
Trojan Horse Downloader.Delf.12.AN [RESOLVED]


  • This topic is locked

#1
CnCWebDesigns

    New Member

  • Member
  • 8 posts
This trojan has been identified by my AVG (Version 7 and 8) under a number of different names over the past few months that I have been trying to get rid of it. It always points to the c:\windows\system32\datim.dll file. I have identified it as a BHO and have disabled the Browser Helper Object in IE. I have tried a number of things to remove it, but it just keeps coming back. I even booted the computer in "DOS" mode and erased the file, and it returned, so it looks like there may be some other item replacing the file. I also noticed in the Panda Antivirus log file that there is a Trj/WmaDownloader.G in the recycler - so it looks like it might be in a system restore image as well? I have been fighting this little bugger for a number of months. It will be nice to finally kill it off! There is a LOT of stuff on this system - I hope you guys (and gals) can weed it out.

Thanks in advance.

***********************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:55 AM, on 6/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\WinFast\WFTVFM\WFFM.exe
C:\Documents and Settings\Charlie\Desktop\4-HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: altamontchamber Toolbar - {ea8447cd-7127-4469-8902-5ee9b2d1588a} - C:\Program Files\altamontchamber\tbalt0.dll
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {E4BDF31B-20CA-4B40-923B-4E8877CAD045} - C:\WINDOWS\system32\datim.dll
O2 - BHO: altamontchamber Toolbar - {ea8447cd-7127-4469-8902-5ee9b2d1588a} - C:\Program Files\altamontchamber\tbalt0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: altamontchamber Toolbar - {ea8447cd-7127-4469-8902-5ee9b2d1588a} - C:\Program Files\altamontchamber\tbalt0.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://209.107.231.2...sCamControl.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://echat.us.dell...t/TLIEFlash.CAB
O16 - DPF: {958FCAB0-616B-11D3-A63F-00001B322780} (TimetickerLittleHelpers.usfServer) - http://www.timeticke...t/TcpServer.CAB
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8684 bytes
***********************************************
;*******************************************************************************
ANALYSIS: 2008-06-27 07:37:29
PROTECTIONS: 1
MALWARE: 17
SUSPECTS: 1
;*******************************************************************************
PROTECTIONS
Description          Version  Active  Updated
;===============================================================================
AVG Anti-Virus Free  8.0      Yes     Yes
;===============================================================================
MALWARE
Id        Description           Type          Active  Severity  Disinfectable  Disinfected  Location
;===============================================================================
00123310  HackTool/SRunner.B    HackTools     No      0         Yes            No           C:\WINDOWS\system32\instsrv.exe
01262593  Application/NirCmd.A  HackTools     No      0         No             No           C:\Documents and Settings\LocalService\My Documents\ComboFix.exe[nircmd.exe]
01262593  Application/NirCmd.A  HackTools     No      0         No             No           C:\Documents and Settings\LocalService\My Documents\ComboFix.exe[nircmd.cfexe]
02918367  Generic Trojan        Virus/Trojan  No      0         Yes            No           C:\WINDOWS\system32\datim.dll
02941684  Trj/WmaDownloader.G   Virus/Trojan  No      0         Yes            No           C:\RECYCLER\S-1-5-21-2052111302-1425521274-725345543-1005\Dc90.wma
;===============================================================================
SUSPECTS
Sent  Location
;===============================================================================
;===============================================================================
VULNERABILITIES
Id  Severity  Description
;===============================================================================
;===============================================================================
****************************************************
Uninstall Log
1Click DVD Copy 4.1
1st Page 2000 2.00 Free
ActivePerl 5.8.0 Build 806
Adobe After Effects 7.0
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Illustrator 9.0
Adobe Illustrator CS2
Adobe Photoshop 7.0.1
Adobe Product/Adobe Studio Update 10/2001
Adobe Reader 7.0.8
Adobe Streamline 4.0
Adobe SVG Viewer 3.0
Age of Mythology Gold
altamontchamber Toolbar
AnyDVD
AoA DVD Ripper
Apple Software Update
Art Explosion Greeting Card Factory
Attribute Changer 5.23
Audacity 1.2.3
Auralia 2.1
AvantGo Client
AVG Free 8.0
BitTornado 0.3.7
BookWorm Deluxe 1.0y
Camera Driver
CardRd81
CCleaner (remove only)
CCScore
Civilization III
Compatibility Pack for the 2007 Office system
Conexant HSF V92 56K RTAD Speakerphone PCI Modem
Connection Point Update Utility
CopyToDVD
Corel Painter Essentials 2
CoreVorbis Audio Decoder (remove only)
CR2
CSE HTML Validator Lite v6.52
Dell ResourceCD
Demolition Champions
Direct Show Ogg Vorbis Filter (remove only)
Disney's Toontown Online
DivX Codec 3.1alpha release
DivX Content Uploader
DivX Player
DivX Web Player
DVD Shrink 3.2
DVDXCopy Xpress 2.5.4 Trial
EA.com Update
Easy CD Creator 5 Basic
Eazy VCD 1.15a
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
ESSTUTOR
ESSvpaht
ESSvpot
Evrsoft First Page 2006
ExtraTorrent Toolbar v2.0
ffdshow (remove only)
Finale NotePad 2003a
FinePrint pdfFactory
FLV Player 1.3.3
Free RM to MP3 Converter 1.12
Gallery Remote
Google Earth
Google Toolbar for Internet Explorer
Haali Media Splitter
HijackThis 2.0.2
HLPIndex
HLPPDOCK
HLPRFO
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
hp instant support
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
Icy Tower v1.3.1
Intel® PRO Ethernet Adapter and Software
Ipswitch WS_FTP Pro
IrfanView (remove only)
J2SE Runtime Environment 5.0
Job Timer 2 Invoice
Job Timer 2 V2.4.52
KODAK DC3200
Kodak EasyShare software
KSU
Lame ACM MP3 Codec
LimeWire 4.16.6
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Matroska Pack - Lazy Man's MKV 0.9.7
MediaCoder 0.5.1
Microsoft .NET Compact Framework 1.0 SP2
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft ActiveSync 4.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Outlook 2002
Microsoft RalliSport Challenge
Microsoft Reader for Pocket PC
Microsoft Tool Web Package:WntIpcfg.exe
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Morgan Stream Switcher
Mozilla Firefox (2.0.0.8)
MrSID GeoViewer
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML4 Parser
MySQL Servers and Clients 3.23.52
MySQL Tools for 5.0
NASCAR® Racing 2003 Season
Nero 7 Demo
NHL 2002
nik Color Efex Pro 2.0 GE
Notifier
NVIDIA Drivers
Olympus USB Reader Ver 1.01
OTtBP
OTtBPSDK
Panda ActiveScan 2.0
PDF Split & Merge 1.02
PDFCreator 0.8.0
PicturePlayer V3
poEdit 1.3.6
Pop-up Excel Calendar 1.2.2
PowerDVD
PrintMaster
QuarkXPress 5.0
QuickBooks Pro 2002
QuickTime
RealPlayer
Return to Castle Wolfenstein
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
SFR
SHASTA
Shockwave
SKIN0001
SKINXSDK
Skype™ 3.8
Skype™ for Pocket PC 2.0
SnadBoy's Revelation v2
Sound Blaster Live!
Spybot - Search & Destroy 1.3 (beta 6)
Stellarium 0.8.0
Super DVD Ripper (remove only)
SUPERAntiSpyware Free Edition
SWFRIP 0.4
SWiSH Video3
SWiSHmax
Tablet
TCPMP
Theme Generator V2
TightVNC 1.2.9
Time Zone Data Update Tool for Microsoft Office Outlook
Trillian
Truck Dismount (remove only)
Ulead VideoStudio 9.0
Unicorn Rainbow 2.0 Screensaver
Unlocker 1.8.5
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Viewpoint Media Player (Remove Only)
VNC 3.3.7
VobSub v2.23 (Remove Only)
VPRINTOL
WebDialogs Unyte
WinAce Archiver
Windows Defender
Windows Defender Signatures
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinFast PVR
WinFast® TV2000 XP / TV2000 XP Expert / VC100 XP(WDM Driver)
WinHTTrack Website Copier 3.30
WinPcap 4.0
WinSCP 3.7.1
WIRELESS
WM Recorder 11.3
Worms 3D
Worms Armageddon
Worms for Pocket PC
Xenu's Link Sleuth
XviD 1.1 final uninstall
************************************************************************

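A small triage script for the HijackThis R3/O2/O3 entries in the log above, added here as an example (it is not part of the original post and not HijackThis code): it extracts each CLSID and file path, correlates a CLSID that appears in several sections, and flags name-less entries that still resolve to a file as well as orphan entries whose file is gone. The sample lines are copied from the posted log; the flagging rules are this example's own assumptions, not tool verdicts.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread; it is not part of the original post and not
HijackThis code. It parses R3/O2/O3 entries, extracts CLSID and file path,
correlates the same CLSID across entry types, and lists leads a helper would
check first. The heuristics are this example's own, not HijackThis verdicts.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: R3/O2/O3 lines copied from the log posted above.
SAMPLE_LINES = [
    r"R3 - URLSearchHook: altamontchamber Toolbar - {ea8447cd-7127-4469-8902-5ee9b2d1588a} - C:\Program Files\altamontchamber\tbalt0.dll",
    r"O2 - BHO: (no name) - AutorunsDisabled - (no file)",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)",
    r"O2 - BHO: (no name) - {E4BDF31B-20CA-4B40-923B-4E8877CAD045} - C:\WINDOWS\system32\datim.dll",
    r"O2 - BHO: altamontchamber Toolbar - {ea8447cd-7127-4469-8902-5ee9b2d1588a} - C:\Program Files\altamontchamber\tbalt0.dll",
    r"O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)",
    r"O3 - Toolbar: altamontchamber Toolbar - {ea8447cd-7127-4469-8902-5ee9b2d1588a} - C:\Program Files\altamontchamber\tbalt0.dll",
]

# "<kind> - <category>: <name> - {CLSID} - <path>"; the name is matched lazily
# so a " - " inside it cannot swallow the CLSID field.
ENTRY_RE = re.compile(
    r"^(?P<kind>R3|O2|O3) - (?P<category>URLSearchHook|BHO|Toolbar): "
    r"(?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)

# Directories where a name-less BHO deserves extra attention (lower-cased).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\system")


@dataclass(frozen=True)
class Entry:
    kind: str      # HijackThis section: R3, O2 or O3
    category: str  # URLSearchHook, BHO or Toolbar
    name: str      # display name, or "(no name)"
    clsid: str     # normalised to lower case so R3/O2/O3 spellings match
    path: str      # module path, or "(no file)"


def parse_hjt(lines):
    """Parse the lines that carry a CLSID; lines without one (for example an
    'AutorunsDisabled' placeholder) are skipped rather than guessed at."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["kind"], m["category"], m["name"],
                                 m["clsid"].lower(), m["path"]))
    return entries


def in_system_dir(path):
    """True when the module lives directly under a Windows system directory."""
    p = path.lower()
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def triage(entries):
    """Return (clsid, reason) leads: one CLSID registered under several
    categories (bundled toolbar), registrations whose file is gone (orphans,
    cleanup candidates) and name-less entries that do resolve to a file,
    noting when that file sits in the Windows system directory."""
    by_clsid = defaultdict(list)
    for e in entries:
        by_clsid[e.clsid].append(e)

    findings = []
    for clsid, group in by_clsid.items():
        categories = sorted({e.category for e in group})
        if len(categories) > 1:
            findings.append((clsid, "registered as " + ", ".join(categories)))
        for e in group:
            if e.path == "(no file)":
                findings.append((clsid, f"{e.category} '{e.name}' points to a "
                                        "missing file (orphan entry)"))
            elif e.name == "(no name)":
                where = (" in the Windows system directory"
                         if in_system_dir(e.path) else "")
                findings.append((clsid, f"name-less {e.category} backed by "
                                        f"{e.path}{where}"))
    return findings


if __name__ == "__main__":
    for clsid, reason in triage(parse_hjt(SAMPLE_LINES)):
        print(f"{clsid}: {reason}")
```

Run against the full log, the leads it produces are the same three CLSIDs the helper later acts on in this thread; a clean, named BHO such as the Adobe helper produces no finding.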
#2
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#3
CnCWebDesigns

    New Member

  • Topic Starter
  • Member
  • 8 posts
Thanks again for the help and the QUICK response. I was a bit squeamish about running ComboFix - it looks like it can do some real damage if things go wrong - but it looks like mine went fine. Hope this kills this trojan - like I said, it has been beating me for a few months now. Here is the log:

ComboFix 08-06-20.4 - Charlie 2008-06-27 11:15:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.459 [GMT -5:00]
Running from: C:\Documents and Settings\Charlie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Charlie\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Charlie\Application Data\macromedia\Flash Player\#SharedObjects\MYPG5UCL\www.broadcaster.com
C:\Documents and Settings\Charlie\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Charlie\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Shelby\Application Data\macromedia\Flash Player\#SharedObjects\NXXTJ4UD\www.broadcaster.com
C:\Documents and Settings\Shelby\Application Data\macromedia\Flash Player\#SharedObjects\NXXTJ4UD\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Shelby\Application Data\macromedia\Flash Player\#SharedObjects\NXXTJ4UD\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Shelby\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Shelby\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\system32\mdm.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-27 to 2008-06-27 )))))))))))))))))))))))))))))))
.

2008-06-26 17:52 . 2008-06-26 17:52 <DIR> d-------- C:\WINDOWS\LastGood
2008-06-26 17:52 . 2008-06-26 17:53 <DIR> d-------- C:\Program Files\Panda Security
2008-06-26 06:20 . 2008-06-26 06:20 <DIR> d--hs---- C:\found.001
2008-06-25 23:27 . 2008-06-25 23:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-25 23:26 . 2008-06-27 09:55 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-25 23:26 . 2008-06-25 23:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-25 23:26 . 2008-06-25 23:26 <DIR> d-------- C:\Documents and Settings\Charlie\Application Data\SUPERAntiSpyware.com
2008-06-24 23:26 . 2008-06-24 23:27 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-24 23:26 . 2008-06-24 23:26 <DIR> d-------- C:\Documents and Settings\Charlie\Application Data\Malwarebytes
2008-06-24 23:26 . 2008-06-24 23:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-24 23:26 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-24 23:26 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-24 23:25 . 2008-06-24 23:25 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-22 20:04 . 2008-06-22 20:04 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-06-22 20:03 . 2008-06-22 20:03 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-06-22 13:07 . 2008-06-22 13:07 <DIR> d-------- C:\ProgramData
2008-06-22 13:07 . 2008-06-22 16:09 1,474 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2008-06-22 13:01 . 2008-06-22 13:01 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-06-21 09:48 . 2008-06-21 09:48 <DIR> d-------- C:\Deckard
2008-06-14 20:16 . 2008-06-14 20:25 <DIR> d-------- C:\Documents and Settings\Shelby\Application Data\AVGTOOLBAR
2008-06-12 19:16 . 2008-06-27 08:16 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-12 17:26 . 2008-06-27 09:13 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-12 17:26 . 2008-06-12 21:01 <DIR> d-------- C:\Documents and Settings\Charlie\Application Data\AVGTOOLBAR
2008-06-12 17:26 . 2008-06-12 17:26 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-12 17:26 . 2008-06-12 17:26 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-12 17:25 . 2008-06-12 17:25 <DIR> d-------- C:\Program Files\AVG
2008-06-12 17:25 . 2008-06-12 17:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-10 20:32 . 2008-06-13 08:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-27 16:22 --------- d-----w C:\Documents and Settings\Charlie\Application Data\Skype
2008-06-27 13:09 --------- d-----w C:\Documents and Settings\Charlie\Application Data\skypePM
2008-06-25 01:51 --------- d-----w C:\Documents and Settings\Shelby\Application Data\Skype
2008-06-25 00:20 --------- d-----w C:\Documents and Settings\Shelby\Application Data\skypePM
2008-06-22 21:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-22 03:00 --------- d-----w C:\Documents and Settings\Shelby\Application Data\LimeWire
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 02:24 --------- d-----w C:\Program Files\Evrsoft First Page 2006
2008-06-12 22:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-27 22:11 --------- d-----w C:\Program Files\Return to Castle Wolfenstein
2008-05-24 18:49 --------- d-----w C:\Program Files\Apple Software Update
2008-05-24 18:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-05-10 00:12 --------- d-----w C:\Documents and Settings\Shelby\Application Data\AdobeUM
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-03 03:31 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-02 05:38 70 ----a-w C:\Documents and Settings\Charlie\pinger.bat
2006-09-13 15:04 20,480 ----a-w C:\Program Files\yaiy.dll
2004-07-15 03:23 18 ----a-w C:\Program Files\Intellicast.ini
2004-06-01 05:42 364,544 ----a-w C:\Program Files\Intellicast.exe
2004-05-23 00:00 22,016 ----a-w C:\Program Files\shootthemessenger.exe
2003-11-09 19:55 1,569 ----a-w C:\Program Files\uninstal.log
2003-11-02 04:44 77 ----a-w C:\Documents and Settings\Charlie\check.bat
2003-02-12 09:54 415,232 ----a-w C:\Program Files\EditPad.exe
2005-02-05 00:08 141 --sha-r C:\WINDOWS\Regbak.dat
2006-07-05 06:14 56 --sh--r C:\WINDOWS\system32\39DC0A51D4.sys
2006-07-05 06:14 11,270 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4BDF31B-20CA-4B40-923B-4E8877CAD045}]
2008-03-04 13:42 98048 --a------ C:\WINDOWS\system32\datim.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ea8447cd-7127-4469-8902-5ee9b2d1588a}]
2007-12-10 14:46 1510424 --a------ C:\Program Files\altamontchamber\tbalt0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EA8447CD-7127-4469-8902-5EE9B2D1588A}"= "C:\Program Files\altamontchamber\tbalt0.dll" [2007-12-10 14:46 1510424]

[HKEY_CLASSES_ROOT\clsid\{ea8447cd-7127-4469-8902-5ee9b2d1588a}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EA8447CD-7127-4469-8902-5EE9B2D1588A}"= C:\Program Files\altamontchamber\tbalt0.dll [2007-12-10 14:46 1510424]

[HKEY_CLASSES_ROOT\clsid\{ea8447cd-7127-4469-8902-5ee9b2d1588a}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-05-30 15:54 21718312]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 19:44 1200128]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinFast Schedule"="C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" [2003-05-23 11:38 159744]
"pdfFactory Dispatcher v1"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe" [2003-07-22 22:03 380928]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 12:19 15872]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-12 17:25 1177368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 23:21 68856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 18:11:12 28672]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2007-06-30 14:55:38 114688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"MSACM.CEGSM"= mobilev.acm
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
"VIDC.YV12"= xl_yv12.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"VIDC.HFYU"= huffyuv.dll
"vidc.ffds"= C:\Program Files\ffdshow\ffdshow.ax
"VIDC.D263"= xl_x263dec.dll
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
backup=C:\WINDOWS\pss\Event Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PayPal Plug-In for Outlook Express.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PayPal Plug-In for Outlook Express.lnk
backup=C:\WINDOWS\pss\PayPal Plug-In for Outlook Express.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks 2002 Delivery Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks 2002 Delivery Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks 2002 Delivery Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
--a------ 2002-04-03 01:01 135264 C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hours2]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hours2L]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hours3l]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NGServer]
C:\Program Files\Symantec\Ghost\ngserver.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-01-26 23:51 36972 C:\Program Files\Java\jre1.5.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-18 23:21 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysme]
C:\WINDOWS\System32\sysme.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-12-24 19:47 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YellowTipWS_mysql"=2 (0x2)
"YellowTipWS_Apache"=2 (0x2)
"AWHelpServer"=3 (0x3)
"NGServer"=2 (0x2)
"ngdbserv"=3 (0x3)
"rpcapd"=3 (0x3)
"NVSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Mythology\\aomx.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\WS_FTP Pro\\wsftppro.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"C:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 gxadsyrc;gxadsyrc;C:\WINDOWS\system32\drivers\csrvdhpe.dat []
R0 PenClass;Pen Class;C:\WINDOWS\system32\Drivers\PenClass.sys [2005-11-29 16:50]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-12 17:26]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-12 17:25]
R2 BT848;WinFast TV2000 XP WDM Video Capture;C:\WINDOWS\system32\drivers\wf2kvcap.sys [2002-06-24 11:57]
R2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;C:\WINDOWS\system32\drivers\wf2ktunr.sys [2002-06-24 11:57]
R2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;C:\WINDOWS\system32\drivers\wf2kxbar.sys [2002-06-24 11:57]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 01:01]
R3 WFIOCTL;WFIOCTL;C:\Program Files\WinFast\WFTVFM\WFIOCTL.SYS [2003-01-07 10:16]
S0 ElbyVCD;ElbyVCD;C:\WINDOWS\system32\DRIVERS\ElbyVCD.sys []
S2 P1C1394;Phase One 1394 Camera Driver;C:\WINDOWS\system32\Drivers\p1c1394.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 12:31]
S3 scsiscan;SCSI Scanner Driver;C:\WINDOWS\system32\DRIVERS\scsiscan.sys [2001-08-17 13:53]
S3 XIRLINK;Veo PC Camera;C:\WINDOWS\system32\DRIVERS\ucdnt.sys [2002-04-08 11:57]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{674cc746-ba55-11dc-b219-0007e9bb4c07}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
*Newly Created Service* - RKPAVPROC
.
Contents of the 'Scheduled Tasks' folder
"2008-06-21 03:16:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-27 07:05:39 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-06-27 15:44:14 C:\WINDOWS\Tasks\User_Feed_Synchronization-{5001D6A3-BD16-4CA9-920B-990C326F32F2}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 11:21:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="C:/mysql/bin/mysqld.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\gxadsyrc]
"ImagePath"="system32\drivers\csrvdhpe.dat"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="C:/mysql/bin/mysqld.exe"
.
Completion time: 2008-06-27 11:30:58
ComboFix-quarantined-files.txt 2008-06-27 16:30:54

Pre-Run: 12,180,283,392 bytes free
Post-Run: 12,675,465,216 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

273 --- E O F --- 2008-06-24 18:33:25
  • 0

#4 CnCWebDesigns (New Member, Topic Starter, 8 posts)
Just a note to others that may be going through the same process. I noticed that when I got the Windows Recovery Console it listed XP / XPSP1 and XPSP2. It looks like there is not a download of the XP Recovery Console for Service Pack 3 (yet?).
  • 0

#5 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hello

Looking at your system now, one or more of the identified infections is a backdoor Trojan.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.




1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

http://www.geekstogo...AN-t203114.html

Collect::
C:\WINDOWS\system32\datim.dll

Suspect::

File::
C:\WINDOWS\System32\sysme.exe
G:\LaunchU3.exe

Folder::
C:\found.001

Driver::
gxadsyrc

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hours2]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hours2L]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hours3l]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysme]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{674cc746-ba55-11dc-b219-0007e9bb4c07}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. Additionally, ComboFix will generate the following files on your desktop:
  • A zipped file on your desktop called Submit [Date Time].zip
  • And another file named - CF-Submit.htm
6. ComboFix may need to reboot to finish its work. Let it.

7. When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

8. If CF-Submit.htm is detected, ComboFix will generate this message box:

Posted Image

Clicking OK will cause the machine's browser to load CF-Submit.htm

Posted Image

9. Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
  • Click on the file to Select it.
  • Submit the file by clicking "OK"
10. Once the file has been submitted, please DELETE both files on your desktop.

11. Post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log (run after ComboFix has finished its work.)



Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:

C:\Documents and Settings\Charlie\pinger.bat

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.


Repeat that for this file

C:\Program Files\yaiy.dll
  • 0

#6 CnCWebDesigns (New Member, Topic Starter, 8 posts)
Here are the files after the second ComboFix run. Looks like it found the datim.dll and the file is still there, but now my AVG does not indicate that it is a virus, although VirusTotal does. I will complete the other steps.
On the pinger.bat - that is a file I wrote to "monitor" a web server that had the internet connection going on / off/ on / off etc. I had to show the ISP that it WAS going on and off and WHEN it was going on and off. I submitted it to TotalVirus anyway. (Neat site - I will have to remember that one!)

ComboFix 08-06-20.4 - Charlie 2008-06-27 13:48:19.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503 [GMT -5:00]
Running from: C:\Documents and Settings\Charlie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Charlie\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\System32\sysme.exe
G:\LaunchU3.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\found.001
C:\found.001\file0000.chk
C:\WINDOWS\system32\datim.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GXADSYRC
-------\Service_gxadsyrc


((((((((((((((((((((((((( Files Created from 2008-05-27 to 2008-06-27 )))))))))))))))))))))))))))))))
.

2008-06-26 17:52 . 2008-06-26 17:53 <DIR> d-------- C:\Program Files\Panda Security
2008-06-25 23:27 . 2008-06-25 23:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-25 23:26 . 2008-06-27 09:55 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-25 23:26 . 2008-06-25 23:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-25 23:26 . 2008-06-25 23:26 <DIR> d-------- C:\Documents and Settings\Charlie\Application Data\SUPERAntiSpyware.com
2008-06-24 23:26 . 2008-06-24 23:27 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-24 23:26 . 2008-06-24 23:26 <DIR> d-------- C:\Documents and Settings\Charlie\Application Data\Malwarebytes
2008-06-24 23:26 . 2008-06-24 23:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-24 23:26 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-24 23:26 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-24 23:25 . 2008-06-24 23:25 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-22 20:04 . 2008-06-22 20:04 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-06-22 20:03 . 2008-06-22 20:03 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-06-22 13:07 . 2008-06-22 13:07 <DIR> d-------- C:\ProgramData
2008-06-22 13:07 . 2008-06-22 16:09 1,474 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2008-06-22 13:01 . 2008-06-22 13:01 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-06-21 09:48 . 2008-06-21 09:48 <DIR> d-------- C:\Deckard
2008-06-14 20:16 . 2008-06-14 20:25 <DIR> d-------- C:\Documents and Settings\Shelby\Application Data\AVGTOOLBAR
2008-06-12 19:16 . 2008-06-27 08:16 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-12 17:26 . 2008-06-27 09:13 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-12 17:26 . 2008-06-12 21:01 <DIR> d-------- C:\Documents and Settings\Charlie\Application Data\AVGTOOLBAR
2008-06-12 17:26 . 2008-06-12 17:26 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-12 17:26 . 2008-06-12 17:26 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-12 17:25 . 2008-06-12 17:25 <DIR> d-------- C:\Program Files\AVG
2008-06-12 17:25 . 2008-06-12 17:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-10 20:32 . 2008-06-13 08:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-27 18:59 --------- d-----w C:\Documents and Settings\Charlie\Application Data\Skype
2008-06-27 18:10 --------- d-----w C:\Program Files\Evrsoft First Page 2006
2008-06-27 13:09 --------- d-----w C:\Documents and Settings\Charlie\Application Data\skypePM
2008-06-25 01:51 --------- d-----w C:\Documents and Settings\Shelby\Application Data\Skype
2008-06-25 00:20 --------- d-----w C:\Documents and Settings\Shelby\Application Data\skypePM
2008-06-22 21:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-22 03:00 --------- d-----w C:\Documents and Settings\Shelby\Application Data\LimeWire
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 22:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-27 22:11 --------- d-----w C:\Program Files\Return to Castle Wolfenstein
2008-05-24 18:49 --------- d-----w C:\Program Files\Apple Software Update
2008-05-24 18:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-05-10 00:12 --------- d-----w C:\Documents and Settings\Shelby\Application Data\AdobeUM
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-03-03 03:31 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-02 05:38 70 ----a-w C:\Documents and Settings\Charlie\pinger.bat
2006-09-13 15:04 20,480 ----a-w C:\Program Files\yaiy.dll
2004-07-15 03:23 18 ----a-w C:\Program Files\Intellicast.ini
2004-06-01 05:42 364,544 ----a-w C:\Program Files\Intellicast.exe
2004-05-23 00:00 22,016 ----a-w C:\Program Files\shootthemessenger.exe
2003-11-09 19:55 1,569 ----a-w C:\Program Files\uninstal.log
2003-11-02 04:44 77 ----a-w C:\Documents and Settings\Charlie\check.bat
2003-02-12 09:54 415,232 ----a-w C:\Program Files\EditPad.exe
2005-02-05 00:08 141 --sha-r C:\WINDOWS\Regbak.dat
2006-07-05 06:14 56 --sh--r C:\WINDOWS\system32\39DC0A51D4.sys
2006-07-05 06:14 11,270 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-27_11.30.35.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-26 11:21:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-27 21:46:55 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-21 01:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
- 2008-06-26 11:22:18 16,100 ----a-w C:\WINDOWS\system32\tablet.dat
+ 2008-06-27 21:47:19 16,100 ----a-w C:\WINDOWS\system32\tablet.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4BDF31B-20CA-4B40-923B-4E8877CAD045}]
2008-03-04 13:42 98048 --a------ C:\WINDOWS\system32\datim.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ea8447cd-7127-4469-8902-5ee9b2d1588a}]
2007-12-10 14:46 1510424 --a------ C:\Program Files\altamontchamber\tbalt0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EA8447CD-7127-4469-8902-5EE9B2D1588A}"= "C:\Program Files\altamontchamber\tbalt0.dll" [2007-12-10 14:46 1510424]

[HKEY_CLASSES_ROOT\clsid\{ea8447cd-7127-4469-8902-5ee9b2d1588a}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EA8447CD-7127-4469-8902-5EE9B2D1588A}"= C:\Program Files\altamontchamber\tbalt0.dll [2007-12-10 14:46 1510424]

[HKEY_CLASSES_ROOT\clsid\{ea8447cd-7127-4469-8902-5ee9b2d1588a}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-05-30 15:54 21718312]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 19:44 1200128]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinFast Schedule"="C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" [2003-05-23 11:38 159744]
"pdfFactory Dispatcher v1"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe" [2003-07-22 22:03 380928]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 12:19 15872]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-12 17:25 1177368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 23:21 68856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 18:11:12 28672]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2007-06-30 14:55:38 114688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"MSACM.CEGSM"= mobilev.acm
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
"VIDC.YV12"= xl_yv12.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"VIDC.HFYU"= huffyuv.dll
"vidc.ffds"= C:\Program Files\ffdshow\ffdshow.ax
"VIDC.D263"= xl_x263dec.dll
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
backup=C:\WINDOWS\pss\Event Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PayPal Plug-In for Outlook Express.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PayPal Plug-In for Outlook Express.lnk
backup=C:\WINDOWS\pss\PayPal Plug-In for Outlook Express.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks 2002 Delivery Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks 2002 Delivery Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks 2002 Delivery Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
--a------ 2002-04-03 01:01 135264 C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NGServer]
C:\Program Files\Symantec\Ghost\ngserver.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-01-26 23:51 36972 C:\Program Files\Java\jre1.5.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-18 23:21 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-12-24 19:47 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YellowTipWS_mysql"=2 (0x2)
"YellowTipWS_Apache"=2 (0x2)
"AWHelpServer"=3 (0x3)
"NGServer"=2 (0x2)
"ngdbserv"=3 (0x3)
"rpcapd"=3 (0x3)
"NVSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Mythology\\aomx.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\WS_FTP Pro\\wsftppro.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"C:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 gxadsyrc;gxadsyrc;C:\WINDOWS\system32\drivers\csrvdhpe.dat []
R0 PenClass;Pen Class;C:\WINDOWS\system32\Drivers\PenClass.sys [2005-11-29 16:50]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-12 17:26]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-12 17:25]
R2 BT848;WinFast TV2000 XP WDM Video Capture;C:\WINDOWS\system32\drivers\wf2kvcap.sys [2002-06-24 11:57]
R2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;C:\WINDOWS\system32\drivers\wf2ktunr.sys [2002-06-24 11:57]
R2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;C:\WINDOWS\system32\drivers\wf2kxbar.sys [2002-06-24 11:57]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 01:01]
R3 WFIOCTL;WFIOCTL;C:\Program Files\WinFast\WFTVFM\WFIOCTL.SYS [2003-01-07 10:16]
S0 ElbyVCD;ElbyVCD;C:\WINDOWS\system32\DRIVERS\ElbyVCD.sys []
S2 P1C1394;Phase One 1394 Camera Driver;C:\WINDOWS\system32\Drivers\p1c1394.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 12:31]
S3 scsiscan;SCSI Scanner Driver;C:\WINDOWS\system32\DRIVERS\scsiscan.sys [2001-08-17 13:53]
S3 XIRLINK;Veo PC Camera;C:\WINDOWS\system32\DRIVERS\ucdnt.sys [2002-04-08 11:57]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-21 03:16:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-27 21:50:16 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-06-27 21:52:33 C:\WINDOWS\Tasks\User_Feed_Synchronization-{5001D6A3-BD16-4CA9-920B-990C326F32F2}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 16:51:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySql]
"ImagePath"="C:/mysql/bin/mysqld.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gxadsyrc]
"ImagePath"="system32\drivers\csrvdhpe.dat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySql]
"ImagePath"="C:/mysql/bin/mysqld.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Unlocker\UnlockerHook.dll
-> C:\Program Files\WS_FTP Pro\nsftpch.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\LexBceS.exe
C:\WINDOWS\system32\Lexpps.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-06-27 17:06:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-27 22:06:28
ComboFix2.txt 2008-06-27 16:30:59

Pre-Run: 13,129,297,920 bytes free
Post-Run: 13,041,049,600 bytes free

283 --- E O F --- 2008-06-24 18:33:25


************************************************************************

File pinger.bat received on 06.28.2008 00:16:03 (CET)

Result: 0/31 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.6.27.1 2008.06.27 -
AntiVir 7.8.0.59 2008.06.27 -
Authentium 5.1.0.4 2008.06.27 -
Avast 4.8.1195.0 2008.06.27 -
BitDefender 7.2 2008.06.27 -
CAT-QuickHeal 9.50 2008.06.26 -
ClamAV 0.93.1 2008.06.27 -
DrWeb 4.44.0.09170 2008.06.27 -
eSafe 7.0.17.0 2008.06.26 -
eTrust-Vet 31.6.5911 2008.06.27 -
Ewido 4.0 2008.06.27 -
F-Prot 4.4.4.56 2008.06.27 -
F-Secure 7.60.13501.0 2008.06.26 -
Fortinet 3.14.0.0 2008.06.28 -
GData 2.0.7306.1023 2008.06.27 -
Ikarus T3.1.1.26.0 2008.06.27 -
Kaspersky 7.0.0.125 2008.06.28 -
McAfee 5327 2008.06.27 -
Microsoft 1.3704 2008.06.27 -
NOD32v2 3224 2008.06.27 -
Norman 5.80.02 2008.06.27 -
Panda 9.0.0.4 2008.06.27 -
Rising 20.50.42.00 2008.06.27 -
Sophos 4.30.0 2008.06.27 -
Sunbelt 3.0.1176.1 2008.06.26 -
Symantec 10 2008.06.28 -
TheHacker 6.2.96.362 2008.06.27 -
TrendMicro 8.700.0.1004 2008.06.27 -
VBA32 3.12.6.8 2008.06.27 -
VirusBuster 4.5.11.0 2008.06.23 -
Webwasher-Gateway 6.6.2 2008.06.27 -
Additional information
File size: 57 bytes
MD5...: 5b5d58c63446fcbbabd24869c543791e
SHA1..: 60d3cac1a0e65435c224ae1c06361f5d850183f5
SHA256: 6d7935f1d437a3d49417e8fa3ff82c351eb61a342286e1c61693b5b1515c727e
SHA512: 4d9a713e01dc9c9e1b45f08d2d958830e0fb8b7288cde65c99b9709614265c1e
f4e4c48cdf08b122d77fd4390aa857e589079d0fffe3c69361c6efca668c21eb
PEiD..: -
PEInfo: -


***************************************
The file had already been analyzed - here are the results.
File yaiy.dll received on 10.11.2007 05:10:13 (CET)
Current status: finished

Result: 2/32 (6.25%)
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - Win32:SdBot-gen44
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
F-Prot - - -
F-Secure - - -
FileAdvisor - - -
Fortinet - - -
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - -
Rising - - Backdoor.PHP.PhPen
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - -
Additional information
MD5: d49475a1a6606ef5f41a34466d1f0d8d
SHA1: c9617d20d1103e5073ff398ccba569a8efd3830f
SHA256: 62de4bd943e8a6aa0cf25ba9989849e62671c012052f9cb538ea1cead9032de6
SHA512: 6bde89eca5c89eb7646dc7e40ea289cd07889d6bf1e55fe00f79b01803a7216294c9633aad6d3341
74290a64fad9334445703a9e718ffb0f89b5ff68a7a16db1
****************************************
I know you did not ask for it, but I wanted to scan the file that I have been trying to eradicate, datim.dll. It came up positive as TR/Trash.Gen.


File datim.dll received on 06.28.2008 00:23:47 (CET)

Result: 2/33 (6.07%)

Antivirus Version Last Update Result
AhnLab-V3 2008.6.27.1 2008.06.27 -
AntiVir 7.8.0.59 2008.06.27 TR/Trash.Gen
Authentium 5.1.0.4 2008.06.27 -
Avast 4.8.1195.0 2008.06.27 -
AVG 7.5.0.516 2008.06.27 -
BitDefender 7.2 2008.06.27 -
CAT-QuickHeal 9.50 2008.06.26 -
ClamAV 0.93.1 2008.06.27 -
DrWeb 4.44.0.09170 2008.06.27 -
eSafe 7.0.17.0 2008.06.26 -
eTrust-Vet 31.6.5911 2008.06.27 -
Ewido 4.0 2008.06.27 -
F-Prot 4.4.4.56 2008.06.27 -
F-Secure 7.60.13501.0 2008.06.26 -
Fortinet 3.14.0.0 2008.06.28 -
GData 2.0.7306.1023 2008.06.27 -
Ikarus T3.1.1.26.0 2008.06.27 -
Kaspersky 7.0.0.125 2008.06.28 -
McAfee 5327 2008.06.27 -
Microsoft 1.3704 2008.06.28 -
NOD32v2 3224 2008.06.27 -
Norman 5.80.02 2008.06.27 -
Panda 9.0.0.4 2008.06.27 -
Prevx1 V2 2008.06.28 -
Rising 20.50.42.00 2008.06.27 -
Sophos 4.30.0 2008.06.27 -
Sunbelt 3.0.1176.1 2008.06.26 -
Symantec 10 2008.06.28 -
TheHacker 6.2.96.362 2008.06.27 -
TrendMicro 8.700.0.1004 2008.06.27 -
VBA32 3.12.6.8 2008.06.27 -
VirusBuster 4.5.11.0 2008.06.23 -
Webwasher-Gateway 6.6.2 2008.06.27 Trojan.Trash.Gen
Additional information
File size: 98048 bytes
MD5...: f5c54118e272773923046933b6cb69ad
SHA1..: e2a5d706ba34fea81f50ab2a973a120fa590ffb2
SHA256: c572c49deb02f6bdbc1c2ff953026045876c3bf832414b732c8e5d43fa95a0df
SHA512: 54389089fd0276815c39bfdd0a4000fd372017fd275e61ddafa5d8b4202ec322
aeebf7abdf4bb8862650b183637ed9b40c0c639e357a3bba4f8c5c29ff4f8285
PEiD..: -
PEInfo: -

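The ComboFix service lines in the log above (the "R0 gxadsyrc;gxadsyrc;C:\WINDOWS\system32\drivers\csrvdhpe.dat []" entry in particular) are what a helper reads before deciding which driver to remove. The following Python is an added illustration of that triage, written for this page; it is not ComboFix's code and not from the thread. It parses lines of the form "<state><start> <service>;<display name>;<image path> [<timestamp>]", where I read R/S as running/stopped and the digit as the start type, and applies two checks of my own: a boot- or system-start driver whose image is not a .sys file, and an entry whose timestamp bracket is empty. The sample lines are copied from the log above; a hit is a prompt to hash and inspect the file, not proof of infection.

```python
r"""ComboFix service-line triage (added illustration; not ComboFix's own code).

Each line in ComboFix's driver/service section looks like
    R0 PenClass;Pen Class;C:\WINDOWS\system32\Drivers\PenClass.sys [2005-11-29 16:50]
I read the prefix as R = running / S = stopped and the digit as the start
type (0 boot, 1 system, 2 auto, 3 manual); the bracket holds the image file's
timestamp and is empty when ComboFix could not read the file.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Sample lines copied from the ComboFix log in this thread.
SAMPLE_SERVICES = r"""
R0 gxadsyrc;gxadsyrc;C:\WINDOWS\system32\drivers\csrvdhpe.dat []
R0 PenClass;Pen Class;C:\WINDOWS\system32\Drivers\PenClass.sys [2005-11-29 16:50]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-12 17:25]
R3 WFIOCTL;WFIOCTL;C:\Program Files\WinFast\WFTVFM\WFIOCTL.SYS [2003-01-07 10:16]
S0 ElbyVCD;ElbyVCD;C:\WINDOWS\system32\DRIVERS\ElbyVCD.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 12:31]
"""

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-3]) "
    r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?) \[(?P<stamp>[^\]]*)\]$"
)


@dataclass
class Service:
    name: str
    display: str
    image: str
    running: bool
    start_type: int
    timestamp: Optional[str]   # None when ComboFix printed an empty []


def parse_services(text: str) -> list:
    """Parse every well-formed service line; anything else is ignored."""
    services = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        services.append(Service(
            name=m.group("name"),
            display=m.group("display"),
            image=m.group("image"),
            running=m.group("state") == "R",
            start_type=int(m.group("start")),
            timestamp=m.group("stamp") or None,
        ))
    return services


def suspicious(services) -> dict:
    """Map service name -> reasons it deserves a closer look (heuristics are mine)."""
    findings = {}
    for s in services:
        reasons = []
        ext = PureWindowsPath(s.image).suffix.lower()
        if s.start_type <= 1 and ext != ".sys":
            # Kernel drivers loaded at boot/system start are .sys files; a .dat
            # (or extensionless) image in the drivers folder is unusual.
            reasons.append(f"boot/system-start driver image ends in '{ext or '(none)'}', not .sys")
        if s.timestamp is None:
            reasons.append("no image timestamp recorded (file unreadable or absent)")
        if reasons:
            findings[s.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in suspicious(parse_services(SAMPLE_SERVICES)).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

On the sample above the extension check singles out gxadsyrc, while the empty-timestamp check also catches ElbyVCD, a known virtual-CD driver; that second hit is why the timestamp rule is only a secondary signal and a real decision still needs the file's hash and a scan result, as the thread goes on to do.
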
#7
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Hello

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\datim.dll
C:\Program Files\EditPad.exe
C:\Program Files\yaiy.dll

Drivers to delete:
gxadsyrc


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply.



Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:

C:\Documents and Settings\Charlie\check.bat

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.

#8
CnCWebDesigns
    New Member
  • Topic Starter
  • Member
  • 8 posts
The Datim.dll file seems to be gone now.

Here are the Avenger and HijackThis logs:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\datim.dll" deleted successfully.
File "C:\Program Files\EditPad.exe" deleted successfully.
File "C:\Program Files\yaiy.dll" deleted successfully.
Driver "gxadsyrc" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:14 PM, on 6/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Charlie\Desktop\4-HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: altamontchamber Toolbar - {ea8447cd-7127-4469-8902-5ee9b2d1588a} - C:\Program Files\altamontchamber\tbalt0.dll
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {E4BDF31B-20CA-4B40-923B-4E8877CAD045} - C:\WINDOWS\system32\datim.dll (file missing)
O2 - BHO: altamontchamber Toolbar - {ea8447cd-7127-4469-8902-5ee9b2d1588a} - C:\Program Files\altamontchamber\tbalt0.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: altamontchamber Toolbar - {ea8447cd-7127-4469-8902-5ee9b2d1588a} - C:\Program Files\altamontchamber\tbalt0.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://209.107.231.2...sCamControl.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://echat.us.dell...t/TLIEFlash.CAB
O16 - DPF: {958FCAB0-616B-11D3-A63F-00001B322780} (TimetickerLittleHelpers.usfServer) - http://www.timeticke...t/TcpServer.CAB
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8323 bytes

#9
CnCWebDesigns
    New Member
  • Topic Starter
  • Member
  • 8 posts
Here is the result of the checker.bat file scan.
BTW - That is another batch file I wrote to "monitor" a web address that was having up / down / ip / down problems.
File check.bat received on 06.28.2008 06:30:24 (CET)

Result: 0/33 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.6.27.1 2008.06.27 -
AntiVir 7.8.0.59 2008.06.27 -
Authentium 5.1.0.4 2008.06.27 -
Avast 4.8.1195.0 2008.06.27 -
AVG 7.5.0.516 2008.06.27 -
BitDefender 7.2 2008.06.28 -
CAT-QuickHeal 9.50 2008.06.26 -
ClamAV 0.93.1 2008.06.27 -
DrWeb 4.44.0.09170 2008.06.27 -
eSafe 7.0.17.0 2008.06.26 -
eTrust-Vet 31.6.5911 2008.06.27 -
Ewido 4.0 2008.06.27 -
F-Prot 4.4.4.56 2008.06.27 -
F-Secure 7.60.13501.0 2008.06.26 -
Fortinet 3.14.0.0 2008.06.28 -
GData 2.0.7306.1023 2008.06.28 -
Ikarus T3.1.1.26.0 2008.06.28 -
Kaspersky 7.0.0.125 2008.06.28 -
McAfee 5327 2008.06.27 -
Microsoft 1.3704 2008.06.28 -
NOD32v2 3224 2008.06.27 -
Norman 5.80.02 2008.06.27 -
Panda 9.0.0.4 2008.06.27 -
Prevx1 V2 2008.06.28 -
Rising 20.50.50.00 2008.06.28 -
Sophos 4.30.0 2008.06.28 -
Sunbelt 3.0.1176.1 2008.06.26 -
Symantec 10 2008.06.28 -
TheHacker 6.2.96.362 2008.06.27 -
TrendMicro 8.700.0.1004 2008.06.27 -
VBA32 3.12.6.8 2008.06.27 -
VirusBuster 4.5.11.0 2008.06.23 -
Webwasher-Gateway 6.6.2 2008.06.28 -
Additional information
File size: 77 bytes
MD5...: c6dd9dd25b2a198989d0c428513cdb02
SHA1..: a5c585d14acfe552a8a75a81eb52fbbdbea02f7b
SHA256: a0f0d3da734636506a8effd879782fa217fdf61650a4ceeabc49636db32abf9a
SHA512: 2b3993f41b00c89111f33100827bfd6332dbf56c34f9140deaf68578d44b48c8
1b3ec068923aab904049fdf241c299c207f0bf950644bc855150f3810d89a61d
PEiD..: -
PEInfo: -

#10
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Nearly done now

1. Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {E4BDF31B-20CA-4B40-923B-4E8877CAD045} - C:\WINDOWS\system32\datim.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:

C:\Program Files\altamontchamber\tbalt0.dll

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.




Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Also post a new HijackThis log

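The four lines the helper lists above are exactly the O2/O3 registrations whose DLL HijackThis reports as absent. As an added illustration of that triage (my code, not HijackThis's and not from this thread), the following Python pulls those entries out of a log, separates real CLSIDs from a renamed key such as AutorunsDisabled, and gives a quick check that a fresh log taken after "Fix Checked" no longer contains them. The sample lines are copied from the HijackThis log posted earlier in the thread.

```python
"""HijackThis O2/O3 triage (added illustration; not HijackThis's own code).

O2 lines are Browser Helper Objects and O3 lines are IE toolbars, each
registered under a CLSID.  HijackThis marks a registration whose DLL is gone
with "(no file)" or "(file missing)".  Such an entry is dead registry state
left behind when the component was removed; it is what the helper above asked
to have fixed, and a fresh log after the fix should show none.
"""
import re
from dataclasses import dataclass

# Sample lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {E4BDF31B-20CA-4B40-923B-4E8877CAD045} - C:\WINDOWS\system32\datim.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
"""

# section - kind: name - key - target   (key is a CLSID or a renamed key)
ENTRY_RE = re.compile(
    r"^(?P<section>O[23]) - (?P<kind>BHO|Toolbar): "
    r"(?P<name>.*?) - (?P<key>\S+) - (?P<target>.*)$"
)
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


@dataclass
class Entry:
    line: str
    section: str
    kind: str
    name: str
    key: str       # CLSID in braces, or a renamed key such as AutorunsDisabled
    target: str
    missing: bool  # HijackThis reported the DLL absent


def parse_entries(log: str) -> list:
    """Parse O2/O3 lines; other sections (O4, O23, ...) are skipped."""
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        missing = target == "(no file)" or target.endswith("(file missing)")
        entries.append(Entry(line, m.group("section"), m.group("kind"),
                             m.group("name"), m.group("key"), target, missing))
    return entries


def orphaned_lines(log: str) -> list:
    """Log lines for BHO/toolbar registrations whose DLL is gone: the fix list."""
    return [e.line for e in parse_entries(log) if e.missing]


def orphaned_clsids(log: str) -> list:
    """CLSIDs behind those orphans, for a later look at the CLSID registry keys."""
    return [e.key for e in parse_entries(log) if e.missing and GUID_RE.match(e.key)]


def fix_applied(after_log: str) -> bool:
    """True when a fresh log contains no orphaned O2/O3 entries at all."""
    return not orphaned_lines(after_log)


if __name__ == "__main__":
    for line in orphaned_lines(SAMPLE_LOG):
        print(line)
    print("CLSIDs:", orphaned_clsids(SAMPLE_LOG))
```

Entries that still point at an existing DLL (Adobe, Spybot, AVG in the sample) are deliberately left alone: a present file needs a hash and a scan verdict before anyone removes it, which is the separate VirusTotal step the helper asks for.
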
#11
CnCWebDesigns
    New Member
  • Topic Starter
  • Member
  • 8 posts
OK here are the results:
A few of the items (Snadboy and VNC) are tools I use when a customer forgets a password or requests that I show them (by remote) how to do something.

**********************************
File tbfree.dll received on 06.22.2008 21:49:51 (CET)
Current status: finished

Result: 0/33 (0.00%)
Antivirus Version Last Update Result
AhnLab-V3 2008.6.22.0 2008.06.22 -
AntiVir 7.8.0.59 2008.06.22 -
Authentium 5.1.0.4 2008.06.21 -
Avast 4.8.1195.0 2008.06.21 -
AVG 7.5.0.516 2008.06.22 -
BitDefender 7.2 2008.06.22 -
CAT-QuickHeal 9.50 2008.06.20 -
ClamAV 0.93.1 2008.06.22 -
DrWeb 4.44.0.09170 2008.06.22 -
eSafe 7.0.15.0 2008.06.22 -
eTrust-Vet 31.6.5892 2008.06.21 -
Ewido 4.0 2008.06.22 -
F-Prot 4.4.4.56 2008.06.21 -
F-Secure 7.60.13501.0 2008.06.20 -
Fortinet 3.14.0.0 2008.06.22 -
GData 2.0.7306.1023 2008.06.22 -
Ikarus T3.1.1.26.0 2008.06.22 -
Kaspersky 7.0.0.125 2008.06.22 -
McAfee 5322 2008.06.20 -
Microsoft 1.3604 2008.06.22 -
NOD32v2 3207 2008.06.22 -
Norman 5.80.02 2008.06.20 -
Panda 9.0.0.4 2008.06.22 -
Prevx1 V2 2008.06.22 -
Rising 20.49.62.00 2008.06.22 -
Sophos 4.30.0 2008.06.22 -
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.22 -
TheHacker 6.2.92.358 2008.06.21 -
TrendMicro 8.700.0.1004 2008.06.20 -
VBA32 3.12.6.7 2008.06.22 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.22 -
Additional information
File size: 1510424 bytes
MD5...: ade6f3efaa68caf59eee9c17d35d4927
SHA1..: 4bceb823538e922f8c5df8c7a49731950fc8aa6a
SHA256: 2cb168272b4b34644e1b916eda408b840bba86a999b746f1cecf7ac9fab714c0
SHA512: 1eaa3a22d053cb33b21ff19f4faa07b10610d6b0972894d667e02a836ddf3299
0ec82a146bb2773cf0325ddbb754c4d70f63374501e89f5efd7a1c9c689ccf49
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x100b6f58
timedatestamp.....: 0x475d272a (Mon Dec 10 11:46:50 2007)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xde8f6 0xdf000 6.55 e1aa6d12cebfb77b3dbe84cfa2b25821
.rdata 0xe0000 0x413ad 0x42000 4.87 02a7ba0eaf3965cb232f2c85d90053c4
.data 0x122000 0x2f6c 0x2000 2.72 614fe4059324dfc0d0bd205126915e4c
.rsrc 0x125000 0x3b980 0x3c000 4.90 efe9673756bb3d22e09aea552c423ccb
.reloc 0x161000 0xf79a 0x10000 6.31 9ab9569abab8e90c85371c37942ff6cd

( 17 imports )
> COMCTL32.dll: CreateToolbarEx, PropertySheetW, CreatePropertySheetPageW, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, _TrackMouseEvent
> WININET.dll: DeleteUrlCacheEntryW, InternetCloseHandle, InternetSetOptionA, InternetSetCookieW, HttpQueryInfoA, FindFirstUrlCacheEntryA, HttpQueryInfoW, InternetOpenUrlW, InternetOpenW, GetUrlCacheEntryInfoW, CreateUrlCacheEntryW, FindNextUrlCacheEntryA, DeleteUrlCacheEntry, FindCloseUrlCache, InternetReadFile, InternetCanonicalizeUrlA, InternetQueryOptionA, InternetGetConnectedState, HttpSendRequestA, HttpOpenRequestW, InternetConnectW, InternetCrackUrlW, InternetCrackUrlA, InternetSetOptionExA, InternetOpenA, InternetGetLastResponseInfoA, InternetConnectA, HttpOpenRequestA, CommitUrlCacheEntryW, InternetCanonicalizeUrlW
> SHLWAPI.dll: PathFileExistsW, PathAppendW
> WSOCK32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -
> VERSION.dll: GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
> MSIMG32.dll: GradientFill
> urlmon.dll: URLDownloadToFileW
> CRYPT32.dll: CryptProtectData, CryptQueryObject, CryptMsgGetParam, CertFindCertificateInStore, CertGetNameStringA, CertGetNameStringW, CertFreeCertificateContext, CertCloseStore, CryptMsgClose, CryptUnprotectData
> WINMM.dll: PlaySoundW, sndPlaySoundW, timeGetTime, PlaySoundA
> KERNEL32.dll: ResumeThread, ExitThread, HeapAlloc, LocalFree, LocalAlloc, FreeLibrary, GetProcAddress, LoadLibraryW, CloseHandle, ReleaseMutex, GetLastError, CreateMutexW, lstrlenW, GetModuleFileNameW, lstrcpyW, InterlockedExchange, GetACP, GetLocaleInfoA, GetThreadLocale, GetVersionExA, RaiseException, InitializeCriticalSection, DeleteCriticalSection, GetModuleHandleA, MultiByteToWideChar, WideCharToMultiByte, lstrlenA, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameA, LoadLibraryA, GetLocalTime, GetCurrentThreadId, lstrcpyA, WriteFile, CreateFileW, FindClose, FindFirstFileW, CopyFileW, DeleteFileW, HeapReAlloc, GetVersion, lstrcmpiA, lstrcmpiW, CompareStringA, CompareStringW, GetEnvironmentVariableA, GetEnvironmentVariableW, GetStringTypeExA, GetStringTypeExW, FindNextFileW, TerminateThread, GetExitCodeThread, CreateThread, GlobalAlloc, GlobalFree, MulDiv, GlobalUnlock, GlobalLock, ReadFile, GetFileSize, FreeResource, LockResource, SizeofResource, LoadResource, FindResourceW, GetModuleHandleW, CreateProcessW, ExpandEnvironmentStringsW, Sleep, GetTickCount, WaitForSingleObject, CreateSemaphoreW, ReleaseSemaphore, GetFileAttributesW, SystemTimeToFileTime, GetSystemTime, GetTimeFormatW, GetDateFormatW, Beep, CreateDirectoryW, GetLocaleInfoW, InterlockedDecrement, HeapFree, ExitProcess, RtlUnwind, SetEnvironmentVariableA, SetEndOfFile, GetTimeZoneInformation, SetConsoleCtrlHandler, CreateFileA, SetStdHandle, GetStringTypeW, GetStringTypeA, IsValidCodePage, IsValidLocale, EnumSystemLocalesA, GetUserDefaultLCID, GetSystemTimeAsFileTime, VirtualProtect, VirtualAlloc, GetDateFormatA, GetTimeFormatA, GetSystemInfo, VirtualQuery, GetCommandLineA, TlsAlloc, GetCurrentThread, TlsFree, TlsSetValue, TlsGetValue, QueryPerformanceCounter, GetCurrentProcessId, HeapDestroy, HeapCreate, VirtualFree, FatalAppExitA, IsBadWritePtr, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, HeapSize, LCMapStringA, LCMapStringW, SetUnhandledExceptionFilter, 
FlushFileBuffers, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, IsBadReadPtr, IsBadCodePtr, GetOEMCP, GetCPInfo, SetFilePointer, SetLastError
> USER32.dll: GetUpdateRect, EndPaint, BeginPaint, GetCursorPos, IsWindowVisible, SetCapture, DispatchMessageA, GetCapture, GetMessageA, TranslateMessage, SetActiveWindow, ReleaseCapture, EnableMenuItem, DeleteMenu, EndMenu, GetMenuItemInfoW, SetMenuItemInfoW, InsertMenuItemW, GetMenuItemCount, LoadImageA, SetWindowPos, SetWindowRgn, LoadBitmapA, SetClassLongA, CreatePopupMenu, GetMonitorInfoW, TrackPopupMenu, CheckMenuItem, GetMenuState, GetMenuItemID, SetMenuInfo, GetMenuInfo, IsMenu, DestroyMenu, GetScrollInfo, MessageBoxA, PostThreadMessageA, MsgWaitForMultipleObjects, LoadImageW, GetDesktopWindow, LoadStringW, DrawFrameControl, FrameRect, GetDlgItemTextA, CreateWindowExA, RegisterClassExA, GetWindowRgn, PtInRect, CharUpperW, CharUpperA, CharLowerW, CharLowerA, MonitorFromRect, IsDlgButtonChecked, GetDlgItemTextW, MessageBoxW, CheckDlgButton, GetDlgCtrlID, GetWindowTextW, DefWindowProcW, SendMessageW, GetWindowTextLengthW, CreateDialogParamW, DialogBoxParamW, SetForegroundWindow, EnableWindow, EndDialog, SetLayeredWindowAttributes, GetMenuItemInfoA, SetWindowsHookExA, UnhookWindowsHookEx, CallNextHookEx, GetClassInfoW, RegisterClassW, CreateWindowExW, GetSystemMetrics, ShowWindow, CallWindowProcW, IsWindowUnicode, GetClassNameW, GetFocus, IsChild, SetFocus, SetWindowLongA, CopyRect, RegisterWindowMessageW, GetDC, GetMonitorInfoA, DrawIconEx, ReleaseDC, DrawTextW, GetWindowRect, ScreenToClient, GetAsyncKeyState, PostMessageA, GetWindow, UpdateWindow, GetClassInfoExW, DefWindowProcA, RegisterClassExW, LoadStringA, UnregisterClassA, wsprintfW, DestroyWindow, KillTimer, LoadCursorA, SetCursor, MoveWindow, GetIconInfo, DestroyIcon, FillRect, GetSysColor, PeekMessageA, SetDlgItemTextW, SetWindowTextA, SetWindowTextW, GetClientRect, CallWindowProcA, InvalidateRect, GetDlgItem, SendMessageA, GetWindowLongA, SetTimer, IsWindow, SetWindowLongW, GetWindowLongW, GetParent, ClientToScreen, SystemParametersInfoW
> GDI32.dll: GetTextExtentPoint32W, CreateRectRgn, RoundRect, PlgBlt, SetTextAlign, ExcludeClipRect, PtInRegion, CreateDIBSection, GetLayout, CreateFontIndirectW, CreateSolidBrush, Rectangle, GetPixel, CreateCompatibleDC, DeleteDC, CreatePen, MoveToEx, LineTo, DeleteObject, SelectObject, SetTextColor, GdiFlush, SetBkColor, GetWindowOrgEx, SetWindowOrgEx, SetBkMode, GetStretchBltMode, SetStretchBltMode, StretchBlt, GetDeviceCaps, CreateCompatibleBitmap, BitBlt, Polygon, SetPixel, GetObjectA, TextOutW, GetTextAlign, CombineRgn, GetStockObject
> comdlg32.dll: GetOpenFileNameW
> ADVAPI32.dll: RegSetValueExW, RegCreateKeyExW, RegDeleteKeyW, CryptReleaseContext, CryptAcquireContextA, CryptDestroyHash, CryptGetHashParam, RegEnumKeyExW, RegDeleteValueW, RegOpenKeyW, RegEnumKeyW, RegCreateKeyW, RegEnumValueW, RegOpenKeyExW, RegQueryValueExW, CryptCreateHash, CryptHashData, RegCloseKey
> SHELL32.dll: SHCreateDirectoryExW, SHGetFolderPathW, ShellExecuteW
> ole32.dll: CoCreateInstance, CoInitialize, CLSIDFromString, CoGetMalloc, StringFromIID, CoTaskMemFree, IIDFromString, CreateStreamOnHGlobal, CoUninitialize
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -

( 8 exports )
DllCanUnloadNow, DllGetClassObject, DllOpenUninstallPage, DllRegisterServer, DllShowTB, DllShowToolbar, DllShowToolbarWithIE, DllUnregisterServer

********************************************
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, June 28, 2008 11:19:25 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/06/2008
Kaspersky Anti-Virus database records: 895741
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
Z:\

Scan Statistics:
Total number of scanned objects: 247042
Number of viruses found: 9
Number of infected objects: 21
Number of suspicious objects: 11
Duration of the scan process: 04:28:55

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avglng.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgui.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12062006-214834.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\InboxLOG.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\OutboxLOG.txt Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Ipswitch\WS_FTP\Logs\applog132620.log Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Ipswitch\WS_FTP\requests.dat Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Ipswitch\WS_FTP\TransferHistory.dat Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Microsoft\Outlook\Charlie.NK2 Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Microsoft\Outlook\Charlie.srs Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Skype\cncwebdesigns\call256.dbb Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Skype\cncwebdesigns\call512.dbb Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Skype\cncwebdesigns\callmember256.dbb Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Skype\cncwebdesigns\chat1024.dbb Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Skype\cncwebdesigns\chat256.dbb Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Skype\cncwebdesigns\chat512.dbb Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Skype\cncwebdesigns\chat8192.dbb Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Skype\cncwebdesigns\chatmember256.dbb Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Skype\cncwebdesigns\chatmsg1024.dbb Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Skype\cncwebdesigns\chatmsg2048.dbb Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Skype\cncwebdesigns\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Skype\cncwebdesigns\chatmsg4096.dbb Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Skype\cncwebdesigns\chatmsg512.dbb Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Skype\cncwebdesigns\chatmsg8192.dbb Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Skype\cncwebdesigns\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Skype\cncwebdesigns\dyncontent\bundle.dat Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Skype\cncwebdesigns\index2.dat Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Skype\cncwebdesigns\message256.dbb Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Skype\cncwebdesigns\profile16384.dbb Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Skype\cncwebdesigns\sms256.dbb Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Skype\cncwebdesigns\transfer256.dbb Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Skype\cncwebdesigns\transfer512.dbb Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Skype\cncwebdesigns\user1024.dbb Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Skype\cncwebdesigns\user16384.dbb Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Skype\cncwebdesigns\user256.dbb Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Skype\cncwebdesigns\user4096.dbb Object is locked skipped
C:\Documents and Settings\Charlie\Application Data\Skype\cncwebdesigns\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\Charlie\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Charlie\Local Settings\Application Data\Identities\{3D1F2EB4-D3F6-4679-86E1-48F030BF9DB4}\Microsoft\Outlook Express\createdbymarcia.dbx/[From "Charlie Niehaus" <[email protected]>][Date Sun, 16 Jan 2005 21:58:33 -0600]/UNNAMED/Your Infected: Trojan-Spy.HTML.Bankfraud.bk skipped
C:\Documents and Settings\Charlie\Local Settings\Application Data\Identities\{3D1F2EB4-D3F6-4679-86E1-48F030BF9DB4}\Microsoft\Outlook Express\createdbymarcia.dbx/[From "Charlie Niehaus" <[email protected]>][Date Sun, 16 Jan 2005 21:58:33 -0600]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.bk skipped
C:\Documents and Settings\Charlie\Local Settings\Application Data\Identities\{3D1F2EB4-D3F6-4679-86E1-48F030BF9DB4}\Microsoft\Outlook Express\createdbymarcia.dbx MailMSOutlook5: infected - 2 skipped
C:\Documents and Settings\Charlie\Local Settings\Application Data\Identities\{3D1F2EB4-D3F6-4679-86E1-48F030BF9DB4}\Microsoft\Outlook Express\Inbox.dbx/[From [email protected]][Date 22 May 2006 17:58:48 -0000]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Charlie\Local Settings\Application Data\Identities\{3D1F2EB4-D3F6-4679-86E1-48F030BF9DB4}\Microsoft\Outlook Express\Inbox.dbx/[From [email protected]][Date 22 May 2006 17:58:48 -0000]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Charlie\Local Settings\Application Data\Identities\{3D1F2EB4-D3F6-4679-86E1-48F030BF9DB4}\Microsoft\Outlook Express\Inbox.dbx/[From [email protected]][Date 22 May 2006 17:58:48 -0000]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Charlie\Local Settings\Application Data\Identities\{3D1F2EB4-D3F6-4679-86E1-48F030BF9DB4}\Microsoft\Outlook Express\Inbox.dbx/[From [email protected]][Date 22 May 2006 17:58:48 -0000]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Charlie\Local Settings\Application Data\Identities\{3D1F2EB4-D3F6-4679-86E1-48F030BF9DB4}\Microsoft\Outlook Express\Inbox.dbx/[From "Branch Banking and Trust" <[email protected]>][Date 5 Apr 2007 13:24:47 -0200]/UNNAMED/html Infected: Trojan-Spy.HTML.Bankfraud.ra skipped
C:\Documents and Settings\Charlie\Local Settings\Application Data\Identities\{3D1F2EB4-D3F6-4679-86E1-48F030BF9DB4}\Microsoft\Outlook Express\Inbox.dbx/[From "Branch Banking and Trust" <[email protected]>][Date 5 Apr 2007 13:24:47 -0200]/UNNAMED/ameliorate.gif Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\Charlie\Local Settings\Application Data\Identities\{3D1F2EB4-D3F6-4679-86E1-48F030BF9DB4}\Microsoft\Outlook Express\Inbox.dbx/[From "Branch Banking and Trust" <[email protected]>][Date 5 Apr 2007 13:24:47 -0200]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\Charlie\Local Settings\Application Data\Identities\{3D1F2EB4-D3F6-4679-86E1-48F030BF9DB4}\Microsoft\Outlook Express\Inbox.dbx/[From "Bank of the West" <[email protected]>][Date Mon, 9 Jul 2007 17:15:54 -0900]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Charlie\Local Settings\Application Data\Identities\{3D1F2EB4-D3F6-4679-86E1-48F030BF9DB4}\Microsoft\Outlook Express\Inbox.dbx/[From "Bank of the West" <[email protected]>][Date Mon, 9 Jul 2007 17:15:54 -0900]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Charlie\Local Settings\Application Data\Identities\{3D1F2EB4-D3F6-4679-86E1-48F030BF9DB4}\Microsoft\Outlook Express\Inbox.dbx MailMSOutlook5: infected - 3, suspicious - 6 skipped
C:\Documents and Settings\Charlie\Local Settings\Application Data\Identities\{3D1F2EB4-D3F6-4679-86E1-48F030BF9DB4}\Microsoft\Outlook Express\SPAMfighter.avg/[From "[email protected]" <[email protected]>][Date Sun, 3 Oct 2004 11:52:36 -0400]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Charlie\Local Settings\Application Data\Identities\{3D1F2EB4-D3F6-4679-86E1-48F030BF9DB4}\Microsoft\Outlook Express\SPAMfighter.avg MailMSOutlook5: suspicious - 1 skipped
C:\Documents and Settings\Charlie\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Object is locked skipped
C:\Documents and Settings\Charlie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Charlie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Charlie\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Charlie\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\Charlie\Local Settings\Temp\~DF8BB3.tmp Object is locked skipped
C:\Documents and Settings\Charlie\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Charlie\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Charlie\ntuser.dat Object is locked skipped
C:\Documents and Settings\Charlie\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Patti\Local Settings\Application Data\Identities\{1EF8E4E9-A46E-4831-8FEA-0998C2FB903C}\Microsoft\Outlook Express\Sent Items.dbx/[From "Patti" <[email protected]>][Date Tue, 14 Sep 2004 21:41:21 -0500]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Patti\Local Settings\Application Data\Identities\{1EF8E4E9-A46E-4831-8FEA-0998C2FB903C}\Microsoft\Outlook Express\Sent Items.dbx/[From "Patti" <[email protected]>][Date Tue, 14 Sep 2004 21:41:21 -0500]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Patti\Local Settings\Application Data\Identities\{1EF8E4E9-A46E-4831-8FEA-0998C2FB903C}\Microsoft\Outlook Express\Sent Items.dbx MailMSOutlook5: suspicious - 2 skipped
C:\Documents and Settings\Shelby\Local Settings\Temp\iqhueqcn.dat Object is locked skipped
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s skipped
C:\Program Files\RealVNC\WinVNC\othread2.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\Program Files\RealVNC\WinVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\Program Files\TightVNC\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
C:\Program Files\TightVNC\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{86E33EC9-B849-4D92-BAF7-E5A460918861}\RP16\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\expsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexch40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjetol1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjint40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjter40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msltus40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrd2x40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrd3x40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mswdat10.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mswstr10.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\vbajet32.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{C339B7F7-1E51-46D6-B4D2-67672E56A8E8}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\csrvdhpe.dat Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\Program Files\SnadBoy's Revelation v2\RevelationV2.zip/SetupRevelationV2.exe/WISE0012.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
F:\Program Files\SnadBoy's Revelation v2\RevelationV2.zip/SetupRevelationV2.exe/WISE0013.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
F:\Program Files\SnadBoy's Revelation v2\RevelationV2.zip/SetupRevelationV2.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
F:\Program Files\SnadBoy's Revelation v2\RevelationV2.zip ZIP: infected - 3 skipped
F:\Program Files\SnadBoy's Revelation v2\SetupRevelationV2.exe/WISE0012.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
F:\Program Files\SnadBoy's Revelation v2\SetupRevelationV2.exe/WISE0013.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
F:\Program Files\SnadBoy's Revelation v2\SetupRevelationV2.exe WiseSFX: infected - 2 skipped
F:\Program Files\SnadBoy's Revelation v2\RevelationHelper.dll Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
F:\Program Files\SnadBoy's Revelation v2\Revelation.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped

Scan process completed.

******************************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:55 PM, on 6/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\JGsoft\EditPadLite\EditPadLite.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Charlie\Desktop\4-HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: altamontchamber Toolbar - {ea8447cd-7127-4469-8902-5ee9b2d1588a} - C:\Program Files\altamontchamber\tbalt0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: altamontchamber Toolbar - {ea8447cd-7127-4469-8902-5ee9b2d1588a} - C:\Program Files\altamontchamber\tbalt0.dll
O3 - Toolbar: altamontchamber Toolbar - {ea8447cd-7127-4469-8902-5ee9b2d1588a} - C:\Program Files\altamontchamber\tbalt0.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://209.107.231.2...sCamControl.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://echat.us.dell...t/TLIEFlash.CAB
O16 - DPF: {958FCAB0-616B-11D3-A63F-00001B322780} (TimetickerLittleHelpers.usfServer) - http://www.timeticke...t/TcpServer.CAB
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8252 bytes

Thanks Again!

#12
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

http://www.geekstogo...83#entry1272383

File::
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll
F:\Program Files\SnadBoy's Revelation v2\RevelationV2.zip

Collect::
C:\WINDOWS\system32\drivers\csrvdhpe.dat

Folder::

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

Edited by Rorschach112, 29 June 2008 - 07:56 AM.


#13
CnCWebDesigns

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here is the reply file from ComboFix:
ComboFix 08-06-20.4 - Charlie 2008-06-30 0:12:45.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.602 [GMT -5:00]
Running from: C:\Documents and Settings\Charlie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Charlie\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll
F:\Program Files\SnadBoy's Revelation v2\RevelationV2.zip
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\Real\Toolbar\RealBar.dll
C:\WINDOWS\system32\drivers\csrvdhpe.dat
F:\Program Files\SnadBoy's Revelation v2\RevelationV2.zip

.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.

2008-06-28 13:07 . 2008-06-28 13:07 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-28 13:07 . 2008-06-28 13:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-28 07:42 . 2008-06-28 07:42 <DIR> d-------- C:\Documents and Settings\Charlie\Application Data\JGsoft
2008-06-28 07:40 . 2008-06-28 07:40 <DIR> d-------- C:\Program Files\JGsoft
2008-06-28 07:40 . 2008-01-17 03:00 67,208 --a------ C:\WINDOWS\UnDeploy.exe
2008-06-26 17:52 . 2008-06-26 17:53 <DIR> d-------- C:\Program Files\Panda Security
2008-06-25 23:27 . 2008-06-25 23:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-25 23:26 . 2008-06-27 09:55 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-25 23:26 . 2008-06-25 23:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-25 23:26 . 2008-06-25 23:26 <DIR> d-------- C:\Documents and Settings\Charlie\Application Data\SUPERAntiSpyware.com
2008-06-24 23:26 . 2008-06-24 23:27 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-24 23:26 . 2008-06-24 23:26 <DIR> d-------- C:\Documents and Settings\Charlie\Application Data\Malwarebytes
2008-06-24 23:26 . 2008-06-24 23:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-24 23:26 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-24 23:26 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-24 23:25 . 2008-06-24 23:25 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-22 20:04 . 2008-06-22 20:04 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-06-22 20:03 . 2008-06-22 20:03 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-06-22 13:07 . 2008-06-22 13:07 <DIR> d-------- C:\ProgramData
2008-06-22 13:07 . 2008-06-22 16:09 1,474 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2008-06-22 13:01 . 2008-06-22 13:01 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-06-21 09:48 . 2008-06-21 09:48 <DIR> d-------- C:\Deckard
2008-06-14 20:16 . 2008-06-14 20:25 <DIR> d-------- C:\Documents and Settings\Shelby\Application Data\AVGTOOLBAR
2008-06-12 19:16 . 2008-06-28 07:22 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-12 17:26 . 2008-06-29 01:12 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-12 17:26 . 2008-06-12 21:01 <DIR> d-------- C:\Documents and Settings\Charlie\Application Data\AVGTOOLBAR
2008-06-12 17:26 . 2008-06-12 17:26 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-12 17:26 . 2008-06-12 17:26 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-12 17:25 . 2008-06-12 17:25 <DIR> d-------- C:\Program Files\AVG
2008-06-12 17:25 . 2008-06-12 17:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-10 20:32 . 2008-06-13 08:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-05-24 13:49 . 2008-05-24 13:49 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-24 13:49 . 2008-05-24 13:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-17 21:24 . 2008-03-15 19:58 363,328 --a------ C:\TOY_S___.TTF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-30 05:11 --------- d-----w C:\Documents and Settings\Charlie\Application Data\Skype
2008-06-30 05:03 --------- d-----w C:\Documents and Settings\Charlie\Application Data\skypePM
2008-06-30 02:48 --------- d-----w C:\Documents and Settings\Shelby\Application Data\Skype
2008-06-29 23:31 --------- d-----w C:\Documents and Settings\Shelby\Application Data\skypePM
2008-06-27 18:10 --------- d-----w C:\Program Files\Evrsoft First Page 2006
2008-06-22 21:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-22 03:00 --------- d-----w C:\Documents and Settings\Shelby\Application Data\LimeWire
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 22:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-27 22:11 --------- d-----w C:\Program Files\Return to Castle Wolfenstein
2008-05-10 00:12 --------- d-----w C:\Documents and Settings\Shelby\Application Data\AdobeUM
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-03-03 03:31 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-02 05:38 70 ----a-w C:\Documents and Settings\Charlie\pinger.bat
2004-07-15 03:23 18 ----a-w C:\Program Files\Intellicast.ini
2004-06-01 05:42 364,544 ----a-w C:\Program Files\Intellicast.exe
2004-05-23 00:00 22,016 ----a-w C:\Program Files\shootthemessenger.exe
2003-11-09 19:55 1,569 ----a-w C:\Program Files\uninstal.log
2003-11-02 04:44 77 ----a-w C:\Documents and Settings\Charlie\check.bat
2005-02-05 00:08 141 --sha-r C:\WINDOWS\Regbak.dat
2006-07-05 06:14 56 --sh--r C:\WINDOWS\system32\39DC0A51D4.sys
2006-07-05 06:14 11,270 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-27_11.30.35.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-26 11:21:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-30 05:22:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-21 01:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-06-26 11:22:18 16,100 ----a-w C:\WINDOWS\system32\tablet.dat
+ 2008-06-30 05:22:52 16,100 ----a-w C:\WINDOWS\system32\tablet.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ea8447cd-7127-4469-8902-5ee9b2d1588a}]
2007-12-10 14:46 1510424 --a------ C:\Program Files\altamontchamber\tbalt0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EA8447CD-7127-4469-8902-5EE9B2D1588A}"= "C:\Program Files\altamontchamber\tbalt0.dll" [2007-12-10 14:46 1510424]

[HKEY_CLASSES_ROOT\clsid\{ea8447cd-7127-4469-8902-5ee9b2d1588a}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EA8447CD-7127-4469-8902-5EE9B2D1588A}"= C:\Program Files\altamontchamber\tbalt0.dll [2007-12-10 14:46 1510424]

[HKEY_CLASSES_ROOT\clsid\{ea8447cd-7127-4469-8902-5ee9b2d1588a}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-05-30 15:54 21718312]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 19:44 1200128]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinFast Schedule"="C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" [2003-05-23 11:38 159744]
"pdfFactory Dispatcher v1"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe" [2003-07-22 22:03 380928]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 12:19 15872]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-12 17:25 1177368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 23:21 68856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 18:11:12 28672]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2007-06-30 14:55:38 114688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"MSACM.CEGSM"= mobilev.acm
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
"VIDC.YV12"= xl_yv12.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"VIDC.HFYU"= huffyuv.dll
"vidc.ffds"= C:\Program Files\ffdshow\ffdshow.ax
"VIDC.D263"= xl_x263dec.dll
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
backup=C:\WINDOWS\pss\Event Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PayPal Plug-In for Outlook Express.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PayPal Plug-In for Outlook Express.lnk
backup=C:\WINDOWS\pss\PayPal Plug-In for Outlook Express.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks 2002 Delivery Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks 2002 Delivery Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks 2002 Delivery Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
--a------ 2002-04-03 01:01 135264 C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NGServer]
C:\Program Files\Symantec\Ghost\ngserver.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-01-26 23:51 36972 C:\Program Files\Java\jre1.5.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-18 23:21 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-12-24 19:47 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YellowTipWS_mysql"=2 (0x2)
"YellowTipWS_Apache"=2 (0x2)
"AWHelpServer"=3 (0x3)
"NGServer"=2 (0x2)
"ngdbserv"=3 (0x3)
"rpcapd"=3 (0x3)
"NVSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Mythology\\aomx.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\WS_FTP Pro\\wsftppro.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"C:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 PenClass;Pen Class;C:\WINDOWS\system32\Drivers\PenClass.sys [2005-11-29 16:50]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-12 17:26]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-12 17:25]
R2 BT848;WinFast TV2000 XP WDM Video Capture;C:\WINDOWS\system32\drivers\wf2kvcap.sys [2002-06-24 11:57]
R2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;C:\WINDOWS\system32\drivers\wf2ktunr.sys [2002-06-24 11:57]
R2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;C:\WINDOWS\system32\drivers\wf2kxbar.sys [2002-06-24 11:57]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 01:01]
R3 WFIOCTL;WFIOCTL;C:\Program Files\WinFast\WFTVFM\WFIOCTL.SYS [2003-01-07 10:16]
S0 ElbyVCD;ElbyVCD;C:\WINDOWS\system32\DRIVERS\ElbyVCD.sys []
S2 P1C1394;Phase One 1394 Camera Driver;C:\WINDOWS\system32\Drivers\p1c1394.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 12:31]
S3 scsiscan;SCSI Scanner Driver;C:\WINDOWS\system32\DRIVERS\scsiscan.sys [2001-08-17 13:53]
S3 XIRLINK;Veo PC Camera;C:\WINDOWS\system32\DRIVERS\ucdnt.sys [2002-04-08 11:57]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-28 03:16:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-30 05:25:50 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-06-30 05:28:44 C:\WINDOWS\Tasks\User_Feed_Synchronization-{5001D6A3-BD16-4CA9-920B-990C326F32F2}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 00:24:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySql]
"ImagePath"="C:/mysql/bin/mysqld.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySql]
"ImagePath"="C:/mysql/bin/mysqld.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Unlocker\UnlockerHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\LexBceS.exe
C:\WINDOWS\system32\Lexpps.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-06-30 0:38:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-30 05:38:36
ComboFix2.txt 2008-06-27 22:06:55
ComboFix3.txt 2008-06-27 16:30:59

Pre-Run: 14,478,229,504 bytes free
Post-Run: 14,837,923,840 bytes free
  • 0
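The "Reg Loading Points" section of the ComboFix log above is where a helper checks the settings that decide whether a machine is really clean. The following is an added example, not ComboFix's code and not from the thread: it parses such a section and flags BHOs registered from system32, a populated AppInit_DLLs value, Security Center monitoring turned off, the Windows Firewall disabled, and globally opened ports. The excerpt is constructed from the posted log; the second BHO entry (placeholder CLSID, example_bho.dll) is invented to show the system32 case.

```python
import re
from typing import List, Tuple

# Constructed excerpt modelled on the ComboFix "Reg Loading Points" section above.
# The second BHO entry (placeholder CLSID, example_bho.dll) is invented.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ea8447cd-7127-4469-8902-5ee9b2d1588a}]
2007-12-10 14:46 1510424 --a------ C:\Program Files\altamontchamber\tbalt0.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-0000-0000-0000-000000000000}]
2008-01-01 00:00 12345 --a------ C:\WINDOWS\system32\example_bho.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                 # [HKLM\...] section header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')    # "Name"= value
PATH_RE = re.compile(r"([A-Za-z]:\\\S.*\.(?:dll|exe|sys))$", re.IGNORECASE)


def parse_int(raw: str) -> int:
    """Accept the value forms ComboFix prints: 'dword:00000001', '0 (0x0)', '2'."""
    token = raw.strip().split()[0]
    if token.lower().startswith("dword:"):
        return int(token[len("dword:"):], 16)
    return int(token, 0)


def audit(log: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the settings a reviewer checks."""
    findings: List[Tuple[str, str]] = []
    key = ""
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group(1).lower()  # ComboFix prints keys in mixed case
            continue
        vm = VALUE_RE.match(line)
        if vm:
            name, value = vm.group(1), vm.group(2)
            if r"security center\monitoring" in key and name == "DisableMonitoring":
                if parse_int(value) == 1:
                    findings.append(("HIGH", f"Security Center monitoring disabled under {key}"))
            elif key.endswith(r"firewallpolicy\standardprofile") and name == "EnableFirewall":
                if parse_int(value) == 0:
                    findings.append(("HIGH", "Windows Firewall is turned off (EnableFirewall=0)"))
            elif key.endswith(r"globallyopenports\list"):
                findings.append(("MEDIUM", f"Port {name} is open to all networks: {value}"))
            elif name == "AppInit_DLLs" and value.strip():
                findings.append(("INFO", f"AppInit_DLLs loads {value.strip()} into every GUI process"))
            continue
        pm = PATH_RE.search(line)
        if pm and "browser helper objects" in key:
            path = pm.group(1)
            # Vendor BHOs normally live under Program Files; a DLL in system32 deserves a look.
            if "\\windows\\system32\\" in path.lower():
                findings.append(("HIGH", f"BHO registered from system32: {path}"))
            else:
                findings.append(("INFO", f"BHO present: {path}"))
    return findings
```

Calling `audit(SAMPLE_LOG)` on the excerpt yields three HIGH findings (the system32 BHO, monitoring disabled, firewall off), two MEDIUM for the open ports and two INFO entries.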

#14
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.



You're using an old version of Adobe Acrobat Reader; this can leave your PC open to vulnerabilities. You can update it here:
http://www.adobe.com.../readstep2.html




You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from here




  • Make sure you have an Internet Connection.
  • Download OTCleanIt to your desktop and run it
  • Click the CleanUp! button and let the program run



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein's article 'How Did I Get Infected In The First Place' Here

Thank you for your patience, and performing all of the procedures requested.
  • 0

#15
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
