. A message should pop up from NoLop. If not, double-click the program again and it will finish.
Post the contents of C:\NoLop.log here.

If you receive an error saying that mscomctl.ocx or one of its dependencies is not correctly registered, then download the mscomctl.ocx file from http://www.boletrice...ds/mscomctl.ocx to your system32 folder and then rerun NoLop.


Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

File::
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\QTFont.for
C:\WINDOWS\Internet Logs\xDB2FB.tmp
C:\WINDOWS\Internet Logs\xDB2FA.tmp
C:\WINDOWS\Internet Logs\xDB2F9.tmp
C:\WINDOWS\Internet Logs\xDB2F8.tmp
C:\WINDOWS\Internet Logs\xDB2F7.tmp
C:\WINDOWS\Internet Logs\xDB2F6.tmp
C:\WINDOWS\Internet Logs\xDB2F5.tmp
C:\WINDOWS\Internet Logs\xDB2F4.tmp
C:\WINDOWS\Internet Logs\xDB2F3.tmp
C:\WINDOWS\Internet Logs\xDB2F0.tmp
C:\WINDOWS\Internet Logs\xDB2EF.tmp
C:\WINDOWS\Internet Logs\xDB2EE.tmp
C:\WINDOWS\Internet Logs\xDB2ED.tmp
C:\WINDOWS\Internet Logs\xDB2EB.tmp
C:\WINDOWS\Internet Logs\xDB2EC.tmp
C:\WINDOWS\Internet Logs\xDB2EA.tmp
C:\WINDOWS\Internet Logs\xDB2E9.tmp
C:\WINDOWS\Internet Logs\xDB2E8.tmp
C:\WINDOWS\Internet Logs\xDB2E7.tmp
C:\WINDOWS\Internet Logs\xDB2E6.tmp
C:\WINDOWS\Internet Logs\xDB2E5.tmp
C:\WINDOWS\Internet Logs\xDB2E3.tmp
C:\WINDOWS\Internet Logs\xDB2E4.tmp
C:\WINDOWS\Internet Logs\xDB2E1.tmp
C:\WINDOWS\Internet Logs\xDB2E2.tmp
C:\WINDOWS\Internet Logs\xDB2E0.tmp
C:\WINDOWS\Internet Logs\xDB2DF.tmp
C:\WINDOWS\Internet Logs\xDB2DE.tmp
C:\WINDOWS\Internet Logs\xDB2DD.tmp
C:\WINDOWS\Internet Logs\xDB2DC.tmp
C:\WINDOWS\Internet Logs\xDB2DB.tmp
C:\WINDOWS\Internet Logs\xDB2DA.tmp
C:\WINDOWS\Internet Logs\xDB2D9.tmp
C:\WINDOWS\Internet Logs\xDB2D8.tmp
C:\WINDOWS\Internet Logs\xDB2D7.tmp
C:\WINDOWS\Internet Logs\xDB2D6.tmp
C:\WINDOWS\Internet Logs\xDB2D4.tmp
C:\WINDOWS\Internet Logs\xDB2D3.tmp
C:\WINDOWS\Internet Logs\xDB2D2.tmp
C:\WINDOWS\Tasks\A7DD15A9901E90F5.job
C:\WINDOWS\Tasks\AE4F8EE8958C3F88.job
C:\WINDOWS\Tasks\B2791795982E8EF1.job
Folder::
c:\docume~1\blake\applic~1\16kind~1\
C:\Documents and Settings\All Users\Application Data\Close Noun Junk Logo
C:\Documents and Settings\All Users\Application Data\aim mix proc pure
C:\Program Files\16 kind
C:\Documents and Settings\ddaniels\Application Data\16 kind
C:\Documents and Settings\Jessica\Application Data\16 kind
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctwdm32"=-
"DentIso"=-

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

How is it running so far?

Edited by greyknight17, 24 April 2008 - 07:01 AM.

  • 0
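The log sections and the CFScript above, as an added example that is not part of this thread or of ComboFix: a Python script that parses the Run-key and Scheduled Tasks sections of a ComboFix log, flags entries matching the pattern visible in this log (16-hex-character .job names and autostarts launched from Application Data), and renders them in the File::/Folder::/Registry:: layout of the CFScript. The sample log lines are constructed from this thread's log, and the two heuristics are assumptions drawn from this case, not a general malware signature.

```python
import ntpath
import re
from typing import Dict, List

# Constructed sample in the shape of the ComboFix "Reg Loading Points" and
# "Scheduled Tasks" sections posted in this thread (a few lines, not the full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 05:21 90112]
"mswspl"="C:\Program Files\Windows Media Player\wmplayer.exe" [2004-08-04 03:56 73728]
"Memo Dent Junk Readme"="C:\Documents and Settings\All Users\Application Data\Plan Team Memo Dent\OwnsFree.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048]

Contents of the 'Scheduled Tasks' folder
"2008-04-24 02:00:00 C:\WINDOWS\Tasks\A7DD15A9901E90F5.job"
- c:\docume~1\jessica\applic~1\16kind~1\third tons up.exe
"2008-04-14 21:18:16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"""

RUN_KEY_RE = re.compile(r"^\[(HKEY_.*\\Run)\]$", re.IGNORECASE)
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')
TASK_RE = re.compile(r'^"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (.+\.job)"$')
TASK_TARGET_RE = re.compile(r"^- (.+)$")
# Heuristics (assumptions drawn from this thread's log): .job files named with
# 16 hex characters, and autostarts whose executable lives under a user's
# Application Data folder, in long or 8.3 form.
HEX16_JOB_RE = re.compile(r"\\[0-9A-F]{16}\.job$", re.IGNORECASE)
APPDATA_RE = re.compile(r"\\(application data|applic~1)\\", re.IGNORECASE)


def parse_combofix(text: str) -> List[Dict[str, str]]:
    """Extract Run-key values and scheduled-task entries from ComboFix log text."""
    entries: List[Dict[str, str]] = []
    section = None
    current_key = ""
    pending_job = ""
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            section = None  # a blank line ends the current section
            continue
        m = RUN_KEY_RE.match(line)
        if m:
            section, current_key = "run", m.group(1)
            continue
        if line.startswith("["):
            section = None  # some other registry key we do not parse
            continue
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            section = "tasks"
            continue
        if section == "run":
            m = RUN_VALUE_RE.match(line)
            if m:
                entries.append({"kind": "run", "key": current_key,
                                "name": m.group(1), "path": m.group(2)})
        elif section == "tasks":
            m = TASK_RE.match(line)
            if m:
                pending_job = m.group(1)  # the "- target" line follows
                continue
            m = TASK_TARGET_RE.match(line)
            if m and pending_job:
                entries.append({"kind": "task", "job": pending_job, "target": m.group(1)})
                pending_job = ""
    return entries


def flag_suspicious(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the entries matching the autostart pattern seen in this log, with a reason."""
    flagged = []
    for e in entries:
        if e["kind"] == "run" and APPDATA_RE.search(e["path"]):
            flagged.append(dict(e, reason="Run value launches an executable from Application Data"))
        elif e["kind"] == "task" and HEX16_JOB_RE.search(e["job"]) and APPDATA_RE.search(e["target"]):
            flagged.append(dict(e, reason="16-hex-character .job name launching from Application Data"))
    return flagged


def build_cfscript(flagged: List[Dict[str, str]]) -> str:
    """Render flagged entries in the File::/Folder::/Registry:: layout of a CFScript."""
    files, folders, reg = [], [], {}
    for f in flagged:
        if f["kind"] == "task":
            files.append(f["job"])
            folders.append(ntpath.dirname(f["target"]))  # Windows paths, so ntpath
        else:
            folders.append(ntpath.dirname(f["path"]))
            reg.setdefault(f["key"], []).append(f["name"])  # "name"=- deletes the value
    lines = []
    if files:
        lines.append("File::")
        lines.extend(files)
    if folders:
        lines.append("Folder::")
        lines.extend(dict.fromkeys(folders))  # de-duplicate, keep order
    if reg:
        lines.append("Registry::")
        for key, names in reg.items():
            lines.append(f"[{key}]")
            lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(flag_suspicious(parse_combofix(SAMPLE_LOG))))
```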

#5
gearhead4

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
http://www.thespykil...=tpmod;dl=get16
= BAD LINK (downloads HijackThis_199.exe instead of NoLop.exe)

Also, every time ComboFix finishes, I have no desktop icons and no task bar .... have to reboot ???

So far only one occurrence of iexplore.exe in the task manager .... the one I'm typing in.

Bedtime now ! zzzzzzzz I will further analyze tomorrow.

[[[[[[[[[[[[[[[[[[[[[[[Results from http://virusscan.jotti.org]]]]]]]]]]]]]]]]]]]]]]]]]]]]

File: wmplayer.exe
Status: OK
MD5: 48cdab5eb8c952534ae2c5aed72ccb70
Packers detected: -
Bit9 reports: No threat detected

Scanner results (scan taken on 24 Apr 2008 03:28:50 (GMT)):
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing


[[[[[[[[[[[[[[[[[[[[[[[[ NoLop log ]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]

NoLop! Log by Skate_Punk_21

Please Note: any existing old logs will have now been renamed to NoLop!OLD.log

Fix running from: D:\Download\Software\SpyWare
[4/23/2008]
[11:46:00 PM]

---Infection Files Found/Removed---
C:\WINDOWS\tasks\A7DD15A9901E90F5.job
C:\WINDOWS\tasks\AE4F8EE8958C3F88.job
C:\WINDOWS\tasks\B2791795982E8EF1.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Aim Mix Proc Pure
C:\Documents and Settings\All Users\Application Data\Aol
C:\Documents and Settings\All Users\Application Data\Aol Downloads
C:\Documents and Settings\All Users\Application Data\Aol Ocp
C:\Documents and Settings\All Users\Application Data\Apple
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Arcsoft
C:\Documents and Settings\All Users\Application Data\Close Noun Junk Logo
C:\Documents and Settings\All Users\Application Data\Flexnet
C:\Documents and Settings\All Users\Application Data\Malwarebytes
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Microsoft Games
C:\Documents and Settings\All Users\Application Data\Msn6
C:\Documents and Settings\All Users\Application Data\Nero
C:\Documents and Settings\All Users\Application Data\Quicktime
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Superantispyware.com
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Temp -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Trymedia
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Vsosdk
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\Blake\Application Data\16 Kind
C:\Documents and Settings\Blake\Application Data\Adobe
C:\Documents and Settings\Blake\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Blake\Application Data\Aim
C:\Documents and Settings\Blake\Application Data\Apple Computer
C:\Documents and Settings\Blake\Application Data\Arcsoft
C:\Documents and Settings\Blake\Application Data\Ati
C:\Documents and Settings\Blake\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Blake\Application Data\Identities
C:\Documents and Settings\Blake\Application Data\Limewire
C:\Documents and Settings\Blake\Application Data\Macromedia
C:\Documents and Settings\Blake\Application Data\Microsoft
C:\Documents and Settings\Blake\Application Data\Microsoft Games
C:\Documents and Settings\Blake\Application Data\Msn6
C:\Documents and Settings\Blake\Application Data\Real
C:\Documents and Settings\Ddaniels\Application Data\16 Kind
C:\Documents and Settings\Ddaniels\Application Data\Acccore
C:\Documents and Settings\Ddaniels\Application Data\Adobe
C:\Documents and Settings\Ddaniels\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Ddaniels\Application Data\Ahead
C:\Documents and Settings\Ddaniels\Application Data\Aim
C:\Documents and Settings\Ddaniels\Application Data\Apple Computer
C:\Documents and Settings\Ddaniels\Application Data\Arcsoft
C:\Documents and Settings\Ddaniels\Application Data\Ati
C:\Documents and Settings\Ddaniels\Application Data\Divx
C:\Documents and Settings\Ddaniels\Application Data\Dvd Flick
C:\Documents and Settings\Ddaniels\Application Data\Help
C:\Documents and Settings\Ddaniels\Application Data\Identities
C:\Documents and Settings\Ddaniels\Application Data\Imgburn
C:\Documents and Settings\Ddaniels\Application Data\Irfanview
C:\Documents and Settings\Ddaniels\Application Data\Macromedia
C:\Documents and Settings\Ddaniels\Application Data\Malwarebytes
C:\Documents and Settings\Ddaniels\Application Data\Microsoft
C:\Documents and Settings\Ddaniels\Application Data\Microsoft Web Folders -- EMPTY Directory
C:\Documents and Settings\Ddaniels\Application Data\Move Networks
C:\Documents and Settings\Ddaniels\Application Data\Msn6
C:\Documents and Settings\Ddaniels\Application Data\Nero
C:\Documents and Settings\Ddaniels\Application Data\Real
C:\Documents and Settings\Ddaniels\Application Data\Sibelius Software
C:\Documents and Settings\Ddaniels\Application Data\Spampal
C:\Documents and Settings\Ddaniels\Application Data\Sun
C:\Documents and Settings\Ddaniels\Application Data\Superantispyware.com
C:\Documents and Settings\Ddaniels\Application Data\Systenance
C:\Documents and Settings\Ddaniels\Application Data\U3
C:\Documents and Settings\Ddaniels\Application Data\Unh Solutions
C:\Documents and Settings\Ddaniels\Application Data\Utorrent
C:\Documents and Settings\Ddaniels\Application Data\Vso
C:\Documents and Settings\Ddaniels\Application Data\Walgreens
C:\Documents and Settings\Ddaniels\Application Data\Yoclient
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Jessica\Application Data\16 Kind
C:\Documents and Settings\Jessica\Application Data\Adobe
C:\Documents and Settings\Jessica\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Jessica\Application Data\Ahead
C:\Documents and Settings\Jessica\Application Data\Aim
C:\Documents and Settings\Jessica\Application Data\Apple Computer
C:\Documents and Settings\Jessica\Application Data\Arcsoft
C:\Documents and Settings\Jessica\Application Data\Ati
C:\Documents and Settings\Jessica\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Jessica\Application Data\Identities
C:\Documents and Settings\Jessica\Application Data\Imgburn
C:\Documents and Settings\Jessica\Application Data\Irfanview
C:\Documents and Settings\Jessica\Application Data\Macromedia
C:\Documents and Settings\Jessica\Application Data\Microsoft
C:\Documents and Settings\Jessica\Application Data\Microsoft Games
C:\Documents and Settings\Jessica\Application Data\Move Networks
C:\Documents and Settings\Jessica\Application Data\Msn6
C:\Documents and Settings\Jessica\Application Data\Real
C:\Documents and Settings\Jessica\Application Data\Snapfish
C:\Documents and Settings\Jessica\Application Data\Sun
C:\Documents and Settings\Jessica\Application Data\U3
C:\Documents and Settings\Jessica\Application Data\Viewpoint
C:\Documents and Settings\Localservice\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft


[[[[[[[[[[[[[[[[[[[[[[[[[[[ CFScript / ComboFix Log ]]]]]]]]]]]]]]]]]]]]]]]]]

ComboFix 08-04-22.5 - ddaniels 2008-04-24 1:16:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.45 [GMT -4:00]
Running from: D:\Download\Software\SpyWare\ComboFix.exe
Command switches used :: D:\Download\Software\SpyWare\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\Internet Logs\xDB2D2.tmp
C:\WINDOWS\Internet Logs\xDB2D3.tmp
C:\WINDOWS\Internet Logs\xDB2D4.tmp
C:\WINDOWS\Internet Logs\xDB2D6.tmp
C:\WINDOWS\Internet Logs\xDB2D7.tmp
C:\WINDOWS\Internet Logs\xDB2D8.tmp
C:\WINDOWS\Internet Logs\xDB2D9.tmp
C:\WINDOWS\Internet Logs\xDB2DA.tmp
C:\WINDOWS\Internet Logs\xDB2DB.tmp
C:\WINDOWS\Internet Logs\xDB2DC.tmp
C:\WINDOWS\Internet Logs\xDB2DD.tmp
C:\WINDOWS\Internet Logs\xDB2DE.tmp
C:\WINDOWS\Internet Logs\xDB2DF.tmp
C:\WINDOWS\Internet Logs\xDB2E0.tmp
C:\WINDOWS\Internet Logs\xDB2E1.tmp
C:\WINDOWS\Internet Logs\xDB2E2.tmp
C:\WINDOWS\Internet Logs\xDB2E3.tmp
C:\WINDOWS\Internet Logs\xDB2E4.tmp
C:\WINDOWS\Internet Logs\xDB2E5.tmp
C:\WINDOWS\Internet Logs\xDB2E6.tmp
C:\WINDOWS\Internet Logs\xDB2E7.tmp
C:\WINDOWS\Internet Logs\xDB2E8.tmp
C:\WINDOWS\Internet Logs\xDB2E9.tmp
C:\WINDOWS\Internet Logs\xDB2EA.tmp
C:\WINDOWS\Internet Logs\xDB2EB.tmp
C:\WINDOWS\Internet Logs\xDB2EC.tmp
C:\WINDOWS\Internet Logs\xDB2ED.tmp
C:\WINDOWS\Internet Logs\xDB2EE.tmp
C:\WINDOWS\Internet Logs\xDB2EF.tmp
C:\WINDOWS\Internet Logs\xDB2F0.tmp
C:\WINDOWS\Internet Logs\xDB2F3.tmp
C:\WINDOWS\Internet Logs\xDB2F4.tmp
C:\WINDOWS\Internet Logs\xDB2F5.tmp
C:\WINDOWS\Internet Logs\xDB2F6.tmp
C:\WINDOWS\Internet Logs\xDB2F7.tmp
C:\WINDOWS\Internet Logs\xDB2F8.tmp
C:\WINDOWS\Internet Logs\xDB2F9.tmp
C:\WINDOWS\Internet Logs\xDB2FA.tmp
C:\WINDOWS\Internet Logs\xDB2FB.tmp
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\Tasks\A7DD15A9901E90F5.job
C:\WINDOWS\Tasks\AE4F8EE8958C3F88.job
C:\WINDOWS\Tasks\B2791795982E8EF1.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\blake\applic~1\16kind~1\
c:\docume~1\blake\applic~1\16kind~1\\0
c:\docume~1\blake\applic~1\16kind~1\\D9C53B4B
c:\docume~1\blake\applic~1\16kind~1\\ebharjig.exe
c:\docume~1\blake\applic~1\16kind~1\\erasfwhq.exe
c:\docume~1\blake\applic~1\16kind~1\\ExitLogo.exe
c:\docume~1\blake\applic~1\16kind~1\\qzlkqqxu.exe
c:\docume~1\blake\applic~1\16kind~1\\smukdinb.exe
c:\docume~1\blake\applic~1\16kind~1\\third tons up.exe
c:\docume~1\blake\applic~1\16kind~1\\tzqjgxut.exe
c:\docume~1\blake\applic~1\16kind~1\\zutjvkti.exe
C:\Documents and Settings\All Users\Application Data\aim mix proc pure
C:\Documents and Settings\All Users\Application Data\aim mix proc pure\bat soap.exe
C:\Documents and Settings\All Users\Application Data\Close Noun Junk Logo
C:\Documents and Settings\All Users\Application Data\Close Noun Junk Logo\GREAT UP.exe
C:\Documents and Settings\All Users\Application Data\Close Noun Junk Logo\Help Beep.exe
C:\Documents and Settings\All Users\Application Data\Close Noun Junk Logo\Multi Ball.exe
C:\Documents and Settings\All Users\Application Data\Close Noun Junk Logo\save base.exe
C:\Documents and Settings\All Users\Application Data\Close Noun Junk Logo\Settings Trans.exe
C:\Documents and Settings\ddaniels\Application Data\16 kind
C:\Documents and Settings\ddaniels\Application Data\16 kind\0
C:\Documents and Settings\ddaniels\Application Data\16 kind\ExitLogo.exe
C:\Documents and Settings\ddaniels\Application Data\16 kind\jdelwubx.exe
C:\Documents and Settings\ddaniels\Application Data\16 kind\qxsdvkcu.exe
C:\Documents and Settings\ddaniels\Application Data\16 kind\third tons up.exe
C:\Documents and Settings\Jessica\Application Data\16 kind
C:\Documents and Settings\Jessica\Application Data\16 kind\0
C:\Documents and Settings\Jessica\Application Data\16 kind\afiineel.exe
C:\Documents and Settings\Jessica\Application Data\16 kind\bwdeglec.exe
C:\Documents and Settings\Jessica\Application Data\16 kind\etyumquk.exe
C:\Documents and Settings\Jessica\Application Data\16 kind\ExitLogo.exe
C:\Documents and Settings\Jessica\Application Data\16 kind\third tons up.exe
C:\Documents and Settings\Jessica\Application Data\16 kind\uounxjhg.exe
C:\Documents and Settings\Jessica\Application Data\16 kind\wmnhklac.exe
C:\Documents and Settings\Jessica\Application Data\16 kind\zblufgoa.exe
C:\Program Files\16 kind
C:\WINDOWS\Internet Logs\xDB2D2.tmp
C:\WINDOWS\Internet Logs\xDB2D3.tmp
C:\WINDOWS\Internet Logs\xDB2D4.tmp
C:\WINDOWS\Internet Logs\xDB2D6.tmp
C:\WINDOWS\Internet Logs\xDB2D7.tmp
C:\WINDOWS\Internet Logs\xDB2D8.tmp
C:\WINDOWS\Internet Logs\xDB2D9.tmp
C:\WINDOWS\Internet Logs\xDB2DA.tmp
C:\WINDOWS\Internet Logs\xDB2DB.tmp
C:\WINDOWS\Internet Logs\xDB2DC.tmp
C:\WINDOWS\Internet Logs\xDB2DD.tmp
C:\WINDOWS\Internet Logs\xDB2DE.tmp
C:\WINDOWS\Internet Logs\xDB2DF.tmp
C:\WINDOWS\Internet Logs\xDB2E0.tmp
C:\WINDOWS\Internet Logs\xDB2E1.tmp
C:\WINDOWS\Internet Logs\xDB2E2.tmp
C:\WINDOWS\Internet Logs\xDB2E3.tmp
C:\WINDOWS\Internet Logs\xDB2E4.tmp
C:\WINDOWS\Internet Logs\xDB2E5.tmp
C:\WINDOWS\Internet Logs\xDB2E6.tmp
C:\WINDOWS\Internet Logs\xDB2E7.tmp
C:\WINDOWS\Internet Logs\xDB2E8.tmp
C:\WINDOWS\Internet Logs\xDB2E9.tmp
C:\WINDOWS\Internet Logs\xDB2EA.tmp
C:\WINDOWS\Internet Logs\xDB2EB.tmp
C:\WINDOWS\Internet Logs\xDB2EC.tmp
C:\WINDOWS\Internet Logs\xDB2ED.tmp
C:\WINDOWS\Internet Logs\xDB2EE.tmp
C:\WINDOWS\Internet Logs\xDB2EF.tmp
C:\WINDOWS\Internet Logs\xDB2F0.tmp
C:\WINDOWS\Internet Logs\xDB2F3.tmp
C:\WINDOWS\Internet Logs\xDB2F4.tmp
C:\WINDOWS\Internet Logs\xDB2F5.tmp
C:\WINDOWS\Internet Logs\xDB2F6.tmp
C:\WINDOWS\Internet Logs\xDB2F7.tmp
C:\WINDOWS\Internet Logs\xDB2F8.tmp
C:\WINDOWS\Internet Logs\xDB2F9.tmp
C:\WINDOWS\Internet Logs\xDB2FA.tmp
C:\WINDOWS\Internet Logs\xDB2FB.tmp
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn

.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-23 23:47 . 2008-04-23 23:51 <DIR> d-------- C:\NoLopBackups
2008-04-21 20:28 . 2008-04-21 20:29 <DIR> d-------- C:\Program Files\Panda Security
2008-04-20 02:57 . 2008-04-22 20:37 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-20 02:57 . 2008-04-20 02:57 <DIR> d-------- C:\Documents and Settings\ddaniels\Application Data\SUPERAntiSpyware.com
2008-04-20 02:57 . 2008-04-20 02:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-20 02:56 . 2008-04-20 02:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-19 23:55 . 2008-04-19 23:55 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-19 23:55 . 2008-04-19 23:55 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-19 23:55 . 2008-04-19 23:55 <DIR> d-------- C:\Documents and Settings\ddaniels\Application Data\Malwarebytes
2008-04-19 23:55 . 2008-04-19 23:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-19 16:42 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-04-18 00:27 . 2008-04-18 00:26 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-18 00:27 . 2008-04-18 00:27 2,546 --a------ C:\WINDOWS\unins000.dat
2008-04-16 22:27 . 2008-04-19 17:37 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-14 19:46 . 2007-07-26 22:08 19,072 -ra------ C:\WINDOWS\system32\drivers\ax88772.sys
2008-04-04 21:00 . 2006-12-26 14:58 189,312 --a------ C:\WINDOWS\system32\drivers\RTL8187B.sys
2008-04-04 20:59 . 2008-04-04 20:59 <DIR> d-------- C:\WINDOWS\OPTIONS
2008-04-04 20:59 . 2008-04-04 20:59 <DIR> d-------- C:\Program Files\TRENDnet
2008-04-04 20:59 . 2008-04-04 20:59 21,035 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-03-25 22:12 . 2007-04-24 16:30 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2008-03-25 22:12 . 2008-03-04 12:33 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-03-25 22:12 . 2008-03-04 12:32 6,144 --a------ C:\WINDOWS\system32\ff_acm.acm
2008-03-25 22:12 . 2007-07-10 17:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-03-25 22:11 . 2008-03-25 22:12 <DIR> d-------- C:\Program Files\ffdshow
2008-03-25 22:07 . 2008-03-25 22:07 <DIR> d-------- C:\Program Files\AVIcodec

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-20 03:31 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-20 02:20 --------- d-----w C:\Program Files\Viewpoint
2008-04-20 02:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-20 02:18 --------- d-----w C:\Program Files\KaZaA Lite
2008-04-20 02:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-04-18 04:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-18 04:31 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-15 05:09 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-09 03:44 --------- d-----w C:\Program Files\ZoomTown
2008-04-05 07:31 --------- d-----w C:\Documents and Settings\ddaniels\Application Data\DVD Flick
2008-04-05 01:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-02 04:20 --------- d-----w C:\Documents and Settings\ddaniels\Application Data\uTorrent
2008-03-31 13:26 --------- d-----w C:\Documents and Settings\Blake\Application Data\LimeWire
2008-03-31 00:04 --------- d-----w C:\Documents and Settings\ddaniels\Application Data\Vso
2008-03-28 02:56 --------- d-----w C:\Documents and Settings\ddaniels\Application Data\DivX
2008-03-28 02:26 --------- d-----w C:\Program Files\Yahoo!
2008-03-28 02:25 --------- d-----w C:\Program Files\Nero
2008-03-28 02:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-03-23 05:22 --------- d-----w C:\Program Files\uTorrent
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-17 03:48 --------- d-----w C:\Program Files\DivX
2008-03-17 02:21 --------- d-----w C:\Program Files\Giant
2008-03-16 18:31 --------- d-----w C:\Documents and Settings\ddaniels\Application Data\ImgBurn
2008-03-10 20:54 --------- d-----w C:\Documents and Settings\Jessica\Application Data\Move Networks
2008-03-08 17:21 --------- d-----w C:\Documents and Settings\Jessica\Application Data\ImgBurn
2008-03-08 17:17 --------- d-----w C:\Program Files\ImgBurn
2008-03-05 03:35 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-05 01:35 --------- d-----w C:\Program Files\DVDInfoPro
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-01 06:18 --------- d-----w C:\Program Files\DVD Flick
2008-03-01 05:16 --------- d-----w C:\Program Files\Xvid
2008-03-01 04:19 --------- d-----w C:\Program Files\Common Files\Ahead
2008-02-27 04:04 22,782 ----a-w C:\WINDOWS\system32\UninstXviDDec.exe
2008-02-26 04:35 --------- d-----w C:\Documents and Settings\ddaniels\Application Data\Nero
2008-02-26 01:29 --------- d-----w C:\Program Files\ahead
2008-02-21 02:05 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-02-21 02:05 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-02-21 02:05 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-02-21 02:05 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2008-02-21 02:05 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2008-02-21 02:05 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2008-02-21 02:05 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-02-21 02:04 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-02-21 02:04 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-02-21 02:04 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-02-21 02:04 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-02-21 02:04 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-02-21 02:04 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-02-21 02:04 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-02-21 02:04 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-02-21 02:04 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-02-21 02:04 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-02-21 02:04 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-02-21 02:04 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-02-21 02:03 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-02-21 02:03 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-13 03:35 47,360 ----a-w C:\Documents and Settings\ddaniels\Application Data\pcouffin.sys
2008-02-06 22:03 18,432 ----a-w C:\WINDOWS\Internet Logs\xDB2D1.tmp
2008-02-06 21:35 3,001,344 ----a-w C:\WINDOWS\Internet Logs\xDB2D0.tmp
2008-02-05 21:38 24,064 ----a-w C:\WINDOWS\Internet Logs\xDB2D5.tmp
2008-02-05 21:31 3,001,344 ----a-w C:\WINDOWS\Internet Logs\xDB2CF.tmp
2008-02-04 23:59 46,592 ----a-w C:\WINDOWS\Internet Logs\xDB2CE.tmp
2008-02-04 23:15 3,001,344 ----a-w C:\WINDOWS\Internet Logs\xDB2CB.tmp
2008-02-02 01:46 3,001,344 ----a-w C:\WINDOWS\Internet Logs\xDB2C9.tmp
2008-02-02 01:34 237,568 ----a-w C:\WINDOWS\Internet Logs\xDB2CA.tmp
2007-12-08 19:42 384 ----a-w C:\Documents and Settings\Blake\Application Data\internaldb6334.dat
2007-12-08 18:47 555 ----a-w C:\Documents and Settings\Blake\Application Data\internaldb8467.dat
2007-12-08 18:47 18,432 ----a-w C:\Documents and Settings\Blake\Application Data\internaldb41.dat
2004-04-27 21:57 26,678 ----a-w C:\Program Files\SUNDAE.BMP
2004-04-27 21:57 26,678 ----a-w C:\Program Files\MORNINGB.BMP
.

((((((((((((((((((((((((((((( snapshot@2008-04-23_22.24.21.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-23 00:35:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-24 03:51:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2006-06-19 20:20:42 702,768 ------w C:\WINDOWS\system32\WgaLogon.dll
+ 2007-04-10 18:00:46 236,928 ----a-w C:\WINDOWS\system32\WgaLogon.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 05:21 90112]
"Zone Labs Client"="D:\Programs\ZONEAL~1\zlclient.exe" [2004-02-17 18:01 693528]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-05-04 00:38 180269]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-06 01:07 61440]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"NWEReboot"="" []
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [ ]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-10-18 03:00 155648]
"mswspl"="C:\Program Files\Windows Media Player\wmplayer.exe" [2004-08-04 03:56 73728]
"Memo Dent Junk Readme"="C:\Documents and Settings\All Users\Application Data\Plan Team Memo Dent\OwnsFree.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048]
"HostManager"="C:\Program Files\Common Files\AOL\1125010856\ee\AOLHostManager.exe" [ ]

C:\Documents and Settings\ddaniels\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2004-02-15 15:37:01 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-08-06 01:07:30 61440]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 65588]
NoLop.exe [2008-04-23 23:35:37 40448]
Wireless Configuration Utility HW.14.lnk - C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe [2006-12-22 11:17:32 598016]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-04-22 20:37 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"msacm.avis"= ff_acm.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Download\\Software\\WinMx\\WinMX\\WinMX.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Games\\Ages of Empires\\EMPIRES2.EXE"=
"C:\\StubInstaller.exe"=
"C:\\Documents and Settings\\Jessica\\Desktop\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\TRENDnet\\TEW-424UB\\WlanCU.exe"=

R3 AX88772;ASIX AX88772 USB2.0 to Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\ax88772.sys [2007-07-26 22:08]
S3 ELNK3;3Com EtherLink III;C:\WINDOWS\system32\DRIVERS\elnk3.sys [2001-08-17 08:10]
S3 RTL8187B;TRENDnet TEW-424UB Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187B.sys [2006-12-26 14:58]
S3 USB_RNDIS_XP;Westell USB Network Interface;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 02:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ba297b5-cdaf-11db-8ab4-00183a30470b}]
\Shell\AutoRun\command - E:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-14 21:18:16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 01:23:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll
.
Completion time: 2008-04-24 1:27:41
ComboFix-quarantined-files.txt 2008-04-24 05:27:34
ComboFix2.txt 2008-04-24 02:25:02

Pre-Run: 9,300,475,904 bytes free
Post-Run: 9,242,619,904 bytes free

322 --- E O F --- 2008-04-09 05:29:01


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
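The two parts of the ComboFix output above that an analyst reads most carefully when a machine keeps spawning browser processes are the firewall exception list (every entry is a program that was granted inbound network access) and the mountpoints2 AutoRun entry (a command Explorer runs when a particular volume is mounted). The following is an added example, not code from the forum, the poster or ComboFix: it parses a constructed excerpt of those two log sections and flags firewall exceptions that live outside Program Files or the Windows directory, which is where a P2P client dropped on a Desktop or a lone installer stub in the drive root stand out. The heuristics and the "reason" labels are assumptions of mine for illustration; a flagged path is a prompt for manual review, not a malware verdict. Note that ComboFix writes the registry paths with doubled backslashes, like a .reg export, so they are unescaped before matching.

```python
"""Added example: triage two sections of a ComboFix-style log (not ComboFix's own code)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of the firewall AuthorizedApplications list and the
# mountpoints2 AutoRun entry copied from the log posted above. Not the full log.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Download\\Software\\WinMx\\WinMX\\WinMX.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\StubInstaller.exe"=
"C:\\Documents and Settings\\Jessica\\Desktop\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ba297b5-cdaf-11db-8ab4-00183a30470b}]
\Shell\AutoRun\command - E:\LaunchU3.exe
"""

# Assumed "expected" install locations for a program that legitimately needs a
# firewall exception. Anything else is worth a second look, not automatically bad.
TRUSTED_PREFIXES = ("%windir%\\", "c:\\windows\\", "c:\\program files\\")


def parse_sections(log: str) -> Dict[str, List[str]]:
    """Split the log into {registry key: [lines under it]} using the [key] headers."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def firewall_exceptions(sections: Dict[str, List[str]]) -> List[str]:
    """Return executable paths listed under any ...\\AuthorizedApplications\\List key."""
    paths: List[str] = []
    for key, lines in sections.items():
        if not key.lower().endswith("authorizedapplications\\list"):
            continue
        for line in lines:
            m = re.match(r'^"(.*)"=', line)
            if m:
                # ComboFix doubles backslashes in these values; collapse them.
                paths.append(m.group(1).replace("\\\\", "\\"))
    return paths


def classify_exception(path: str) -> str:
    """Label a firewall exception by where its executable lives (heuristic, assumed)."""
    low = path.lower()
    if low.startswith(TRUSTED_PREFIXES):
        return "expected location"
    if re.fullmatch(r"[a-z]:\\[^\\]+", low):
        return "executable in drive root"
    if "\\documents and settings\\" in low:
        return "inside a user profile"
    return "outside Program Files / Windows"


def autorun_commands(sections: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (volume GUID, command) for every mountpoints2 AutoRun command line."""
    found: List[Tuple[str, str]] = []
    for key, lines in sections.items():
        if "mountpoints2" not in key.lower():
            continue
        volume = key.rsplit("\\", 1)[-1]
        for line in lines:
            m = re.match(r"^\\Shell\\AutoRun\\command\s*-\s*(.+)$", line)
            if m:
                found.append((volume, m.group(1).strip()))
    return found


def review(log: str) -> Dict[str, list]:
    """Flag firewall exceptions outside expected locations and list AutoRun commands."""
    sections = parse_sections(log)
    flagged = [(p, classify_exception(p)) for p in firewall_exceptions(sections)]
    flagged = [(p, why) for p, why in flagged if why != "expected location"]
    return {"firewall": flagged, "autorun": autorun_commands(sections)}


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for path, reason in result["firewall"]:
        print(f"firewall exception to review: {path} ({reason})")
    for volume, command in result["autorun"]:
        print(f"AutoRun command on mounted volume {volume}: {command}")
```

Run against the sample, the script singles out the WinMX and LimeWire clients and C:\StubInstaller.exe for review and reports the E:\LaunchU3.exe AutoRun command; iexplore.exe, uTorrent and sessmgr.exe pass because they sit in expected locations. The same parser can be pointed at a full ComboFix log file by reading it into `review()`.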

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Thanks. Will take note of that and change the link accordingly :)

Combofix should restart the computer for you. If you see a blue screen, it's probably still running. It should be showing you the stage that it's up to (43 stages total).

Delete these:

C:\WINDOWS\Internet Logs\xDB2D1.tmp
C:\WINDOWS\Internet Logs\xDB2D0.tmp
C:\WINDOWS\Internet Logs\xDB2D5.tmp
C:\WINDOWS\Internet Logs\xDB2CF.tmp
C:\WINDOWS\Internet Logs\xDB2CE.tmp
C:\WINDOWS\Internet Logs\xDB2CB.tmp
C:\WINDOWS\Internet Logs\xDB2C9.tmp
C:\WINDOWS\Internet Logs\xDB2CA.tmp
C:\Documents and Settings\Blake\Application Data\internaldb6334.dat
C:\Documents and Settings\Blake\Application Data\internaldb8467.dat
C:\Documents and Settings\Blake\Application Data\internaldb41.dat


Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run and copy/paste in combofix /u and hit OK to remove it. You should be set to go.

#7 gearhead4 (Topic Starter, New Member, 9 posts)
All is well with my machine ... you guys are MAGIC!!!
Much appreciate the help and I can't get over the extremely prompt responses from your team.
Will read and live by the "Anti-Spyware Tutorial" and hope for the best.

Thanks again,
GEARHEAD4

#8 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.