
Help with laptop [RESOLVED]


  • This topic is locked

#1
Alex_McIntosh
  • Member
  • 277 posts
It has been running slow, then I scanned with AVG and found out why.

It has over 160 threats, including IEtoolbar and some other trojans.

Here is my HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:36:17, on 13/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\Program Files\Toshiba\Toshiba Applet\tpwrsave.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\TOSHIBA\Bluetooth Monitor\BtMon2.exe
C:\Program Files\EZ-DUB\EZ-DUB.exe
C:\Program Files\Handy Password\HandyPassword.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Handy Password - {B2DE56E2-907A-4080-AE06-5C2A7BD4364E} - C:\Program Files\Handy Password\handypasswordtoolbar.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [TPWRSAVE] C:\Program Files\Toshiba\Toshiba Applet\tpwrsave.exe -S
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [HandyPassword] C:\Program Files\Handy Password\HandyPassword.exe /Tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth Monitor.lnk = ?
O4 - Global Startup: EZ-DUB Finder.lnk = C:\Program Files\EZ-DUB\EZ-DUB.exe
O4 - Global Startup: PC Health.lnk = C:\Program Files\Toshiba\TOSHIBA Management Console\TOSHealthLocalS.vbs
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Handy Password: Autosubmit - res://C:\Program Files\Handy Password\handypasswordtoolbar.dll/menu_autologin.html
O8 - Extra context menu item: Handy Password: Fill - res://C:\Program Files\Handy Password\handypasswordtoolbar.dll/menu_fill.html
O8 - Extra context menu item: Handy Password: Fill with - res://C:\Program Files\Handy Password\handypasswordtoolbar.dll/menu_fillwith.html
O8 - Extra context menu item: Handy Password: Lock/Unlock - res://C:\Program Files\Handy Password\handypasswordtoolbar.dll/menu_lock.html
O8 - Extra context menu item: Handy Password: Save - res://C:\Program Files\Handy Password\handypasswordtoolbar.dll/menu_save.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll,avgrsstx.dll,
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TOSHIBA Bluetooth Service - Unknown owner - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9302 bytes


Please help me.

Edited by Alex_McIntosh, 13 June 2008 - 07:06 AM.


#2
greyknight17
  • Malware Expert
  • Visiting Consultant
  • 16,560 posts
Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main, choose Select All.
Click the Empty Selected button.

If you use the Firefox browser, click Firefox at the top and choose Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser, click 'Opera' at the top and choose 'Select All'.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Download and install SUPERAntiSpyware at http://www.superanti...ANTISPYWAREFREE

- Run SUPERAntiSpyware and click the Check for Updates button.
- Once the update has finished, click the Scan your Computer button.
- Click on Perform Complete Scan and then click Next.
- SUPERAntiSpyware will now scan your computer and when it’s finished it will list all the infections it has found.
- Make sure that they all have a check next to them, and then click Next.
- Click Finish and you will be taken back to the main interface.
- It could be possible that it will ask you to reboot your computer in order to delete some files.
- I'll need a log afterwards of what has been found.
- To get the log, click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log and a text file will appear.
- Please post the results of the SUPERAntiSpyware log file in your next reply.


Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoft.../activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply.


1. Download ComboFix at http://download.blee...Bs/ComboFix.exe and save it to your Desktop before you run it.
2. Double-click ComboFix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.

#3
Alex_McIntosh
  • Topic Starter
  • Member
  • 277 posts
Wow, once again my hero steps in lol :)

Remember me from last October? You're the reason that I started learning how to do your job here at GTG lol :)

Thanks for the reply, I'll get to work this second.

#4
greyknight17
  • Malware Expert
  • Visiting Consultant
  • 16,560 posts
LOL....no problem Alex. Glad to see you join GeekU :)

#5
Alex_McIntosh
  • Topic Starter
  • Member
  • 277 posts
Sorry I took so long, my brother has spilt coffee on my laptop and now the keyboard acts weird; I'll press "A" and it will insert a ": @L" for example lol. I will connect an external keyboard when I get in and try to finish off your instructions...

Just to say though, I use ATF Cleaner; I have it in my scheduled tasks for when I boot so I can clean my computer with it before going on to doing my work.

Panda online scan won't connect; in any browser I try it still won't :). I do know that Kaspersky works though, I have been helping people using that too and it works on my machines... Want me to do that instead?

And I think that SUPERAntiSpyware came back clean, strange? I do however still need to run ComboFix.

Sorry again mate, I'll get back to you soon :).

Edited by Alex_McIntosh, 20 June 2008 - 03:00 AM.


#6
greyknight17
  • Malware Expert
  • Visiting Consultant
  • 16,560 posts
No problem. Run Kaspersky instead. Will be awaiting the logs :)

#7
Alex_McIntosh
  • Topic Starter
  • Member
  • 277 posts
That is strange, Kaspersky is clean too :S...

ComboFix is rebooting my laptop now, I'll get back to you in a sec with what that says.

(This is my 200th post WOOOOOOOOOOO)

#8
Alex_McIntosh
  • Topic Starter
  • Member
  • 277 posts
ComboFix 08-06-16.3 - Alex 2008-06-22 12:14:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.178 [GMT 1:00]
Running from: C:\Documents and Settings\Alex\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-22 to 2008-06-22 )))))))))))))))))))))))))))))))
.

2008-06-17 18:50 . 2008-06-17 18:50 <DIR> d-------- C:\Program Files\Panda Security
2008-06-17 16:17 . 2008-06-17 16:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-17 16:16 . 2008-06-17 16:16 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-17 16:16 . 2008-06-17 16:16 <DIR> d-------- C:\Documents and Settings\Alex\Application Data\SUPERAntiSpyware.com
2008-06-12 20:07 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-06-12 19:55 . 2008-06-12 19:55 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-12 19:55 . 2008-06-12 19:55 <DIR> d-------- C:\WINDOWS\system32\en
2008-06-12 19:55 . 2008-06-12 19:55 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-12 19:55 . 2008-06-12 19:55 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-12 19:48 . 2008-06-12 19:56 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-12 19:23 . 2008-04-14 01:12 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll
2008-06-12 19:22 . 2008-04-14 01:12 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll
2008-06-12 19:21 . 2008-04-14 01:10 102,912 -----c--- C:\WINDOWS\system32\dllcache\dpcdll.dll
2008-06-12 19:21 . 2008-04-14 01:11 61,440 --------- C:\WINDOWS\system32\kmsvc.dll
2008-06-12 19:21 . 2008-04-14 01:09 24,064 -----c--- C:\WINDOWS\system32\dllcache\pidgen.dll
2008-06-12 19:21 . 2008-04-14 01:09 6,144 --------- C:\WINDOWS\system32\kbdpash.dll
2008-06-12 19:21 . 2008-04-14 01:09 6,144 --------- C:\WINDOWS\system32\kbdnepr.dll
2008-06-12 19:21 . 2008-04-14 01:09 6,144 --------- C:\WINDOWS\system32\kbdiultn.dll
2008-06-12 19:21 . 2008-04-14 01:09 6,144 --------- C:\WINDOWS\system32\kbdbhc.dll
2008-06-12 19:19 . 2008-04-14 01:11 516,768 --------- C:\WINDOWS\system32\ativvaxx.dll
2008-06-11 23:07 . 2008-06-13 12:05 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 23:07 . 2008-06-13 12:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 23:07 . 2008-05-08 15:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-10 11:05 . 2008-06-10 11:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-10 11:05 . 2008-06-10 11:05 <DIR> d-------- C:\Documents and Settings\Alex\Application Data\Malwarebytes
2008-06-10 11:05 . 2008-06-09 20:13 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-10 11:05 . 2008-06-09 20:13 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-10 11:04 . 2008-06-10 11:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-29 16:30 . 2008-05-29 16:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-29 16:25 . 2008-05-29 16:25 <DIR> d-------- C:\Program Files\Bonjour
2008-05-29 13:15 . 2008-05-29 13:15 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-22 12:26 . 2008-05-22 13:13 <DIR> d--h----- C:\$AVG8.VAULT$

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 15:15 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-08 02:48 --------- d-----w C:\Program Files\Miranda IM
2008-05-30 17:20 87,056 ----a-w C:\WINDOWS\system32\drivers\cmdGuard.sys
2008-05-30 17:20 24,208 ----a-w C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-05-29 21:27 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-24 00:46 --------- d-----w C:\Program Files\eMule
2008-05-18 15:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-05-18 15:56 --------- d-----w C:\Program Files\Sony Ericsson
2008-05-18 15:56 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-05-17 22:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-17 22:01 --------- d-----w C:\Program Files\Ubisoft
2008-05-17 22:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-05-17 22:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-17 21:59 1 ----a-w C:\Documents and Settings\Alex\SI.bin
2008-05-17 21:55 --------- d--h--r C:\Documents and Settings\Alex\Application Data\SecuROM
2008-05-17 20:04 --------- d-----w C:\Documents and Settings\Alex\Application Data\Teleca
2008-05-17 19:53 --------- d-----w C:\Documents and Settings\Alex\Application Data\Sony Ericsson
2008-05-17 19:49 --------- d-----w C:\Program Files\Disc2Phone
2008-05-17 19:04 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-17 19:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-17 19:04 --------- d-----w C:\Documents and Settings\Alex\Application Data\AVGTOOLBAR
2008-05-17 19:03 --------- d-----w C:\Program Files\AVG
2008-05-17 19:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-05-17 14:56 --------- d-----w C:\Program Files\Synergy
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-05 21:49 --------- d-----w C:\Program Files\Apple Software Update
2008-05-05 21:46 --------- d-----w C:\Program Files\iTunes
2008-05-05 21:46 --------- d-----w C:\Program Files\iPod
2008-05-05 21:43 --------- d-----w C:\Program Files\QuickTime
2008-05-04 15:05 --------- d-----w C:\Program Files\Belarc
2008-05-04 14:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 34,816 ----a-w C:\WINDOWS\Help\sniffpol.dll
2008-04-14 00:12 33,280 ----a-w C:\WINDOWS\Help\sstub.dll
2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 279,040 ----a-w C:\WINDOWS\Help\tshoot.dll
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2008-04-14 00:11 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-14 00:11 39,424 ----a-w C:\WINDOWS\AppPatch\acadproc.dll
2008-04-14 00:11 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll
2008-04-14 00:11 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll
2008-04-14 00:11 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll
2008-04-14 00:11 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll
2007-09-12 10:19 8,784 ----a-w C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-09-12 10:22 245,408 ----a-w C:\Program Files\mozilla firefox\plugins\unicows.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 01:12 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2003-03-10 10:52 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-02-13 22:00 294912]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2003-04-01 12:40 290816]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-12-25 17:38 159744]
"NDSTray.exe"="NDSTray.exe" []
"PRONoMgr.exe"="C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 03:36 86016]
"DpUtil"="C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe" [2003-12-19 13:10 155648]
"TPWRSAVE"="C:\Program Files\Toshiba\Toshiba Applet\tpwrsave.exe" [2004-09-15 11:29 1024000]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-05-31 14:16 1655552]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-17 20:04 1177368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 01:12 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Monitor.lnk - C:\Program Files\TOSHIBA\Bluetooth Monitor\BtMon2.exe [10/30/2007 2:30:01 AM 53248]
EZ-DUB Finder.lnk - C:\Program Files\EZ-DUB\EZ-DUB.exe [9/13/2005 8:47:52 PM 266240]
PC Health.lnk - C:\Program Files\Toshiba\TOSHIBA Management Console\TOSHealthLocalS.vbs [10/30/2007 2:09:41 AM 3531]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-10-18 21:47 75064 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\system32\LgNotify.dll 2003-12-16 09:32 110592 C:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"THKEYS"=2 (0x2)
"LogMeIn"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"C:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
"C:\\Program Files\\Miranda IM\\miranda32.exe"=
"C:\\Program Files\\Macromedia\\Flash MX\\Flash.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26811:TCP"= 26811:TCP:BitComet 26811 TCP
"26811:UDP"= 26811:UDP:BitComet 26811 UDP

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-17 20:04]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-05-30 18:20]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-05-30 18:20]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-17 20:03]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-09-12 11:20]
R3 EMCR;EMCR;C:\WINDOWS\system32\DRIVERS\EMCR7SK.sys [2004-11-08 14:05]
S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys []
S3 iscFlash;iscFlash;C:\DOCUME~1\Alex\LOCALS~1\Temp\isc39Atmp\iscflash.sys []
S3 r2mdkxga;Xircom RealPort2 CardBus Modem 56 Win-GlobalACCESS Driver;C:\WINDOWS\system32\DRIVERS\r2mdkxga.sys [2001-08-17 14:28]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-28 13:38:23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-22 11:40:46 C:\WINDOWS\Tasks\ATF-Cleaner.job"
- C:\Documents and Settings\Alex\Desktop\ATF-Cleaner.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-22 12:37:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-06-22 12:45:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-22 11:44:29

Pre-Run: 48,810,225,664 bytes free
Post-Run: 48,755,560,448 bytes free

210 --- E O F --- 2008-06-21 19:15:11

#9
Alex_McIntosh
  • Topic Starter
  • Member
  • 277 posts
I haven't been entirely satisfied with the programs returning nothing lol, so I scanned with AVG again (what found them) and it still came up with them; I looked into it further...

They are all (197) "potentially dangerous" and all are residing in the registry. They were all ActiveX objects.

I asked AVG to get rid of them all, rebooted the machine and now the reports from AVG are coming clean...

I don't know if you want to declare this closed now mate since it is running good after that :P Could you tell me though, did I get these from going on a website? Then they installed on my computer themselves? My sister has the same ActiveX problems on her machine and I would like to know how we got them... Any clues? Or could it just be random... :)

Thanks for all the help mate though, seriously, and for taking the time to review my log :)

#10
greyknight17
  • Malware Expert
  • Visiting Consultant
  • 16,560 posts
You mean you didn't tell AVG to remove it in the initial scan?

You could have gotten infected in various ways. It could be anything from visiting a site with malicious code without having the proper security programs on your computer, to opening a malicious executable file on your computer. I see that you are using eMule there. I don't recommend using any file sharing programs as they may contribute to malware infections.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

Driver::
iscFlash
Folder::
C:\WINDOWS\system32\scripting
C:\WINDOWS\system32\en
C:\WINDOWS\system32\bits
C:\WINDOWS\l2schemas
C:\WINDOWS\ServicePackFiles

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe.
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

How is it running so far?

Edited by greyknight17, 22 June 2008 - 03:49 PM.

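As an added example (not a tool from this thread and not part of ComboFix), here is a small Python triage pass over the ComboFix "Drivers/Services" block from post #8: it parses each "R1 name;description;path [timestamp]" line, flags driver images that live under a temporary directory or whose timestamp bracket is empty, and emits the Driver:: CFScript stanza that greyknight17 wrote by hand above. The reading of R/S as running/stopped and of empty brackets as "ComboFix found no file to stamp" is my assumption about ComboFix's output format, and the sample lines are constructed from the shape of the posted log.

```python
"""Triage pass over a ComboFix 'Drivers/Services' block (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample built from the shape of the block posted in the thread
# (state letter, start-type digit, name;description;image path [timestamp]).
SAMPLE_LOG = r"""
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-17 20:04]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-17 20:03]
S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys []
S3 iscFlash;iscFlash;C:\DOCUME~1\Alex\LOCALS~1\Temp\isc39Atmp\iscflash.sys []
S3 r2mdkxga;Xircom RealPort2 CardBus Modem 56 Win-GlobalACCESS Driver;C:\WINDOWS\system32\DRIVERS\r2mdkxga.sys [2001-08-17 14:28]
"""

# One line: state letter, start-type digit, name;description;path, then the
# file timestamp in square brackets (empty brackets when no file was found).
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);"
    r"(?P<path>.*?)\s*\[(?P<stamp>[^\]]*)\]\s*$"
)

# Locations a kernel driver or service image should never be loaded from.
# 8.3 short names are listed because ComboFix prints paths that way.
TRANSIENT_DIRS = ("\\temp\\", "\\locals~1\\", "\\local settings\\")


@dataclass
class DriverEntry:
    state: str        # 'R' running / 'S' stopped (assumed ComboFix convention)
    start_type: int   # Windows service start type as ComboFix prints it
    name: str
    description: str
    path: str
    timestamp: str    # "" when ComboFix printed empty brackets (assumed: no file)


def parse_driver_line(line: str) -> Optional[DriverEntry]:
    """Parse one ComboFix driver/service line; None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return DriverEntry(m["state"], int(m["start"]), m["name"], m["desc"],
                       m["path"].strip(), m["stamp"].strip())


def parse_log(text: str) -> List[DriverEntry]:
    entries = (parse_driver_line(ln) for ln in text.splitlines())
    return [e for e in entries if e is not None]


def assess(entry: DriverEntry) -> Optional[str]:
    """Return a reason the entry deserves a look, or None if it looks normal."""
    low = entry.path.lower()
    if any(d in low for d in TRANSIENT_DIRS):
        # A driver registered out of a Temp directory is the pattern the
        # expert removed (iscFlash); this is the strongest signal here.
        return "temp-path: driver image lives under a temporary directory"
    if not entry.timestamp:
        # Registry still points at a file that is no longer on disk: an
        # orphan entry worth reviewing, but not by itself malicious.
        return "orphan: registry entry points at a file ComboFix could not stamp"
    return None


def triage(text: str) -> Dict[str, str]:
    """Map service/driver name -> reason, for every entry that was flagged."""
    findings: Dict[str, str] = {}
    for entry in parse_log(text):
        reason = assess(entry)
        if reason:
            findings[entry.name] = reason
    return findings


def build_cfscript(text: str) -> str:
    """Emit the CFScript 'Driver::' stanza used in the thread for temp-path
    findings only; orphans are reported for review, not auto-removed."""
    names = [n for n, r in triage(text).items() if r.startswith("temp-path")]
    if not names:
        return ""
    return "Driver::\n" + "\n".join(names) + "\n"


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_LOG).items():
        print(f"{name:12} {reason}")
    print(build_cfscript(SAMPLE_LOG), end="")
```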

#11
Alex_McIntosh
  • Topic Starter
  • Member
  • 277 posts
Here you go mate, and it's running like normal now thanks :)

ComboFix 08-06-20.4 - Alex 2008-06-23 18:22:46.2 - NTFSx86
Running from: C:\Documents and Settings\Alex\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Alex\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\en :#:
C:\WINDOWS\system32\bits :#:
C:\WINDOWS\l2schemas :#:
C:\WINDOWS\ServicePackFiles :#:
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\scripting
C:\WINDOWS\system32\scripting\cscript.exe.mui
C:\WINDOWS\system32\scripting\jscript.dll.mui
C:\WINDOWS\system32\scripting\msscript.ocx.mui
C:\WINDOWS\system32\scripting\scrobj.dll.mui
C:\WINDOWS\system32\scripting\scrrun.dll.mui
C:\WINDOWS\system32\scripting\vbscript.dll.mui
C:\WINDOWS\system32\scripting\wscript.exe.mui
C:\WINDOWS\system32\scripting\wshext.dll.mui
C:\WINDOWS\system32\scripting\wshom.ocx.mui

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ISCFLASH
-------\Service_iscFlash


((((((((((((((((((((((((( Files Created from 2008-05-23 to 2008-06-23 )))))))))))))))))))))))))))))))
.

2008-06-22 17:25 . 2008-06-22 17:25 <DIR> d-------- C:\Program Files\Opera
2008-06-17 18:50 . 2008-06-22 17:12 <DIR> d-------- C:\Program Files\Panda Security
2008-06-17 16:17 . 2008-06-17 16:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-17 16:16 . 2008-06-22 17:13 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-17 16:16 . 2008-06-22 17:13 <DIR> d-------- C:\Documents and Settings\Alex\Application Data\SUPERAntiSpyware.com
2008-06-12 20:07 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-06-12 19:55 . 2008-06-12 19:55 <DIR> d-------- C:\WINDOWS\system32\en
2008-06-12 19:55 . 2008-06-12 19:55 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-12 19:55 . 2008-06-12 19:55 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-12 19:48 . 2008-06-12 19:56 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-12 19:23 . 2008-04-14 01:12 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll
2008-06-12 19:22 . 2008-04-14 01:12 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll
2008-06-12 19:21 . 2008-04-14 01:10 102,912 -----c--- C:\WINDOWS\system32\dllcache\dpcdll.dll
2008-06-12 19:21 . 2008-04-14 01:11 61,440 --------- C:\WINDOWS\system32\kmsvc.dll
2008-06-12 19:21 . 2008-04-14 01:09 24,064 -----c--- C:\WINDOWS\system32\dllcache\pidgen.dll
2008-06-12 19:21 . 2008-04-14 01:09 6,144 --------- C:\WINDOWS\system32\kbdpash.dll
2008-06-12 19:21 . 2008-04-14 01:09 6,144 --------- C:\WINDOWS\system32\kbdnepr.dll
2008-06-12 19:21 . 2008-04-14 01:09 6,144 --------- C:\WINDOWS\system32\kbdiultn.dll
2008-06-12 19:21 . 2008-04-14 01:09 6,144 --------- C:\WINDOWS\system32\kbdbhc.dll
2008-06-12 19:19 . 2008-04-14 01:11 516,768 --------- C:\WINDOWS\system32\ativvaxx.dll
2008-06-11 23:07 . 2008-06-13 12:05 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 23:07 . 2008-06-13 12:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 23:07 . 2008-05-08 15:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-10 11:05 . 2008-06-10 11:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-10 11:05 . 2008-06-10 11:05 <DIR> d-------- C:\Documents and Settings\Alex\Application Data\Malwarebytes
2008-05-29 16:30 . 2008-05-29 16:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-29 16:25 . 2008-05-29 16:25 <DIR> d-------- C:\Program Files\Bonjour
2008-05-29 13:15 . 2008-05-29 13:15 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 16:13 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-22 16:10 --------- d-----w C:\Program Files\eMule
2008-06-08 02:48 --------- d-----w C:\Program Files\Miranda IM
2008-05-30 17:20 87,056 ----a-w C:\WINDOWS\system32\drivers\cmdGuard.sys
2008-05-30 17:20 24,208 ----a-w C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-05-29 21:27 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-18 15:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-05-18 15:56 --------- d-----w C:\Program Files\Sony Ericsson
2008-05-18 15:56 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-05-17 22:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-17 22:01 --------- d-----w C:\Program Files\Ubisoft
2008-05-17 22:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-05-17 22:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-17 21:59 1 ----a-w C:\Documents and Settings\Alex\SI.bin
2008-05-17 21:55 --------- d--h--r C:\Documents and Settings\Alex\Application Data\SecuROM
2008-05-17 20:04 --------- d-----w C:\Documents and Settings\Alex\Application Data\Teleca
2008-05-17 19:53 --------- d-----w C:\Documents and Settings\Alex\Application Data\Sony Ericsson
2008-05-17 19:04 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-17 19:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-17 19:04 --------- d-----w C:\Documents and Settings\Alex\Application Data\AVGTOOLBAR
2008-05-17 19:03 --------- d-----w C:\Program Files\AVG
2008-05-17 19:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-05-17 14:56 --------- d-----w C:\Program Files\Synergy
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-05 21:49 --------- d-----w C:\Program Files\Apple Software Update
2008-05-05 21:46 --------- d-----w C:\Program Files\iTunes
2008-05-05 21:46 --------- d-----w C:\Program Files\iPod
2008-05-05 21:43 --------- d-----w C:\Program Files\QuickTime
2008-05-04 15:05 --------- d-----w C:\Program Files\Belarc
2008-05-04 14:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2007-09-12 10:19 8,784 ----a-w C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-09-12 10:22 245,408 ----a-w C:\Program Files\mozilla firefox\plugins\unicows.dll
.

((((((((((((((((((((((((((((( [email protected]_12.43.52.90 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-22 11:24:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-23 17:29:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2000-08-31 07:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 07:00:00 28,672 ----a-w C:\WINDOWS\Nircmd.exe
- 2008-06-12 19:07:42 1,556,936 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-06-23 16:59:13 1,556,992 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 01:12 15360]
"HandyPassword"="C:\Program Files\Handy Password\HandyPassword.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2003-03-10 10:52 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-02-13 22:00 294912]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2003-04-01 12:40 290816]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-12-25 17:38 159744]
"NDSTray.exe"="NDSTray.exe" []
"PRONoMgr.exe"="C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 03:36 86016]
"DpUtil"="C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe" [2003-12-19 13:10 155648]
"TPWRSAVE"="C:\Program Files\Toshiba\Toshiba Applet\tpwrsave.exe" [2004-09-15 11:29 1024000]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-05-31 14:16 1655552]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-17 20:04 1177368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 01:12 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Monitor.lnk - C:\Program Files\TOSHIBA\Bluetooth Monitor\BtMon2.exe [10/30/2007 2:30:01 AM 53248]
EZ-DUB Finder.lnk - C:\Program Files\EZ-DUB\EZ-DUB.exe [9/13/2005 8:47:52 PM 266240]
PC Health.lnk - C:\Program Files\Toshiba\TOSHIBA Management Console\TOSHealthLocalS.vbs [10/30/2007 2:09:41 AM 3531]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-10-18 21:47 75064 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\system32\LgNotify.dll 2003-12-16 09:32 110592 C:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"THKEYS"=2 (0x2)
"LogMeIn"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"C:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
"C:\\Program Files\\Miranda IM\\miranda32.exe"=
"C:\\Program Files\\Macromedia\\Flash MX\\Flash.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26811:TCP"= 26811:TCP:BitComet 26811 TCP
"26811:UDP"= 26811:UDP:BitComet 26811 UDP

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-17 20:04]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-05-30 18:20]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-05-30 18:20]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-17 20:03]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-09-12 11:20]
R3 EMCR;EMCR;C:\WINDOWS\system32\DRIVERS\EMCR7SK.sys [2004-11-08 14:05]
S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys []
S3 r2mdkxga;Xircom RealPort2 CardBus Modem 56 Win-GlobalACCESS Driver;C:\WINDOWS\system32\DRIVERS\r2mdkxga.sys [2001-08-17 14:28]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-28 13:38:23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-23 17:34:11 C:\WINDOWS\Tasks\ATF-Cleaner.job"
- C:\Documents and Settings\Alex\Desktop\ATF-Cleaner.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-23 18:34:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-06-23 18:42:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-23 17:41:37
ComboFix2.txt 2008-06-22 11:45:29

Pre-Run: 49,174,654,976 bytes free
Post-Run: 49,159,041,024 bytes free

223 --- E O F --- 2008-06-21 19:15:11
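As an added example (not code posted in this thread), here is a small Python parser for the "Reg Loading Points" section of a ComboFix log like the one above. It runs over a constructed excerpt in that layout and flags the three things a reviewer checks first: Run entries whose bracketed file metadata is empty (`[ ]`, which ComboFix shows when it could not read the target file), a standard-profile firewall with `EnableFirewall` set to 0, and globally opened ports.

```python
import re

# Constructed excerpt, laid out like the 'Reg Loading Points' section of
# the ComboFix log posted above (values copied from that log).
SAMPLE_LOG = """\
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe" [2008-01-28 12:43 2097488]
"Uniblue RegistryBooster 2"="C:\\Program Files\\Uniblue\\RegistryBooster 2\\RegistryBooster.exe" [ ]
"HandyPassword"="C:\\Program Files\\Handy Password\\HandyPassword.exe" [ ]

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"26811:TCP"= 26811:TCP:BitComet 26811 TCP
"26811:UDP"= 26811:UDP:BitComet 26811 UDP
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
PORT_RE = re.compile(r'^"(?P<port>\d+:(?:TCP|UDP))"=')
FW_RE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')


def parse_loading_points(text):
    """Walk the section key by key and collect review findings."""
    findings = {"missing_targets": [], "firewall_enabled": None, "open_ports": []}
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:                      # a new [registry key] header
            key = m.group("key").lower()
            continue
        if key is None:
            continue
        if key.endswith("\\run"):
            m = RUN_RE.match(line)
            # empty '[ ]' metadata: ComboFix could not read the target file
            if m and not m.group("meta").strip():
                findings["missing_targets"].append((m.group("name"), m.group("path")))
        elif key.endswith("firewallpolicy\\standardprofile"):
            m = FW_RE.match(line)
            if m:
                findings["firewall_enabled"] = m.group("val") != "0"
        elif key.endswith("globallyopenports\\list"):
            m = PORT_RE.match(line)
            if m:
                findings["open_ports"].append(m.group("port"))
    return findings
```

Run against the sample it reports two Run entries with missing targets, the firewall disabled, and the two BitComet ports; entries with a relative path (like `"NDSTray.exe"="NDSTray.exe" []` in the log above) would also be reported, so check those by hand.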

#12 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.

#13 Alex_McIntosh (Member, Topic Starter, 277 posts)
Nope, it's going good now :) Thanks for the help, mate :)

Just to say, have you thought of redesigning your web page to add some functionality and appearance?

It just looks a little, white :) I'm a web designer; feel free to PM me or something, I can probably help you out :)

#14 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
No problem. Glad it resolved the issue.

Sure, I'm open to any suggestions. It is very plain :)

#15 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.