Need Help With Smitfraud [RESOLVED]


#1
joea333
New Member
So apparently I've been infected with the Smitfraud virus. I've researched some solutions to this problem and have run SmitFraudFix but still seem to have some problems. Specifically, something is attempting to send out emails from my computer but Symantec blocks them. Changes to my startup registry are also attempting to be made but Spybot is blocking them. After reading some threads of people with the same problem, I've noticed that the mods have requested logs before and after the SmitFraudFix as well as a HijackThis log. I will include these in separate posts to make it a little easier to read.

Any help with this problem will be greatly appreciated. Thanks.

BEFORE SMITFRAUDFIX LOG

SmitFraudFix v2.323

Scan done at 10:14:19.15, Wed 06/11/2008
Run from C:\Documents and Settings\Jonathan Clay\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jonathan Clay

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jonathan Clay\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\JONATH~1\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

C:\DOCUME~1\JONATH~1\Desktop\Privacy Protector.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:\\WINDOWS\\privacy_danger\\index.htm"
"SubscribedURL"=""
"FriendlyName"="Privacy Protection"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
+--------------------------------------------------+
[!] Suspicious: kvsdpfeawdo.dll
BHO: QXK Olive - {973F2B57-1A14-407A-9424-112756C730F9}
TypeLib: {272D05E9-D35F-4E85-9D58-63F3B87140B3}
Interface: {9A7A26DE-2DE0-456A-9611-EB65F4DE7824}
Interface: {DC21A0B7-3114-4451-970D-BED2790EE1EB}

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 68.87.64.146
DNS Server Search Order: 68.87.75.194

HKLM\SYSTEM\CCS\Services\Tcpip\..\{D2EF23E8-8E1B-48C4-B7FC-8F20A52EB087}: DhcpNameServer=68.87.64.146 68.87.75.194
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D2EF23E8-8E1B-48C4-B7FC-8F20A52EB087}: DhcpNameServer=68.87.64.146 68.87.75.194
HKLM\SYSTEM\CS2\Services\Tcpip\..\{D2EF23E8-8E1B-48C4-B7FC-8F20A52EB087}: DhcpNameServer=68.87.64.146 68.87.75.194
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.64.146 68.87.75.194
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.64.146 68.87.75.194
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.64.146 68.87.75.194

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

AFTER SMITFRAUDFIX LOG

SmitFraudFix v2.323

Scan done at 10:20:28.21, Wed 06/11/2008
Run from C:\Documents and Settings\Jonathan Clay\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
C:\WINDOWS\kvsdpfeawdo.dll deleted.

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\JONATH~1\Desktop\Privacy Protector.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{D2EF23E8-8E1B-48C4-B7FC-8F20A52EB087}: DhcpNameServer=68.87.64.146 68.87.75.194
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D2EF23E8-8E1B-48C4-B7FC-8F20A52EB087}: DhcpNameServer=68.87.64.146 68.87.75.194
HKLM\SYSTEM\CS2\Services\Tcpip\..\{D2EF23E8-8E1B-48C4-B7FC-8F20A52EB087}: DhcpNameServer=68.87.64.146 68.87.75.194
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.64.146 68.87.75.194
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.64.146 68.87.75.194
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.64.146 68.87.75.194

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

CURRENT HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:21:27, on 6/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: rtsplgob - {65059A5D-7EBF-41DC-8A37-B30F87021E22} - C:\WINDOWS\rtsplgob.dll (file missing)
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BMef183783] Rundll32.exe "C:\WINDOWS\system32\essyixgl.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://learn.vt.edu
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O21 - SSODL: rnopbfgt - {308A89E7-DD86-4D8D-915F-A984467F96A6} - C:\WINDOWS\rnopbfgt.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 6614 bytes

Reason for edit: Merged all 4 posts

Edited by Octagonal, 30 June 2008 - 03:49 AM.

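The three entries the helpers will zero in on in the HijackThis log above (O3 rtsplgob.dll, O4 [BMef183783] Rundll32 essyixgl.dll, O21 rnopbfgt.dll) share a pattern: an eight-letter unpronounceable DLL name, dropped into C:\WINDOWS itself or loaded through Rundll32, and in two cases already missing from disk while the autostart key remains. The script below is an added example written for this thread, not part of HijackThis, SmitFraudFix or the original post; it scores HijackThis lines on those signals and flags an entry only when two of them line up. The sample lines are copied from the posted log (with two known-good entries kept as negative cases), and the vowel-ratio cut-off and the two-signal threshold are my own assumptions, not a published signature.

```python
"""Triage heuristics for HijackThis-style autostart entries.

Added example for this thread; it is not part of HijackThis, SmitFraudFix
or the original post.  The scoring rules and thresholds are assumptions.
"""
import re
from typing import Optional

# Constructed sample: entries copied from the HijackThis log posted above,
# plus two known-good entries (ccApp, REFIEBAR) as negative cases.
SAMPLE_LOG = r"""
O3 - Toolbar: rtsplgob - {65059A5D-7EBF-41DC-8A37-B30F87021E22} - C:\WINDOWS\rtsplgob.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BMef183783] Rundll32.exe "C:\WINDOWS\system32\essyixgl.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O21 - SSODL: rnopbfgt - {308A89E7-DD86-4D8D-915F-A984467F96A6} - C:\WINDOWS\rnopbfgt.dll (file missing)
"""

# First Windows path ending in .dll/.exe on the line; non-greedy so a quoted
# path with spaces ("C:\Program Files\...\ccApp.exe") is captured whole.
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:dll|exe))\b", re.IGNORECASE)
VOWELS = set("aeiou")
REVIEW_THRESHOLD = 2  # assumption: two independent signals before flagging


def looks_random(filename: str) -> bool:
    """Heuristic for generated names such as rtsplgob.dll or essyixgl.dll.

    True when the stem is 6-12 letters only and vowels are under 30% of them.
    Pronounceable names (refiebar, viewpoint) sit well above that ratio; a
    few legitimate names (ctfmon) fall below it, which is why this signal is
    never sufficient on its own.
    """
    stem = filename.lower().rsplit(".", 1)[0]
    if not (6 <= len(stem) <= 12) or not stem.isalpha():
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.30


def score_entry(line: str) -> Optional[dict]:
    """Score one HijackThis line; None for lines that carry no file path."""
    m = PATH_RE.search(line)
    if not m:
        return None
    path = m.group(1)
    directory, _, filename = path.rpartition("\\")
    reasons = []
    # 1. Autostart pointing at a file that no longer exists: a dangling key
    #    left behind by a partial clean-up, or a component the scanner cannot
    #    see.  Either way the key should not stay.  Counts double below.
    if "(file missing)" in line:
        reasons.append("file missing")
    # 2. A DLL dropped straight into %WINDIR% rather than system32 or a
    #    vendor folder (rtsplgob.dll, rnopbfgt.dll, kvsdpfeawdo.dll above).
    if directory.lower() == r"c:\windows" and filename.lower().endswith(".dll"):
        reasons.append("DLL in Windows root")
    # 3. Machine-generated basename.
    if looks_random(filename):
        reasons.append("random-looking name")
    # 4. Rundll32 used to load a DLL at logon, as in the [BMef183783] entry.
    if "rundll32" in line.lower() and filename.lower().endswith(".dll"):
        reasons.append("Rundll32-launched DLL")
    score = len(reasons) + ("file missing" in reasons)
    return {"entry": line.split(" - ", 1)[0], "file": filename,
            "path": path, "score": score, "reasons": reasons}


def triage(log_text: str, threshold: int = REVIEW_THRESHOLD) -> list:
    """Return the scored O-entries at or above the threshold, highest first."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not re.match(r"^O\d+ - ", line):
            continue
        scored = score_entry(line)
        if scored and scored["score"] >= threshold:
            hits.append(scored)
    return sorted(hits, key=lambda h: -h["score"])


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"[{hit['score']}] {hit['entry']:<4} {hit['path']}  <- {', '.join(hit['reasons'])}")
```

Run against the sample it reports rtsplgob.dll and rnopbfgt.dll at score 4 and essyixgl.dll at score 2, while ccApp.exe and REFIEBAR.DLL score 0 and ctfmon.exe stops at 1 (random-looking by the letter test, but in system32 and loaded normally). The point of the two-signal threshold is exactly that last case: no single heuristic here is clean enough to act on by itself.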

#2
greyknight17
Malware Expert
1. Download combofix at http://download.blee...Bs/ComboFix.exe Save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.

#3
joea333
New Member, Topic Starter
Thanks for the quick response, here is the ComboFix log...

ComboFix 08-06-30.2 - Jonathan Clay 2008-07-01 23:07:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1551 [GMT -4:00]
Running from: C:\Documents and Settings\Jonathan Clay\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\esdn.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aGjRAcfe.ini
C:\WINDOWS\system32\aGjRAcfe.ini2
C:\WINDOWS\system32\awtqnkhe.dll
C:\WINDOWS\system32\dxcvngbr.dll
C:\WINDOWS\system32\EdLTDJjl.ini
C:\WINDOWS\system32\EdLTDJjl.ini2
C:\WINDOWS\system32\edNVvyxx.ini
C:\WINDOWS\system32\edNVvyxx.ini2
C:\WINDOWS\system32\essyixgl.dll
C:\WINDOWS\system32\ljJDTLdE.dll
C:\WINDOWS\system32\rbgnvcxd.ini
C:\WINDOWS\system32\tasuqkny.ini
C:\WINDOWS\system32\vxkkmthy.ini
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\system32\xowefdij.dll
C:\WINDOWS\system32\yaywvsro.dll
C:\WINDOWS\system32\yhtmkkxv.dll
C:\WINDOWS\system32\ynkqusat.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.

2008-07-01 19:17 . 2008-07-01 19:09 112,768 --a------ C:\WINDOWS\system32\kkrvep.dll
2008-07-01 19:01 . 2008-07-01 19:09 112,768 --a------ C:\WINDOWS\system32\obysyfnk.dll
2008-06-29 20:20 . 2008-06-29 20:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-11 10:34 . 2008-07-01 18:32 110,321 --a------ C:\WINDOWS\BMef183783.xml
2008-06-11 10:11 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-06-11 10:11 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-06-11 10:11 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-06-11 10:11 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-11 10:11 . 2008-06-11 10:21 1,050 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-11 10:10 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-06-11 10:10 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-11 10:10 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-06-11 10:10 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-10 23:25 . 2008-06-11 13:00 705 --a------ C:\WINDOWS\wininit.ini
2008-06-10 21:45 . 2008-06-10 21:45 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-06-10 21:45 . 2008-06-10 21:45 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-06-10 21:41 . 2008-06-10 21:46 0 --a------ C:\WINDOWS\system32\ieupdates.exe.tmp
2008-06-10 21:29 . 2008-06-10 17:33 81,920 --a------ C:\WINDOWS\pebgkxwq.exe
2008-06-10 20:45 . 2008-06-10 20:45 <DIR> d-------- C:\Documents and Settings\Jonathan Clay\Application Data\DAEMON Tools Pro
2008-06-10 20:31 . 2008-06-10 20:31 <DIR> d-------- C:\Documents and Settings\Jonathan Clay\Application Data\vlc
2008-06-10 20:08 . 2008-06-10 20:08 <DIR> d-------- C:\Program Files\VideoLAN
2008-06-10 20:03 . 2008-06-10 20:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-10 20:03 . 2008-06-10 20:03 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-10 14:02 . 2008-06-10 20:24 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-06-10 13:55 . 2008-04-14 08:30 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 13:55 . 2008-04-14 08:30 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-08 18:49 . 2008-06-10 20:11 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-06-08 18:47 . 2008-06-08 18:47 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-06-08 18:47 . 2008-06-08 18:48 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-06-04 18:46 . 2006-10-04 22:42 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-06-04 18:46 . 2006-10-04 22:42 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-06-04 18:43 . 2008-06-04 18:46 <DIR> d-------- C:\Program Files\Picasa2
2008-06-04 10:53 . 2008-06-10 21:41 <DIR> d-------- C:\Documents and Settings\Jonathan Clay\Application Data\BitTorrent
2008-06-04 10:52 . 2008-06-04 10:52 <DIR> d-------- C:\Program Files\DNA
2008-06-04 10:52 . 2008-06-04 10:52 <DIR> d-------- C:\Program Files\BitTorrent
2008-06-04 10:52 . 2008-06-09 21:00 <DIR> d-------- C:\Documents and Settings\Jonathan Clay\Application Data\DNA
2008-06-04 10:40 . 2008-06-10 15:00 <DIR> d-------- C:\Program Files\mIRC
2008-06-04 10:40 . 2008-06-10 15:06 <DIR> d-------- C:\Documents and Settings\Jonathan Clay\Application Data\mIRC

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-11 00:04 --------- d-----w C:\Documents and Settings\Jonathan Clay\Application Data\Apple Computer
2008-06-04 22:44 --------- d-----w C:\Program Files\Google
2008-06-04 22:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-05-31 14:15 --------- d-----w C:\Program Files\Apple Software Update
2008-05-27 15:16 --------- d-----w C:\Program Files\Revit Structure 2009
2008-05-27 15:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-05-27 15:15 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-05-27 05:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-27 04:23 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-27 03:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-27 03:56 --------- d-----w C:\Program Files\SigmaTel
2008-05-27 03:56 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-27 02:33 --------- d-----w C:\Documents and Settings\Jonathan Clay\Application Data\Autodesk
2008-05-27 02:03 --------- d-----w C:\Program Files\Revit Architecture 2009
2008-05-27 02:01 --------- d-----w C:\Program Files\Autodesk
2008-05-27 01:27 --------- d-----w C:\Program Files\Autodesk Student Community Download Tool
2008-05-27 01:09 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-27 01:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-27 01:08 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-27 01:08 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-27 01:08 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-27 01:08 10,563 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-27 01:08 --------- d-----w C:\Program Files\Symantec
2008-05-27 00:45 --------- d-----w C:\Program Files\iTunes
2008-05-27 00:45 --------- d-----w C:\Program Files\iPod
2008-05-27 00:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-27 00:44 --------- d-----w C:\Program Files\QuickTime
2008-05-27 00:44 --------- d-----w C:\Program Files\Bonjour
2008-05-27 00:43 --------- d-----w C:\Program Files\Common Files\Apple
2008-05-27 00:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-05-27 00:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-05-27 00:38 --------- d-----w C:\Program Files\AIM6
2008-05-27 00:38 --------- d-----w C:\Documents and Settings\Jonathan Clay\Application Data\acccore
2008-05-27 00:37 --------- d-----w C:\Program Files\Viewpoint
2008-05-27 00:37 --------- d-----w C:\Program Files\Common Files\AOL
2008-05-27 00:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-27 00:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-26 23:50 --------- d-----w C:\Program Files\Broadcom
2008-05-26 23:41 --------- d-----w C:\Program Files\ATI Technologies
2008-05-26 23:32 21,425 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-05-26 23:32 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Intel
2008-05-26 23:32 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Intel
2008-05-26 23:32 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Intel
2008-05-26 23:32 --------- d-----w C:\Documents and Settings\Jonathan Clay\Application Data\Intel
2008-05-26 23:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intel
2008-05-26 23:31 --------- d-----w C:\Program Files\Intel
2008-05-26 22:27 2,855 ----a-w C:\WINDOWS\PIF\R155386.PIF
2008-05-26 21:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-26 21:26 --------- d-----w C:\Program Files\MSBuild
2008-05-26 21:26 --------- d-----w C:\Program Files\Microsoft Works
2008-05-23 17:29 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 09:42 23,552 ----a-w C:\WINDOWS\system32\wdmaud.drv
2008-04-14 09:41 4,096 ----a-w C:\WINDOWS\system32\ksuser.dll
2008-04-14 05:42 74,752 ----a-w C:\WINDOWS\system32\storprop.dll
2008-04-14 05:42 74,240 ----a-w C:\WINDOWS\system32\usbui.dll
2008-04-14 05:40 1,296,669 ----a-r C:\WINDOWS\SET3.tmp
2008-04-14 05:34 16,535 ----a-r C:\WINDOWS\SET8.tmp
2008-04-14 05:34 1,088,840 ----a-r C:\WINDOWS\SET4.tmp
2008-04-14 03:55 1,804 ----a-w C:\WINDOWS\system32\Dcache.bin
2008-04-14 03:51 52,736 ----a-w C:\WINDOWS\system32\wzcsapi.dll
2008-04-14 03:51 52,224 ----a-w C:\WINDOWS\system32\dmutil.dll
2008-04-14 03:51 483,840 ----a-w C:\WINDOWS\system32\wzcsvc.dll
2008-04-14 03:51 47,616 ----a-w C:\WINDOWS\system32\iyuv_32.dll
2008-04-14 03:51 47,104 ----a-w C:\WINDOWS\system32\cnbjmon.dll
2008-04-14 03:51 35,328 ----a-w C:\WINDOWS\system32\pid.dll
2008-04-14 03:51 294,912 ----a-w C:\WINDOWS\system32\msh263.drv
2008-04-14 03:51 20,992 ----a-w C:\WINDOWS\system32\hid.dll
2008-04-14 03:51 2,065,792 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-14 03:51 16,896 ----a-w C:\WINDOWS\system32\msyuv.dll
2008-04-14 03:51 15,360 ----a-w C:\WINDOWS\system32\pjlmon.dll
2008-04-14 03:46 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 03:43 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 03:43 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 03:43 299,520 ----a-w C:\WINDOWS\system32\drmclien.dll
2008-04-14 03:43 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 03:41 98,304 ----a-w C:\WINDOWS\system32\actxprxy.dll
2008-04-14 03:40 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 03:40 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 03:40 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 03:40 102,912 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 23:00 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 22:57 2,188,928 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 22:15 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 22:13 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe
2008-04-13 22:01 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2008-04-13 22:00 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2008-04-13 21:45 76,800 ----a-w C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 21:09 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll
2008-04-13 21:09 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll
2008-04-13 21:09 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2008-04-13 21:08 306,176 ----a-w C:\WINDOWS\system32\slbcsp.dll
2008-04-13 21:08 169,984 ----a-w C:\WINDOWS\system32\sccbase.dll
2008-04-13 21:08 101,888 ----a-w C:\WINDOWS\system32\gpkcsp.dll
2008-04-13 21:07 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2008-04-13 21:07 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2008-04-13 20:58 2,940,928 ----a-w C:\WINDOWS\system32\wmploc.dll
2008-04-13 20:58 2,940,928 ----a-w C:\WINDOWS\system32\dllcache\wmploc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{dd8ab86f-918e-4f6a-81c3-c1641a7766c2}]
2008-07-01 19:09 112768 --a------ C:\WINDOWS\system32\kkrvep.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 23:42 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 11:19 819200]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 11:17 970752]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05 344064]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 01:25 115560]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winai20.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windl43.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winmu31.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winmu54.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winrb32.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winyh54.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S0 Winai20;Winai20;C:\WINDOWS\system32\Drivers\Winai20.sys []
S0 Windl43;Windl43;C:\WINDOWS\system32\Drivers\Windl43.sys []
S0 Winmu31;Winmu31;C:\WINDOWS\system32\Drivers\Winmu31.sys []
S0 Winmu54;Winmu54;C:\WINDOWS\system32\Drivers\Winmu54.sys []
S0 Winrb32;Winrb32;C:\WINDOWS\system32\Drivers\Winrb32.sys []
S0 Winyh54;Winyh54;C:\WINDOWS\system32\Drivers\Winyh54.sys []
S3 ATIXPGAA;ATIXPGAA;C:\Dell\Drivers\R101351\ATIXPGAA.SYS [2004-02-20 12:31]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2007-05-29 13:55]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-07 18:05:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{625CE5C2-0730-488B-B45D-5EFABFDF01F8} - C:\WINDOWS\system32\efcARjGa.dll
BHO-{973F2B57-1A14-407A-9424-112756C730F9} - C:\WINDOWS\kvsdpfeawdo.dll
BHO-{F6FCAB5D-CCA0-4002-911A-7328D385B99E} - C:\WINDOWS\system32\xxyvVNde.dll
Toolbar-{65059A5D-7EBF-41DC-8A37-B30F87021E22} - C:\WINDOWS\rtsplgob.dll
HKCU-Run-Aim6 - (no file)
HKLM-Run-BMef183783 - C:\WINDOWS\system32\essyixgl.dll
SSODL-rnopbfgt-{308A89E7-DD86-4D8D-915F-A984467F96A6} - C:\WINDOWS\rnopbfgt.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 23:18:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Program Files\Common Files\Symantec Shared\SPBBC\2008-07-01-5f52.kc

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2008-07-01 23:21:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-02 03:21:14

Pre-Run: 62,162,821,120 bytes free
Post-Run: 62,116,724,736 bytes free

293 --- E O F --- 2008-07-02 03:21:07

#4 joea333 (New Member, Topic Starter, 7 posts)
Another point I forgot to mention: after ComboFix had finished, an XP Antivirus 2008 shortcut appeared on my desktop, but without its normal icon. I know that this was part of the SmitFraud bug, and that deleting the shortcut will not remove the file. What can I do to remove this?

#5 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Download Malwarebytes' Anti-Malware at http://www.besttechi.../mbam-setup.exe or http://www.majorgeek...ware_d5756.html and double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Double click on C:\WINDOWS\wininit.ini to open it up in Notepad. Copy & paste the entire contents of that file here. Then go back and delete all the lines. Copy & paste the following two lines back:

[rename]
nul=

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

Driver::
Winai20
Windl43
Winmu31
Winmu54
Winrb32
Winyh54
File::
C:\WINDOWS\system32\kkrvep.dll
C:\WINDOWS\system32\obysyfnk.dll
C:\WINDOWS\BMef183783.xml
C:\WINDOWS\system32\nscompat.tlb
C:\WINDOWS\system32\amcompat.tlb
C:\WINDOWS\system32\ieupdates.exe.tmp
C:\WINDOWS\pebgkxwq.exe
C:\WINDOWS\system32\kkrvep.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{dd8ab86f-918e-4f6a-81c3-c1641a7766c2}]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winai20.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windl43.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winmu31.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winmu54.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winrb32.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winyh54.sys]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on ComboFix's window while it's running. That may cause it to stall.
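In the ComboFix log posted earlier in this thread, the six Winai20 through Winyh54 entries are the only boot-start (S0) services printed with an empty [] where ComboFix otherwise shows the image file's timestamp, and each of them also has a SafeBoot\Minimal key so it would load in Safe Mode as well. greyknight17's CFScript above removes exactly those drivers and keys. The Python below is an added example, not code from this thread or from ComboFix itself: it parses a Drivers/Services listing and the SafeBoot keys out of log text and drafts the matching Driver:: and Registry:: sections. The flagging rule (boot-start plus missing timestamp) is this example's own assumption about what the expert keyed on, not a documented ComboFix criterion, and the log excerpt inside it is constructed from the lines in this thread with one legitimate timestamped boot driver (sptd.sys) added for contrast.

```python
"""Triage the Drivers/Services section of a ComboFix log and draft the
CFScript entries for suspect boot-start drivers.

ComboFix prints one line per non-default service:
    <R|S><start type> <name>;<display name>;<image path> [<file timestamp>]
Start type 0 is a boot-start driver.  An empty "[]" means ComboFix had
no file timestamp to show for the image, which in this thread singled
out the six randomly named Win??## drivers.
"""
import ntpath
import re
from dataclasses import dataclass

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<stamp>[^\]]*)\]\s*$"
)
SAFEBOOT_RE = re.compile(
    r"^\[(?P<key>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot"
    r"\\Minimal\\(?P<entry>[^\]]+))\]$",
    re.IGNORECASE,
)

# Constructed excerpt modelled on the log lines in this thread (sptd.sys
# added as a legitimate boot-start driver that does carry a timestamp).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winai20.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winyh54.sys]
@="Driver"

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S0 Winai20;Winai20;C:\WINDOWS\system32\Drivers\Winai20.sys []
S0 Winyh54;Winyh54;C:\WINDOWS\system32\Drivers\Winyh54.sys []
S0 sptd;sptd;C:\WINDOWS\system32\Drivers\sptd.sys [2008-06-10 20:24]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2007-05-29 13:55]
"""


@dataclass
class Service:
    state: str      # R = running, S = stopped
    start: int      # 0 = boot, 1 = system, 2 = auto, 3 = manual
    name: str
    display: str
    path: str
    stamp: str      # empty when ComboFix printed "[]"


def parse_services(log: str) -> list[Service]:
    """Return every service line of the log, in log order."""
    out = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            out.append(Service(m["state"], int(m["start"]), m["name"],
                               m["display"], m["path"].strip('"'), m["stamp"]))
    return out


def parse_safeboot_keys(log: str) -> dict[str, str]:
    """Map lowercased SafeBoot\\Minimal entry names to their full key paths."""
    keys = {}
    for line in log.splitlines():
        m = SAFEBOOT_RE.match(line.strip())
        if m:
            keys[m["entry"].lower()] = m["key"]
    return keys


def suspicious_drivers(services: list[Service]) -> list[Service]:
    # Heuristic (this example's assumption, not a ComboFix rule): a boot-start
    # driver whose image file ComboFix could not timestamp deserves a look.
    return [s for s in services if s.start == 0 and not s.stamp.strip()]


def build_cfscript(services: list[Service], safeboot: dict[str, str]) -> str:
    """Draft the Driver:: and Registry:: sections for the flagged drivers;
    a SafeBoot key is only listed when the log actually showed it."""
    flagged = suspicious_drivers(services)
    lines = ["Driver::"] + [s.name for s in flagged]
    reg = []
    for s in flagged:
        key = safeboot.get(ntpath.basename(s.path).lower())
        if key:
            reg.append(f"[-{key}]")
    if reg:
        lines.append("Registry::")
        lines.extend(reg)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(parse_services(SAMPLE_LOG),
                         parse_safeboot_keys(SAMPLE_LOG)), end="")
```

Run as-is it prints the Driver:: and Registry:: blocks for Winai20 and Winyh54 and leaves sptd.sys and COH_Mon alone. The output is a draft for review, not something to feed to ComboFix unread; the page's own script also carried a File:: section and a BHO key that this heuristic cannot derive from service lines.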

#6 joea333 (New Member, Topic Starter, 7 posts)
Thanks again for your help and quick response.

As an update, after ComboFix finished, an Internet Explorer shortcut appeared on the desktop (the XP Antivirus 2008 one is gone). All of a sudden SpyBot started blocking registry changes. There are two different files, and multiple notifications are popping up every couple of seconds. I don't know if this will help, but the file names are

{625CE5C2-0730-488B-B45D-5EFABFDF01F8}
{F6FCAB5D-CCA0-4002-911A-7328D385B99E}


MBAM LOG WITH Wininit

Malwarebytes' Anti-Malware 1.19
Database version: 916
Windows 5.1.2600 Service Pack 3

11:07:29 PM 7/2/2008
mbam-log-7-2-2008 (23-07-29).txt

Scan type: Full Scan (C:\|)
Objects scanned: 72887
Time elapsed: 23 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\rtsplgob.bxqd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\rtsplgob.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\esdn.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ljJDTLdE.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0EDAE3B3-7AF0-4D05-8015-345FE0D5F762}\RP31\A0007278.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0EDAE3B3-7AF0-4D05-8015-345FE0D5F762}\RP31\A0007280.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0EDAE3B3-7AF0-4D05-8015-345FE0D5F762}\RP31\A0007283.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0EDAE3B3-7AF0-4D05-8015-345FE0D5F762}\RP31\A0007290.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\pebgkxwq.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

[rename]
c:\tempjunk5912.tmp=C:\Documents and Settings\Jonathan Clay\Start Menu\XP Antivirus 2008\Uninstall XP Antivirus 2008.lnk
nul=c:\tempjunk9583.tmp
c:\tempjunk5351.tmp=C:\Documents and Settings\Jonathan Clay\Start Menu\XP Antivirus 2008\XP Antivirus 2008.lnk
c:\tempjunk1667.tmp=C:\WINDOWS\system32\xxyvVNde.dll_old
c:\tempjunk7445.tmp=C:\WINDOWS\rnopbfgt.dll_old
c:\tempjunk6291.tmp=C:\WINDOWS\rtsplgob.dll_old
c:\tempjunk5525.tmp=C:\WINDOWS\xkefqtgs.dll_old
c:\tempjunk6540.tmp=C:\WINDOWS\system32\xxyvVNde.dll_old
c:\tempjunk6.tmp=C:\WINDOWS\system32\xxyvVNde.dll_old
c:\tempjunk5903.tmp=C:\WINDOWS\system32\efcARjGa.dll_old
c:\tempjunk9583.tmp=C:\WINDOWS\system32\efcARjGa.dll_old

ComboFix Log

ComboFix 08-06-30.2 - Jonathan Clay 2008-07-02 23:19:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1477 [GMT -4:00]
Running from: C:\Documents and Settings\Jonathan Clay\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jonathan Clay\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BMef183783.xml
C:\WINDOWS\pebgkxwq.exe
C:\WINDOWS\system32\amcompat.tlb
C:\WINDOWS\system32\ieupdates.exe.tmp
C:\WINDOWS\system32\kkrvep.dll
C:\WINDOWS\system32\nscompat.tlb
C:\WINDOWS\system32\obysyfnk.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMef183783.xml
C:\WINDOWS\system32\amcompat.tlb
C:\WINDOWS\system32\ieupdates.exe.tmp
C:\WINDOWS\system32\kkrvep.dll
C:\WINDOWS\system32\nscompat.tlb
C:\WINDOWS\system32\obysyfnk.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Winai20
-------\Service_Windl43
-------\Service_Winmu31
-------\Service_Winmu54
-------\Service_Winrb32
-------\Service_Winyh54


((((((((((((((((((((((((( Files Created from 2008-06-03 to 2008-07-03 )))))))))))))))))))))))))))))))
.

2008-07-02 22:27 . 2008-07-02 22:27 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-02 22:27 . 2008-07-02 22:27 <DIR> d-------- C:\Documents and Settings\Jonathan Clay\Application Data\Malwarebytes
2008-07-02 22:27 . 2008-07-02 22:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-02 22:27 . 2008-06-28 14:16 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-02 22:27 . 2008-06-28 14:16 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-29 20:20 . 2008-06-29 20:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-11 10:11 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-06-11 10:11 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-11 10:11 . 2008-06-11 10:21 1,050 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-11 10:10 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-06-11 10:10 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-11 10:10 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-06-11 10:10 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-10 23:25 . 2008-07-02 23:16 16 --a------ C:\WINDOWS\wininit.ini
2008-06-10 20:45 . 2008-06-10 20:45 <DIR> d-------- C:\Documents and Settings\Jonathan Clay\Application Data\DAEMON Tools Pro
2008-06-10 20:31 . 2008-06-10 20:31 <DIR> d-------- C:\Documents and Settings\Jonathan Clay\Application Data\vlc
2008-06-10 20:08 . 2008-06-10 20:08 <DIR> d-------- C:\Program Files\VideoLAN
2008-06-10 20:03 . 2008-06-10 20:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-10 20:03 . 2008-06-10 20:03 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-10 14:02 . 2008-06-10 20:24 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-06-10 13:55 . 2008-06-13 07:05 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 13:55 . 2008-06-13 07:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-08 18:49 . 2008-06-10 20:11 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-06-08 18:47 . 2008-06-08 18:47 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-06-08 18:47 . 2008-06-08 18:48 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-06-04 18:46 . 2006-10-04 22:42 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-06-04 18:46 . 2006-10-04 22:42 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-06-04 18:43 . 2008-06-04 18:46 <DIR> d-------- C:\Program Files\Picasa2
2008-06-04 10:53 . 2008-06-10 21:41 <DIR> d-------- C:\Documents and Settings\Jonathan Clay\Application Data\BitTorrent
2008-06-04 10:52 . 2008-06-04 10:52 <DIR> d-------- C:\Program Files\DNA
2008-06-04 10:52 . 2008-06-04 10:52 <DIR> d-------- C:\Program Files\BitTorrent
2008-06-04 10:52 . 2008-06-09 21:00 <DIR> d-------- C:\Documents and Settings\Jonathan Clay\Application Data\DNA
2008-06-04 10:40 . 2008-06-10 15:00 <DIR> d-------- C:\Program Files\mIRC
2008-06-04 10:40 . 2008-06-10 15:06 <DIR> d-------- C:\Documents and Settings\Jonathan Clay\Application Data\mIRC

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-11 00:04 --------- d-----w C:\Documents and Settings\Jonathan Clay\Application Data\Apple Computer
2008-06-04 22:44 --------- d-----w C:\Program Files\Google
2008-06-04 22:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-05-31 14:15 --------- d-----w C:\Program Files\Apple Software Update
2008-05-27 15:16 --------- d-----w C:\Program Files\Revit Structure 2009
2008-05-27 15:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-05-27 15:15 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-05-27 05:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-27 04:23 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-27 03:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-27 03:56 --------- d-----w C:\Program Files\SigmaTel
2008-05-27 03:56 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-27 02:33 --------- d-----w C:\Documents and Settings\Jonathan Clay\Application Data\Autodesk
2008-05-27 02:03 --------- d-----w C:\Program Files\Revit Architecture 2009
2008-05-27 02:01 --------- d-----w C:\Program Files\Autodesk
2008-05-27 01:27 --------- d-----w C:\Program Files\Autodesk Student Community Download Tool
2008-05-27 01:09 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-27 01:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-27 01:08 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-27 01:08 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-27 01:08 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-27 01:08 10,563 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-27 01:08 --------- d-----w C:\Program Files\Symantec
2008-05-27 00:45 --------- d-----w C:\Program Files\iTunes
2008-05-27 00:45 --------- d-----w C:\Program Files\iPod
2008-05-27 00:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-27 00:44 --------- d-----w C:\Program Files\QuickTime
2008-05-27 00:44 --------- d-----w C:\Program Files\Bonjour
2008-05-27 00:43 --------- d-----w C:\Program Files\Common Files\Apple
2008-05-27 00:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-05-27 00:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-05-27 00:38 --------- d-----w C:\Program Files\AIM6
2008-05-27 00:38 --------- d-----w C:\Documents and Settings\Jonathan Clay\Application Data\acccore
2008-05-27 00:37 --------- d-----w C:\Program Files\Viewpoint
2008-05-27 00:37 --------- d-----w C:\Program Files\Common Files\AOL
2008-05-27 00:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-27 00:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-26 23:50 --------- d-----w C:\Program Files\Broadcom
2008-05-26 23:41 --------- d-----w C:\Program Files\ATI Technologies
2008-05-26 23:32 21,425 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-05-26 23:32 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Intel
2008-05-26 23:32 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Intel
2008-05-26 23:32 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Intel
2008-05-26 23:32 --------- d-----w C:\Documents and Settings\Jonathan Clay\Application Data\Intel
2008-05-26 23:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intel
2008-05-26 23:31 --------- d-----w C:\Program Files\Intel
2008-05-26 22:27 2,855 ----a-w C:\WINDOWS\PIF\R155386.PIF
2008-05-26 21:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-26 21:26 --------- d-----w C:\Program Files\MSBuild
2008-05-26 21:26 --------- d-----w C:\Program Files\Microsoft Works
2008-05-23 17:29 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 09:42 23,552 ----a-w C:\WINDOWS\system32\wdmaud.drv
2008-04-14 09:41 4,096 ----a-w C:\WINDOWS\system32\ksuser.dll
2008-04-14 05:42 74,752 ----a-w C:\WINDOWS\system32\storprop.dll
2008-04-14 05:42 74,240 ----a-w C:\WINDOWS\system32\usbui.dll
2008-04-14 05:40 1,296,669 ----a-r C:\WINDOWS\SET3.tmp
2008-04-14 05:34 16,535 ----a-r C:\WINDOWS\SET8.tmp
2008-04-14 05:34 1,088,840 ----a-r C:\WINDOWS\SET4.tmp
2008-04-14 03:55 1,804 ----a-w C:\WINDOWS\system32\Dcache.bin
2008-04-14 03:51 52,736 ----a-w C:\WINDOWS\system32\wzcsapi.dll
2008-04-14 03:51 52,224 ----a-w C:\WINDOWS\system32\dmutil.dll
2008-04-14 03:51 483,840 ----a-w C:\WINDOWS\system32\wzcsvc.dll
2008-04-14 03:51 47,616 ----a-w C:\WINDOWS\system32\iyuv_32.dll
2008-04-14 03:51 47,104 ----a-w C:\WINDOWS\system32\cnbjmon.dll
2008-04-14 03:51 35,328 ----a-w C:\WINDOWS\system32\pid.dll
2008-04-14 03:51 294,912 ----a-w C:\WINDOWS\system32\msh263.drv
2008-04-14 03:51 20,992 ----a-w C:\WINDOWS\system32\hid.dll
2008-04-14 03:51 2,065,792 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-14 03:51 16,896 ----a-w C:\WINDOWS\system32\msyuv.dll
2008-04-14 03:51 15,360 ----a-w C:\WINDOWS\system32\pjlmon.dll
2008-04-14 03:46 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 03:43 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 03:43 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 03:43 299,520 ----a-w C:\WINDOWS\system32\drmclien.dll
2008-04-14 03:43 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 03:41 98,304 ----a-w C:\WINDOWS\system32\actxprxy.dll
2008-04-14 03:40 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 03:40 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 03:40 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 03:40 102,912 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 23:00 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 22:57 2,188,928 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 22:15 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 22:13 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe
2008-04-13 22:01 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2008-04-13 22:00 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2008-04-13 21:45 76,800 ----a-w C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 21:09 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll
2008-04-13 21:09 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll
2008-04-13 21:09 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2008-04-13 21:08 306,176 ----a-w C:\WINDOWS\system32\slbcsp.dll
2008-04-13 21:08 169,984 ----a-w C:\WINDOWS\system32\sccbase.dll
2008-04-13 21:08 101,888 ----a-w C:\WINDOWS\system32\gpkcsp.dll
2008-04-13 21:07 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2008-04-13 21:07 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2008-04-13 20:58 2,940,928 ----a-w C:\WINDOWS\system32\wmploc.dll
2008-04-13 20:58 2,940,928 ----a-w C:\WINDOWS\system32\dllcache\wmploc.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-02_23.20.47.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-02 03:17:21 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-03 03:23:22 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-14 12:30:49 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
+ 2008-06-13 11:05:51 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
+ 2008-07-03 03:23:57 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_228.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 23:42 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 11:19 819200]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 11:17 970752]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05 344064]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 01:25 115560]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S3 ATIXPGAA;ATIXPGAA;C:\Dell\Drivers\R101351\ATIXPGAA.SYS [2004-02-20 12:31]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2007-05-29 13:55]
S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys [2008-06-28 14:16]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-07 18:05:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{625CE5C2-0730-488B-B45D-5EFABFDF01F8} - (no file)
BHO-{973F2B57-1A14-407A-9424-112756C730F9} - (no file)
BHO-{A30B575B-0E87-446B-BB58-DD22D0F61DE0} - (no file)
BHO-{F6FCAB5D-CCA0-4002-911A-7328D385B99E} - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-02 23:24:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Program Files\Common Files\Symantec Shared\SPBBC\2008-07-02-0e58.kc 105732 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2008-07-02 23:26:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-03 03:26:31
ComboFix2.txt 2008-07-02 03:21:21

Pre-Run: 62,072,754,176 bytes free
Post-Run: 62,072,565,760 bytes free

277 --- E O F --- 2008-07-02 03:21:07

Edited by joea333, 02 July 2008 - 09:43 PM.

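The [rename] section in the post above is the contents of C:\WINDOWS\wininit.ini that greyknight17 asked to be emptied in post #5. Each line under [rename] has the form destination=source: the file named by source is moved to destination at the next boot, and the special destination nul deletes the source instead. The pairs seen above, such as nul=c:\tempjunk9583.tmp together with c:\tempjunk9583.tmp=C:\WINDOWS\system32\efcARjGa.dll_old, therefore delete the renamed DLL in two steps. The following Python script is an added example, not part of this thread or of any tool used in it: it parses such a section and follows each chain to report the final fate of every original file. The sample section inside it is constructed, modelled on the entries above but with a generic user profile path.

```python
"""Resolve what a wininit.ini [rename] section will do at the next boot.

Each line under [rename] is  destination=source : the file named by
source is moved to destination, and the special destination "nul"
deletes source.  Cleanup tools chain these (rename the file to a temp
name, then delete the temp name), so the final fate of an original file
is only visible once the chain is followed.
"""
from dataclasses import dataclass

# Constructed sample modelled on the [rename] entries in this thread;
# the user-profile path is a generic placeholder.  The bare "nul=" at the
# end is the neutralising placeholder line the expert asked for.
SAMPLE_WININIT = r"""[rename]
nul=c:\tempjunk9583.tmp
c:\tempjunk9583.tmp=C:\WINDOWS\system32\efcARjGa.dll_old
c:\tempjunk5351.tmp=C:\Documents and Settings\User\Start Menu\XP Antivirus 2008\XP Antivirus 2008.lnk
nul=C:\WINDOWS\pebgkxwq.exe
nul=
"""


@dataclass
class RenameOp:
    destination: str
    source: str

    @property
    def is_delete(self) -> bool:
        return self.destination.lower() == "nul"


def parse_wininit(text: str) -> list[RenameOp]:
    """Return the operations listed under [rename], in file order."""
    ops: list[RenameOp] = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if not in_rename or "=" not in line:
            continue
        dest, src = line.split("=", 1)
        ops.append(RenameOp(dest.strip(), src.strip()))
    return ops


def resolve_fates(ops: list[RenameOp]) -> dict[str, str]:
    """Map each original file (one that is not itself a temp destination)
    to 'deleted' or 'renamed to <final name>' by following the chain.
    Windows paths are case-insensitive, so matching is done lowercased."""
    next_hop = {op.source.lower(): op.destination for op in ops if op.source}
    destinations = {op.destination.lower() for op in ops if not op.is_delete}
    fates: dict[str, str] = {}
    for op in ops:
        if not op.source or op.source.lower() in destinations:
            continue  # placeholder "nul=" line, or an intermediate temp name
        current = op.source
        for _ in range(len(ops) + 1):  # bound the walk in case of a cycle
            dest = next_hop.get(current.lower())
            if dest is None:
                fates[op.source] = f"renamed to {current}"
                break
            if dest.lower() == "nul":
                fates[op.source] = "deleted"
                break
            current = dest
        else:
            fates[op.source] = "unresolved (cycle)"
    return fates


if __name__ == "__main__":
    for path, fate in resolve_fates(parse_wininit(SAMPLE_WININIT)).items():
        print(f"{fate:>40}  {path}")
```

Pointed at a real wininit.ini, this tells you what will disappear at the next reboot before it happens, which is the check a responder wants both when a cleanup tool wrote the file and when something else did.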

#7 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Check Spybot for any updates and run a scan to see if it finds anything. Remove it if found.

Uninstall Viewpoint Manager. Restart the computer and see if anything else still shows up.

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.

#8 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.