
I can't believe how messed up my computer is! [RESOLVED]


  • This topic is locked

#1
ajdedo (Member, 12 posts)
First off - I'd like to thank you for all your help. I'm not sure what I'd do. I'd probably just format my entire C: drive and lose years of desktop perfection! Thanks. :-)

Step 1 - ATF Cleaner:

Result - ATF Cleaner would not run. When I double-clicked on the exe, it would flash on screen for a second then disappear.

Step 2 - Create a Restore point:

Result - Windows would not let me create or return to a restore point.

Step 3 - Malwarebytes' Anti-Malware:

Result -

Malwarebytes' Anti-Malware 1.16
Database version: 845

10:55:30 PM 6/9/2008
mbam-log-6-9-2008 (22-55-30).txt

Scan type: Quick Scan
Objects scanned: 55255
Time elapsed: 7 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\mule_st_key (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\PeDevice (Adware.Popups) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\PeDevice\pae_url.xml (Adware.Popups) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\srosa.sys (Rootkit.Bagle) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\hldrrr.exe (Rootkit.Agent) -> Delete on reboot.
C:\Program Files\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

Step 4 - Returned to Step 1 - ATF Cleaner:

Result - Successful

Step 5 - SUPERAntiSpyware Home Edition:

Result -

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/10/2008 at 00:18 AM

Application Version : 4.15.1000

Core Rules Database Version : 3478
Trace Rules Database Version: 1469

Scan type : Complete Scan
Total Scan Time : 01:03:34

Memory items scanned : 337
Memory threats detected : 0
Registry items scanned : 6825
Registry threats detected : 0
File items scanned : 134722
File threats detected : 3

Adware.Tracking Cookie
C:\Documents and Settings\Guest Account\Cookies\guest [email protected][2].txt

Trojan.Downloader-Gen
C:\WINDOWS\SYSTEM32\DRIVERS\MDELK.EXE

Trojan.Downloader-Gen/Win
C:\WINDOWS\SYSTEM32\UNSVCHOSTS.LZMA

Step 6 - Online Panda Activescan:

Result -

;*************************************************************
ANALYSIS: 2008-06-10 11:30:11
PROTECTIONS: 1
MALWARE: 15
SUSPECTS: 0
;*************************************************************
PROTECTIONS
Description Version Active Updated
;======================================================
ESET NOD32 antivirus system 2.70 2.70 Yes Yes
;======================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;======================================================
00101945 HackTool/Samdump HackTools No 0 No No C:\Andrew's new Desktop\Portable Apps March 08\PortableApps\RockXP\RockXP4.exe[pwdump2\samdump.dll]
00101946 HackTool/Samdump HackTools No 0 No No C:\Andrew's new Desktop\Portable Apps March 08\PortableApps\RockXP\RockXP4.exe[pwdump2\pwdump2.exe]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Andrew's new Desktop\Portable Apps March 08\PortableApps\FirefoxPortable\Data\profile\cookies.txt[.doubleclick.net/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Andrew's new Desktop\Portable Apps March 08\PortableApps\FirefoxPortable\Data\profile\cookies.txt[.atdmt.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Andrew's new Desktop\Portable Apps March 08\PortableApps\FirefoxPortable\Data\profile\cookies.txt[.tribalfusion.com/]
00159881 Application/Pskill.A HackTools No 0 Yes No D:\Z - Sony HD and Recovery\Current Sony HD\WINDOWS\system32\pskill.exe
00288208 Application/HideWindow.S HackTools No 0 Yes No D:\Z - Sony HD and Recovery\Current Sony HD\WINDOWS\system32\cmdow.exe
00321319 HackTool/RockXp4 HackTools No 1 No No C:\Andrew's new Desktop\Portable Apps March 08\PortableApps\RockXP\RockXP4.exe[RockXP4_.exe]
02002613 Trj/Keylog.LH Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{9F6EEA46-37AE-4F1F-AA1C-ACAF08232234}\RP564\A1093985.dll
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes Yes C:\WINDOWS\system32\drivers\downld\157203.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes Yes C:\WINDOWS\system32\drivers\downld\143968.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes Yes C:\WINDOWS\system32\drivers\downld\128750.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes Yes C:\WINDOWS\system32\drivers\downld\132375.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes Yes C:\WINDOWS\system32\drivers\downld\141281.exe
02898935 W32/Bagle.RP.worm Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{9F6EEA46-37AE-4F1F-AA1C-ACAF08232234}\RP564\A1094014.sys
02898935 W32/Bagle.RP.worm Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{9F6EEA46-37AE-4F1F-AA1C-ACAF08232234}\RP564\A1094038.sys
02898935 W32/Bagle.RP.worm Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{9F6EEA46-37AE-4F1F-AA1C-ACAF08232234}\RP564\A1094059.sys
02901938 HackTool/RockXp4 HackTools No 1 Yes No C:\Andrew's new Desktop\Portable Apps March 08\PortableApps\RockXP\RockXP4.exe
02913360 W32/Bagle.SP.worm Virus/Worm No 1 Yes Yes C:\WINDOWS\system32\drivers\downld\122531.exe
02913360 W32/Bagle.SP.worm Virus/Worm No 1 Yes Yes C:\System Volume Information\_restore{9F6EEA46-37AE-4F1F-AA1C-ACAF08232234}\RP564\A1093987.exe
02913360 W32/Bagle.SP.worm Virus/Worm No 1 Yes Yes C:\System Volume Information\_restore{9F6EEA46-37AE-4F1F-AA1C-ACAF08232234}\RP564\A1093992.exe
02913360 W32/Bagle.SP.worm Virus/Worm No 1 Yes Yes C:\WINDOWS\system32\drivers\downld\125671.exe
02927698 W32/Bagle.KV.worm Virus/Worm No 1 Yes Yes C:\WINDOWS\system32\drivers\downld\130015.exe
02927698 W32/Bagle.KV.worm Virus/Worm No 1 Yes Yes C:\WINDOWS\system32\drivers\downld\126359.exe
03053909 W32/Bagle.KV.worm Virus/Worm No 1 Yes Yes C:\System Volume Information\_restore{9F6EEA46-37AE-4F1F-AA1C-ACAF08232234}\RP564\A1093984.exe
03053909 W32/Bagle.KV.worm Virus/Worm No 1 Yes Yes C:\System Volume Information\_restore{9F6EEA46-37AE-4F1F-AA1C-ACAF08232234}\RP564\A1094147.exe
;======================================================
SUSPECTS
Sent Location


;======================================================
;======================================================
VULNERABILITIES
Id Severity Description


;======================================================
182048 HIGH MS07-069
176382 HIGH MS07-057
170906 HIGH MS07-045
170904 HIGH MS07-043
164913 HIGH MS07-033
160623 HIGH MS07-027

;======================================================

Step 7 - Reboot:

Result - Computer still showing problems. Anti-Virus and Firewall would not run. Various .exe disabled.

Step 8 - Hijack This:

Result -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:57 AM, on 6/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\PerfectDisk2008\PD91Agent.exe
C:\Program Files\Advanced SmartCheck\Client\SmCh_svc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sentinel Web\OPTISAFE_Service.Exe
C:\WINDOWS\system32\cchservice.exe
C:\Program Files\Sentinel Web\UPSInt.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Sentinel Web\Sentinel.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\cc32\webtmr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Clock Tray Skins\ClockTraySkins.exe
C:\Program Files\Save My Work\SaveMyWork.exe
C:\WINDOWS\Tray\wintmr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HDD Temperature\DTemp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f539.mail....e...=Inbox&YN=1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [UPSMON] C:\Program Files\Sentinel Web\Sentinel.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Enterra Icon Keeper] "C:\Program Files\Enterra Icon Keeper\IcnKeepr.exe" ssp /s
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ChicoSys] C:\WINDOWS\system32\cc32\webtmr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Clock Tray Skins\ClockTraySkins.exe
O4 - HKCU\..\Run: [SaveMyWork] C:\Program Files\Save My Work\SaveMyWork.exe
O4 - HKCU\..\Run: [CCWinTray] C:\WINDOWS\Tray\wintmr.exe
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'NETWORK SERVICE')
O4 - Startup: DTEMP.lnk = C:\Program Files\HDD Temperature\DTemp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: Add all items to the auction list - res://C:\Program Files\RKD\AuctionNavigator\BidCtxtClick.dll/202
O8 - Extra context menu item: Add this item to the auction list - res://C:\Program Files\RKD\AuctionNavigator\BidCtxtClick.dll/201
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: InterCasino £££ - {03588886-5C50-4645-BD5D-F105F84417DE} - http://www.intercasino.co.uk/ (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: InterCasino £££ - {03588886-5C50-4645-BD5D-F105F84417DE} - http://www.intercasino.co.uk/ (file missing) (HKCU)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....030/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189976167406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1189976126937
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.c.../npseatools.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15030/CTPID.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/RACtrl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DirectX Service (DirectJicg) - Unknown owner - C:\WINDOWS\system32\directx.exe (file missing)
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Kana Solution - C:\Program Files\DynDNS Updater\DynDNS.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\PerfectDisk2008\PD91Engine.exe
O23 - Service: SmartCheck service (SmartCheckSvc) - URL Toy Software - C:\Program Files\Advanced SmartCheck\Client\SmCh_svc.exe
O23 - Service: UPSMONService - Unknown owner - C:\Program Files\Sentinel Web\OPTISAFE_Service.Exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows-CCHook-Service - Salfeld Computer - C:\WINDOWS\system32\cchservice.exe

--
End of file - 13094 bytes

Step 9 - Uninstall Log:

Result -

ABBYY FineReader 5.0 Sprint
AccessDiver v4.301
Ad-Aware 2007
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge 1.0
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Common File Installer
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Fonts All
Adobe Help Center 1.0
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS2
Adobe Premiere Pro CS3 Functional Content
Adobe Premiere Pro CS3 Preview
Adobe Premiere Pro CS3 Preview
Adobe Reader 8.1.2
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Stock Photos 1.0
Adobe Stock Photos CS3
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
Advanced SmartCheck Client
Album Cover Art Downloader 1.6.0
All Media Fixer 7.0
Allway Sync version 6.2.2
AnyDVD
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Decoder
ATI Display Driver
ATI Multimedia Center 9.16
ATI Remote Wonder 3.04
Auto Gordian Knot 2.45
AviSynth 2.5
AVIVO Codecs
Azureus Vuze
BOINC
Brother MFL-Pro Suite
CC File Transfer 2.5
CCleaner (remove only)
CD Check 3.0.1.43
Cheat Solitare
Child Control
Clock Tray Skins 3.8
CloneDVD 4.0
Cool MP3 Splitter
Core Center
Creative Jukebox Driver
Creative MediaSource 5
DaemonScript
DAO
DFE-538TX
Directory Printer 3.71
D-Link PCI Fast Ethernet Adapter
dMC AccurateRip
DVD Decrypter (Remove Only)
DVD Ripper Platinum 4
DynDNS Updater 3.1
eBay Auction Sniper and Auto Search 3.1
eMulev0.49a.-MorphXTv11.0
EncSpot Pro 2.1
Enterra Icon Keeper 1.0.0.2
EPSON Copy Utility 3
EPSON Perf 2480 - 2580 Guide
EPSON Scan
EPSON Smart Panel
ESET Online Scanner
Everest Ultimate Edition 3.00.626
Exact Audio Copy 0.95b4
Fantasy Wars
Final Draft 7
Flash Favorite 1.5
getPlus®_ocx
GoodSync
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HashTab 2.0.5
HD Tach version 3
HDD Regenerator
HeavyLoad 2.1
Heroes of Might and Magic V Collector Edition
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows XP (KB929120)
iCF Skin Pack
iColorFolder
InfoView
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 9
Kaspersky Online Scanner
K-Lite Mega Codec Pack 3.8.0
LAN Utility
LiveUpdate 2.6 (Symantec Corporation)
Logitech G15 Keyboard Software 1.04
LogMeIn
Magic File Renamer 6.12 Professional Edition
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MP3 Splitter & Joiner
Mp3tag v2.39
MPEG Encoder 3
MPEG Joiner
MSI Live Update 3
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Nero 7 Ultra Edition
neroxml
NOD32 antivirus system
NOD32 FiX
Norton PartitionMagic 8.0
Notmad Explorer (remove only)
Now3D
Omni Encoder
OPTI-SAFE Sentinel Web for Windows
Panda ActiveScan 2.0
Paragon Drive Backup 8.5 Professional
PeerGuardian 2.0
PerfectDisk 2008 Professional
PerformanceTest v6.1
Piky Basket 2.0
QuickTime
RAMTester Utility 2005
Reasonable NoClone 2007 Enterprise
Reasonable NoClone 2007 Enterprise
Recommended Tools Pack
RegVac Registry Cleaner 4.02 (Trial Version)
Save My Work 1.0.45
ScanToWeb
Seagate SeaTools English Online
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Shutdown Monster 4.0.5.2
SolveigMM Video Splitter
SoulSeek Client 156c
SoulSeekkor's TQ Defiler
SplitMovie 1.4
Stress Prime 2004 0.40.95.13
Stress Test Tool Box August 2007
SUPERAntiSpyware Free Edition
SurfOffline (remove only)
ThumbsPlus version 7 SP2
Titan Quest
Titan Quest Immortal Throne
TitanTV Client components for ATI
TQVault 2.11
TuneUp Utilities 2007
Turbo Lister 2
UltimateDefrag
UltraISO V7.65 ME
Unlocker 1.8.5
v3.9.8.5128
ViceVersa Pro 2 (Build 2014)
VobSub v2.23 (Remove Only)
Winamp
Windows Imaging Component
Windows Installer Clean Up
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
WinRAR archiver
WinZip 10 Pro
Wisdom-soft ScreenHunter 5.0 Free
XviD MPEG4 Video Codec (remove only)
Yahoo! Mail Quick Select Tool (PhotoMail)
Yahoo! Toolbar
YouTube Downloader 2.2
ZoneAlarm Pro

Edited by ajdedo, 10 June 2008 - 01:36 PM.

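The scanner output in the post above can be triaged mechanically before anyone reads it line by line. The Python script below is an added example, not part of this thread and not code from Malwarebytes, HijackThis or any other tool named here. It parses two of the line formats posted above (Malwarebytes' Anti-Malware detection lines and HijackThis O4/O6/O23 lines) and reports what an analyst would otherwise pull out by hand: a Run value whose target sits under a drivers directory, a Run target the scanner could only mark "Delete on reboot", a service whose binary is missing or has no recorded vendor, and an Internet Explorer restriction policy. The sample lines are copied from the logs above and the regular expressions follow those lines; the drivers-directory rule, the "Delete on reboot" cross-check and the high/medium/low severities are this example's own assumptions, not rules from either tool.

```python
"""Triage helper for MBAM and HijackThis log lines (added example, not tool code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Line shapes as they appear in the posted logs.
MBAM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[^:]+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O6_RE = re.compile(r"^O6 - (?P<policy>.+?) present$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Executable at the start of a Run command, with or without quotes, arguments dropped.
PATH_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|scr|com|bat|cmd))(?:"|\s|$)', re.IGNORECASE)

# Assumption of this example: a logon Run value that launches an executable from a
# drivers directory is anomalous (drivers are started by the service manager, not
# from the Run key). Not a rule from HijackThis.
SUSPICIOUS_DIRS = ("\\system32\\drivers\\",)
RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed sample input: lines copied from the MBAM and HijackThis logs above.
MBAM_SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\mule_st_key (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\srosa.sys (Rootkit.Bagle) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\hldrrr.exe (Rootkit.Agent) -> Delete on reboot.
C:\Program Files\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
"""
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ChicoSys] C:\WINDOWS\system32\cc32\webtmr.exe
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: DirectX Service (DirectJicg) - Unknown owner - C:\WINDOWS\system32\directx.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


@dataclass(frozen=True)
class ScanHit:
    item: str    # file path or registry value the scanner reported
    family: str  # detection name, e.g. Rootkit.Bagle
    action: str  # what the scanner did with it


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low" (this example's own scale)
    source: str    # "MBAM", "O4", "O6" or "O23"
    subject: str   # scanner item, autorun name or service name
    reason: str


def parse_mbam(text: str) -> List[ScanHit]:
    """Parse MBAM detection lines; lines that do not fit the shape are ignored."""
    hits = []
    for line in text.splitlines():
        m = MBAM_RE.match(line.strip())
        if m:
            hits.append(ScanHit(m["item"], m["family"], m["action"]))
    return hits


def exe_path(command: str) -> Optional[str]:
    """Return the executable a Run value launches, dropping quotes and arguments."""
    m = PATH_RE.match(command.strip())
    return m["path"] if m else None


def triage(mbam_text: str, hjt_text: str) -> List[Finding]:
    """Cross-check scanner results against autorun and service entries."""
    findings: List[Finding] = []
    hits = parse_mbam(mbam_text)
    # Items the scanner could not remove on the spot are still present when the
    # HijackThis log is taken, so they deserve a second look after the reboot.
    pending = {h.item.lower() for h in hits if "reboot" in h.action.lower()}
    for h in hits:
        if h.item.lower() in pending:
            findings.append(Finding("high", "MBAM", h.item,
                                    f"{h.family}: removal deferred to reboot, verify it is gone afterwards"))
    for line in hjt_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            path = exe_path(m["cmd"])
            if path is None:
                continue
            reasons = []
            if any(d in path.lower() for d in SUSPICIOUS_DIRS):
                reasons.append("launched from a drivers directory")
            if path.lower() in pending:
                reasons.append("target already queued for deletion by the scanner")
            if reasons:
                findings.append(Finding("high", "O4", m["name"], f"{path}: " + "; ".join(reasons)))
        elif m := O6_RE.match(line):
            findings.append(Finding("low", "O6", m["policy"],
                                    "restriction policy present; confirm it was set deliberately"))
        elif m := O23_RE.match(line):
            reasons = []
            if "(file missing)" in m["path"]:
                reasons.append("service binary is missing")
            if m["owner"] == "Unknown owner":
                reasons.append("no vendor recorded for the binary")
            if reasons:
                severity = "medium" if "(file missing)" in m["path"] else "low"
                findings.append(Finding(severity, "O23", m["name"], f"{m['path']}: " + "; ".join(reasons)))
    return sorted(findings, key=lambda f: RANK[f.severity])


if __name__ == "__main__":
    for f in triage(MBAM_SAMPLE, HJT_SAMPLE):
        print(f"[{f.severity:6}] {f.source:4} {f.subject}: {f.reason}")
```

Run against the sample, the script flags the drvsyskit Run value twice over (it launches from the drivers directory and its target is the same hldrrr.exe the scanner deferred to reboot), the DirectJicg service with its missing binary, and the two scanner items that were not removed immediately; the ZoneAlarm and ChicoSys Run values and the vsmon service produce nothing. "Unknown owner" on its own is only reported as low because, as the full log above shows, legitimate vendors ship services without a recorded owner too.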

#2
Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hello

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:


  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

#3
ajdedo (Topic Starter, Member, 12 posts)
Thanks for your help. Here are the reports...

ComboFix Log

ComboFix 08-06-12.2 - Andrew 2008-06-13 21:09:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.627 [GMT -7:00]
Running from: C:\Andrew's new Desktop\Combo-Fix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - svchost.exe: deleted 228 bytes in 1 streams.
ADS - ntoskrnl.exe: deleted 100 bytes in 1 streams.
ADS - explorer.exe: deleted 164 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\nfo
C:\Documents and Settings\All Users\Application Data\nfo\arch\1001.dfn
C:\Documents and Settings\Andrew\Application Data\m
C:\Documents and Settings\Andrew\Application Data\m\list.oct
C:\Documents and Settings\Andrew\Application Data\m\shared
C:\Documents and Settings\Andrew\Application Data\m\srvlist.oct
C:\lswmv.ini
C:\Program Files\Common Files\{30B38~1
C:\Program Files\Common Files\{90B38~1
C:\Program Files\Common Files\uninstall information
C:\WINDOWS\system32\bnrfil.dll
C:\WINDOWS\system32\bsnlst.dll
C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\drivers\downld\120593.exe
C:\WINDOWS\system32\drivers\downld\129375.exe
C:\WINDOWS\system32\drivers\downld\132296.exe
C:\WINDOWS\system32\drivers\downld\135515.exe
C:\WINDOWS\system32\drivers\downld\139343.exe
C:\WINDOWS\system32\drivers\downld\142453.exe
C:\WINDOWS\system32\drivers\downld\153375.exe
C:\WINDOWS\system32\drivers\downld\154031.exe
C:\WINDOWS\system32\drivers\downld\159718.exe
C:\WINDOWS\system32\drivers\downld\160390.exe
C:\WINDOWS\system32\drivers\downld\167328.exe
C:\WINDOWS\system32\drivers\downld\168390.exe
C:\WINDOWS\system32\drivers\downld\168890.exe
C:\WINDOWS\system32\drivers\downld\171500.exe
C:\WINDOWS\system32\drivers\downld\171781.exe
C:\WINDOWS\system32\drivers\downld\173125.exe
C:\WINDOWS\system32\drivers\downld\173187.exe
C:\WINDOWS\system32\drivers\downld\174218.exe
C:\WINDOWS\system32\drivers\downld\182984.exe
C:\WINDOWS\system32\drivers\downld\187250.exe
C:\WINDOWS\system32\drivers\downld\196406.exe
C:\WINDOWS\system32\drivers\downld\201234.exe
C:\WINDOWS\system32\drivers\downld\218468.exe
C:\WINDOWS\system32\drivers\downld\229953.exe
C:\WINDOWS\system32\drivers\downld\240203.exe
C:\WINDOWS\system32\drivers\downld\245765.exe
C:\WINDOWS\system32\drivers\downld\252750.exe
C:\WINDOWS\system32\drivers\downld\254390.exe
C:\WINDOWS\system32\drivers\downld\259281.exe
C:\WINDOWS\system32\drivers\downld\269328.exe
C:\WINDOWS\system32\drivers\downld\274453.exe
C:\WINDOWS\system32\drivers\downld\279421.exe
C:\WINDOWS\system32\drivers\downld\282750.exe
C:\WINDOWS\system32\drivers\downld\295531.exe
C:\WINDOWS\system32\drivers\downld\297171.exe
C:\WINDOWS\system32\drivers\downld\301500.exe
C:\WINDOWS\system32\drivers\downld\301703.exe
C:\WINDOWS\system32\drivers\downld\303953.exe
C:\WINDOWS\system32\drivers\downld\307468.exe
C:\WINDOWS\system32\drivers\downld\320812.exe
C:\WINDOWS\system32\drivers\downld\333421.exe
C:\WINDOWS\system32\drivers\downld\334875.exe
C:\WINDOWS\system32\drivers\downld\340453.exe
C:\WINDOWS\system32\drivers\downld\342171.exe
C:\WINDOWS\system32\drivers\downld\351312.exe
C:\WINDOWS\system32\drivers\downld\351562.exe
C:\WINDOWS\system32\drivers\downld\363296.exe
C:\WINDOWS\system32\drivers\downld\368625.exe
C:\WINDOWS\system32\drivers\downld\369875.exe
C:\WINDOWS\system32\drivers\downld\376921.exe
C:\WINDOWS\system32\drivers\downld\399203.exe
C:\WINDOWS\system32\drivers\downld\411484.exe
C:\WINDOWS\system32\drivers\downld\431718.exe
C:\WINDOWS\system32\drivers\downld\438046.exe
C:\WINDOWS\system32\drivers\downld\445671.exe
C:\WINDOWS\system32\drivers\downld\493031.exe
C:\WINDOWS\system32\drivers\downld\519796.exe
C:\WINDOWS\system32\drivers\downld\572640.exe
C:\WINDOWS\system32\drivers\downld\587187.exe
C:\WINDOWS\system32\drivers\downld\604187.exe
C:\WINDOWS\system32\drivers\downld\610828.exe
C:\WINDOWS\system32\igefil.dll
C:\WINDOWS\system32\lastupdate.dll
C:\WINDOWS\system32\macfil.dll
C:\WINDOWS\system32\mp3fil.dll
C:\WINDOWS\system32\nfil.dll
C:\WINDOWS\system32\picsfil.dll
C:\WINDOWS\system32\snetfil.dll
C:\WINDOWS\system32\srchfrgn.dll
C:\WINDOWS\system32\srchout.dll
C:\WINDOWS\system32\swctl.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SROSA
-------\Service_srosa


((((((((((((((((((((((((( Files Created from 2008-05-14 to 2008-06-14 )))))))))))))))))))))))))))))))
.

2008-06-10 11:36 . 2008-06-10 11:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-09 14:04 . 2008-06-09 14:04 <DIR> d-------- C:\Program Files\Panda Security
2008-06-09 13:30 . 2008-06-09 13:30 <DIR> d-------- C:\Temp
2008-06-09 12:59 . 2008-06-09 23:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-09 12:59 . 2008-06-09 12:59 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\SUPERAntiSpyware.com
2008-06-09 12:59 . 2008-06-09 12:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-09 12:10 . 2008-06-09 22:34 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-09 12:10 . 2008-06-09 12:10 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-09 12:10 . 2008-06-09 12:10 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\Malwarebytes
2008-06-09 12:10 . 2008-06-09 12:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-09 12:10 . 2008-06-09 20:13 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-09 12:10 . 2008-06-09 20:13 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-08 23:52 . 2008-06-08 23:52 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-08 23:52 . 2008-06-08 23:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-08 23:29 . 2008-06-08 23:30 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-06-08 23:25 . 2008-06-08 23:28 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-06-08 23:14 . 2008-06-08 23:42 <DIR> d-------- C:\Documents and Settings\Andrew\.housecall6.6
2008-06-08 15:14 . 2008-06-08 15:21 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\GoodSync
2008-06-04 20:50 . 2002-12-31 05:00 12,440 ---h----- C:\net.ini
2008-06-04 20:49 . 2008-06-04 21:03 <DIR> d-------- C:\WINDOWS\tray
2008-06-04 20:49 . 2008-06-13 21:17 <DIR> d-------- C:\WINDOWS\system32\wdrv
2008-06-04 20:49 . 2008-06-04 21:03 <DIR> d-------- C:\WINDOWS\system32\cc32
2008-06-04 20:49 . 2008-06-04 20:49 <DIR> d-------- C:\Program Files\Salfeld
2008-06-04 20:49 . 2008-06-04 21:03 <DIR> d-------- C:\Program Files\Common Files\Tray
2008-06-04 20:49 . 2008-06-04 20:50 <DIR> d-------- C:\Program Files\Common Files\System Shared
2008-06-04 20:49 . 2008-06-04 21:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\System
2008-06-04 20:49 . 2002-12-31 05:00 5,196,917 --a------ C:\WINDOWS\system32\httpsurl.dat
2008-06-04 20:49 . 2002-12-31 05:00 965,808 --a------ C:\WINDOWS\system32\cchservice.exe
2008-06-04 20:49 . 2002-12-31 05:00 362,160 --a------ C:\WINDOWS\system32\wdrvprg.dll
2008-06-04 20:49 . 2002-12-31 05:00 358,576 --a------ C:\WINDOWS\system32\wdrvhook.dll
2008-06-04 20:49 . 2002-12-31 05:00 345,088 --a------ C:\WINDOWS\system32\wdrvtask.dll
2008-06-04 20:49 . 2002-12-31 05:00 501 --a------ C:\WINDOWS\system32\nochook.ini
2008-06-04 20:49 . 2002-12-31 05:00 143 ---h----- C:\WINDOWS\system32\ctlsw.ini
2008-06-04 01:45 . 2008-06-04 01:45 <DIR> d-------- C:\Documents and Settings\Guest Account_2\Application Data\ParentalControl
2008-06-03 18:17 . 2008-06-04 20:40 <DIR> d-------- C:\Program Files\Parental Control
2008-06-03 18:17 . 2008-06-03 18:17 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\ParentalControl
2008-06-03 13:57 . 2008-06-03 16:19 8,628 --ah----- C:\WINDOWS\CSV9.GID
2008-06-02 22:20 . 2008-06-03 14:07 <DIR> d-------- C:\Program Files\parentalcontrol
2008-06-02 18:53 . 2008-06-02 18:53 <DIR> d-------- C:\Documents and Settings\Guest Account_2\Application Data\Conceptworld
2008-06-02 18:50 . 2008-06-02 18:50 <DIR> d-------- C:\Documents and Settings\Guest Account_2\Application Data\ATI
2008-06-02 18:49 . 2008-06-04 20:39 <DIR> d-------- C:\Documents and Settings\Guest Account_2
2008-06-02 17:42 . 2008-06-06 22:46 <DIR> d-------- C:\Documents and Settings\Guest Account
2008-06-02 16:56 . 1999-09-09 11:28 446,464 --a------ C:\WINDOWS\system32\HHActiveX.dll
2008-06-02 16:56 . 2008-06-02 17:07 119 --a------ C:\WINDOWS\NNS.INI
2008-05-30 16:30 . 2008-05-30 16:30 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-05-30 16:30 . 2008-05-30 16:30 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-05-30 16:30 . 2008-05-30 16:30 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-05-24 19:35 . 2008-05-24 19:35 <DIR> d-------- C:\Documents and Settings\Juliana\Application Data\Conceptworld
2008-05-24 18:30 . 2008-05-24 18:30 <DIR> d-------- C:\Documents and Settings\Juliana\Application Data\ATI
2008-05-24 18:29 . 2008-06-02 18:05 <DIR> d-------- C:\Documents and Settings\Juliana
2008-05-21 15:00 . 2008-06-08 18:14 <DIR> d-------- C:\Program Files\eMule
2008-05-17 15:23 . 2008-05-17 15:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2099-03-01 12:19 2,370,560 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2099-03-01 12:18 3,348,992 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-06-14 04:17 --------- d-----w C:\Program Files\Sentinel Web
2008-06-14 04:15 15,976 ----a-w C:\WINDOWS\system32\Temp.tmp
2008-06-14 00:36 --------- d-----w C:\Program Files\Fantasy Wars
2008-06-14 00:33 --------- d-----w C:\Program Files\DynDNS Updater
2008-06-14 00:32 --------- d-----w C:\Program Files\LogMeIn
2008-06-10 01:54 --------- d-----w C:\Program Files\PeerGuardian2
2008-06-09 19:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-09 01:26 --------- d-----w C:\Program Files\ESET
2008-06-08 22:14 --------- d-----w C:\Program Files\Siber Systems
2008-06-08 01:56 --------- d-----w C:\Documents and Settings\Andrew\Application Data\Azureus
2008-06-05 03:39 3,082,240 ----a-w C:\WINDOWS\Internet Logs\xDB68.tmp
2008-06-03 23:17 5,692 ----a-w C:\WINDOWS\system32\wfileu.drv
2008-06-03 19:42 6,107,648 ----a-w C:\WINDOWS\Internet Logs\xDB67.tmp
2008-06-03 19:42 3,250,176 ----a-w C:\WINDOWS\Internet Logs\xDB66.tmp
2008-06-03 00:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-01 20:06 --------- d-----w C:\Program Files\Google
2008-05-29 08:46 --------- d-----w C:\Program Files\Age of Wonders Shadow Magic
2008-05-27 03:06 25,229,036 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-05-25 21:03 2,980,352 ----a-w C:\WINDOWS\Internet Logs\xDB65.tmp
2008-05-21 22:35 114 ----a-w C:\sccfg.sys
2008-05-21 21:41 6,046,720 ----a-w C:\WINDOWS\Internet Logs\xDB64.tmp
2008-05-21 21:41 3,332,096 ----a-w C:\WINDOWS\Internet Logs\xDB63.tmp
2008-05-17 22:22 --------- d-----w C:\Program Files\Azureus
2008-05-13 20:06 --------- d-----w C:\Program Files\Save My Work
2008-05-09 19:57 --------- d-----w C:\Program Files\Soulseek
2008-05-09 19:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-09 19:38 --------- d-----w C:\Program Files\QuickTime
2008-05-09 19:35 --------- d-----w C:\Program Files\Apple Software Update
2008-05-09 19:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-05-08 21:34 3,749,376 ----a-w C:\WINDOWS\Internet Logs\xDB62.tmp
2008-05-08 19:32 --------- d-----w C:\Program Files\Turbo Lister2
2008-04-28 18:22 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-04-28 18:22 --------- d--h--r C:\Documents and Settings\Andrew\Application Data\SecuROM
2008-04-28 03:38 --------- d-----w C:\Program Files\Ubisoft
2008-04-22 17:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2008-04-21 03:29 278,728 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-04-21 03:29 25,416 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
2008-04-20 06:12 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2008-04-20 06:12 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2008-04-20 06:12 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2008-04-16 18:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-16 18:04 --------- d-----w C:\Program Files\Lavasoft
2008-04-16 18:00 --------- d-----w C:\Documents and Settings\Andrew\Application Data\Lavasoft
2008-04-05 18:50 3,308,032 ----a-w C:\WINDOWS\Internet Logs\xDB61.tmp
2008-03-25 03:51 11,114 ----a-w C:\Documents and Settings\All Users\Application Data\MainApp.dll
2008-03-21 06:25 43,698 ----a-w C:\WINDOWS\system32\xvid-uninstall.exe
2008-03-16 22:56 1,371,136 ----a-w C:\WINDOWS\Internet Logs\xDB60.tmp
2007-06-24 01:32 81,920 ----a-w C:\Documents and Settings\Andrew\Application Data\ezpinst.exe
2007-06-24 01:32 47,360 ----a-w C:\Documents and Settings\Andrew\Application Data\pcouffin.sys
2005-09-10 03:55 7,155,864 ----a-w C:\Program Files\NGhost10.msi
2005-09-10 03:55 37,766,164 ----a-w C:\Program Files\Data1.cab
2005-09-10 03:55 35 ----a-w C:\Program Files\SCSSDist.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-03 10:53 68856]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-01-18 13:12 160592]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2006-10-31 22:24 57344]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2006-04-05 23:03 1622016]
"SkinClock"="C:\Program Files\Clock Tray Skins\ClockTraySkins.exe" [2007-08-23 18:27 459264]
"SaveMyWork"="C:\Program Files\Save My Work\SaveMyWork.exe" [2004-12-10 04:52 487424]
"CCWinTray"="C:\WINDOWS\Tray\wintmr.exe" [2008-04-30 14:15 4400312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Launch LGDCore"="C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" [2007-04-26 17:22 1132056]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 10:34 851968]
"UPSMON"="C:\Program Files\Sentinel Web\Sentinel.exe" [2005-07-15 14:12 429568]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-09-12 10:20 63048]
"Enterra Icon Keeper"="C:\Program Files\Enterra Icon Keeper\IcnKeepr.exe" [2006-08-18 17:32 57344]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-06-09 22:33 919016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-06-09 22:33 949376]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"ChicoSys"="C:\WINDOWS\system32\cc32\webtmr.exe" [2008-04-30 14:15 3986616]

C:\Documents and Settings\Andrew\Start Menu\Programs\Startup\
DTEMP.lnk - C:\Program Files\HDD Temperature\DTemp.exe [2008-01-23 18:11:02 60416]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableClock"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuFavorites"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)
"NoMultiIE"= 0 (0x0)
"LWA"= 0 (0x0)
"LWB"= 0 (0x0)
"LWC"= 0 (0x0)
"LWD"= 0 (0x0)
"LWE"= 0 (0x0)
"LWF"= 0 (0x0)
"LWG"= 0 (0x0)
"LWH"= 0 (0x0)
"LWI"= 0 (0x0)
"LWJ"= 0 (0x0)
"LWK"= 0 (0x0)
"LWL"= 0 (0x0)
"LWM"= 0 (0x0)
"LWN"= 0 (0x0)
"LWO"= 0 (0x0)
"LWP"= 0 (0x0)
"LWQ"= 0 (0x0)
"LWR"= 0 (0x0)
"LWS"= 0 (0x0)
"LWT"= 0 (0x0)
"LWU"= 0 (0x0)
"LWV"= 0 (0x0)
"LWW"= 0 (0x0)
"LWX"= 0 (0x0)
"LWY"= 0 (0x0)
"LWZ"= 0 (0x0)
"RestrictRun"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-06-09 23:03 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-06-09 23:03 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 19:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VCR2"= ATIVCR2.DLL
"VIDC.DRAW"= DVIDEO.DLL
"VIDC.VCR1"= ATIVCR1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Andrew^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 12:21 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2005-10-04 06:12 90112 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-11-09 16:07 49263 C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
"SetDefPrt"=C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
"Launch LCDMon"="C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Notmad Explorer\\notmgr.exe"=
"C:\\Program Files\\eMule\\emule.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [2007-02-21 17:15]
R1 Klmc;Klmc;C:\WINDOWS\system32\drivers\klmc.sys [2006-02-28 06:11]
R2 DynDNS_Updater_Service;DynDNS Updater Service;C:\Program Files\DynDNS Updater\DynDNS.exe [2006-09-17 11:32]
R2 LANPkt;Realtek LANPkt Protocol;C:\WINDOWS\system32\DRIVERS\LANPkt.sys [2003-09-17 15:57]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-09-12 10:21]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-09-12 10:20]
R2 PD91Agent;PD91Agent;"C:\Program Files\PerfectDisk2008\PD91Agent.exe" [2008-02-28 10:44]
R2 SmartCheckSvc;SmartCheck service;C:\Program Files\Advanced SmartCheck\Client\SmCh_svc.exe [2006-12-03 16:21]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2002-12-31 05:00]
R2 Windows-CCHook-Service;Windows-CCHook-Service;C:\WINDOWS\system32\cchservice.exe [2002-12-31 05:00]
R3 radpms;Driver for RADPMS Device;C:\WINDOWS\system32\DRIVERS\radpms.sys [2007-09-12 10:20]
S2 DirectJicg;DirectX Service;C:\WINDOWS\system32\directx.exe []
S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys [2008-06-09 20:13]
S3 PD91Engine;PD91Engine;"C:\Program Files\PerfectDisk2008\PD91Engine.exe" [2008-02-29 14:08]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1664acf7-ce47-11dc-ba0d-00179a7e83bb}]
\Shell\AutoRun\command - K:\autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-07 00:32:48 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-13 21:17:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Sentinel Web\OPTISAFE_Service.exe
C:\Program Files\Sentinel Web\UPSInt.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-06-13 21:28:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-14 04:28:12

Pre-Run: 11,115,323,392 bytes free
Post-Run: 11,113,213,952 bytes free

376

HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:35 PM, on 6/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\PerfectDisk2008\PD91Agent.exe
C:\Program Files\Advanced SmartCheck\Client\SmCh_svc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sentinel Web\OPTISAFE_Service.Exe
C:\WINDOWS\system32\cchservice.exe
C:\Program Files\Sentinel Web\UPSInt.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Sentinel Web\Sentinel.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\cc32\webtmr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Clock Tray Skins\ClockTraySkins.exe
C:\Program Files\Save My Work\SaveMyWork.exe
C:\WINDOWS\Tray\wintmr.exe
C:\Program Files\HDD Temperature\DTemp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f539.mail....e...=Inbox&YN=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [UPSMON] C:\Program Files\Sentinel Web\Sentinel.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Enterra Icon Keeper] "C:\Program Files\Enterra Icon Keeper\IcnKeepr.exe" ssp /s
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ChicoSys] C:\WINDOWS\system32\cc32\webtmr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Clock Tray Skins\ClockTraySkins.exe
O4 - HKCU\..\Run: [SaveMyWork] C:\Program Files\Save My Work\SaveMyWork.exe
O4 - HKCU\..\Run: [CCWinTray] C:\WINDOWS\Tray\wintmr.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'NETWORK SERVICE')
O4 - Startup: DTEMP.lnk = C:\Program Files\HDD Temperature\DTemp.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: Add all items to the auction list - res://C:\Program Files\RKD\AuctionNavigator\BidCtxtClick.dll/202
O8 - Extra context menu item: Add this item to the auction list - res://C:\Program Files\RKD\AuctionNavigator\BidCtxtClick.dll/201
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: InterCasino £££ - {03588886-5C50-4645-BD5D-F105F84417DE} - http://www.intercasino.co.uk/ (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: InterCasino £££ - {03588886-5C50-4645-BD5D-F105F84417DE} - http://www.intercasino.co.uk/ (file missing) (HKCU)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....030/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189976167406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1189976126937
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.c.../npseatools.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15030/CTPID.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/RACtrl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DirectX Service (DirectJicg) - Unknown owner - C:\WINDOWS\system32\directx.exe (file missing)
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Kana Solution - C:\Program Files\DynDNS Updater\DynDNS.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\PerfectDisk2008\PD91Engine.exe
O23 - Service: SmartCheck service (SmartCheckSvc) - URL Toy Software - C:\Program Files\Advanced SmartCheck\Client\SmCh_svc.exe
O23 - Service: UPSMONService - Unknown owner - C:\Program Files\Sentinel Web\OPTISAFE_Service.Exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows-CCHook-Service - Salfeld Computer - C:\WINDOWS\system32\cchservice.exe

--
End of file - 12866 bytes
  • 0
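The ComboFix and HijackThis logs above are what a helper reads by hand when deciding what to put into a CFScript. As an added illustration (this is not code from the thread, from HijackThis or from ComboFix), the following Python script parses O4 autostart and O23 service lines in the HijackThis format shown above and flags the three things a reviewer looks at first: a service whose binary is missing, a service with no publisher information, and an autostart that runs from a user-writable or non-standard directory. The sample lines are constructed in the thread's format (the `Updater` entry in `Temp` is invented for the example); the rules are review heuristics that say "look here first", not a verdict.

```python
"""Triage helper for HijackThis-style O4/O23 log lines.

Added example: not code from the thread, from HijackThis or from ComboFix.
A hit means "review this entry first", not "this is malware".
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Registry-form autostart entries, e.g.
#   O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" /flag
# (the "O4 - Startup: x.lnk = ..." form is not handled here)
O4_RE = re.compile(
    r'^O4 - (?P<hive>[^:]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$'
)
# Service entries, e.g.
#   O23 - Service: Display name (svcname) - Publisher - C:\path\svc.exe (file missing)
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
# First executable in a command line: a quoted path, or an unquoted path
# ending at the first .exe/.dll/... that is followed by whitespace or end.
EXE_RE = re.compile(
    r'^"(?P<quoted>[^"]+)"|^(?P<bare>.+?\.(?:exe|dll|com|scr|bat|cmd))(?=\s|$)',
    re.IGNORECASE,
)

STANDARD_DIRS = ('c:\\program files\\', 'c:\\windows\\')
USER_WRITABLE_HINTS = ('\\temp\\', '\\application data\\', '\\local settings\\')

# Constructed sample in the thread's log format; the "Updater" line is invented.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ChicoSys] C:\WINDOWS\system32\cc32\webtmr.exe
O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\Andrew\Local Settings\Temp\upd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: DirectX Service (DirectJicg) - Unknown owner - C:\WINDOWS\system32\directx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""


@dataclass
class Finding:
    line: str
    reason: str


def parse_exe(cmd: str) -> Optional[str]:
    """Return the executable path from an O4 command string, or None if unparseable."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return None
    return m.group('quoted') or m.group('bare')


def triage(log_text: str) -> List[Finding]:
    """Scan O4/O23 lines and return the entries worth a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m4 = O4_RE.match(line)
        if m4:
            path = parse_exe(m4.group('cmd'))
            if path is None:
                findings.append(Finding(line, 'autostart command could not be parsed'))
                continue
            low = path.lower()
            if any(h in low for h in USER_WRITABLE_HINTS):
                findings.append(Finding(line, f'autostart runs from a user-writable location: {path}'))
            elif not low.startswith(STANDARD_DIRS):
                findings.append(Finding(line, f'autostart outside standard program directories: {path}'))
            continue
        m23 = O23_RE.match(line)
        if m23:
            name, owner, path = m23.group('name'), m23.group('owner'), m23.group('path')
            if path.endswith('(file missing)'):
                findings.append(Finding(line, f'service {name!r} points at a missing binary (orphaned entry)'))
            if owner == 'Unknown owner':
                findings.append(Finding(line, f'service {name!r} carries no publisher information'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.reason}\n    {f.line}')
```

On the sample the script reports four findings: the invented `Temp` autostart, the orphaned `DirectJicg` service (twice, for the missing file and the unknown owner) and `ATI Smart` for its missing publisher. Note that an "Unknown owner" hit is weak evidence on its own; the `ATI Smart` entry is a normal driver-vendor service, which is exactly why the output is a review list rather than a removal list.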

#4 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Post all these logs together; it may need two posts.

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
K:\autorun.exe
Folder::

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1664acf7-ce47-11dc-ba0d-00179a7e83bb}]

Sysrst::

Driver::
DirectJicg


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



Click here to use the F-Secure Online Scanner
  • Then click the Start Scanning button below.
  • You should get a notification (bar on top) to install the ActiveX. Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished, click the Automatic cleaning (recommended) button.
  • It is possible that your firewall gives an alert; allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and copy and paste what's present under results in your next reply.


#5
ajdedo (Member)
  • Topic Starter
  • 12 posts
ComboFix

ComboFix 08-06-12.2 - Andrew 2008-06-14 11:26:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.619 [GMT -7:00]
Running from: C:\Andrew's new Desktop\Combo-Fix.exe
Command switches used :: C:\Andrew's new Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
K:\autorun.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\swctl.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DIRECTJICG
-------\Service_DirectJicg


((((((((((((((((((((((((( Files Created from 2008-05-14 to 2008-06-14 )))))))))))))))))))))))))))))))
.

2008-06-14 11:33 . 2008-06-14 11:33 90 --a------ C:\WINDOWS\system32\swctl.dll
2008-06-10 11:36 . 2008-06-10 11:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-09 14:04 . 2008-06-09 14:04 <DIR> d-------- C:\Program Files\Panda Security
2008-06-09 13:30 . 2008-06-09 13:30 <DIR> d-------- C:\Temp
2008-06-09 12:59 . 2008-06-09 23:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-09 12:59 . 2008-06-09 12:59 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\SUPERAntiSpyware.com
2008-06-09 12:59 . 2008-06-09 12:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-09 12:10 . 2008-06-09 22:34 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-09 12:10 . 2008-06-09 12:10 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-09 12:10 . 2008-06-09 12:10 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\Malwarebytes
2008-06-09 12:10 . 2008-06-09 12:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-09 12:10 . 2008-06-09 20:13 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-09 12:10 . 2008-06-09 20:13 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-08 23:52 . 2008-06-08 23:52 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-08 23:52 . 2008-06-08 23:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-08 23:29 . 2008-06-08 23:30 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-06-08 23:25 . 2008-06-08 23:28 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-06-08 23:14 . 2008-06-08 23:42 <DIR> d-------- C:\Documents and Settings\Andrew\.housecall6.6
2008-06-08 15:14 . 2008-06-08 15:21 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\GoodSync
2008-06-04 20:50 . 2002-12-31 05:00 12,440 ---h----- C:\net.ini
2008-06-04 20:49 . 2008-06-04 21:03 <DIR> d-------- C:\WINDOWS\tray
2008-06-04 20:49 . 2008-06-14 11:33 <DIR> d-------- C:\WINDOWS\system32\wdrv
2008-06-04 20:49 . 2008-06-04 21:03 <DIR> d-------- C:\WINDOWS\system32\cc32
2008-06-04 20:49 . 2008-06-04 20:49 <DIR> d-------- C:\Program Files\Salfeld
2008-06-04 20:49 . 2008-06-04 21:03 <DIR> d-------- C:\Program Files\Common Files\Tray
2008-06-04 20:49 . 2008-06-04 20:50 <DIR> d-------- C:\Program Files\Common Files\System Shared
2008-06-04 20:49 . 2008-06-04 21:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\System
2008-06-04 20:49 . 2002-12-31 05:00 5,196,917 --a------ C:\WINDOWS\system32\httpsurl.dat
2008-06-04 20:49 . 2002-12-31 05:00 965,808 --a------ C:\WINDOWS\system32\cchservice.exe
2008-06-04 20:49 . 2002-12-31 05:00 362,160 --a------ C:\WINDOWS\system32\wdrvprg.dll
2008-06-04 20:49 . 2002-12-31 05:00 358,576 --a------ C:\WINDOWS\system32\wdrvhook.dll
2008-06-04 20:49 . 2002-12-31 05:00 345,088 --a------ C:\WINDOWS\system32\wdrvtask.dll
2008-06-04 20:49 . 2002-12-31 05:00 501 --a------ C:\WINDOWS\system32\nochook.ini
2008-06-04 20:49 . 2002-12-31 05:00 143 ---h----- C:\WINDOWS\system32\ctlsw.ini
2008-06-04 01:45 . 2008-06-04 01:45 <DIR> d-------- C:\Documents and Settings\Guest Account_2\Application Data\ParentalControl
2008-06-03 18:17 . 2008-06-04 20:40 <DIR> d-------- C:\Program Files\Parental Control
2008-06-03 18:17 . 2008-06-03 18:17 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\ParentalControl
2008-06-03 13:57 . 2008-06-03 16:19 8,628 --ah----- C:\WINDOWS\CSV9.GID
2008-06-02 22:20 . 2008-06-03 14:07 <DIR> d-------- C:\Program Files\parentalcontrol
2008-06-02 18:53 . 2008-06-02 18:53 <DIR> d-------- C:\Documents and Settings\Guest Account_2\Application Data\Conceptworld
2008-06-02 18:50 . 2008-06-02 18:50 <DIR> d-------- C:\Documents and Settings\Guest Account_2\Application Data\ATI
2008-06-02 18:49 . 2008-06-04 20:39 <DIR> d-------- C:\Documents and Settings\Guest Account_2
2008-06-02 17:42 . 2008-06-06 22:46 <DIR> d-------- C:\Documents and Settings\Guest Account
2008-06-02 16:56 . 1999-09-09 11:28 446,464 --a------ C:\WINDOWS\system32\HHActiveX.dll
2008-06-02 16:56 . 2008-06-02 17:07 119 --a------ C:\WINDOWS\NNS.INI
2008-05-30 16:30 . 2008-05-30 16:30 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-05-30 16:30 . 2008-05-30 16:30 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-05-30 16:30 . 2008-05-30 16:30 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-05-24 19:35 . 2008-05-24 19:35 <DIR> d-------- C:\Documents and Settings\Juliana\Application Data\Conceptworld
2008-05-24 18:30 . 2008-05-24 18:30 <DIR> d-------- C:\Documents and Settings\Juliana\Application Data\ATI
2008-05-24 18:29 . 2008-06-02 18:05 <DIR> d-------- C:\Documents and Settings\Juliana
2008-05-21 15:00 . 2008-06-08 18:14 <DIR> d-------- C:\Program Files\eMule
2008-05-17 15:23 . 2008-05-17 15:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2099-03-01 12:19 2,370,560 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2099-03-01 12:18 3,348,992 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-06-14 18:32 --------- d-----w C:\Program Files\Sentinel Web
2008-06-14 18:31 15,976 ----a-w C:\WINDOWS\system32\Temp.tmp
2008-06-14 18:22 --------- d-----w C:\Program Files\DynDNS Updater
2008-06-14 18:21 --------- d-----w C:\Program Files\LogMeIn
2008-06-14 00:36 --------- d-----w C:\Program Files\Fantasy Wars
2008-06-10 01:54 --------- d-----w C:\Program Files\PeerGuardian2
2008-06-09 19:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-09 01:26 --------- d-----w C:\Program Files\ESET
2008-06-08 22:14 --------- d-----w C:\Program Files\Siber Systems
2008-06-08 01:56 --------- d-----w C:\Documents and Settings\Andrew\Application Data\Azureus
2008-06-05 03:39 3,082,240 ----a-w C:\WINDOWS\Internet Logs\xDB68.tmp
2008-06-03 23:17 5,692 ----a-w C:\WINDOWS\system32\wfileu.drv
2008-06-03 19:42 6,107,648 ----a-w C:\WINDOWS\Internet Logs\xDB67.tmp
2008-06-03 19:42 3,250,176 ----a-w C:\WINDOWS\Internet Logs\xDB66.tmp
2008-06-03 00:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-01 20:06 --------- d-----w C:\Program Files\Google
2008-05-29 08:46 --------- d-----w C:\Program Files\Age of Wonders Shadow Magic
2008-05-27 03:06 25,229,036 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-05-25 21:03 2,980,352 ----a-w C:\WINDOWS\Internet Logs\xDB65.tmp
2008-05-21 22:35 114 ----a-w C:\sccfg.sys
2008-05-21 21:41 6,046,720 ----a-w C:\WINDOWS\Internet Logs\xDB64.tmp
2008-05-21 21:41 3,332,096 ----a-w C:\WINDOWS\Internet Logs\xDB63.tmp
2008-05-17 22:22 --------- d-----w C:\Program Files\Azureus
2008-05-13 20:06 --------- d-----w C:\Program Files\Save My Work
2008-05-09 19:57 --------- d-----w C:\Program Files\Soulseek
2008-05-09 19:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-09 19:38 --------- d-----w C:\Program Files\QuickTime
2008-05-09 19:35 --------- d-----w C:\Program Files\Apple Software Update
2008-05-09 19:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-05-08 21:34 3,749,376 ----a-w C:\WINDOWS\Internet Logs\xDB62.tmp
2008-05-08 19:32 --------- d-----w C:\Program Files\Turbo Lister2
2008-04-28 18:22 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-04-28 18:22 --------- d--h--r C:\Documents and Settings\Andrew\Application Data\SecuROM
2008-04-28 03:38 --------- d-----w C:\Program Files\Ubisoft
2008-04-22 17:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2008-04-21 03:29 278,728 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-04-21 03:29 25,416 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
2008-04-20 06:12 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2008-04-20 06:12 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2008-04-20 06:12 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2008-04-16 18:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-16 18:04 --------- d-----w C:\Program Files\Lavasoft
2008-04-16 18:00 --------- d-----w C:\Documents and Settings\Andrew\Application Data\Lavasoft
2008-04-05 18:50 3,308,032 ----a-w C:\WINDOWS\Internet Logs\xDB61.tmp
2008-03-25 03:51 11,114 ----a-w C:\Documents and Settings\All Users\Application Data\MainApp.dll
2008-03-21 06:25 43,698 ----a-w C:\WINDOWS\system32\xvid-uninstall.exe
2008-03-16 22:56 1,371,136 ----a-w C:\WINDOWS\Internet Logs\xDB60.tmp
2007-06-24 01:32 81,920 ----a-w C:\Documents and Settings\Andrew\Application Data\ezpinst.exe
2007-06-24 01:32 47,360 ----a-w C:\Documents and Settings\Andrew\Application Data\pcouffin.sys
2005-09-10 03:55 7,155,864 ----a-w C:\Program Files\NGhost10.msi
2005-09-10 03:55 37,766,164 ----a-w C:\Program Files\Data1.cab
2005-09-10 03:55 35 ----a-w C:\Program Files\SCSSDist.ini
.

((((((((((((((((((((((((((((( snapshot@2008-06-13_21.25.13.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-14 04:17:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-14 18:32:26 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-03 10:53 68856]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-01-18 13:12 160592]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2006-10-31 22:24 57344]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2006-04-05 23:03 1622016]
"SkinClock"="C:\Program Files\Clock Tray Skins\ClockTraySkins.exe" [2007-08-23 18:27 459264]
"SaveMyWork"="C:\Program Files\Save My Work\SaveMyWork.exe" [2004-12-10 04:52 487424]
"CCWinTray"="C:\WINDOWS\Tray\wintmr.exe" [2008-04-30 14:15 4400312]

C:\Documents and Settings\Andrew\Start Menu\Programs\Startup\
DTEMP.lnk - C:\Program Files\HDD Temperature\DTemp.exe [2008-01-23 18:11:02 60416]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableClock"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuFavorites"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)
"NoMultiIE"= 0 (0x0)
"LWA"= 0 (0x0)
"LWB"= 0 (0x0)
"LWC"= 0 (0x0)
"LWD"= 0 (0x0)
"LWE"= 0 (0x0)
"LWF"= 0 (0x0)
"LWG"= 0 (0x0)
"LWH"= 0 (0x0)
"LWI"= 0 (0x0)
"LWJ"= 0 (0x0)
"LWK"= 0 (0x0)
"LWL"= 0 (0x0)
"LWM"= 0 (0x0)
"LWN"= 0 (0x0)
"LWO"= 0 (0x0)
"LWP"= 0 (0x0)
"LWQ"= 0 (0x0)
"LWR"= 0 (0x0)
"LWS"= 0 (0x0)
"LWT"= 0 (0x0)
"LWU"= 0 (0x0)
"LWV"= 0 (0x0)
"LWW"= 0 (0x0)
"LWX"= 0 (0x0)
"LWY"= 0 (0x0)
"LWZ"= 0 (0x0)
"RestrictRun"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-06-09 23:03 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-06-09 23:03 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 19:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VCR2"= ATIVCR2.DLL
"VIDC.DRAW"= DVIDEO.DLL
"VIDC.VCR1"= ATIVCR1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Andrew^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 12:21 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2005-10-04 06:12 90112 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-11-09 16:07 49263 C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
"SetDefPrt"=C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
"Launch LCDMon"="C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Notmad Explorer\\notmgr.exe"=
"C:\\Program Files\\eMule\\emule.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [2007-02-21 17:15]
R1 Klmc;Klmc;C:\WINDOWS\system32\drivers\klmc.sys [2006-02-28 06:11]
R2 DynDNS_Updater_Service;DynDNS Updater Service;C:\Program Files\DynDNS Updater\DynDNS.exe [2006-09-17 11:32]
R2 LANPkt;Realtek LANPkt Protocol;C:\WINDOWS\system32\DRIVERS\LANPkt.sys [2003-09-17 15:57]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-09-12 10:21]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-09-12 10:20]
R2 PD91Agent;PD91Agent;"C:\Program Files\PerfectDisk2008\PD91Agent.exe" [2008-02-28 10:44]
R2 SmartCheckSvc;SmartCheck service;C:\Program Files\Advanced SmartCheck\Client\SmCh_svc.exe [2006-12-03 16:21]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2002-12-31 05:00]
R2 Windows-CCHook-Service;Windows-CCHook-Service;C:\WINDOWS\system32\cchservice.exe [2002-12-31 05:00]
R3 radpms;Driver for RADPMS Device;C:\WINDOWS\system32\DRIVERS\radpms.sys [2007-09-12 10:20]
S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys [2008-06-09 20:13]
S3 PD91Engine;PD91Engine;"C:\Program Files\PerfectDisk2008\PD91Engine.exe" [2008-02-29 14:08]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-06-07 00:32:48 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 11:33:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\swctl.dll 90 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Sentinel Web\OPTISAFE_Service.exe
C:\Program Files\Sentinel Web\UPSInt.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Sentinel Web\Sentinel.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\cc32\webtmr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2008-06-14 11:42:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-14 18:41:53
ComboFix2.txt 2008-06-14 04:28:31

Pre-Run: 11,089,354,752 bytes free
Post-Run: 11,076,018,176 bytes free

292

KASPERSKY

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, June 14, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, June 14, 2008 18:54:46
Records in database: 863939
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
N:\
Z:\

Scan statistics:
Files scanned: 172956
Threat name: 13
Infected objects: 27
Suspicious objects: 0
Duration of the scan: 03:06:02


File name / Threat name / Threats count
C:\Andrew's new Desktop\HFS File Server.exe Infected: not-a-virus:Server-FTP.Win32.SFH.d 1
C:\Andrew's new Desktop\NetTools5.0.70.zip Infected: not-a-virus:NetTool.MSIL.Sniffer.a 1
C:\Andrew's new Desktop\Portable Apps March 08\PortableApps\HTTP File Server\HFS File Server.exe Infected: not-a-virus:Server-FTP.Win32.SFH.d 1
C:\Andrew's new Desktop\Portable Apps March 08\PortableApps\RockXP\RockXP4.exe Infected: not-a-virus:PSWTool.Win32.PWDump.2 2
C:\Andrew's new Desktop\Portable Apps March 08\PortableApps\RockXP\RockXP4.exe Infected: not-a-virus:PSWTool.Win32.RAS.a 1
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\120593.exe.vir Infected: Backdoor.Win32.Hupigon.cjai 1
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\129375.exe.vir Infected: Backdoor.Win32.Hupigon.cjai 1
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\132296.exe.vir Infected: Backdoor.Win32.Hupigon.cjai 1
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\135515.exe.vir Infected: Backdoor.Win32.Hupigon.cjai 1
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\139343.exe.vir Infected: Backdoor.Win32.Hupigon.cjai 1
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\142453.exe.vir Infected: Backdoor.Win32.Hupigon.cjai 1
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\174218.exe.vir Infected: Backdoor.Win32.Hupigon.cjai 1
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\187250.exe.vir Infected: Backdoor.Win32.Hupigon.cjai 1
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\252750.exe.vir Infected: Backdoor.Win32.Hupigon.cjai 1
C:\QooBox\Quarantine\Registry_backups\Service_srosa.reg.dat Infected: Trojan-Downloader.Win32.Bagle.hp 1
C:\WINDOWS\psshutdown.exe Infected: not-a-virus:RiskTool.Win32.PsKill.au 1
D:\Appz\Windows - Unattended\LastXP\Lastxp 17 Dvd.iso Infected: not-a-virus:PSWTool.Win32.IEPassView.h 1
D:\Appz\Windows - Unattended\LastXP\Lastxp 17 Dvd.iso Infected: not-a-virus:PSWTool.Win32.MPR.015 2
D:\Appz\Windows - Unattended\LastXP\Lastxp 17 Dvd.iso Infected: not-a-virus:PSWTool.Win32.RAS.a 2
D:\Appz\Windows - Unattended\WinBorgXP\WinBorg XP (Nov07) DVD.iso Infected: not-a-virus:Client-IRC.Win32.mIRC.63 1
D:\Appz\Windows - Unattended\WinBorgXP\WinBorg XP (Nov07) DVD.iso Infected: Backdoor.Win32.Delf.dnc 1
D:\Appz\Windows - Unattended\WinBorgXP\WinBorgXP (Mar08 DVD).iso Infected: not-a-virus:Client-IRC.Win32.mIRC.63 1
D:\Z - Sony HD and Recovery\Current Sony HD\WINDOWS\system32\cmdow.exe Infected: not-a-virus:RiskTool.Win32.HideWindows 1
D:\Z - Sony HD and Recovery\Current Sony HD\WINDOWS\system32\pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 1

The selected area was scanned.

F-Secure

A problem arose because I lose my internet connection after 5 or 10 minutes. I was able to start and run F-Secure; however, when the program finished its scan, the next page that appeared was the generic ->

The page cannot be displayed

The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.


I can only run online scans that do not require an internet connection when they finish.

Edited by ajdedo, 14 June 2008 - 09:25 PM.

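The ComboFix log above says more than "swctl.dll deleted". The same file shows up in the Files Created list with a timestamp of 11:33, during the run, and catchme then reports it as a hidden 90-byte file, so whatever writes it is still active. The registry dump also records the Windows Firewall standard profile switched off (EnableFirewall = 0), TCP 3389 (Remote Desktop) and two game ports open to every network, P2P clients in the firewall exception list, Security Center update warnings suppressed, and Security Center monitoring disabled for the ZoneLabs firewall. The Python below is an added example, my code and not ComboFix's or the forum's: it parses a ComboFix-style "Reg Loading Points" dump and the catchme block and turns those settings into findings. SAMPLE_LOG is a constructed excerpt modelled on the lines above, and the finding codes are my own naming.

```python
import re

# Constructed excerpt, modelled on the "Reg Loading Points" and catchme
# sections of the ComboFix log posted above; it is not the full log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\eMule\\emule.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"6112:TCP"= 6112:TCP:Blizzard Downloader

scanning hidden files ...

C:\WINDOWS\system32\swctl.dll 90 bytes

scan completed successfully
hidden files: 1
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')
HIDDEN_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S.*?)\s+(?P<size>\d+) bytes$")


def parse_reg_points(text):
    """Map each [registry key] header to the "name"=data lines beneath it.
    Keys are lower-cased so lookups are case-insensitive like the registry."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key").lower()
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group("name")] = m.group("data").strip()
    return sections


def dword(data):
    """ComboFix prints DWORDs two ways: 'dword:00000001' and '0 (0x0)'."""
    data = data.strip()
    m = re.match(r"dword:([0-9a-fA-F]+)", data)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", data)
    return int(m.group(1)) if m else None


def section_ending(sections, suffix):
    """Values of the first section whose key ends with suffix (or {})."""
    suffix = suffix.lower()
    return next((v for k, v in sections.items() if k.endswith(suffix)), {})


def hidden_files(text):
    """(path, size) pairs catchme lists between 'scanning hidden files' and 'scan completed'."""
    found, in_block = [], False
    for line in text.splitlines():
        if line.startswith("scanning hidden files"):
            in_block = True
            continue
        if line.startswith("scan completed"):
            in_block = False
        if in_block:
            m = HIDDEN_RE.match(line.strip())
            if m:
                found.append((m.group("path"), int(m.group("size"))))
    return found


def audit(text):
    """Return (code, detail) findings a reviewer would raise from this log."""
    s = parse_reg_points(text)
    findings = []

    profile = section_ending(s, r"firewallpolicy\standardprofile")
    if dword(profile.get("EnableFirewall", "")) == 0:
        findings.append(("FIREWALL_OFF", "Windows Firewall disabled for the standard profile"))

    for name, data in section_ending(s, r"globallyopenports\list").items():
        port, proto = name.split(":", 1)
        desc = data.split(":", 2)[-1] if data.count(":") >= 2 else data
        findings.append(("OPEN_PORT", f"{port}/{proto} open to all networks ({desc})"))

    # The exception list stores paths with doubled backslashes; normalise them.
    apps = [a.replace("\\\\", "\\") for a in section_ending(s, r"authorizedapplications\list")]
    if apps:
        findings.append(("FW_EXCEPTIONS", "; ".join(apps)))

    sc = section_ending(s, r"\security center")
    if dword(sc.get("UpdatesDisableNotify", "")) == 1:
        findings.append(("UPDATE_NOTIFY_OFF", "Security Center update warnings suppressed"))

    for key, values in s.items():
        if "\\security center\\monitoring\\" in key and dword(values.get("DisableMonitoring", "")) == 1:
            vendor = key.rsplit("\\", 1)[-1]
            findings.append(("SC_MONITOR_OFF", f"Security Center not monitoring {vendor}"))

    for path, size in hidden_files(text):
        findings.append(("HIDDEN_FILE", f"{path} ({size} bytes) hidden from the Windows API"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_LOG):
        print(f"{code:18} {detail}")
```

Run against the full log, the same routine flags everything a remote attacker would want: the host firewall is off, RDP is reachable from any network, and the only thing standing between the Internet and this machine is the third-party firewall whose Security Center monitoring has been switched off. Whether that last setting was written by the ZoneAlarm installer or by something else is exactly the kind of question the script is meant to surface, not answer.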

#6
Rorschach112 (Ralphie)
  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::

Rootkit::
C:\WINDOWS\system32\swctl.dll

Sysrst::

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.





Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.


Also post a new HijackThis log
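The Dr.Web instructions above say "Yes to all" when it offers to cure or move files, and the Kaspersky report in post #5 shows why a blanket answer deserves a second look. Most of those hits are `not-a-virus:` riskware (an HTTP/FTP file server, password-recovery tools, the Sysinternals pskill and psshutdown utilities), several sit under C:\QooBox\Quarantine where ComboFix has already renamed them to .vir and they cannot run, and the genuine backdoors are either in that quarantine or inside an ISO image. The Python below is an added example, my code and not the forum's or any vendor's: it parses Kaspersky-style report lines and sorts each hit into one of four buckets so the cure/delete decision is made per line rather than once for everything. The sample lines are a constructed excerpt from that report; the bucket names and advice strings are my own.

```python
import re

# Constructed sample modelled on a handful of lines from the Kaspersky
# Online Scanner 7 report in post #5 above; it is not the whole report.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Andrew's new Desktop\HFS File Server.exe Infected: not-a-virus:Server-FTP.Win32.SFH.d 1
C:\Andrew's new Desktop\Portable Apps March 08\PortableApps\RockXP\RockXP4.exe Infected: not-a-virus:PSWTool.Win32.PWDump.2 2
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\120593.exe.vir Infected: Backdoor.Win32.Hupigon.cjai 1
C:\QooBox\Quarantine\Registry_backups\Service_srosa.reg.dat Infected: Trojan-Downloader.Win32.Bagle.hp 1
C:\WINDOWS\psshutdown.exe Infected: not-a-virus:RiskTool.Win32.PsKill.au 1
D:\Appz\Windows - Unattended\WinBorgXP\WinBorg XP (Nov07) DVD.iso Infected: Backdoor.Win32.Delf.dnc 1
D:\Appz\Windows - Unattended\WinBorgXP\WinBorg XP (Nov07) DVD.iso Infected: not-a-virus:Client-IRC.Win32.mIRC.63 1
The selected area was scanned.
"""

# One report line: "<path> Infected: <threat name> <count>"
LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
# Container formats the scanner looks inside; a hit there is not a running file.
ARCHIVE_EXT = (".iso", ".zip", ".cab", ".rar", ".7z")
# ComboFix's quarantine: files renamed .vir plus registry backups, already inert.
QUARANTINE_DIRS = ("\\qoobox\\quarantine\\",)

ADVICE = {
    "quarantined": "already neutralised by ComboFix; nothing runs from here, safe to delete",
    "riskware": "legitimate admin/hacking tool (not-a-virus); keep only if you installed it knowingly",
    "archived": "malware inside an archive or disc image; inert until extracted or burned, delete the container",
    "active": "real malware on the live file system; remove or quarantine now",
}


def parse_report(text):
    """Return (path, threat, count) for every detection line in the report."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((m["path"], m["threat"], int(m["count"])))
    return hits


def classify(path, threat):
    """Decide what one hit means before clicking 'cure' or 'delete' on it.
    Order matters: a quarantined backdoor is still a backdoor, but it is not live."""
    low = path.lower()
    if any(q in low for q in QUARANTINE_DIRS):
        return "quarantined"
    if threat.startswith("not-a-virus:"):
        return "riskware"
    if low.endswith(ARCHIVE_EXT):
        return "archived"
    return "active"


def triage(text):
    """Group the report's hits by what to do about them."""
    verdicts = {}
    for path, threat, count in parse_report(text):
        verdicts.setdefault(classify(path, threat), []).append((path, threat, count))
    return verdicts


def summary(text):
    """Hit count per bucket; 'active' appearing here is the only urgent case."""
    return {cat: len(hits) for cat, hits in triage(text).items()}


if __name__ == "__main__":
    for cat, hits in triage(SAMPLE_REPORT).items():
        print(f"== {cat}: {ADVICE[cat]}")
        for path, threat, count in hits:
            print(f"   {threat:45} x{count}  {path}")
```

On the sample the "active" bucket is empty, which is the result you want to see after a ComboFix run: the Hupigon droppers and the Bagle service entry are in quarantine, the Delf backdoor is inside an unofficial XP install image that should simply be deleted, and the riskware lines are tools the user chose to keep on the desktop. Letting a second scanner "cure" all of them at once would remove those tools and, for the quarantine entries, delete evidence ComboFix might still need.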

#7
ajdedo (Member)
  • Topic Starter
  • 12 posts
Hi, I'm not sure if I should delete the files found by Dr. Web. They seem to be mostly the virus scanners I was instructed to download. The program is still waiting for my input.

Here are the logs you requested.

ComboFix

ComboFix 08-06-12.2 - Andrew 2008-06-15 11:04:34.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.615 [GMT -7:00]
Running from: C:\Andrew's new Desktop\Combo-Fix.exe
Command switches used :: C:\Andrew's new Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\swctl.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-15 to 2008-06-15 )))))))))))))))))))))))))))))))
.

2008-06-14 18:35 . 2008-06-14 18:35 <DIR> d-------- C:\fsaua.data
2008-06-10 11:36 . 2008-06-10 11:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-09 14:04 . 2008-06-09 14:04 <DIR> d-------- C:\Program Files\Panda Security
2008-06-09 13:30 . 2008-06-09 13:30 <DIR> d-------- C:\Temp
2008-06-09 12:59 . 2008-06-09 23:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-09 12:59 . 2008-06-09 12:59 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\SUPERAntiSpyware.com
2008-06-09 12:59 . 2008-06-09 12:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-09 12:10 . 2008-06-09 22:34 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-09 12:10 . 2008-06-09 12:10 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-09 12:10 . 2008-06-09 12:10 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\Malwarebytes
2008-06-09 12:10 . 2008-06-09 12:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-09 12:10 . 2008-06-09 20:13 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-09 12:10 . 2008-06-09 20:13 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-08 23:52 . 2008-06-08 23:52 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-08 23:52 . 2008-06-08 23:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-08 23:29 . 2008-06-08 23:30 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-06-08 23:25 . 2008-06-08 23:28 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-06-08 23:14 . 2008-06-08 23:42 <DIR> d-------- C:\Documents and Settings\Andrew\.housecall6.6
2008-06-08 15:14 . 2008-06-08 15:21 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\GoodSync
2008-06-04 20:50 . 2002-12-31 05:00 12,440 ---h----- C:\net.ini
2008-06-04 20:49 . 2008-06-04 21:03 <DIR> d-------- C:\WINDOWS\tray
2008-06-04 20:49 . 2008-06-15 11:11 <DIR> d-------- C:\WINDOWS\system32\wdrv
2008-06-04 20:49 . 2008-06-04 21:03 <DIR> d-------- C:\WINDOWS\system32\cc32
2008-06-04 20:49 . 2008-06-04 20:49 <DIR> d-------- C:\Program Files\Salfeld
2008-06-04 20:49 . 2008-06-04 21:03 <DIR> d-------- C:\Program Files\Common Files\Tray
2008-06-04 20:49 . 2008-06-04 20:50 <DIR> d-------- C:\Program Files\Common Files\System Shared
2008-06-04 20:49 . 2008-06-04 21:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\System
2008-06-04 20:49 . 2002-12-31 05:00 5,196,917 --a------ C:\WINDOWS\system32\httpsurl.dat
2008-06-04 20:49 . 2002-12-31 05:00 965,808 --a------ C:\WINDOWS\system32\cchservice.exe
2008-06-04 20:49 . 2002-12-31 05:00 362,160 --a------ C:\WINDOWS\system32\wdrvprg.dll
2008-06-04 20:49 . 2002-12-31 05:00 358,576 --a------ C:\WINDOWS\system32\wdrvhook.dll
2008-06-04 20:49 . 2002-12-31 05:00 345,088 --a------ C:\WINDOWS\system32\wdrvtask.dll
2008-06-04 20:49 . 2002-12-31 05:00 501 --a------ C:\WINDOWS\system32\nochook.ini
2008-06-04 20:49 . 2002-12-31 05:00 143 ---h----- C:\WINDOWS\system32\ctlsw.ini
2008-06-04 01:45 . 2008-06-04 01:45 <DIR> d-------- C:\Documents and Settings\Guest Account_2\Application Data\ParentalControl
2008-06-03 18:17 . 2008-06-04 20:40 <DIR> d-------- C:\Program Files\Parental Control
2008-06-03 18:17 . 2008-06-03 18:17 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\ParentalControl
2008-06-03 13:57 . 2008-06-03 16:19 8,628 --ah----- C:\WINDOWS\CSV9.GID
2008-06-02 22:20 . 2008-06-03 14:07 <DIR> d-------- C:\Program Files\parentalcontrol
2008-06-02 18:53 . 2008-06-02 18:53 <DIR> d-------- C:\Documents and Settings\Guest Account_2\Application Data\Conceptworld
2008-06-02 18:50 . 2008-06-02 18:50 <DIR> d-------- C:\Documents and Settings\Guest Account_2\Application Data\ATI
2008-06-02 18:49 . 2008-06-04 20:39 <DIR> d-------- C:\Documents and Settings\Guest Account_2
2008-06-02 17:42 . 2008-06-06 22:46 <DIR> d-------- C:\Documents and Settings\Guest Account
2008-06-02 16:56 . 1999-09-09 11:28 446,464 --a------ C:\WINDOWS\system32\HHActiveX.dll
2008-06-02 16:56 . 2008-06-02 17:07 119 --a------ C:\WINDOWS\NNS.INI
2008-05-30 16:30 . 2008-05-30 16:30 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-05-30 16:30 . 2008-05-30 16:30 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-05-30 16:30 . 2008-05-30 16:30 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-05-24 19:35 . 2008-05-24 19:35 <DIR> d-------- C:\Documents and Settings\Juliana\Application Data\Conceptworld
2008-05-24 18:30 . 2008-05-24 18:30 <DIR> d-------- C:\Documents and Settings\Juliana\Application Data\ATI
2008-05-24 18:29 . 2008-06-02 18:05 <DIR> d-------- C:\Documents and Settings\Juliana
2008-05-21 15:00 . 2008-06-08 18:14 <DIR> d-------- C:\Program Files\eMule
2008-05-17 15:23 . 2008-05-17 15:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2099-03-01 12:19 2,370,560 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2099-03-01 12:18 3,348,992 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-06-15 18:10 --------- d-----w C:\Program Files\Sentinel Web
2008-06-15 18:08 15,976 ----a-w C:\WINDOWS\system32\Temp.tmp
2008-06-15 18:00 --------- d-----w C:\Program Files\DynDNS Updater
2008-06-15 17:59 --------- d-----w C:\Program Files\LogMeIn
2008-06-14 00:36 --------- d-----w C:\Program Files\Fantasy Wars
2008-06-10 01:54 --------- d-----w C:\Program Files\PeerGuardian2
2008-06-09 19:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-09 01:26 --------- d-----w C:\Program Files\ESET
2008-06-08 22:14 --------- d-----w C:\Program Files\Siber Systems
2008-06-08 01:56 --------- d-----w C:\Documents and Settings\Andrew\Application Data\Azureus
2008-06-05 03:39 3,082,240 ----a-w C:\WINDOWS\Internet Logs\xDB68.tmp
2008-06-03 23:17 5,692 ----a-w C:\WINDOWS\system32\wfileu.drv
2008-06-03 19:42 6,107,648 ----a-w C:\WINDOWS\Internet Logs\xDB67.tmp
2008-06-03 19:42 3,250,176 ----a-w C:\WINDOWS\Internet Logs\xDB66.tmp
2008-06-03 00:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-01 20:06 --------- d-----w C:\Program Files\Google
2008-05-29 08:46 --------- d-----w C:\Program Files\Age of Wonders Shadow Magic
2008-05-27 03:06 25,229,036 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-05-25 21:03 2,980,352 ----a-w C:\WINDOWS\Internet Logs\xDB65.tmp
2008-05-21 22:35 114 ----a-w C:\sccfg.sys
2008-05-21 21:41 6,046,720 ----a-w C:\WINDOWS\Internet Logs\xDB64.tmp
2008-05-21 21:41 3,332,096 ----a-w C:\WINDOWS\Internet Logs\xDB63.tmp
2008-05-17 22:22 --------- d-----w C:\Program Files\Azureus
2008-05-13 20:06 --------- d-----w C:\Program Files\Save My Work
2008-05-09 19:57 --------- d-----w C:\Program Files\Soulseek
2008-05-09 19:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-09 19:38 --------- d-----w C:\Program Files\QuickTime
2008-05-09 19:35 --------- d-----w C:\Program Files\Apple Software Update
2008-05-09 19:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-05-08 21:34 3,749,376 ----a-w C:\WINDOWS\Internet Logs\xDB62.tmp
2008-05-08 19:32 --------- d-----w C:\Program Files\Turbo Lister2
2008-04-28 18:22 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-04-28 18:22 --------- d--h--r C:\Documents and Settings\Andrew\Application Data\SecuROM
2008-04-28 03:38 --------- d-----w C:\Program Files\Ubisoft
2008-04-22 17:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2008-04-21 03:29 278,728 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-04-21 03:29 25,416 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
2008-04-20 06:12 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2008-04-20 06:12 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2008-04-20 06:12 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2008-04-16 18:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-16 18:04 --------- d-----w C:\Program Files\Lavasoft
2008-04-16 18:00 --------- d-----w C:\Documents and Settings\Andrew\Application Data\Lavasoft
2008-04-05 18:50 3,308,032 ----a-w C:\WINDOWS\Internet Logs\xDB61.tmp
2008-03-25 03:51 11,114 ----a-w C:\Documents and Settings\All Users\Application Data\MainApp.dll
2008-03-21 06:25 43,698 ----a-w C:\WINDOWS\system32\xvid-uninstall.exe
2008-03-16 22:56 1,371,136 ----a-w C:\WINDOWS\Internet Logs\xDB60.tmp
2007-06-24 01:32 81,920 ----a-w C:\Documents and Settings\Andrew\Application Data\ezpinst.exe
2007-06-24 01:32 47,360 ----a-w C:\Documents and Settings\Andrew\Application Data\pcouffin.sys
2005-09-10 03:55 7,155,864 ----a-w C:\Program Files\NGhost10.msi
2005-09-10 03:55 37,766,164 ----a-w C:\Program Files\Data1.cab
2005-09-10 03:55 35 ----a-w C:\Program Files\SCSSDist.ini
.

((((((((((((((((((((((((((((( snapshot@2008-06-13_21.25.13.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-14 04:17:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-15 18:10:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-02-27 22:59:28 290,816 ----a-w C:\WINDOWS\Downloaded Program Files\auc_lib.dll
+ 2008-02-27 22:59:28 495,616 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2008-02-27 23:00:12 262,144 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2008-02-27 22:59:16 588,392 ----a-w C:\WINDOWS\Downloaded Program Files\gatelauncher.exe
+ 2002-12-31 12:00:00 3,293,564 ----a-w C:\WINDOWS\system32\wdrv\wdrvdb.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-03 10:53 68856]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-01-18 13:12 160592]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2006-10-31 22:24 57344]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2006-04-05 23:03 1622016]
"SkinClock"="C:\Program Files\Clock Tray Skins\ClockTraySkins.exe" [2007-08-23 18:27 459264]
"SaveMyWork"="C:\Program Files\Save My Work\SaveMyWork.exe" [2004-12-10 04:52 487424]
"CCWinTray"="C:\WINDOWS\Tray\wintmr.exe" [2008-04-30 14:15 4400312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Launch LGDCore"="C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" [2007-04-26 17:22 1132056]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 10:34 851968]
"UPSMON"="C:\Program Files\Sentinel Web\Sentinel.exe" [2005-07-15 14:12 429568]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-09-12 10:20 63048]
"Enterra Icon Keeper"="C:\Program Files\Enterra Icon Keeper\IcnKeepr.exe" [2006-08-18 17:32 57344]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-06-09 22:33 919016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-06-09 22:33 949376]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"ChicoSys"="C:\WINDOWS\system32\cc32\webtmr.exe" [2008-04-30 14:15 3986616]

C:\Documents and Settings\Andrew\Start Menu\Programs\Startup\
DTEMP.lnk - C:\Program Files\HDD Temperature\DTemp.exe [2008-01-23 18:11:02 60416]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableClock"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuFavorites"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)
"NoMultiIE"= 0 (0x0)
"LWA"= 0 (0x0)
"LWB"= 0 (0x0)
"LWC"= 0 (0x0)
"LWD"= 0 (0x0)
"LWE"= 0 (0x0)
"LWF"= 0 (0x0)
"LWG"= 0 (0x0)
"LWH"= 0 (0x0)
"LWI"= 0 (0x0)
"LWJ"= 0 (0x0)
"LWK"= 0 (0x0)
"LWL"= 0 (0x0)
"LWM"= 0 (0x0)
"LWN"= 0 (0x0)
"LWO"= 0 (0x0)
"LWP"= 0 (0x0)
"LWQ"= 0 (0x0)
"LWR"= 0 (0x0)
"LWS"= 0 (0x0)
"LWT"= 0 (0x0)
"LWU"= 0 (0x0)
"LWV"= 0 (0x0)
"LWW"= 0 (0x0)
"LWX"= 0 (0x0)
"LWY"= 0 (0x0)
"LWZ"= 0 (0x0)
"RestrictRun"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-06-09 23:03 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-06-09 23:03 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 19:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VCR2"= ATIVCR2.DLL
"VIDC.DRAW"= DVIDEO.DLL
"VIDC.VCR1"= ATIVCR1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Andrew^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:21 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2005-10-04 06:12 90112 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-11-09 16:07 49263 C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
"SetDefPrt"=C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
"Launch LCDMon"="C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Notmad Explorer\\notmgr.exe"=
"C:\\Program Files\\eMule\\emule.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [2007-02-21 17:15]
R1 Klmc;Klmc;C:\WINDOWS\system32\drivers\klmc.sys [2006-02-28 06:11]
R2 DynDNS_Updater_Service;DynDNS Updater Service;C:\Program Files\DynDNS Updater\DynDNS.exe [2006-09-17 11:32]
R2 LANPkt;Realtek LANPkt Protocol;C:\WINDOWS\system32\DRIVERS\LANPkt.sys [2003-09-17 15:57]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-09-12 10:21]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-09-12 10:20]
R2 PD91Agent;PD91Agent;"C:\Program Files\PerfectDisk2008\PD91Agent.exe" [2008-02-28 10:44]
R2 SmartCheckSvc;SmartCheck service;C:\Program Files\Advanced SmartCheck\Client\SmCh_svc.exe [2006-12-03 16:21]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2002-12-31 05:00]
R2 Windows-CCHook-Service;Windows-CCHook-Service;C:\WINDOWS\system32\cchservice.exe [2002-12-31 05:00]
R3 radpms;Driver for RADPMS Device;C:\WINDOWS\system32\DRIVERS\radpms.sys [2007-09-12 10:20]
S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys [2008-06-09 20:13]
S3 PD91Engine;PD91Engine;"C:\Program Files\PerfectDisk2008\PD91Engine.exe" [2008-02-29 14:08]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-06-07 00:32:48 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 11:11:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Sentinel Web\OPTISAFE_Service.exe
C:\Program Files\Sentinel Web\UPSInt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Sentinel Web\EventMessage.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
.
**************************************************************************
.
Completion time: 2008-06-15 11:15:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-15 18:15:15
ComboFix2.txt 2008-06-14 18:42:59
ComboFix3.txt 2008-06-14 04:28:31

Pre-Run: 14,323,011,584 bytes free
Post-Run: 14,423,515,136 bytes free

301

Dr. Web

Combo-Fix.exe\327882R2FWJFW\FIND3M.bat;C:\Andrew's new Desktop\Combo-Fix.exe;Probably SCRIPT.Virus;;
Combo-Fix.exe\327882R2FWJFW\psexec.cfexe;C:\Andrew's new Desktop\Combo-Fix.exe;Program.PsExec.171;;
Combo-Fix.exe;C:\Andrew's new Desktop;Archive contains infected objects;Moved.;
RockXP4.exe\pwdump2\pwdump2.exe;C:\Andrew's new Desktop\Portable Apps March 08\PortableApps\RockXP\RockXP4.exe;Tool.Pwdump;;
RockXP4.exe\pwdump2\samdump.dll;C:\Andrew's new Desktop\Portable Apps March 08\PortableApps\RockXP\RockXP4.exe;Tool.Pwdump;;
RockXP4.exe;C:\Andrew's new Desktop\Portable Apps March 08\PortableApps\RockXP;Archive contains infected objects;Moved.;
mbam.exe;C:\Program Files\Malwarebytes' Anti-Malware;Probably BACKDOOR.Trojan;;
paragon_pm_esd_en.iso\USR\BIN\VIM_ENHANCED.;D:\Appz\Paragon Partition Manager Pro v7.00.000.1057 (Recovery Cd)\setup.exe\paragon_pm_esd_en.iso;Linux.Rootkit.18;;
paragon_pm_esd_en.iso;D:\Appz\Paragon Partition Manager Pro v7.00.000.1057 (Recovery Cd)\setup.exe;Archive contains infected objects;;
setup.exe;D:\Appz\Paragon Partition Manager Pro v7.00.000.1057 (Recovery Cd);Archive contains infected objects;Moved.;
psexec.exe;D:\Z - Sony HD and Recovery\Current Sony HD\WINDOWS\system32;Program.PsExec.180;;
pskill.exe;D:\Z - Sony HD and Recovery\Current Sony HD\WINDOWS\system32;Program.PsKill.101;;

HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:53:49 PM, on 6/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\PerfectDisk2008\PD91Agent.exe
C:\Program Files\Advanced SmartCheck\Client\SmCh_svc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sentinel Web\OPTISAFE_Service.Exe
C:\WINDOWS\system32\cchservice.exe
C:\Program Files\Sentinel Web\UPSInt.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Sentinel Web\Sentinel.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\cc32\webtmr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Clock Tray Skins\ClockTraySkins.exe
C:\Program Files\Save My Work\SaveMyWork.exe
C:\WINDOWS\Tray\wintmr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HDD Temperature\DTemp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Andrew's new Desktop\drweb-cureit.exe
C:\DOCUME~1\Andrew\LOCALS~1\Temp\RarSFX0\_start.exe
C:\DOCUME~1\Andrew\LOCALS~1\Temp\RarSFX0\setup.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f539.mail....e...=Inbox&YN=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [UPSMON] C:\Program Files\Sentinel Web\Sentinel.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Enterra Icon Keeper] "C:\Program Files\Enterra Icon Keeper\IcnKeepr.exe" ssp /s
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ChicoSys] C:\WINDOWS\system32\cc32\webtmr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Clock Tray Skins\ClockTraySkins.exe
O4 - HKCU\..\Run: [SaveMyWork] C:\Program Files\Save My Work\SaveMyWork.exe
O4 - HKCU\..\Run: [CCWinTray] C:\WINDOWS\Tray\wintmr.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'NETWORK SERVICE')
O4 - Startup: DTEMP.lnk = C:\Program Files\HDD Temperature\DTemp.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: Add all items to the auction list - res://C:\Program Files\RKD\AuctionNavigator\BidCtxtClick.dll/202
O8 - Extra context menu item: Add this item to the auction list - res://C:\Program Files\RKD\AuctionNavigator\BidCtxtClick.dll/201
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: InterCasino £££ - {03588886-5C50-4645-BD5D-F105F84417DE} - http://www.intercasino.co.uk/ (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: InterCasino £££ - {03588886-5C50-4645-BD5D-F105F84417DE} - http://www.intercasino.co.uk/ (file missing) (HKCU)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....030/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189976167406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1189976126937
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.c.../npseatools.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15030/CTPID.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/RACtrl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Kana Solution - C:\Program Files\DynDNS Updater\DynDNS.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\PerfectDisk2008\PD91Engine.exe
O23 - Service: SmartCheck service (SmartCheckSvc) - URL Toy Software - C:\Program Files\Advanced SmartCheck\Client\SmCh_svc.exe
O23 - Service: UPSMONService - Unknown owner - C:\Program Files\Sentinel Web\OPTISAFE_Service.Exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows-CCHook-Service - Salfeld Computer - C:\WINDOWS\system32\cchservice.exe

--
End of file - 13080 bytes

#8
Rorschach112

  • Retired Staff
One more final scan


Please download and unzip IceSword to its own folder on your desktop


If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.


Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.


Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.


Step 4 : Click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.


Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labelled WH_KEYBOARD. Write down the Process Path of these entries if present.



Now post all of the data collected under the headings for:

Processes
Win32 Services
Startup
SSDT
Message Hooks




Also tell me how your PC is running
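Each of the five IceSword checks above is a comparison: a process or service that shows up in a low-level walk but not in the documented API enumeration (the red rows), an SSDT slot whose handler lives in a driver other than the kernel image (the KModule column), and message hooks of the keystroke-capable type. As an added example, not code from this thread, from IceSword or from either poster, the script below runs those same three comparisons offline on constructed sample data. The module base addresses, dump lines, process paths and hook table are all made up for illustration; only the two driver names come from post #11.

```python
"""Offline triage of the kinds of data IceSword collects: hidden processes
(cross-view diff), SSDT slots whose handler lies outside the kernel image,
and keyboard message hooks.  Added example, not from the thread or from
IceSword.  Every address, path and dump line below is constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class KernelModule:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed loaded-module map (assumed addresses, not taken from any log).
MODULES = [
    KernelModule("ntoskrnl.exe", 0x804D7000, 0x1F8000),
    KernelModule("vsdatant.sys", 0xF7A00000, 0x60000),   # driver named in post #11
    KernelModule("sptd.sys",     0xF7B00000, 0xA0000),   # driver named in post #11
]

# Constructed SSDT dump: one "index handler_address" pair per line.
SSDT_DUMP = """\
0x0019 0x8056D4A0
0x0025 0xF7A1B2C0
0x0029 0xF7A1B400
0x0035 0xF7B0C800
0x0041 0x805A1230
0x0047 0xF8C00120
"""

# Constructed process lists: the documented API view vs. a raw walk.
API_VIEW = [r"C:\WINDOWS\system32\smss.exe", r"C:\WINDOWS\explorer.exe"]
RAW_VIEW = [r"C:\WINDOWS\system32\smss.exe", r"C:\WINDOWS\Explorer.exe",
            r"C:\WINDOWS\system32\drivers\hidden_sample.exe"]   # hypothetical path

# Constructed message-hook table: (hook type, owning process path).
MESSAGE_HOOKS = [
    ("WH_MOUSE_LL",   r"C:\WINDOWS\explorer.exe"),
    ("WH_KEYBOARD",   r"C:\Program Files\SampleApp\sample_hook.exe"),  # hypothetical
    ("WH_GETMESSAGE", r"C:\WINDOWS\explorer.exe"),
]


def parse_ssdt(dump: str) -> list[tuple[int, int]]:
    """Turn 'index address' lines into (index, address) integer pairs."""
    entries = []
    for line in dump.splitlines():
        if line.strip():
            idx, addr = line.split()
            entries.append((int(idx, 16), int(addr, 16)))
    return entries


def owner_of(addr: int, modules: list[KernelModule]) -> str | None:
    """Name of the module whose address range holds addr, or None."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def triage_ssdt(dump: str, modules: list[KernelModule],
                kernel: str = "ntoskrnl.exe") -> dict:
    """Classify each SSDT slot: handler inside the kernel image (clean),
    inside some other driver (hooked; report the module, as the KModule
    column does) or inside no known module (unresolved, the most suspicious)."""
    report: dict = {"clean": [], "hooked": [], "unresolved": []}
    for idx, addr in parse_ssdt(dump):
        owner = owner_of(addr, modules)
        if owner is None:
            report["unresolved"].append((idx, addr))
        elif owner == kernel:
            report["clean"].append(idx)
        else:
            report["hooked"].append((idx, owner))
    return report


def hidden_entries(api_view: list[str], raw_view: list[str]) -> list[str]:
    """Cross-view diff: present in the raw walk but absent from the API
    enumeration is what a red (hidden) row means.  Paths compare case-insensitively."""
    seen = {p.lower() for p in api_view}
    return sorted(p for p in raw_view if p.lower() not in seen)


def keyboard_hooks(hooks: list[tuple[str, str]]) -> list[str]:
    """Only WH_KEYBOARD / WH_KEYBOARD_LL hooks can see keystrokes."""
    return [path for kind, path in hooks if kind.startswith("WH_KEYBOARD")]


if __name__ == "__main__":
    print("Hidden processes:", hidden_entries(API_VIEW, RAW_VIEW))
    print("SSDT:", triage_ssdt(SSDT_DUMP, MODULES))
    print("Keyboard hooks:", keyboard_hooks(MESSAGE_HOOKS))
```

The SSDT report is why the helper asks for the KModule name rather than just a count of red entries: a hooked slot owned by a known firewall or disc-emulation driver is expected, while a handler that resolves to no loaded module at all is the case worth escalating.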

#9
ajdedo

  • Topic Starter
Should I clean the files that Dr. Web pointed out? They include ComboFix, Malwarebytes, Partition Magic?

Also, can I reboot my computer to re-establish internet connection?

Edited by ajdedo, 15 June 2008 - 03:27 PM.


#10
Rorschach112

  • Retired Staff
Sorry, no, leave those. Dr. Web is aggressive, but it is worth using for the infection you had.

So just go on with the other steps there.
#11
ajdedo

  • Topic Starter
Processes - none
Win32 Services - none
Startup - none
SSDT - (several entries with the name) ->
\SystemRoot\System32\vsdatant.sys (several entries)
sptd.sys (several entries)

Message Hooks - none

As for the computer.... Well, neither my NOD32 nor my ZoneAlarm will load. I still get "NOD32.exe is not a valid Win32 application" when I try manually.

I also get a strange thing when I start up. An image of the mouse pointer with the hourglass darts across the bottom of my screen several times before appearing in the middle of my desktop. This only started happening after I got infected.


#12
Rorschach112

  • Retired Staff
Can you post the logs from

Processes
Win32 Services
Startup

Try reinstalling NOD32 and ZoneAlarm.

#13
ajdedo

  • Topic Starter
Processes:

System Idle Process
System
C:\WINDOWS\system32\cchservice.exe
C:\WINDOWS\system32\cc32\webtmr.exe
C:\Program Files\HDD Temperature\DTemp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\ATI Multimedia\main\atidtct.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE
C:\Program Files\Sentinel Web\UPSInt.exe
C:\Program Files\Clock Tray Skins\ClockTraySkins.exe
C:\Program Files\Save My Work\SaveMyWork.exe
C:\WINDOWS\tray\wintmr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\PerfectDisk2008\PD91Agent.exe
C:\Program Files\Advanced SmartCheck\Client\SmCh_svc.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Sentinel Web\OPTISAFE_Service.exe
C:\Program Files\Sentinel Web\Sentinel.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\system32\alg.exe
C:\Andrew's new Desktop\ISW\IceSword122en\IceSword.exe

Started Services:

Service Name:aawservice Display Name:Ad-Aware 2007 Service
Service Name:ALG Display Name:Application Layer Gateway Service
Service Name:AudioSrv Display Name:Windows Audio
Service Name:Bonjour Service Display Name:##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##
Service Name:brmfrmps Display Name:Brother Popup Suspend service for Resource manager
Service Name:Brother XP spl Service Display Name:BrSplService
Service Name:Browser Display Name:Computer Browser
Service Name:Creative Service for CDROM Access Display Name:Creative Service for CDROM Access
Service Name:DcomLaunch Display Name:DCOM Server Process Launcher
Service Name:Dhcp Display Name:DHCP Client
Service Name:dmserver Display Name:Logical Disk Manager
Service Name:Dnscache Display Name:DNS Client
Service Name:DynDNS_Updater_Service Display Name:DynDNS Updater Service
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:Eventlog Display Name:Event Log
Service Name:EventSystem Display Name:COM+ Event System
Service Name:FastUserSwitchingCompatibility Display Name:Fast User Switching Compatibility
Service Name:helpsvc Display Name:Help and Support
Service Name:HidServ Display Name:HID Input Service
Service Name:lanmanserver Display Name:Server
Service Name:lanmanworkstation Display Name:Workstation
Service Name:LightScribeService Display Name:LightScribeService Direct Disc Labeling Service
Service Name:LmHosts Display Name:TCP/IP NetBIOS Helper
Service Name:LMIMaint Display Name:LogMeIn Maintenance Service
Service Name:LogMeIn Display Name:LogMeIn
Service Name:Netman Display Name:Network Connections
Service Name:Nla Display Name:Network Location Awareness (NLA)
Service Name:PD91Agent Display Name:PD91Agent
Service Name:PlugPlay Display Name:Plug and Play
Service Name:PolicyAgent Display Name:IPSEC Services
Service Name:ProtectedStorage Display Name:Protected Storage
Service Name:RasMan Display Name:Remote Access Connection Manager
Service Name:RpcSs Display Name:Remote Procedure Call (RPC)
Service Name:SamSs Display Name:Security Accounts Manager
Service Name:Schedule Display Name:Task Scheduler
Service Name:seclogon Display Name:Secondary Logon
Service Name:SENS Display Name:System Event Notification
Service Name:SharedAccess Display Name:Windows Firewall/Internet Connection Sharing (ICS)
Service Name:ShellHWDetection Display Name:Shell Hardware Detection
Service Name:SmartCheckSvc Display Name:SmartCheck service
Service Name:Spooler Display Name:Print Spooler
Service Name:srservice Display Name:System Restore Service
Service Name:SSDPSRV Display Name:SSDP Discovery Service
Service Name:stisvc Display Name:Windows Image Acquisition (WIA)
Service Name:TapiSrv Display Name:Telephony
Service Name:TermService Display Name:Terminal Services
Service Name:Themes Display Name:Themes
Service Name:UPSMONService Display Name:UPSMONService
Service Name:UxTuneUp Display Name:TuneUp Theme Extension
Service Name:W32Time Display Name:Windows Time
Service Name:Windows-CCHook-Service Display Name:Windows-CCHook-Service
Service Name:winmgmt Display Name:Windows Management Instrumentation
Service Name:wscsvc Display Name:Security Center
Service Name:wuauserv Display Name:Automatic Updates


Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Launch LGDCore
"C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ControlCenter2.0
C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
UPSMON
C:\Program Files\Sentinel Web\Sentinel.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LogMeIn GUI
"C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Enterra Icon Keeper
"C:\Program Files\Enterra Icon Keeper\IcnKeepr.exe" ssp /s

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ZoneAlarm Client
"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adobe Reader Speed Launcher
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
StartCCC
"C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nod32kui
"C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task
"C:\Program Files\QuickTime\qttask.exe" -atboottime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ChicoSys
C:\WINDOWS\system32\cc32\webtmr.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
swg
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
RoboForm
"C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ATI DeviceDetect
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ATI Remote Control
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
SkinClock
C:\Program Files\Clock Tray Skins\ClockTraySkins.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
SaveMyWork
C:\Program Files\Save My Work\SaveMyWork.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
CCWinTray
C:\WINDOWS\Tray\wintmr.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini


C:\Documents and Settings\Andrew\Start Menu\Programs\Startup
desktop.ini


C:\Documents and Settings\Andrew\Start Menu\Programs\Startup
DTEMP.lnk
%PROGRAMFILES%\HDD Temperature\DTemp.exe (Remark:)
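
The "Startup:" section of the IceSword log above lists every autorun as three lines: the location (a Run key or a Startup folder), the entry name, and the command line. As an added example, not part of the original post and not an IceSword feature, the Python below parses that layout, pulls the executable out of each command line (quoted paths, unquoted paths that contain spaces, and the %PROGRAMFILES% variable), and flags entries worth a second look: an executable in a non-standard subfolder of the Windows directory, one outside Program Files, or a registry entry launched from an unquoted path with spaces. The sample block is built from paths that appear in the log; the heuristics and their thresholds are my own assumptions, and a flag means "look this up", not "malicious".

```python
import re
from typing import List, NamedTuple, Tuple


class Entry(NamedTuple):
    location: str           # registry key or Startup folder the entry came from
    name: str               # value name, or the .lnk name for Startup folders
    exe: str                # executable path extracted from the command line
    flags: Tuple[str, ...]  # triage flags; empty means nothing stood out


# Where autostart executables are expected to live. Anything under %WINDIR%
# that is not directly in WINDOWS or system32 is flagged, because legitimate
# autostarts rarely install into their own subfolder there. These expectations
# are an assumption of this heuristic, not a rule.
PROGRAM_ROOTS = ("c:\\program files\\",)
WINDIR = "c:\\windows\\"
WINDIR_OK = ("c:\\windows\\", "c:\\windows\\system32\\")
ENV = {"%programfiles%": "C:\\Program Files"}  # the one variable seen in the log

# Constructed sample in the IceSword "Startup:" layout (location, name, command,
# blank line). Paths are taken from the log above; none is asserted malicious.
SAMPLE_STARTUP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ZoneAlarm Client
"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ControlCenter2.0
C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ChicoSys
C:\WINDOWS\system32\cc32\webtmr.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
CCWinTray
C:\WINDOWS\Tray\wintmr.exe

C:\Documents and Settings\Andrew\Start Menu\Programs\Startup
DTEMP.lnk
%PROGRAMFILES%\HDD Temperature\DTemp.exe (Remark:)
"""


def extract_exe(command: str) -> str:
    """Pull the executable path out of a command line.

    A quoted command ends at the closing quote. An unquoted one is cut at the
    first '.exe', so 'C:\\Program Files\\x\\y.exe /autorun' still yields the
    path although it contains spaces. %PROGRAMFILES% is expanded afterwards.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
        exe = m.group(1) if m else command.split(" ")[0]
    for var, value in ENV.items():
        # a lambda keeps re.sub from treating the backslashes in value as escapes
        exe = re.sub(re.escape(var), lambda _: value, exe, flags=re.IGNORECASE)
    return exe


def triage_entry(location: str, name: str, command: str) -> Entry:
    exe = extract_exe(command)
    low = exe.lower()
    flags = []
    # Run values are handed to CreateProcess as a command line. With an unquoted
    # path containing spaces, Windows tries each space-delimited prefix
    # (C:\Program.exe, ...) before the real file, so a writable prefix location
    # is a hijack point. Startup-folder .lnk files store their target
    # separately and are exempt from this check.
    if (location.upper().startswith("HKEY_") and " " in exe
            and not command.lstrip().startswith('"')):
        flags.append("unquoted-path-with-space")
    if low.startswith(WINDIR):
        parent = low.rsplit("\\", 1)[0] + "\\"
        if parent not in WINDIR_OK:
            flags.append("nonstandard-windir-subfolder")
    elif not low.startswith(PROGRAM_ROOTS):
        flags.append("outside-program-files")
    return Entry(location, name, exe, tuple(flags))


def parse_startup(text: str) -> List[Entry]:
    """Split on blank lines; each block is location / name / command. Blocks
    with no command line (the desktop.ini lines in the log) are skipped."""
    entries: List[Entry] = []
    block: List[str] = []
    for line in text.splitlines() + [""]:
        if line.strip():
            block.append(line.rstrip())
            continue
        if len(block) >= 3:
            entries.append(triage_entry(block[0], block[1], block[2]))
        block = []
    return entries


def flagged(text: str) -> List[Entry]:
    return [e for e in parse_startup(text) if e.flags]


if __name__ == "__main__":
    for e in flagged(SAMPLE_STARTUP):
        print(f"{e.name:18} {e.exe}  <- {', '.join(e.flags)}")
```

Run against a full IceSword "Startup:" dump, the script reduces a long listing to the handful of entries a helper would actually look up; the quoted ZoneAlarm and Brother entries pass cleanly, while the two binaries under their own subfolders of C:\WINDOWS and the unquoted Brother command line are reported.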

#14
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean


Follow these steps to uninstall Combofix and the tools used in the removal of malware:
  • Click START then RUN
  • Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.



You now need to update your Java and remove your older versions.

Please follow these steps to remove older Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of the Java Runtime Environment (JRE) from here and install it on your computer.




Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking the Windows Update website at:
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest security updates installed.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

SpywareBlaster protects against bad ActiveX.
IE-SPYAD puts over 5000 sites in your Restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Have a look at this tutorial for IE-SPYAD here.

* SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop-up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here.

* Take a good look at the following suggestions for malware prevention by reading Tony Klein's article 'How Did I Get Infected In The First Place' here.

Thank you for your patience, and performing all of the procedures requested.
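
The MVPS HOSTS recommendation in the post above works by exact hostname match, and that detail decides what the file does and does not protect against. The Python below is an added example, not part of the post and not part of the MVPS file: it parses a hosts file in the MVPS layout (one address, then one or more hostnames, optional '#' comments, the odd malformed line) and answers whether a given name would be sinkholed. The hostnames in the sample are constructed for this demonstration; the real MVPS list is not reproduced. Both 127.0.0.1 and 0.0.0.0 are treated as sinkholes, since the MVPS file itself has used 0.0.0.0 for years while the post describes the 127.0.0.1 form.

```python
import ipaddress
from typing import Dict, Iterable

# Constructed sample in the MVPS layout; these hostnames are made up.
SAMPLE_HOSTS = """
# constructed sample, not the real MVPS file
127.0.0.1       localhost
127.0.0.1       ads.example-tracker.test            # banner server
0.0.0.0         popups.example-adware.test www.example-adware.test
this is not a valid hosts line
"""

# Addresses commonly used to sinkhole a name. 127.0.0.1 is the form the post
# describes; 0.0.0.0 is what the current MVPS file uses.
SINKHOLES = {"127.0.0.1", "0.0.0.0"}
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map lowercase hostname -> address, ignoring comments and blank lines.

    A line may carry several hostnames; later lines override earlier ones, which
    is how a resolver that walks the file top to bottom behaves. Lines whose
    first field is not an IP address are skipped rather than guessed at.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue
        for host in parts[1:]:
            table[host.lower().rstrip(".")] = ip
    return table


def is_sinkholed(table: Dict[str, str], hostname: str) -> bool:
    """True only on an exact hostname match.

    The hosts file has no wildcards, so an entry for ads.example-tracker.test
    does nothing for cdn.ads.example-tracker.test. The genuine loopback entry
    for localhost is not a block and is reported as such.
    """
    host = hostname.lower().rstrip(".")
    if host in LOOPBACK_NAMES:
        return False
    return table.get(host) in SINKHOLES


def check_hosts(table: Dict[str, str], hostnames: Iterable[str]) -> Dict[str, bool]:
    """Which of the given names this hosts file would stop the machine reaching."""
    return {h: is_sinkholed(table, h) for h in hostnames}


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for name, blocked in check_hosts(
        table, ["www.example-adware.test", "cdn.ads.example-tracker.test"]
    ).items():
        print(f"{name:32} {'sinkholed' if blocked else 'reachable'}")
```

The practical consequence is visible in the second lookup: a hosts file blocks only the names it lists, so a site that moves to a new subdomain is reachable again until the list is updated. That is why the post pairs the hosts file with zone-based controls rather than relying on it alone.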

#15
ajdedo

ajdedo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Hi, Thanks.

There are still some things that are acting funny.

1) I still get that mouse pointer darting across the bottom of my screen over and over when I log on.
2) My ATI video driver fails to load
3) I installed Kaspersky and it repeatedly tells me there is a riskware invader attempting to modify a file

detected: riskware Invader Running process: C:\WINDOWS\system32\winlogon.exe
detected: riskware Invader Running process: C:\WINDOWS\system32\userinit.exe
detected: riskware Invader Running process: C:\WINDOWS\explorer.exe
detected: riskware Invader Running process: C:\Program Files\Brother\ControlCenter2\brctrcen.exe
detected: riskware Invader Running process: C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
detected: riskware Invader Running process: C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
detected: riskware Invader Running process: C:\WINDOWS\Explorer.EXE

4) Also, my computer spontaneously rebooted during the Kaspersky scan.

I'm running it again. Thanks :-)

UPDATE

I managed to run Kaspersky until the end, and here are the results

detected: adware not-a-virus:AdWare.Win32.WeatherBug.f File: C:\Andrew's new Desktop\Portable Apps March 08\PortableApps\Roboform\RoboForm\AiRoboForm-Portable.bin
detected: Trojan program Trojan.Win32.VB.dkn File: C:\Program Files\Common Files\Wise Installation Wizard\WIS78D62D17D97042DAB8CF5E5576293B33_7_0_0_33.MSI//Icon78D62D171.exe
detected: Trojan program Backdoor.Win32.Hupigon.cjai File: C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\120593.exe.vir
detected: Trojan program Backdoor.Win32.Hupigon.cjai File: C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\129375.exe.vir
detected: Trojan program Backdoor.Win32.Hupigon.cjai File: C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\132296.exe.vir
detected: Trojan program Backdoor.Win32.Hupigon.cjai File: C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\135515.exe.vir
detected: Trojan program Backdoor.Win32.Hupigon.cjai File: C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\139343.exe.vir
detected: Trojan program Backdoor.Win32.Hupigon.cjai File: C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\142453.exe.vir
detected: Trojan program Backdoor.Win32.Hupigon.cjai File: C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\174218.exe.vir
detected: Trojan program Backdoor.Win32.Hupigon.cjai File: C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\187250.exe.vir
detected: Trojan program Backdoor.Win32.Hupigon.cjai File: C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\252750.exe.vir
detected: Trojan program Trojan-Downloader.Win32.Bagle.hp File: C:\QooBox\Quarantine\Registry_backups\Service_srosa.reg.dat
detected: Trojan program Trojan.Win32.VB.dkn File: C:\WINDOWS\Installer\4e36f33.msi//Icon78D62D171.exe

I still have the above issues with the mouse pointer and video driver, as well as countless "detected: riskware Invader" warnings.

Thanks :-)

Edited by ajdedo, 16 June 2008 - 01:05 AM.

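
The Kaspersky output in the post above mixes three kinds of hit that call for different responses: verdicts attached to a running process ("Running process:"), files already sitting in ComboFix's quarantine under C:\QooBox\Quarantine (the .vir copies and the registry backup), and objects inside a container, which the report writes as outer.msi//inner.exe. As an added example, not part of the post and not a Kaspersky tool, the Python below parses that report format and sorts detections by how much attention they need. The sample lines are copied from the report above; the quarantine-root list and the split into "process", "quarantined", "embedded" and "live" are my own assumptions for triage.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple


class Detection(NamedTuple):
    category: str    # Kaspersky class, e.g. 'Trojan program', 'adware', 'riskware'
    name: str        # verdict name, e.g. 'Backdoor.Win32.Hupigon.cjai'
    container: str   # on-disk path (the part before any '//')
    member: str      # object inside the container, '' when there is none
    state: str       # 'process', 'quarantined', 'embedded' or 'live'


# 'detected: <category words> <verdict> File: <path>' or
# 'detected: <category words> <verdict> Running process: <path>'
LINE_RE = re.compile(
    r"^detected:\s+(?P<category>.+?)\s+(?P<name>\S+)\s+"
    r"(?P<kind>File|Running process):\s+(?P<path>.+?)\s*$"
)

# ComboFix keeps its quarantine under C:\QooBox\Quarantine with a .vir suffix.
# Treating anything under these roots as already neutralised is this script's
# assumption; add other tools' quarantine folders as needed.
QUARANTINE_ROOTS = ("c:\\qoobox\\quarantine\\",)

# Lines copied from the report in the post above.
SAMPLE_REPORT = r"""
detected: riskware Invader Running process: C:\WINDOWS\system32\winlogon.exe
detected: adware not-a-virus:AdWare.Win32.WeatherBug.f File: C:\Andrew's new Desktop\Portable Apps March 08\PortableApps\Roboform\RoboForm\AiRoboForm-Portable.bin
detected: Trojan program Trojan.Win32.VB.dkn File: C:\Program Files\Common Files\Wise Installation Wizard\WIS78D62D17D97042DAB8CF5E5576293B33_7_0_0_33.MSI//Icon78D62D171.exe
detected: Trojan program Backdoor.Win32.Hupigon.cjai File: C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\120593.exe.vir
detected: Trojan program Trojan-Downloader.Win32.Bagle.hp File: C:\QooBox\Quarantine\Registry_backups\Service_srosa.reg.dat
detected: Trojan program Trojan.Win32.VB.dkn File: C:\WINDOWS\Installer\4e36f33.msi//Icon78D62D171.exe
"""


def classify(line: str) -> Detection:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a detection line: {line!r}")
    container, _, member = m.group("path").partition("//")
    low = container.lower()
    if m.group("kind") == "Running process":
        state = "process"        # verdict on a live process, not on a file
    elif low.startswith(QUARANTINE_ROOTS) or low.endswith(".vir"):
        state = "quarantined"    # a copy already taken out of service
    elif member:
        state = "embedded"       # dormant inside an installer or archive
    else:
        state = "live"           # an ordinary file that can run as-is
    return Detection(m.group("category"), m.group("name"), container, member, state)


def parse_report(text: str) -> List[Detection]:
    return [classify(l) for l in text.splitlines() if l.strip().startswith("detected:")]


def summarize(text: str) -> Dict[str, int]:
    """Count of detections per state."""
    return dict(Counter(d.state for d in parse_report(text)))


def live_files(text: str) -> List[str]:
    """Paths to look at first: neither quarantined nor inside a container."""
    return [d.container for d in parse_report(text) if d.state == "live"]


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
    for path in live_files(SAMPLE_REPORT):
        print("live:", path)
```

On the six sample lines the summary comes out as two quarantined copies, two objects embedded in installers, one process verdict and a single live file, which is a much shorter list to act on than the raw scanner output suggests. The process verdicts are kept apart deliberately: they describe behaviour observed in a running process and cannot be resolved by deleting the named file, since the processes involved here are core Windows binaries.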