Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

too many to list [RESOLVED]


  • This topic is locked This topic is locked

#1
cold_shot

cold_shot

    Member

  • Member
  • PipPip
  • 21 posts
started out as virtumonde but now has all kinds of stuff. Thanks in advance for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:09:01 AM, on 7/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Credant.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\o2flash.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\AClient\Bin\XCDiffCache.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\CredUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\Dll32Agent.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\IdleProc.exe
C:\Program Files\AClient\Bin\XCGSTask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QXK Olive - {0E2E6382-7A6A-4B56-B646-0F11C13B3EA8} - C:\WINDOWS\kgqfwelttko.dll (file missing)
O2 - BHO: (no name) - {19F985B9-1B7F-47DD-9A76-944B205AAEB8} - C:\WINDOWS\system32\urqOIbBq.dll (file missing)
O2 - BHO: (no name) - {4022B044-363A-4158-BC53-0B1512D7289F} - C:\WINDOWS\system32\ljJBSlLE.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {550DCA36-F7CE-427D-96C3-478FE2991EA3} - C:\WINDOWS\system32\jkkIBTKC.dll (file missing)
O4 - HKLM\..\Run: [WSPPurge] C:\Program Files\Aflac\Common\WSPPurge.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Afaria Client File Differencing] C:\Program Files\AClient\Bin\XCDiffCache.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Aflac_Do_Not_Remove] C:\Aflac2000\WSPInfo.exe
O4 - HKLM\..\Run: [!SysInit] c:\windows\system32\mschksys.exe
O4 - HKLM\..\Run: [CMGCredUI] C:\WINDOWS\system32\CredUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [50454258] rundll32.exe "C:\WINDOWS\system32\jxqvaroa.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Afaria Client Generic Scheduler.lnk = C:\Program Files\AClient\Bin\XCGSTask.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://playgames.com...ronGameHost.cab
O21 - SSODL: VoidUnknown - {27cbda71-5985-4eab-95a6-dc625275f1d2} - C:\WINDOWS\Resources\VoidUnknown.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CMG Shield (CMGShield) - Credant Technologies, Inc. - C:\WINDOWS\system32\Credant.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: O2Micro Flash Memory (O2Flash) - O2Micro International - C:\WINDOWS\system32\o2flash.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8805 bytes
  • 0

Advertisements


#2
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello, my name is fenzodahl512 and welcome to Geekstogo.. Please do the following....



Please visit below webpage for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.




Regards
fenzodahl512
  • 0

#3
cold_shot

cold_shot

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Thanks for your fast response. Here is my first problem. For installing the Recovery Console, the instructions state to insert the Windows XP CD into the drive. I don't have the CD. My computer came with XP. Do I need to somehow use the disc labeled "Recovery and Utility" ?
  • 0

#4
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Just run ComboFix then..
  • 0

#5
cold_shot

cold_shot

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:45 AM, on 7/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Credant.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\AClient\Bin\XCDiffCache.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\CredUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Dll32Agent.Exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\IdleProc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\AClient\Bin\XCGSTask.exe
C:\WINDOWS\system32\o2flash.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E2E6382-7A6A-4B56-B646-0F11C13B3EA8} - (no file)
O2 - BHO: (no name) - {19F985B9-1B7F-47DD-9A76-944B205AAEB8} - (no file)
O2 - BHO: (no name) - {4022B044-363A-4158-BC53-0B1512D7289F} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {550DCA36-F7CE-427D-96C3-478FE2991EA3} - (no file)
O4 - HKLM\..\Run: [WSPPurge] C:\Program Files\Aflac\Common\WSPPurge.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Afaria Client File Differencing] C:\Program Files\AClient\Bin\XCDiffCache.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Aflac_Do_Not_Remove] C:\Aflac2000\WSPInfo.exe
O4 - HKLM\..\Run: [!SysInit] c:\windows\system32\mschksys.exe
O4 - HKLM\..\Run: [CMGCredUI] C:\WINDOWS\system32\CredUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Afaria Client Generic Scheduler.lnk = C:\Program Files\AClient\Bin\XCGSTask.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://playgames.com...ronGameHost.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CMG Shield (CMGShield) - Credant Technologies, Inc. - C:\WINDOWS\system32\Credant.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: O2Micro Flash Memory (O2Flash) - O2Micro International - C:\WINDOWS\system32\o2flash.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8574 bytes

Combofix log:

ComboFix 08-07-05.1 - 9X7J 2008-07-07 10:25:10.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.273 [GMT -4:00]
Running from: C:\Documents and Settings\9X7J\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-06-07 to 2008-07-07 )))))))))))))))))))))))))))))))
.

2008-07-04 20:47 . 2008-07-04 20:47 89,088 --a------ C:\WINDOWS\system32\nxfscsss.dll
2008-07-04 20:45 . 2008-07-04 20:45 108,360 --a------ C:\WINDOWS\system32\tawvswxj.exe
2008-07-04 10:44 . 2008-07-04 10:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-03 07:54 . 2008-07-03 07:54 <DIR> d-------- C:\WINDOWS\system32\734914
2008-07-02 23:19 . 2008-07-02 23:19 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-02 23:19 . 2008-07-02 23:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-02 22:31 . 2008-07-03 14:03 579 --a------ C:\WINDOWS\wininit.ini
2008-06-23 20:51 . 2008-06-23 20:51 <DIR> d-------- C:\Program Files\Astraware
2008-06-23 00:05 . 2008-06-23 00:05 <DIR> d-------- C:\Program Files\Resco
2008-06-23 00:05 . 2006-12-08 12:23 90,112 --a------ C:\WINDOWS\RSetupCE.exe
2008-06-13 23:06 . 2008-06-13 23:06 <DIR> d-------- C:\GameSpy Arcade Setup
2008-06-13 22:36 . 2008-06-13 23:07 <DIR> d-------- C:\Program Files\PANZERS - Phase1
2008-06-10 17:22 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 17:22 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-07 14:16 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-07-07 14:14 --------- d-----w C:\Program Files\WorksitePro
2008-07-07 13:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-03 03:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-03 00:21 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-03 00:21 --------- d-----w C:\Documents and Settings\9X7J\Application Data\CaribbeanHideaway
2008-06-23 04:05 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-06-05 03:39 --------- d-----w C:\Program Files\Chill
2008-05-21 04:55 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-18 19:06 --------- d-----w C:\Documents and Settings\9X7J\Application Data\MSNInstaller
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-12 02:31 --------- d-----w C:\Program Files\iTunes
2008-05-12 02:31 --------- d-----w C:\Program Files\iPod
2008-05-12 02:28 --------- d-----w C:\Program Files\QuickTime
2008-05-12 02:28 --------- d-----w C:\Program Files\Bonjour
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-07-02 02:39 64,048 -c--a-w C:\Documents and Settings\9X7J\Application Data\GDIPFONTCACHEV1.DAT
2007-06-07 13:52 143,360 --sha-r C:\WINDOWS\IdleProc.exe
2007-06-07 13:52 200,704 --sha-r C:\WINDOWS\MsCae32.dll
2007-06-07 13:52 172,032 --sha-r C:\WINDOWS\system32\MsChkSys.dll
2007-06-07 13:52 339,968 --sha-r C:\WINDOWS\system32\MsChkSys.exe
2007-06-07 13:52 22,528 --sha-r C:\WINDOWS\system32\Optic32.dll
2007-06-07 13:52 176,128 -csha-r C:\WINDOWS\system32\SafPwd32.dll
2007-06-07 13:52 77,824 -csha-r C:\WINDOWS\system32\SdwChang.exe
2007-06-07 13:52 90,112 -csha-r C:\WINDOWS\system32\SdwCreat.exe
2007-06-07 13:52 77,824 -csha-r C:\WINDOWS\system32\SdwExpan.exe
2007-06-07 13:52 282,624 --sha-r C:\WINDOWS\system32\SdwLib.dll
2007-06-07 13:52 110,592 --sha-r C:\WINDOWS\system32\SdwMap32.exe
2007-06-07 13:52 77,824 --sha-w C:\WINDOWS\system32\drivers\SafDskNT.sys
.

((((((((((((((((((((((((((((( [email protected]_ 8.06.26.28 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-07 11:48:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-07 14:13:54 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WSPPurge"="C:\Program Files\Aflac\Common\WSPPurge.exe" [2007-12-26 11:41 20480]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-08-01 12:07 729177]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-05-11 11:47 151552]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-07-02 07:48 163840]
"Afaria Client File Differencing"="C:\Program Files\AClient\Bin\XCDiffCache.exe" [2006-11-30 23:03 167936]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 20:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 21:33 125168]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-02-27 04:59 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-02-27 04:56 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-02-27 05:00 118784]
"Aflac_Do_Not_Remove"="C:\Aflac2000\WSPInfo.exe" [2006-09-12 08:15 45056]
"!SysInit"="c:\windows\system32\mschksys.exe" [2007-06-07 09:52 339968]
"CMGCredUI"="C:\WINDOWS\system32\CredUI.exe" [2007-05-08 11:56 204878]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 01:50 88204 C:\WINDOWS\AGRSMMSG.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 02:49 15691264 C:\WINDOWS\RTHDCPL.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Afaria Client Generic Scheduler.lnk - C:\Program Files\AClient\Bin\XCGSTask.exe [2006-11-07 10:01:42 552960]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-11-07 10:00:49 1459392]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2003-10-31 11:01 8704 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\Winaw32.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"C:\\Program Files\\Steam\\SteamApps\\jeschman\\the ship\\ship.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 CredCEF;CredCEF;C:\WINDOWS\system32\Drivers\CredCEF.sys [2007-05-08 11:53]
R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2005-07-08 17:06]
R0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys [2005-09-23 10:48]
R1 SafDskNT;SafDskNT;C:\WINDOWS\system32\drivers\SafDskNT.sys [2007-06-07 09:52]
R2 CMGShield;CMG Shield;C:\WINDOWS\system32\Credant.exe [2007-05-08 11:55]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97d0f274-1506-11dc-9956-0019d26e488a}]
\Shell\AutoRun\command - E:\Setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-19 23:27:26 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{0E2E6382-7A6A-4B56-B646-0F11C13B3EA8} - (no file)
BHO-{19F985B9-1B7F-47DD-9A76-944B205AAEB8} - (no file)
BHO-{4022B044-363A-4158-BC53-0B1512D7289F} - (no file)
BHO-{550DCA36-F7CE-427D-96C3-478FE2991EA3} - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-07 10:27:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Documents and Settings\9X7J\Local Settings\Application Data\Identities\{EEF7A7A2-42D0-4B8F-A56B-CBF44109853B}\Microsoft\Outlook Express\CredDB.CEF 1184 bytes
C:\Documents and Settings\9X7J\Local Settings\Application Data\Microsoft\Office\ONetConfig\CredDB.CEF 612 bytes
C:\Documents and Settings\9X7J\Application Data\Adobe\Acrobat\7.0\Messages\ENU\CredDB.CEF 296 bytes
C:\Documents and Settings\9X7J\Application Data\Adobe\Acrobat\7.0\Updater\CredDB.CEF 296 bytes
C:\Documents and Settings\9X7J\Application Data\Adobe\Flash Player\AssetCache\5A7VTE23\CredDB.CEF 296 bytes
C:\Documents and Settings\9X7J\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng\CredDB.CEF 296 bytes
C:\Documents and Settings\9X7J\Application Data\Big Fish Games\Azada\CredDB.CEF 296 bytes
C:\Documents and Settings\9X7J\Application Data\Gamelab\Jojos Fashion Show\CredDB.CEF 296 bytes
C:\Documents and Settings\9X7J\Application Data\Google\GoogleEarth\CredDB.CEF 296 bytes
C:\Documents and Settings\9X7J\Application Data\Macromedia\Director MX 2004\Escape\Prefs\CredDB.CEF 592 bytes
C:\Documents and Settings\9X7J\Application Data\Macromedia\Shockwave Player\Prefs\5B2PQYNL\CredDB.CEF 296 bytes
C:\Documents and Settings\9X7J\Application Data\Microsoft\Internet Explorer\CredDB.CEF 296 bytes
C:\Documents and Settings\9X7J\Application Data\Microsoft\Office\CredDB.CEF 1480 bytes
C:\Documents and Settings\9X7J\Application Data\PlayFirst\chocolatier\CredDB.CEF 296 bytes
C:\Documents and Settings\9X7J\Application Data\PlayFirst\chocolatier2\CredDB.CEF 296 bytes
C:\Documents and Settings\9X7J\Application Data\PlayFirst\nightshiftcode\CredDB.CEF 296 bytes
C:\Documents and Settings\9X7J\Application Data\ScreenSeven\HuhnerRacheDeluxe\CredDB.CEF 296 bytes
C:\Documents and Settings\9X7J\Application Data\Uniblue\Registry Booster2\CredDB.CEF 2664 bytes
C:\Documents and Settings\9X7J\Application Data\Valusoft\HotDish\CredDB.CEF 296 bytes

scan completed successfully
hidden files: 19

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\CredNP.dll

PROCESS: C:\WINDOWS\Explorer.exe
-> ?:\WINDOWS\system32\mslbui.dll
.
Completion time: 2008-07-07 10:28:20
ComboFix-quarantined-files.txt 2008-07-07 14:28:15
ComboFix2.txt 2008-07-07 12:06:48

Pre-Run: 29,134,958,592 bytes free
Post-Run: 29,121,728,512 bytes free

169 --- E O F --- 2008-06-22 03:40:39
  • 0

#6
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Please show hidden files and folders. Please visit HERE if you don't know how.

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan"box on the top of the page:

    • C:\WINDOWS\IdleProc.exe
      C:\WINDOWS\system32\CredUI.exe
  • Click on the submit button. You can submit only one file per round
  • Please post the results in your next reply.
If Jotti server is too busy, please submit the file to VirusTotal instead.




NEXT


Installing Recovery Console:

It appears your computer has no Recovery Console installed. We need to install Recovery Console first before proceed to our next fix. Please do the following..

Please go to Microsoft's website => HERE
Select the download that's appropriate for your Operating System. Microsoft Windows XP Professional Service Pack 2


Posted Image


Download the file & save it as it's originally named, next to ComboFix.exe.



Posted Image


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

After successfully install Recovery Console, a pop-on will appear asking to run ComboFix, please select NO.




NEXT



1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\WINDOWS\system32\nxfscsss.dll
C:\WINDOWS\system32\tawvswxj.exe
c:\windows\system32\mschksys.exe
C:\WINDOWS\Dll32Agent.Exe

Folder::
C:\WINDOWS\system32\734914

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!SysInit"=-

3. Save the above as CFScript.txt in your Desktop.

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Jotti/VirusTotal
  • Combofix.txt
  • A new HijackThis log.


Regards
fenzodahl512
  • 0

#7
cold_shot

cold_shot

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Wasn't sure how to post the results of Jotti/VirusTotal but both displayed "Found Nothing" (or was it "Nothing Found"?) Anyway, hopefully that is good enough. Here is the remaining info requested.

ComboFix 08-07-05.1 - 9X7J 2008-07-07 13:02:57.4 - NTFSx86
Running from: C:\Documents and Settings\9X7J\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-06-07 to 2008-07-07 )))))))))))))))))))))))))))))))
.

2008-07-04 20:47 . 2008-07-04 20:47 89,088 --a------ C:\WINDOWS\system32\nxfscsss.dll
2008-07-04 20:45 . 2008-07-04 20:45 108,360 --a------ C:\WINDOWS\system32\tawvswxj.exe
2008-07-04 10:44 . 2008-07-04 10:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-03 07:54 . 2008-07-03 07:54 <DIR> d-------- C:\WINDOWS\system32\734914
2008-07-02 23:19 . 2008-07-02 23:19 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-02 23:19 . 2008-07-02 23:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-02 22:31 . 2008-07-03 14:03 579 --a------ C:\WINDOWS\wininit.ini
2008-06-23 20:51 . 2008-06-23 20:51 <DIR> d-------- C:\Program Files\Astraware
2008-06-23 00:05 . 2008-06-23 00:05 <DIR> d-------- C:\Program Files\Resco
2008-06-23 00:05 . 2006-12-08 12:23 90,112 --a------ C:\WINDOWS\RSetupCE.exe
2008-06-13 23:06 . 2008-06-13 23:06 <DIR> d-------- C:\GameSpy Arcade Setup
2008-06-13 22:36 . 2008-06-13 23:07 <DIR> d-------- C:\Program Files\PANZERS - Phase1
2008-06-10 17:22 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 17:22 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-07 17:00 --------- d-----w C:\Program Files\WorksitePro
2008-07-07 17:00 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-07-07 13:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-03 03:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-03 00:21 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-03 00:21 --------- d-----w C:\Documents and Settings\9X7J\Application Data\CaribbeanHideaway
2008-06-23 04:05 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-06-05 03:39 --------- d-----w C:\Program Files\Chill
2008-05-21 04:55 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-18 19:06 --------- d-----w C:\Documents and Settings\9X7J\Application Data\MSNInstaller
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-12 02:31 --------- d-----w C:\Program Files\iTunes
2008-05-12 02:31 --------- d-----w C:\Program Files\iPod
2008-05-12 02:28 --------- d-----w C:\Program Files\QuickTime
2008-05-12 02:28 --------- d-----w C:\Program Files\Bonjour
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-07-02 02:39 64,048 -c--a-w C:\Documents and Settings\9X7J\Application Data\GDIPFONTCACHEV1.DAT
2007-06-07 13:52 143,360 --sha-r C:\WINDOWS\IdleProc.exe
2007-06-07 13:52 200,704 --sha-r C:\WINDOWS\MsCae32.dll
2007-06-07 13:52 172,032 --sha-r C:\WINDOWS\system32\MsChkSys.dll
2007-06-07 13:52 339,968 --sha-r C:\WINDOWS\system32\MsChkSys.exe
2007-06-07 13:52 22,528 --sha-r C:\WINDOWS\system32\Optic32.dll
2007-06-07 13:52 176,128 -csha-r C:\WINDOWS\system32\SafPwd32.dll
2007-06-07 13:52 77,824 -csha-r C:\WINDOWS\system32\SdwChang.exe
2007-06-07 13:52 90,112 -csha-r C:\WINDOWS\system32\SdwCreat.exe
2007-06-07 13:52 77,824 -csha-r C:\WINDOWS\system32\SdwExpan.exe
2007-06-07 13:52 282,624 --sha-r C:\WINDOWS\system32\SdwLib.dll
2007-06-07 13:52 110,592 --sha-r C:\WINDOWS\system32\SdwMap32.exe
2007-06-07 13:52 77,824 --sha-w C:\WINDOWS\system32\drivers\SafDskNT.sys
.

((((((((((((((((((((((((((((( [email protected]_ 8.06.26.28 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-07 11:48:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-07 16:59:54 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WSPPurge"="C:\Program Files\Aflac\Common\WSPPurge.exe" [2007-12-26 11:41 20480]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-08-01 12:07 729177]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-05-11 11:47 151552]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-07-02 07:48 163840]
"Afaria Client File Differencing"="C:\Program Files\AClient\Bin\XCDiffCache.exe" [2006-11-30 23:03 167936]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 20:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 21:33 125168]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-02-27 04:59 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-02-27 04:56 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-02-27 05:00 118784]
"Aflac_Do_Not_Remove"="C:\Aflac2000\WSPInfo.exe" [2006-09-12 08:15 45056]
"!SysInit"="c:\windows\system32\mschksys.exe" [2007-06-07 09:52 339968]
"CMGCredUI"="C:\WINDOWS\system32\CredUI.exe" [2007-05-08 11:56 204878]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 01:50 88204 C:\WINDOWS\AGRSMMSG.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 02:49 15691264 C:\WINDOWS\RTHDCPL.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Afaria Client Generic Scheduler.lnk - C:\Program Files\AClient\Bin\XCGSTask.exe [2006-11-07 10:01:42 552960]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-11-07 10:00:49 1459392]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2003-10-31 11:01 8704 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\Winaw32.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"C:\\Program Files\\Steam\\SteamApps\\jeschman\\the ship\\ship.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 CredCEF;CredCEF;C:\WINDOWS\system32\Drivers\CredCEF.sys [2007-05-08 11:53]
R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2005-07-08 17:06]
R0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys [2005-09-23 10:48]
R1 SafDskNT;SafDskNT;C:\WINDOWS\system32\drivers\SafDskNT.sys [2007-06-07 09:52]
R2 CMGShield;CMG Shield;C:\WINDOWS\system32\Credant.exe [2007-05-08 11:55]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97d0f274-1506-11dc-9956-0019d26e488a}]
\Shell\AutoRun\command - E:\Setup.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-19 23:27:26 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{0E2E6382-7A6A-4B56-B646-0F11C13B3EA8} - (no file)
BHO-{19F985B9-1B7F-47DD-9A76-944B205AAEB8} - (no file)
BHO-{4022B044-363A-4158-BC53-0B1512D7289F} - (no file)
BHO-{550DCA36-F7CE-427D-96C3-478FE2991EA3} - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-07 13:06:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Documents and Settings\9X7J\Local Settings\Application Data\Identities\{EEF7A7A2-42D0-4B8F-A56B-CBF44109853B}\Microsoft\Outlook Express\CredDB.CEF 1184 bytes
C:\Documents and Settings\9X7J\Local Settings\Application Data\Microsoft\Office\ONetConfig\CredDB.CEF 612 bytes
C:\Documents and Settings\9X7J\Application Data\Adobe\Acrobat\7.0\Messages\ENU\CredDB.CEF 296 bytes
C:\Documents and Settings\9X7J\Application Data\Adobe\Acrobat\7.0\Updater\CredDB.CEF 296 bytes
C:\Documents and Settings\9X7J\Application Data\Adobe\Flash Player\AssetCache\5A7VTE23\CredDB.CEF 296 bytes
C:\Documents and Settings\9X7J\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng\CredDB.CEF 296 bytes
C:\Documents and Settings\9X7J\Application Data\Big Fish Games\Azada\CredDB.CEF 296 bytes
C:\Documents and Settings\9X7J\Application Data\Gamelab\Jojos Fashion Show\CredDB.CEF 296 bytes
C:\Documents and Settings\9X7J\Application Data\Google\GoogleEarth\CredDB.CEF 296 bytes
C:\Documents and Settings\9X7J\Application Data\Macromedia\Director MX 2004\Escape\Prefs\CredDB.CEF 592 bytes
C:\Documents and Settings\9X7J\Application Data\Macromedia\Shockwave Player\Prefs\5B2PQYNL\CredDB.CEF 296 bytes
C:\Documents and Settings\9X7J\Application Data\Microsoft\Internet Explorer\CredDB.CEF 296 bytes
C:\Documents and Settings\9X7J\Application Data\Microsoft\Office\CredDB.CEF 1480 bytes
C:\Documents and Settings\9X7J\Application Data\PlayFirst\chocolatier\CredDB.CEF 296 bytes
C:\Documents and Settings\9X7J\Application Data\PlayFirst\chocolatier2\CredDB.CEF 296 bytes
C:\Documents and Settings\9X7J\Application Data\PlayFirst\nightshiftcode\CredDB.CEF 296 bytes
C:\Documents and Settings\9X7J\Application Data\ScreenSeven\HuhnerRacheDeluxe\CredDB.CEF 296 bytes
C:\Documents and Settings\9X7J\Application Data\Uniblue\Registry Booster2\CredDB.CEF 2664 bytes
C:\Documents and Settings\9X7J\Application Data\Valusoft\HotDish\CredDB.CEF 296 bytes

scan completed successfully
hidden files: 19

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\CredNP.dll

PROCESS: C:\WINDOWS\Explorer.exe
-> ?:\WINDOWS\system32\mslbui.dll
.
Completion time: 2008-07-07 13:07:52
ComboFix-quarantined-files.txt 2008-07-07 17:07:45
ComboFix2.txt 2008-07-07 16:48:45
ComboFix3.txt 2008-07-07 14:28:21
ComboFix4.txt 2008-07-07 12:06:48

Pre-Run: 29,068,890,112 bytes free
Post-Run: 29,056,249,856 bytes free

170 --- E O F --- 2008-06-22 03:40:39



HiJack This ...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:11:47 PM, on 7/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Credant.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\o2flash.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\AClient\Bin\XCDiffCache.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\CredUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\Dll32Agent.Exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\AClient\Bin\XCGSTask.exe
C:\WINDOWS\IdleProc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E2E6382-7A6A-4B56-B646-0F11C13B3EA8} - (no file)
O2 - BHO: (no name) - {19F985B9-1B7F-47DD-9A76-944B205AAEB8} - (no file)
O2 - BHO: (no name) - {4022B044-363A-4158-BC53-0B1512D7289F} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {550DCA36-F7CE-427D-96C3-478FE2991EA3} - (no file)
O4 - HKLM\..\Run: [WSPPurge] C:\Program Files\Aflac\Common\WSPPurge.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Afaria Client File Differencing] C:\Program Files\AClient\Bin\XCDiffCache.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Aflac_Do_Not_Remove] C:\Aflac2000\WSPInfo.exe
O4 - HKLM\..\Run: [!SysInit] c:\windows\system32\mschksys.exe
O4 - HKLM\..\Run: [CMGCredUI] C:\WINDOWS\system32\CredUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Afaria Client Generic Scheduler.lnk = C:\Program Files\AClient\Bin\XCGSTask.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://playgames.com...ronGameHost.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CMG Shield (CMGShield) - Credant Technologies, Inc. - C:\WINDOWS\system32\Credant.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: O2Micro Flash Memory (O2Flash) - O2Micro International - C:\WINDOWS\system32\o2flash.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8500 bytes
  • 0

#8
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\WINDOWS\system32\nxfscsss.dll
C:\WINDOWS\system32\tawvswxj.exe
c:\windows\system32\mschksys.exe
C:\WINDOWS\Dll32Agent.Exe
E:\Setup.exe

Folder::
C:\WINDOWS\system32\734914

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97d0f274-1506-11dc-9956-0019d26e488a}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!SysInit"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#9
cold_shot

cold_shot

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
A couple of things happen when I try the above procedure. Spybot S&D pops up a couple of things and ask if I want to allow the change or deny the change. I'm not sure the correct answer. Secondly, Windows pops up a warning and says that it will shut down in 3 seconds. My screen icons disappear but my wallpaper stays. I have to shut down and bring it back up again. I will try it again and try to write down all of the pop ups. Sorry to be so much trouble...
  • 0

#10
cold_shot

cold_shot

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
I tried it again. When I drag and drop, Spybot S&D pops up "Category: System Starting Global Entry. Change: Value Added." and asks if i want to allow or deny. Then shortly after that, Windows warns me that it will shut down because "CMG Shield Service terminated unexpectedly."

I'm gonna try it once more.
  • 0

Advertisements


#11
cold_shot

cold_shot

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Tried again ... same results.
  • 0

#12
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
First of all, Tell me... Do you use Aflac software?.... If yes, you have to disable it first...


Please disable your Spybot S&D before you do the CFScript step.. Please visit HERE if you do not know how.. Then perform the step above..
  • 0

#13
cold_shot

cold_shot

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
I followed the instruction. Getting the same thing "Windows must now restart because the CMG Shield Service terminated unexpectedly".
  • 0

#14
cold_shot

cold_shot

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
also, I don't use Aflac software except when I am taking applications. Otherwise it is just Windows stuff.
  • 0

#15
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Do this then..


Please download Deckard's System Scanner (DSS) from HERE or HERE and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • Please let your firewall allow the scanning/downloading process.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
If you are using Vista, you need to right-click at dss.exe icon and choose Run as Administrator
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP