another victim of ... http://viruswebprotect.com, please help. [RES



#1 jtsirnik (Member, 10 posts)

Hi everyone, I'm having some trouble getting this pesky malware out. I was hoping one of you might be able to help me, since I'm at a dead end. I have read some of the other topics in the past concerning this malware, but it seems to be different for everyone, so I'll post my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:15:58 AM, on 4/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\Ati2evxx.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
I:\WINDOWS\system32\Ati2evxx.exe
I:\WINDOWS\Explorer.EXE
I:\WINDOWS\system32\spoolsv.exe
I:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
I:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
I:\Program Files\Common Files\AOL\1163796153\ee\services\safetyCore\ver2_5_4_1\aolavupd.exe
I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
I:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
I:\Program Files\Bonjour\mDNSResponder.exe
I:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
I:\WINDOWS\system32\svchost.exe
I:\PROGRA~1\mcafee.com\ANTIVI~1\OasClnt.exe
I:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
I:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
I:\Program Files\QuickTime\qttask.exe
I:\WINDOWS\system32\ctfmon.exe
I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
I:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
I:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
I:\Program Files\Mozilla Firefox\firefox.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - I:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - I:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - I:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [ATIPTA] I:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "I:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "I:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "I:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = I:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = I:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: GARO Status Monitor.lnk = I:\Program Files\Canon\GAROStatusMonitor\cnwism.exe
O8 - Extra context menu item: &AOL Toolbar search - res://I:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - I:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - I:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - I:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - I:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - I:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-w...agi3.0.84.2.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecu...asyInstallX.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{16056A8A-A030-421B-89AA-8A06C99C9F36}: NameServer = 24.29.99.35,24.29.99.36
O20 - Winlogon Notify: wvUKdASM - I:\WINDOWS\
O21 - SSODL: DriveSys - {05255934-854f-4cb7-971c-f47e5da4ba5c} - I:\WINDOWS\Resources\DriveSys.dll (file missing)
O21 - SSODL: omlbpkaw - {AEF16746-7092-4428-AF72-C98DAAC55411} - I:\WINDOWS\omlbpkaw.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - I:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - I:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC - I:\Program Files\Common Files\AOL\1163796153\ee\services\safetyCore\ver2_5_4_1\aolavupd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - I:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - I:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - I:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - I:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - I:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - I:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - I:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - I:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: Symantec Core LC - Unknown owner - I:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: Privacy Protection - file:///I:\WINDOWS\privacy_danger\index.htm

--
End of file - 9172 bytes



Thanks in advance.

Edited by jtsirnik, 24 April 2008 - 07:24 AM.

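Added example, not part of the thread or of HijackThis: a small triage pass over a HijackThis 2.0 log that picks out the persistence points this family leaves behind. The rules are heuristics written for this example (a Winlogon Notify entry with no DLL name, an SSODL DLL with a random eight-letter name loaded from outside system32, an Active Desktop component that points at a local HTML page, a hijacked start page, and orphaned "(no file)" entries). SAMPLE_LOG is a constructed subset of the lines in the post above, with a benign BHO kept in to show it is left alone.

```python
"""Triage a HijackThis 2.0 log for the fake-antivirus footprint seen above.

Added example for this thread; it is not part of HijackThis, ComboFix or the
original post. The rules are heuristics written for this example, and the
sample log is a constructed subset of the lines the poster pasted.
"""
import re
from dataclasses import dataclass

# Every HijackThis entry is "<tag> - <body>", e.g. "O21 - SSODL: ...".
ENTRY_RE = re.compile(r"^(?P<tag>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
# The dropped files in this thread all carry eight random lower-case
# letters (omlbpkaw.dll, npqtsrak.exe, ynenizof.exe): a crude but useful tell.
RANDOM_NAME_RE = re.compile(r"(?:^|\\)[a-z]{8}\.(?:dll|exe|ini)$")


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    tag: str
    reason: str
    line: str


def _last_field(body):
    """Return the text after the final ' - ' separator of an entry body."""
    return body.rsplit(" - ", 1)[-1].strip()


def triage(log_text):
    """Return Finding objects for the entries worth acting on or checking."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tag, body = m.group("tag"), m.group("body")
        target = _last_field(body)
        if tag == "R0" and "Start Page" in body:
            url = body.split("=", 1)[1].strip()
            if "go.microsoft." not in url:  # the XP/IE7 default start page
                findings.append(Finding("medium", tag, "IE start page hijacked: " + url, line))
        elif tag == "O20" and body.startswith("Winlogon Notify:"):
            # A Notify package must name a DLL; a bare directory means the
            # value is broken or the DLL is being hidden from the log.
            if not target.lower().endswith(".dll"):
                findings.append(Finding("high", tag, "Winlogon Notify entry without a DLL name", line))
        elif tag == "O21" and body.startswith("SSODL:"):
            if target.endswith("(file missing)"):
                findings.append(Finding("info", tag, "orphaned SSODL entry (DLL already gone)", line))
            elif RANDOM_NAME_RE.search(target) or "\\system32\\" not in target.lower():
                findings.append(Finding("high", tag, "random-named or non-system32 SSODL DLL (Explorer loads it at every logon)", line))
        elif tag == "O24":
            if target.lower().startswith("file:///"):
                findings.append(Finding("high", tag, "Active Desktop replaced by a local HTML page", line))
        elif tag in ("O3", "O9") and target == "(no file)":
            findings.append(Finding("info", tag, "orphaned toolbar/button entry", line))
        elif tag == "O17":
            findings.append(Finding("info", tag, "check that these DNS servers belong to your ISP", line))
    return findings


def severity_counts(findings):
    """Count findings per severity level."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed subset of the HijackThis log posted above (benign lines kept
# to show they are not flagged).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{16056A8A-A030-421B-89AA-8A06C99C9F36}: NameServer = 24.29.99.35,24.29.99.36
O20 - Winlogon Notify: wvUKdASM - I:\WINDOWS\
O21 - SSODL: DriveSys - {05255934-854f-4cb7-971c-f47e5da4ba5c} - I:\WINDOWS\Resources\DriveSys.dll (file missing)
O21 - SSODL: omlbpkaw - {AEF16746-7092-4428-AF72-C98DAAC55411} - I:\WINDOWS\omlbpkaw.dll
O24 - Desktop Component 0: Privacy Protection - file:///I:\WINDOWS\privacy_danger\index.htm
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.tag}: {f.reason}\n         {f.line}")
```

The three "high" hits are exactly the entries greyknight17 removes later in the thread (the Notify key, the omlbpkaw.dll SSODL value and the privacy_danger desktop component); the orphaned DriveSys entry is only clutter once its DLL is gone. The O17 line is reported for review rather than flagged, because DNS servers set by the ISP look identical in the log to ones planted by malware.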



#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Welcome to GTG.

1. Download ComboFix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe
2. Double-click ComboFix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on ComboFix's window while it's running. That may cause it to stall.


Download SmitfraudFix at http://siri.urz.free...mitfraudFix.zip and extract the content (a folder named SmitfraudFix) to your desktop.

Open the SmitfraudFix folder. Double-click on smitfraudfix.cmd and select option #1 - Search by typing 1 and press Enter. A text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 or any other option until you are directed to do so!

NOTE: process.exe is detected by some antivirus programs as a Risk Tool. It is not a virus. If you get this detected, ignore it.


#3 jtsirnik (Topic Starter)

OK, all finished, here you go.


ComboFix 08-04-22.5 - CNA 2008-04-24 9:37:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.962 [GMT -4:00]
Running from: I:\Documents and Settings\CNA\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

I:\Documents and Settings\CNA\Desktop\Error Cleaner.url
I:\Documents and Settings\CNA\Desktop\Privacy Protector.url
I:\Documents and Settings\CNA\Desktop\Spyware&Malware Protection.url
I:\Documents and Settings\CNA\Favorites\Error Cleaner.url
I:\Documents and Settings\CNA\Favorites\Privacy Protector.url
I:\Documents and Settings\CNA\Favorites\Spyware&Malware Protection.url
I:\Program Files\autorun.inf
I:\WINDOWS\cookies.ini
I:\WINDOWS\privacy_danger
I:\WINDOWS\privacy_danger\images\capt.gif
I:\WINDOWS\privacy_danger\images\danger.jpg
I:\WINDOWS\privacy_danger\images\down.gif
I:\WINDOWS\privacy_danger\images\spacer.gif
I:\WINDOWS\privacy_danger\index.htm
I:\WINDOWS\system32\iOrXwGgh.ini
I:\WINDOWS\system32\iOrXwGgh.ini2
I:\WINDOWS\system32\mlUvyccf.ini
I:\WINDOWS\system32\mlUvyccf.ini2
I:\WINDOWS\system32\moXyHRqr.ini
I:\WINDOWS\system32\moXyHRqr.ini2
I:\WINDOWS\system32bdn.com
I:\WINDOWS\system32hxiwlgpm.dat
I:\WINDOWS\system32ssvchost.com
I:\WINDOWS\system32taack.dat
I:\WINDOWS\system32VBIEWER.OCX

.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-24 08:55 . 2008-04-24 08:55 <DIR> d-------- I:\Program Files\Trend Micro
2008-04-23 17:32 . 2008-04-23 17:32 <DIR> d-------- I:\Documents and Settings\CNA\Application Data\Symantec
2008-04-23 17:29 . 2008-04-23 17:29 <DIR> d-------- I:\Program Files\Windows Sidebar
2008-04-23 17:28 . 2008-04-23 17:30 <DIR> d-------- I:\Program Files\Norton Internet Security
2008-04-23 17:26 . 2008-04-23 17:30 <DIR> d-------- I:\Program Files\Symantec
2008-04-23 17:26 . 2008-04-23 17:51 <DIR> d-------- I:\Documents and Settings\All Users\Application Data\Symantec
2008-04-23 17:26 . 2008-04-23 17:30 123,952 --a------ I:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-04-23 17:26 . 2008-04-23 17:30 60,800 --a------ I:\WINDOWS\system32\S32EVNT1.DLL
2008-04-23 17:26 . 2008-04-23 17:30 10,563 --a------ I:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-04-23 17:26 . 2008-04-23 17:30 805 --a------ I:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-04-23 17:20 . 2008-04-24 09:39 <DIR> d-------- I:\Program Files\Common Files\Symantec Shared
2008-04-23 17:15 . 2008-04-23 17:15 <DIR> d-------- I:\Documents and Settings\All Users\Symantec Temporary Files
2008-04-23 16:16 . 2008-04-23 16:16 <DIR> d-------- I:\WINDOWS\system32\Kaspersky Lab
2008-04-23 16:16 . 2008-04-23 16:16 <DIR> d-------- I:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-22 10:47 . 2008-04-22 11:19 10,752 --a------ I:\WINDOWS\DCEBoot.exe
2008-04-22 10:33 . 2008-04-23 16:19 <DIR> d-------- I:\Documents and Settings\All Users\Application Data\Trend Micro
2008-04-22 09:44 . 2008-04-22 10:23 <DIR> d-------- I:\Documents and Settings\CNA\.housecall6.6
2008-04-21 07:47 . 2008-04-21 16:25 611 --a------ I:\WINDOWS\wininit.ini
2008-04-21 07:25 . 2008-04-24 09:31 <DIR> d-------- I:\Program Files\Spybot - Search & Destroy
2008-04-21 07:25 . 2008-04-24 09:31 <DIR> d-------- I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-21 07:07 . 2008-04-21 07:21 1,540,918 --ahs---- I:\WINDOWS\system32\htkmaaqu.ini
2008-04-18 08:58 . 2008-04-23 14:17 <DIR> d-------- I:\Program Files\CCleaner
2008-04-18 08:53 . 2008-04-21 07:06 1,540,737 --ahs---- I:\WINDOWS\system32\lhlyadvg.ini
2008-04-18 08:51 . 2008-04-24 09:37 <DIR> d-------- I:\Documents and Settings\CNA\Application Data\TmpRecentIcons
2008-04-17 14:20 . 2008-04-23 17:24 <DIR> d-------- I:\Documents and Settings\All Users\Application Data\pavmpopo
2008-04-17 14:20 . 2008-04-17 12:11 221,184 --a------ I:\WINDOWS\omlbpkaw.dll
2008-04-17 14:20 . 2008-04-17 12:11 94,208 --a------ I:\WINDOWS\npqtsrak.exe
2008-04-17 09:29 . 2008-04-17 09:29 <DIR> d-------- I:\WINDOWS\system32\LogFiles
2008-04-05 07:43 . 2008-02-22 02:33 69,632 --a------ I:\WINDOWS\system32\javacpl.cpl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 15:55 --------- d-----w I:\Program Files\Sony
2008-04-18 13:10 --------- d-----w I:\Program Files\Pure Networks
2008-04-18 12:55 --------- d-----w I:\Program Files\CADDee.com
2008-04-14 11:28 --------- d-----w I:\Documents and Settings\CNA\Application Data\LimeWire
2008-04-14 11:27 --------- d-----w I:\Program Files\LimeWire
2008-04-05 11:43 --------- d-----w I:\Program Files\Java
2008-03-07 01:32 706 ----a-w I:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 01:32 23,904 ----a-w I:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 01:32 10,537 ----a-w I:\WINDOWS\system32\drivers\coh_mon.cat
2008-03-05 13:05 --------- d-----w I:\Documents and Settings\All Users\Application Data\WinZip
2008-03-05 12:50 --------- d-----w I:\Program Files\Microsoft ActiveSync
2008-02-26 15:11 --------- d-----w I:\Program Files\iTunes
2008-02-26 15:10 --------- d-----w I:\Program Files\iPod
2008-02-26 15:09 --------- d-----w I:\Program Files\QuickTime
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2008-02-07 00:05 349552 --a------ I:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-04-23 17:29 116088 --a------ I:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= "I:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll" [2008-02-07 00:05 349552]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= I:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll [2008-02-07 00:05 349552]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="I:\WINDOWS\system32\ctfmon.exe" [2004-08-12 09:18 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="I:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-06 14:01 335872]
"SunJavaUpdateSched"="I:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ccApp"="I:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 21:47 51048]
"osCheck"="I:\Program Files\Norton Internet Security\osCheck.exe" [2008-02-07 02:49 718704]
"QuickTime Task"="I:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]

I:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - I:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
AutoCAD LT Startup Accelerator.lnk - I:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 09:18:22 10872]
GARO Status Monitor.lnk - I:\Program Files\Canon\GAROStatusMonitor\cnwism.exe [2006-12-01 11:29:44 344064]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///I:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DriveSys"= {05255934-854f-4cb7-971c-f47e5da4ba5c} - I:\WINDOWS\Resources\DriveSys.dll [ ]
"omlbpkaw"= {AEF16746-7092-4428-AF72-C98DAAC55411} - I:\WINDOWS\omlbpkaw.dll [2008-04-17 12:11 221184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUKdASM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-07 00:46 57344 I:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2003-05-23 11:43 88363 I:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2006-10-23 08:50 71216 I:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLSPScheduler]
--a------ 2006-09-07 11:29 8784 I:\Program Files\Common Files\AOL\1163796153\ee\services\safetyCore\ver2_5_4_1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CnwiDeviceAgent]
--a------ 2005-08-11 20:14 65536 I:\Program Files\Canon\GAROStatusMonitor\cnwida.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-12 09:18 15360 I:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EmailScan]
--a------ 2005-10-19 13:13 460336 I:\Program Files\mcafee.com\antivirus\mcvsescn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gvhssnoy]
I:\WINDOWS\system32\ynenizof.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 14:39 1289000 I:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-09-25 20:52 50736 I:\Program Files\Common Files\AOL\1163796153\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ifhawcmg]
I:\WINDOWS\system32\tizqrcbo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 14:10 267048 I:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
--a------ 2005-08-18 17:57 116272 I:\Program Files\mcafee.com\antivirus\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 I:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rslibrry]
I:\WINDOWS\system32\jsjadkrs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--------- 2008-01-28 11:43 2097488 I:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sscRun]
--a------ 2006-09-07 11:29 153168 I:\Program Files\Common Files\AOL\1163796153\ee\SSCRun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-10-30 14:27 185632 I:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"I:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"I:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"I:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"I:\\Program Files\\America Online 9.0\\waol.exe"=
"I:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"I:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"I:\\Program Files\\Common Files\\AOL\\1163796153\\EE\\AOLServiceHost.exe"=
"I:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"I:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"I:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"I:\\Program Files\\Canon\\GAROStatusMonitor\\cnwism.exe"=
"I:\\Program Files\\Canon\\GAROStatusMonitor\\cnwida.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"I:\\Program Files\\Canon\\Network ScanGear\\SgTool.exe"=
"I:\\Program Files\\Common Files\\AOL\\1163796153\\EE\\aolsoftware.exe"=
"I:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"I:\\Program Files\\LimeWire\\LimeWire.exe"=
"I:\\Program Files\\iTunes\\iTunes.exe"=
"I:\Program Files\Microsoft ActiveSync\rapimgr.exe"= I:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"I:\Program Files\Microsoft ActiveSync\wcescomm.exe"= I:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"I:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= I:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 LiveUpdate Notice;LiveUpdate Notice;"I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
S3 COH_Mon;COH_Mon;I:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-04-09 14:26:01 I:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- I:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-23 21:32:33 I:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - CNA.job"
- I:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 09:41:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
I:\WINDOWS\system32\ati2evxx.exe
I:\WINDOWS\system32\ati2evxx.exe
I:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
I:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
I:\Program Files\Common Files\AOL\1163796153\EE\services\safetyCore\ver2_5_4_1\aolavupd.exe
I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
I:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
I:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
I:\Program Files\Bonjour\mDNSResponder.exe
I:\PROGRA~1\mcafee.com\ANTIVI~1\McShield.exe
.
**************************************************************************
.
Completion time: 2008-04-24 9:45:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-24 13:44:53

Pre-Run: 232,650,768,384 bytes free
Post-Run: 233,456,197,632 bytes free

231 --- E O F --- 2008-04-09 19:01:27

SmitFraudFix v2.318

Scan done at 9:54:35.85, Thu 04/24/2008
Run from I:\Documents and Settings\CNA\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\Ati2evxx.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
I:\WINDOWS\system32\spoolsv.exe
I:\WINDOWS\system32\Ati2evxx.exe
I:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
I:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
I:\Program Files\Common Files\AOL\1163796153\ee\services\safetyCore\ver2_5_4_1\aolavupd.exe
I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
I:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
I:\Program Files\Bonjour\mDNSResponder.exe
I:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
I:\WINDOWS\system32\svchost.exe
I:\PROGRA~1\mcafee.com\ANTIVI~1\OasClnt.exe
I:\WINDOWS\system32\ctfmon.exe
I:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
I:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
I:\Program Files\QuickTime\qttask.exe
I:\WINDOWS\explorer.exe
I:\WINDOWS\system32\notepad.exe
I:\Program Files\Common Files\AOL\1163796153\ee\aolsoftware.exe
I:\Program Files\Common Files\AOL\1163796153\ee\aolsoftware.exe
i:\program files\common files\aol\1163796153\ee\services\safetyCore\ver2_5_4_1\AOLSP Scheduler.exe
I:\Program Files\Mozilla Firefox\firefox.exe
I:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» I:\


»»»»»»»»»»»»»»»»»»»»»»»» I:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» I:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» I:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» I:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» I:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» I:\Documents and Settings\CNA


»»»»»»»»»»»»»»»»»»»»»»»» I:\Documents and Settings\CNA\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» I:\DOCUME~1\CNA\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» I:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///I:\\WINDOWS\\privacy_danger\\index.htm"
"SubscribedURL"=""
"FriendlyName"="Privacy Protection"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

[!] Suspicious: omlbpkaw.dll
SSODL: omlbpkaw - {AEF16746-7092-4428-AF72-C98DAAC55411}


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="I:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 24.29.99.35
DNS Server Search Order: 24.29.99.36

HKLM\SYSTEM\CCS\Services\Tcpip\..\{16056A8A-A030-421B-89AA-8A06C99C9F36}: NameServer=24.29.99.35,24.29.99.36
HKLM\SYSTEM\CS1\Services\Tcpip\..\{16056A8A-A030-421B-89AA-8A06C99C9F36}: NameServer=24.29.99.35,24.29.99.36
HKLM\SYSTEM\CS2\Services\Tcpip\..\{16056A8A-A030-421B-89AA-8A06C99C9F36}: NameServer=24.29.99.35,24.29.99.36


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#4 greyknight17 (Malware Expert)

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Open up I:\WINDOWS\wininit.ini in Notepad by double-clicking on that file. Then delete all the contents. Copy and paste the following two lines back into that file and save it:

[rename]
nul=


Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O24 - Desktop Component 0: Privacy Protection - file:///I:\WINDOWS\privacy_danger\index.htm

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

File::
I:\WINDOWS\system32\htkmaaqu.ini
I:\WINDOWS\system32\lhlyadvg.ini
I:\WINDOWS\omlbpkaw.dll
I:\WINDOWS\npqtsrak.exe
I:\WINDOWS\omlbpkaw.dll
I:\WINDOWS\system32\ynenizof.exe
I:\WINDOWS\system32\tizqrcbo.exe
I:\WINDOWS\system32\jsjadkrs.exe
Folder::
I:\Documents and Settings\CNA\Application Data\TmpRecentIcons
I:\Documents and Settings\All Users\Application Data\pavmpopo
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DriveSys"=-
"omlbpkaw"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUKdASM]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gvhssnoy]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ifhawcmg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rslibrry]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

How is it running so far?
  • 0

#5
jtsirnik

jtsirnik

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
here ya go... thanx again



ComboFix 08-04-22.5 - CNA 2008-04-24 10:58:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1009 [GMT -4:00]
Running from: I:\Documents and Settings\CNA\Desktop\ComboFix.exe
Command switches used :: I:\Documents and Settings\CNA\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

I:\Documents and Settings\All Users\Application Data\pavmpopo
I:\Documents and Settings\CNA\Application Data\TmpRecentIcons
I:\Documents and Settings\CNA\Application Data\TmpRecentIcons\CCleaner.lnk
I:\Documents and Settings\CNA\Application Data\TmpRecentIcons\HijackThis.lnk
I:\Documents and Settings\CNA\Application Data\TmpRecentIcons\LimeWire 4.16.6.lnk
I:\Documents and Settings\CNA\Application Data\TmpRecentIcons\Microsoft Project.lnk
I:\Documents and Settings\CNA\Application Data\TmpRecentIcons\Shortcut to Norton Internet Security 2008.lnk
I:\Documents and Settings\CNA\Application Data\TmpRecentIcons\Spybot - Search & Destroy.lnk

.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-24 09:54 . 2007-09-06 00:22 289,144 --a------ I:\WINDOWS\system32\VCCLSID.exe
2008-04-24 09:54 . 2006-04-27 17:49 288,417 --a------ I:\WINDOWS\system32\SrchSTS.exe
2008-04-24 09:54 . 2008-04-24 08:10 86,528 --a------ I:\WINDOWS\system32\VACFix.exe
2008-04-24 09:54 . 2008-04-23 22:14 82,944 --a------ I:\WINDOWS\system32\IEDFix.exe
2008-04-24 09:54 . 2008-04-23 22:14 82,944 --a------ I:\WINDOWS\system32\404Fix.exe
2008-04-24 09:54 . 2003-06-05 21:13 53,248 --a------ I:\WINDOWS\system32\Process.exe
2008-04-24 09:54 . 2004-07-31 18:50 51,200 --a------ I:\WINDOWS\system32\dumphive.exe
2008-04-24 09:54 . 2007-10-04 00:36 25,600 --a------ I:\WINDOWS\system32\WS2Fix.exe
2008-04-24 09:54 . 2008-04-24 09:54 1,872 --a------ I:\WINDOWS\system32\tmp.reg
2008-04-24 08:55 . 2008-04-24 08:55 <DIR> d-------- I:\Program Files\Trend Micro
2008-04-23 17:32 . 2008-04-23 17:32 <DIR> d-------- I:\Documents and Settings\CNA\Application Data\Symantec
2008-04-23 17:29 . 2008-04-23 17:29 <DIR> d-------- I:\Program Files\Windows Sidebar
2008-04-23 17:28 . 2008-04-23 17:30 <DIR> d-------- I:\Program Files\Norton Internet Security
2008-04-23 17:26 . 2008-04-23 17:30 <DIR> d-------- I:\Program Files\Symantec
2008-04-23 17:26 . 2008-04-23 17:51 <DIR> d-------- I:\Documents and Settings\All Users\Application Data\Symantec
2008-04-23 17:26 . 2008-04-23 17:30 123,952 --a------ I:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-04-23 17:26 . 2008-04-23 17:30 60,800 --a------ I:\WINDOWS\system32\S32EVNT1.DLL
2008-04-23 17:26 . 2008-04-23 17:30 10,563 --a------ I:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-04-23 17:26 . 2008-04-23 17:30 805 --a------ I:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-04-23 17:20 . 2008-04-24 09:39 <DIR> d-------- I:\Program Files\Common Files\Symantec Shared
2008-04-23 17:15 . 2008-04-23 17:15 <DIR> d-------- I:\Documents and Settings\All Users\Symantec Temporary Files
2008-04-23 16:16 . 2008-04-23 16:16 <DIR> d-------- I:\WINDOWS\system32\Kaspersky Lab
2008-04-23 16:16 . 2008-04-23 16:16 <DIR> d-------- I:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-22 10:47 . 2008-04-22 11:19 10,752 --a------ I:\WINDOWS\DCEBoot.exe
2008-04-22 10:33 . 2008-04-23 16:19 <DIR> d-------- I:\Documents and Settings\All Users\Application Data\Trend Micro
2008-04-22 09:44 . 2008-04-22 10:23 <DIR> d-------- I:\Documents and Settings\CNA\.housecall6.6
2008-04-21 07:47 . 2008-04-24 10:54 18 --a------ I:\WINDOWS\wininit.ini
2008-04-21 07:25 . 2008-04-24 09:31 <DIR> d-------- I:\Program Files\Spybot - Search & Destroy
2008-04-21 07:25 . 2008-04-24 09:31 <DIR> d-------- I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-21 07:07 . 2008-04-21 07:21 1,540,918 --ahs---- I:\WINDOWS\system32\htkmaaqu.ini
2008-04-18 08:58 . 2008-04-23 14:17 <DIR> d-------- I:\Program Files\CCleaner
2008-04-18 08:53 . 2008-04-21 07:06 1,540,737 --ahs---- I:\WINDOWS\system32\lhlyadvg.ini
2008-04-17 14:20 . 2008-04-17 12:11 221,184 --a------ I:\WINDOWS\omlbpkaw.dll
2008-04-17 14:20 . 2008-04-17 12:11 94,208 --a------ I:\WINDOWS\npqtsrak.exe
2008-04-17 09:29 . 2008-04-17 09:29 <DIR> d-------- I:\WINDOWS\system32\LogFiles
2008-04-05 07:43 . 2008-02-22 02:33 69,632 --a------ I:\WINDOWS\system32\javacpl.cpl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 15:55 --------- d-----w I:\Program Files\Sony
2008-04-18 13:10 --------- d-----w I:\Program Files\Pure Networks
2008-04-18 12:55 --------- d-----w I:\Program Files\CADDee.com
2008-04-14 11:28 --------- d-----w I:\Documents and Settings\CNA\Application Data\LimeWire
2008-04-14 11:27 --------- d-----w I:\Program Files\LimeWire
2008-04-05 11:43 --------- d-----w I:\Program Files\Java
2008-03-19 09:47 1,845,248 ----a-w I:\WINDOWS\system32\win32k.sys
2008-03-07 01:32 706 ----a-w I:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 01:32 23,904 ----a-w I:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 01:32 10,537 ----a-w I:\WINDOWS\system32\drivers\coh_mon.cat
2008-03-05 13:05 --------- d-----w I:\Documents and Settings\All Users\Application Data\WinZip
2008-03-05 12:50 --------- d-----w I:\Program Files\Microsoft ActiveSync
2008-03-01 13:06 826,368 ----a-w I:\WINDOWS\system32\wininet.dll
2008-02-26 15:11 --------- d-----w I:\Program Files\iTunes
2008-02-26 15:10 --------- d-----w I:\Program Files\iPod
2008-02-26 15:09 --------- d-----w I:\Program Files\QuickTime
2008-02-20 06:51 282,624 ----a-w I:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w I:\WINDOWS\system32\dnsrslvr.dll
2008-02-06 21:43 579,464 ----a-w I:\WINDOWS\system32\SymNeti.dll
2008-02-06 21:43 207,240 ----a-w I:\WINDOWS\system32\SymRedir.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2008-02-07 00:05 349552 --a------ I:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-04-23 17:29 116088 --a------ I:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= "I:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll" [2008-02-07 00:05 349552]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= I:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll [2008-02-07 00:05 349552]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="I:\WINDOWS\system32\ctfmon.exe" [2004-08-12 09:18 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="I:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-06 14:01 335872]
"SunJavaUpdateSched"="I:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ccApp"="I:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 21:47 51048]
"osCheck"="I:\Program Files\Norton Internet Security\osCheck.exe" [2008-02-07 02:49 718704]
"QuickTime Task"="I:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]

I:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - I:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
AutoCAD LT Startup Accelerator.lnk - I:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 09:18:22 10872]
GARO Status Monitor.lnk - I:\Program Files\Canon\GAROStatusMonitor\cnwism.exe [2006-12-01 11:29:44 344064]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-07 00:46 57344 I:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2003-05-23 11:43 88363 I:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2006-10-23 08:50 71216 I:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLSPScheduler]
--a------ 2006-09-07 11:29 8784 I:\Program Files\Common Files\AOL\1163796153\ee\services\safetyCore\ver2_5_4_1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CnwiDeviceAgent]
--a------ 2005-08-11 20:14 65536 I:\Program Files\Canon\GAROStatusMonitor\cnwida.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-12 09:18 15360 I:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EmailScan]
--a------ 2005-10-19 13:13 460336 I:\Program Files\mcafee.com\antivirus\mcvsescn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 14:39 1289000 I:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-09-25 20:52 50736 I:\Program Files\Common Files\AOL\1163796153\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 14:10 267048 I:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
--a------ 2005-08-18 17:57 116272 I:\Program Files\mcafee.com\antivirus\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 I:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--------- 2008-01-28 11:43 2097488 I:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sscRun]
--a------ 2006-09-07 11:29 153168 I:\Program Files\Common Files\AOL\1163796153\ee\SSCRun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-10-30 14:27 185632 I:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"I:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"I:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"I:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"I:\\Program Files\\America Online 9.0\\waol.exe"=
"I:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"I:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"I:\\Program Files\\Common Files\\AOL\\1163796153\\EE\\AOLServiceHost.exe"=
"I:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"I:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"I:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"I:\\Program Files\\Canon\\GAROStatusMonitor\\cnwism.exe"=
"I:\\Program Files\\Canon\\GAROStatusMonitor\\cnwida.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"I:\\Program Files\\Canon\\Network ScanGear\\SgTool.exe"=
"I:\\Program Files\\Common Files\\AOL\\1163796153\\EE\\aolsoftware.exe"=
"I:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"I:\\Program Files\\LimeWire\\LimeWire.exe"=
"I:\\Program Files\\iTunes\\iTunes.exe"=
"I:\Program Files\Microsoft ActiveSync\rapimgr.exe"= I:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"I:\Program Files\Microsoft ActiveSync\wcescomm.exe"= I:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"I:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= I:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 LiveUpdate Notice;LiveUpdate Notice;"I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
S3 COH_Mon;COH_Mon;I:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-04-09 14:26:01 I:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- I:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-23 21:32:33 I:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - CNA.job"
- I:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 11:00:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-24 11:00:54
ComboFix-quarantined-files.txt 2008-04-24 15:00:40
ComboFix2.txt 2008-04-24 13:45:02

Pre-Run: 233,421,733,888 bytes free
Post-Run: 233,411,534,848 bytes free

201 --- E O F --- 2008-04-09 19:01:27
  • 0

#6
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Let's try this again:

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

KILLALL::
File::
I:\WINDOWS\system32\htkmaaqu.ini
I:\WINDOWS\system32\lhlyadvg.ini
I:\WINDOWS\omlbpkaw.dll
I:\WINDOWS\npqtsrak.exe

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

Is there any improvement?
  • 0
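The two CFScript files given in posts #4 and #6 use ComboFix's section syntax: KILLALL::, File::, Folder:: and Registry::, where the Registry:: block is REGEDIT4 syntax ([-KEY] deletes a whole key, "name"=- deletes a single value). The script below is an added example for this thread, not ComboFix's own code and not something either poster wrote: it dry-runs a CFScript by parsing those sections and listing exactly what the script will delete, so a helper or the person about to run it can review the actions before the file is dragged onto ComboFix.exe. The sample script is the thread's two scripts merged; the shallow-key warning threshold is this example's own assumption, not a ComboFix feature.

```python
"""Dry-run summary of a ComboFix CFScript.txt (added example, not ComboFix code).
Lists what each section asks ComboFix to do so the actions can be reviewed
before the file is dragged onto ComboFix.exe. The shallow-key warning
threshold is this example's own assumption."""
import re
from dataclasses import dataclass, field

# Constructed sample: the two CFScripts posted in the thread, merged.
SAMPLE_SCRIPT = r"""
KILLALL::
File::
I:\WINDOWS\system32\htkmaaqu.ini
I:\WINDOWS\system32\lhlyadvg.ini
I:\WINDOWS\omlbpkaw.dll
I:\WINDOWS\npqtsrak.exe
I:\WINDOWS\omlbpkaw.dll
Folder::
I:\Documents and Settings\CNA\Application Data\TmpRecentIcons
I:\Documents and Settings\All Users\Application Data\pavmpopo
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DriveSys"=-
"omlbpkaw"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUKdASM]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gvhssnoy]
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")    # "File::", "KILLALL::", ...
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")          # REGEDIT4 "[KEY]" / "[-KEY]"
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')      # REGEDIT4 "name"=data


@dataclass
class Plan:
    kill_all: bool = False
    files: list = field(default_factory=list)
    folders: list = field(default_factory=list)
    reg_delete_keys: list = field(default_factory=list)
    reg_delete_values: list = field(default_factory=list)  # (key, name)
    reg_set_values: list = field(default_factory=list)     # (key, name, data)
    unknown_sections: list = field(default_factory=list)


def parse_cfscript(text: str) -> Plan:
    """Walk the script, tracking the active section and registry key."""
    plan, section, current_key = Plan(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1).lower(), None
            if section == "killall":
                plan.kill_all = True
            elif section not in ("file", "folder", "registry"):
                plan.unknown_sections.append(m.group(1))
        elif section == "file":
            if line not in plan.files:   # post #4 lists omlbpkaw.dll twice
                plan.files.append(line)
        elif section == "folder":
            plan.folders.append(line)
        elif section == "registry":
            km, vm = KEY_RE.match(line), VALUE_RE.match(line)
            if km and km.group(1):       # [-KEY]: delete the whole key
                plan.reg_delete_keys.append(km.group(2))
                current_key = None
            elif km:                     # [KEY]: following values apply here
                current_key = km.group(2)
            elif vm and current_key is not None:
                name, data = vm.groups()
                if data == "-":          # "name"=- : delete that value
                    plan.reg_delete_values.append((current_key, name))
                else:
                    plan.reg_set_values.append((current_key, name, data))
    return plan


def risky_key_deletions(plan: Plan, min_components: int = 5) -> list:
    """[-KEY] lines shallower than min_components path parts (heuristic
    chosen for this example): HKLM\\SOFTWARE\\Microsoft has 3 parts and
    would wipe far more than one autostart entry."""
    return [k for k in plan.reg_delete_keys if len(k.split("\\")) < min_components]


def describe(plan: Plan) -> list:
    """Human-readable lines for review before the script is run."""
    out = ["KILLALL:: stop non-essential processes first"] if plan.kill_all else []
    out += [f"delete file   {p}" for p in plan.files]
    out += [f"delete folder {p}" for p in plan.folders]
    out += [f"delete value  {n}  in {k}" for k, n in plan.reg_delete_values]
    out += [f"delete key    {k}" for k in plan.reg_delete_keys]
    out += [f"set value     {n}={d}  in {k}" for k, n, d in plan.reg_set_values]
    out += [f"WARNING shallow key deletion: {k}" for k in risky_key_deletions(plan)]
    out += [f"unknown section ignored: {s}::" for s in plan.unknown_sections]
    return out


if __name__ == "__main__":
    print("\n".join(describe(parse_cfscript(SAMPLE_SCRIPT))))
```

Run it as-is to see the review listing for the thread's scripts; to check a script of your own, read the file into `parse_cfscript` instead of `SAMPLE_SCRIPT`. The duplicate omlbpkaw.dll line from post #4 is collapsed, and any [-KEY] line that would remove a broad hive path is flagged rather than silently listed.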

#7
jtsirnik

jtsirnik

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Yes, things are working great; the icons have gone away and pop-ups have stopped. My machine is running a lot better. Does it look like we are getting close to being rid of all malware? Here is the recent log:



ComboFix 08-04-22.5 - CNA 2008-04-24 11:52:38.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1064 [GMT -4:00]
Running from: I:\Documents and Settings\CNA\Desktop\ComboFix.exe
Command switches used :: I:\Documents and Settings\CNA\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
I:\WINDOWS\npqtsrak.exe
I:\WINDOWS\omlbpkaw.dll
I:\WINDOWS\system32\htkmaaqu.ini
I:\WINDOWS\system32\lhlyadvg.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

I:\WINDOWS\npqtsrak.exe
I:\WINDOWS\omlbpkaw.dll
I:\WINDOWS\system32\htkmaaqu.ini
I:\WINDOWS\system32\lhlyadvg.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-24 09:54 . 2007-09-06 00:22 289,144 --a------ I:\WINDOWS\system32\VCCLSID.exe
2008-04-24 09:54 . 2006-04-27 17:49 288,417 --a------ I:\WINDOWS\system32\SrchSTS.exe
2008-04-24 09:54 . 2008-04-24 08:10 86,528 --a------ I:\WINDOWS\system32\VACFix.exe
2008-04-24 09:54 . 2008-04-23 22:14 82,944 --a------ I:\WINDOWS\system32\IEDFix.exe
2008-04-24 09:54 . 2008-04-23 22:14 82,944 --a------ I:\WINDOWS\system32\404Fix.exe
2008-04-24 09:54 . 2003-06-05 21:13 53,248 --a------ I:\WINDOWS\system32\Process.exe
2008-04-24 09:54 . 2004-07-31 18:50 51,200 --a------ I:\WINDOWS\system32\dumphive.exe
2008-04-24 09:54 . 2007-10-04 00:36 25,600 --a------ I:\WINDOWS\system32\WS2Fix.exe
2008-04-24 09:54 . 2008-04-24 09:54 1,872 --a------ I:\WINDOWS\system32\tmp.reg
2008-04-24 08:55 . 2008-04-24 08:55 <DIR> d-------- I:\Program Files\Trend Micro
2008-04-23 17:32 . 2008-04-23 17:32 <DIR> d-------- I:\Documents and Settings\CNA\Application Data\Symantec
2008-04-23 17:29 . 2008-04-23 17:29 <DIR> d-------- I:\Program Files\Windows Sidebar
2008-04-23 17:28 . 2008-04-23 17:30 <DIR> d-------- I:\Program Files\Norton Internet Security
2008-04-23 17:26 . 2008-04-23 17:30 <DIR> d-------- I:\Program Files\Symantec
2008-04-23 17:26 . 2008-04-23 17:51 <DIR> d-------- I:\Documents and Settings\All Users\Application Data\Symantec
2008-04-23 17:26 . 2008-04-23 17:30 123,952 --a------ I:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-04-23 17:26 . 2008-04-23 17:30 60,800 --a------ I:\WINDOWS\system32\S32EVNT1.DLL
2008-04-23 17:26 . 2008-04-23 17:30 10,563 --a------ I:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-04-23 17:26 . 2008-04-23 17:30 805 --a------ I:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-04-23 17:20 . 2008-04-24 11:09 <DIR> d-------- I:\Program Files\Common Files\Symantec Shared
2008-04-23 17:15 . 2008-04-23 17:15 <DIR> d-------- I:\Documents and Settings\All Users\Symantec Temporary Files
2008-04-23 16:16 . 2008-04-23 16:16 <DIR> d-------- I:\WINDOWS\system32\Kaspersky Lab
2008-04-23 16:16 . 2008-04-23 16:16 <DIR> d-------- I:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-22 10:47 . 2008-04-22 11:19 10,752 --a------ I:\WINDOWS\DCEBoot.exe
2008-04-22 10:33 . 2008-04-23 16:19 <DIR> d-------- I:\Documents and Settings\All Users\Application Data\Trend Micro
2008-04-22 09:44 . 2008-04-22 10:23 <DIR> d-------- I:\Documents and Settings\CNA\.housecall6.6
2008-04-21 07:47 . 2008-04-24 10:54 18 --a------ I:\WINDOWS\wininit.ini
2008-04-21 07:25 . 2008-04-24 09:31 <DIR> d-------- I:\Program Files\Spybot - Search & Destroy
2008-04-21 07:25 . 2008-04-24 09:31 <DIR> d-------- I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-18 08:58 . 2008-04-23 14:17 <DIR> d-------- I:\Program Files\CCleaner
2008-04-17 09:29 . 2008-04-17 09:29 <DIR> d-------- I:\WINDOWS\system32\LogFiles
2008-04-05 07:43 . 2008-02-22 02:33 69,632 --a------ I:\WINDOWS\system32\javacpl.cpl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 15:55 --------- d-----w I:\Program Files\Sony
2008-04-18 13:10 --------- d-----w I:\Program Files\Pure Networks
2008-04-18 12:55 --------- d-----w I:\Program Files\CADDee.com
2008-04-14 11:28 --------- d-----w I:\Documents and Settings\CNA\Application Data\LimeWire
2008-04-14 11:27 --------- d-----w I:\Program Files\LimeWire
2008-04-05 11:43 --------- d-----w I:\Program Files\Java
2008-03-07 01:32 706 ----a-w I:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 01:32 23,904 ----a-w I:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 01:32 10,537 ----a-w I:\WINDOWS\system32\drivers\coh_mon.cat
2008-03-05 13:05 --------- d-----w I:\Documents and Settings\All Users\Application Data\WinZip
2008-03-05 12:50 --------- d-----w I:\Program Files\Microsoft ActiveSync
2008-02-26 15:11 --------- d-----w I:\Program Files\iTunes
2008-02-26 15:10 --------- d-----w I:\Program Files\iPod
2008-02-26 15:09 --------- d-----w I:\Program Files\QuickTime
.

((((((((((((((((((((((((((((( snapshot@2008-04-24_ 9.44.34.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-24 13:40:45 2,048 --s-a-w I:\WINDOWS\bootstat.dat
+ 2008-04-24 15:55:35 2,048 --s-a-w I:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2008-02-07 00:05 349552 --a------ I:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-04-23 17:29 116088 --a------ I:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= "I:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll" [2008-02-07 00:05 349552]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= I:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll [2008-02-07 00:05 349552]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="I:\WINDOWS\system32\ctfmon.exe" [2004-08-12 09:18 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="I:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-06 14:01 335872]
"SunJavaUpdateSched"="I:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ccApp"="I:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 21:47 51048]
"osCheck"="I:\Program Files\Norton Internet Security\osCheck.exe" [2008-02-07 02:49 718704]
"QuickTime Task"="I:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]

I:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - I:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
AutoCAD LT Startup Accelerator.lnk - I:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 09:18:22 10872]
GARO Status Monitor.lnk - I:\Program Files\Canon\GAROStatusMonitor\cnwism.exe [2006-12-01 11:29:44 344064]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-07 00:46 57344 I:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2003-05-23 11:43 88363 I:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2006-10-23 08:50 71216 I:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLSPScheduler]
--a------ 2006-09-07 11:29 8784 I:\Program Files\Common Files\AOL\1163796153\ee\services\safetyCore\ver2_5_4_1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CnwiDeviceAgent]
--a------ 2005-08-11 20:14 65536 I:\Program Files\Canon\GAROStatusMonitor\cnwida.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-12 09:18 15360 I:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EmailScan]
--a------ 2005-10-19 13:13 460336 I:\Program Files\mcafee.com\antivirus\mcvsescn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 14:39 1289000 I:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-09-25 20:52 50736 I:\Program Files\Common Files\AOL\1163796153\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 14:10 267048 I:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
--a------ 2005-08-18 17:57 116272 I:\Program Files\mcafee.com\antivirus\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 I:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--------- 2008-01-28 11:43 2097488 I:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sscRun]
--a------ 2006-09-07 11:29 153168 I:\Program Files\Common Files\AOL\1163796153\ee\SSCRun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-10-30 14:27 185632 I:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"I:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"I:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"I:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"I:\\Program Files\\America Online 9.0\\waol.exe"=
"I:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"I:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"I:\\Program Files\\Common Files\\AOL\\1163796153\\EE\\AOLServiceHost.exe"=
"I:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"I:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"I:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"I:\\Program Files\\Canon\\GAROStatusMonitor\\cnwism.exe"=
"I:\\Program Files\\Canon\\GAROStatusMonitor\\cnwida.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"I:\\Program Files\\Canon\\Network ScanGear\\SgTool.exe"=
"I:\\Program Files\\Common Files\\AOL\\1163796153\\EE\\aolsoftware.exe"=
"I:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"I:\\Program Files\\LimeWire\\LimeWire.exe"=
"I:\\Program Files\\iTunes\\iTunes.exe"=
"I:\Program Files\Microsoft ActiveSync\rapimgr.exe"= I:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"I:\Program Files\Microsoft ActiveSync\wcescomm.exe"= I:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"I:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= I:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 LiveUpdate Notice;LiveUpdate Notice;"I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
S3 COH_Mon;COH_Mon;I:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-04-09 14:26:01 I:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- I:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-23 21:32:33 I:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - CNA.job"
- I:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 11:56:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
I:\WINDOWS\system32\ati2evxx.exe
I:\WINDOWS\system32\ati2evxx.exe
I:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
I:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
I:\Program Files\Common Files\AOL\1163796153\EE\services\safetyCore\ver2_5_4_1\aolavupd.exe
I:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
I:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
I:\Program Files\Bonjour\mDNSResponder.exe
I:\PROGRA~1\mcafee.com\ANTIVI~1\McShield.exe
.
**************************************************************************
.
Completion time: 2008-04-24 11:59:46 - machine was rebooted [CNA]
ComboFix-quarantined-files.txt 2008-04-24 15:59:39
ComboFix2.txt 2008-04-24 15:00:55
ComboFix3.txt 2008-04-24 13:45:02

Pre-Run: 233,413,955,584 bytes free
Post-Run: 233,401,114,624 bytes free

212 --- E O F --- 2008-04-09 19:01:27
  • 0

#8
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
We're all done :)

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run and copy/paste in combofix /u and hit OK to remove it. You should be set to go.
  • 0

#9
jtsirnik

jtsirnik

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Thanks a lot, Norton wasn't able to do what you just did. I spent all day yesterday with them trying to figure it out and no good. This was more daring but it got the job done.

I will be posting later tonight or tomorrow morning from my home computer with a different issue on that computer.

Is there any way for me to show my gratitude for your help? Donations (small one)?
  • 0

#10
jtsirnik

jtsirnik

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I just read the tutorial on keeping spyware out ... Can I run those programs alongside Norton Internet Security? Are they needed considering I have Norton already?
  • 0

#11
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
If you want, you may make a donation to me via Paypal (see link in my signature).

Those other antispyware prevention programs are used to help keep spyware infection afar. If Norton Internet Security comes with its own antispyware program with real-time protection, you don't need the antispyware scanners (like SuperAntiSpyware or AVG AntiSpyware). But you should still get the other stand-alone tools like the modified hosts file, SpywareBlaster, etc. Those have their own uses.

If there are no further problems/questions, post back once more and I will mark this topic as solved :)
  • 0

#12
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0