Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Antivirus XP 08 [RESOLVED]

Started by mdphelps , Jul 08 2008 07:52 AM

This topic is locked

#1
mdphelps

Posted 08 July 2008 - 07:52 AM

Member

Member
51 posts

Hi,

I tried to clean out the Antivirus XP 08 and was partially successful; but after running a Kaspersky scan, i see i still have many issues. Help please/ log is below.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, July 7, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, July 07, 2008 05:46:12
Records in database: 919808
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 38477
Threat name: 10
Infected objects: 27
Suspicious objects: 0
Duration of the scan: 01:13:09

File name / Threat name / Threats count
C:\WINDOWS\system32\winlogon.exe/C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.aa 1
C:\WINDOWS\system32\services.exe/C:\WINDOWS\system32\services.exe Infected: Trojan.Win32.Patched.aa 1
C:\WINDOWS\system32\lsass.exe/C:\WINDOWS\system32\lsass.exe Infected: Trojan.Win32.Patched.aa 1
C:\WINDOWS\system32\svchost.exe/C:\WINDOWS\system32\svchost.exe Infected: Trojan.Win32.Patched.aa 6
C:\WINDOWS\System32\svchost.exe/C:\WINDOWS\System32\svchost.exe Infected: Trojan.Win32.Patched.aa 1
C:\WINDOWS\system32\spoolsv.exe/C:\WINDOWS\system32\spoolsv.exe Infected: Trojan.Win32.Patched.aa 1
C:\Documents and Settings\El Marko\Desktop\Mark's stuff\sent emails\Mark Phelps resume.msg Infected: Virus.MSWord.Class.b 1
C:\Documents and Settings\El Marko\Desktop\Mark's stuff\sent emails\Mark Phelps Resume.msg Infected: Virus.MSWord.Class.b 1
C:\QooBox\Quarantine\C\WINDOWS\17PHolmes72.exe.vir Infected: Trojan-Downloader.Win32.Homles.br 1
C:\QooBox\Quarantine\C\WINDOWS\444.471.vir Infected: Trojan.Win32.DNSChanger.eys 1
C:\QooBox\Quarantine\C\WINDOWS\lfn.exe.vir Infected: Hoax.Win32.Renos.vaff 1
C:\QooBox\Quarantine\C\WINDOWS\portsv.exe.vir Infected: Trojan.Win32.Agent.sdd 1
C:\QooBox\Quarantine\C\WINDOWS\system32\000070.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.gb 1
C:\QooBox\Quarantine\C\WINDOWS\system32\~.exe.vir Infected: Trojan.Win32.Agent.cyt 1
C:\WINDOWS\$NtUninstallKB938828$\explorer.exe Infected: Trojan.Win32.Patched.aa 1
C:\WINDOWS\system32\25.tmp Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\WINDOWS\system32\lsass.exe Infected: Trojan.Win32.Patched.aa 1
C:\WINDOWS\system32\netrax06\netrax061083.exe Infected: Trojan-Downloader.Win32.VB.eyc 1
C:\WINDOWS\system32\services.exe Infected: Trojan.Win32.Patched.aa 1
C:\WINDOWS\system32\spoolsv.exe Infected: Trojan.Win32.Patched.aa 1
C:\WINDOWS\system32\svchost.exe Infected: Trojan.Win32.Patched.aa 1
C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.aa 1

The selected area was scanned.

#2
Mike

Posted 08 July 2008 - 08:35 AM

Malware Monger

Retired Staff
2,745 posts

Hi there,

Some legitimate system files have been infected. Do you have your windows CD handy? You ran combofix too, please post it's log for me (you'll find it at C:\combofix.txt)

Please do this for me,

Please download the OTMoveIt2 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\Documents and Settings\El Marko\Desktop\Mark's stuff\sent emails\Mark Phelps resume.msg
C:\Documents and Settings\El Marko\Desktop\Mark's stuff\sent emails\Mark Phelps Resume.msg
C:\WINDOWS\system32\25.tmp
C:\WINDOWS\system32\netrax06\netrax061083.exe

Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Now,

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.

Then,

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Note:These logs may be too large to post in one reply, if so, please post extra.txt in a seperate reply.

Edited by Mike, 08 July 2008 - 08:36 AM.

#3
mdphelps

Posted 08 July 2008 - 08:59 AM

Member

Topic Starter
Member
51 posts

Thanks Mike! Here is the ComboFix log. Doing the other things now.

ComboFix 08-07-05.1 - El Marko 2008-07-06 18:37:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.205 [GMT -4:00]
Running from: C:\Documents and Settings\El Marko\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\El Marko\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\El Marko\Application Data\rhcn7nj0erfn
C:\Documents and Settings\Mark Phelps\Application Data\rhcn7nj0erfn
C:\Program Files\rhcn7nj0erfn
C:\WINDOWS\17PHolmes72.exe
C:\WINDOWS\444.471
C:\WINDOWS\accesss.exe
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\avpcc.dll
C:\WINDOWS\clrssn.exe
C:\WINDOWS\cpan.dll
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\default.htm
C:\WINDOWS\directx32.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\editpad.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\funny.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\iedll.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\inetinf.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\lfn.exe
C:\WINDOWS\loader.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\msconfd.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\mssys.exe
C:\WINDOWS\msupdate.exe
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\muotr.so
C:\WINDOWS\notepad32.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\portsv.exe
C:\WINDOWS\qttasks.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\searchword.dll
C:\WINDOWS\sistem.exe
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\system32\.exe
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\000070.exe
C:\WINDOWS\system32\000080.exe
C:\WINDOWS\system32\7.tmp
C:\WINDOWS\system32\A.tmp
C:\WINDOWS\system32\blphcj7nj0erfn.scr
C:\WINDOWS\system32\E.tmp
C:\WINDOWS\system32\lphcj7nj0erfn.exe
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\phcj7nj0erfn.bmp
C:\WINDOWS\system32\yrqrmjsdhci.dll
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\time.exe
C:\WINDOWS\users32.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\win64.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\window.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\x.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\xxxvideo.hta
C:\WINDOWS\y.exe

.
((((((((((((((((((((((((( Files Created from 2008-06-06 to 2008-07-06 )))))))))))))))))))))))))))))))
.

2008-07-06 17:08 . 2008-07-06 18:46 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-07-06 16:20 . 2008-07-06 16:20 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-07-06 15:07 . 2008-07-06 15:44 <DIR> d-------- C:\Program Files\GetPack
2008-07-06 00:00 . 2008-07-06 00:00 0 --a------ C:\WINDOWS\system32\8.tmp
2008-07-05 19:22 . 2008-07-05 19:22 0 --a------ C:\WINDOWS\system32\6.tmp
2008-07-05 17:55 . 2008-07-05 17:55 0 --a------ C:\WINDOWS\system32\B.tmp
2008-07-05 17:50 . 2008-07-05 17:50 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-07-05 17:44 . 2008-07-05 17:44 109,056 --a------ C:\WINDOWS\system32\clwrgnah.exe
2008-07-05 17:40 . 2008-07-05 17:40 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-05 16:48 . 2008-07-05 16:48 <DIR> d-------- C:\Program Files\ThreatFire
2008-07-05 16:48 . 2008-07-05 16:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-07-05 16:48 . 2008-04-24 16:52 51,520 --a------ C:\WINDOWS\system32\drivers\TfFsMon.sys
2008-07-05 16:48 . 2008-04-24 16:52 38,208 --a------ C:\WINDOWS\system32\drivers\TfSysMon.sys
2008-07-05 16:48 . 2008-04-24 16:52 33,088 --a------ C:\WINDOWS\system32\drivers\TfNetMon.sys
2008-07-05 16:48 . 2008-04-24 16:52 12,608 --a------ C:\WINDOWS\system32\drivers\TfKbMon.sys
2008-07-05 16:38 . 2008-07-05 16:38 0 --a------ C:\WINDOWS\system32\4.tmp
2008-07-05 16:10 . 2008-07-05 16:16 <DIR> d-------- C:\WINDOWS\system32\8366
2008-07-05 15:04 . 2008-07-05 15:04 <DIR> d-------- C:\WINDOWS\system32\netrax06
2008-07-05 15:04 . 2008-07-05 15:04 <DIR> d-------- C:\temp\itmp4
2008-07-05 15:04 . 2008-07-05 16:16 94,208 --a------ C:\WINDOWS\system32\25.tmp
2008-07-05 15:04 . 2008-07-05 15:04 64,317 --a------ C:\WINDOWS\system32\cbenhxpesaivt.exe
2008-07-05 15:03 . 2008-07-05 15:03 <DIR> d-------- C:\Program Files\lcccute
2008-07-05 15:03 . 2008-07-05 15:03 <DIR> d-------- C:\Program Files\iCheck
2008-07-05 15:03 . 2008-07-06 13:12 <DIR> d-------- C:\Program Files\GetModule
2008-07-05 15:03 . 2008-07-05 17:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vqlyjmjo
2008-07-05 13:26 . 2008-07-06 18:46 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-05 13:26 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-07-05 13:26 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-07-05 13:26 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-07-05 13:26 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-07-05 13:25 . 2008-07-06 16:33 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-07-05 13:25 . 2008-07-05 13:25 <DIR> d-------- C:\Documents and Settings\El Marko\Application Data\PC Tools
2008-07-05 10:49 . 2008-07-05 10:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Linksys
2008-07-04 16:31 . 2008-07-04 16:33 <DIR> d-------- C:\Documents and Settings\Mark Phelps\Application Data\Canon
2008-07-03 17:54 . 2008-07-03 17:54 <DIR> d-------- C:\Program Files\Linksys
2008-07-03 08:40 . 2008-07-03 08:40 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
2008-07-03 08:40 . 2008-07-03 08:40 <DIR> d-------- C:\Program Files\ComcastUI
2008-06-07 22:16 . 2008-06-07 22:16 32,768 --a------ C:\WINDOWS\system32\netrax06\netrax061083.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-01 03:16 1,901 ----a-w C:\WINDOWS\panose.bin
2008-06-01 01:24 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-01 01:01 --------- d-----w C:\Program Files\Neevia.Com
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
.

------- Sigcheck -------

md5deep: C:\WINDOWS\SoftwareDistribution\Download\354955e5a48449db338e32557238a670\svchost.exe: No such file or directory
2004-08-04 08:00 17408 14baef1a5bdfd9f683c571d1a27d4a5f C:\WINDOWS\system32\svchost.exe

md5deep: C:\WINDOWS\SoftwareDistribution\Download\354955e5a48449db338e32557238a670\winlogon.exe: No such file or directory
2004-08-04 08:00 506368 4f373f015c508d8116b3a6b37134356c C:\WINDOWS\system32\winlogon.exe

md5deep: C:\WINDOWS\SoftwareDistribution\Download\354955e5a48449db338e32557238a670\services.exe: No such file or directory
2004-08-04 08:00 110592 48e207cc699e7010caf6ea387208c8ec C:\WINDOWS\system32\services.exe

md5deep: C:\WINDOWS\SoftwareDistribution\Download\354955e5a48449db338e32557238a670\lsass.exe: No such file or directory
2004-08-04 08:00 14848 62c9a70fcc51a6ed36cfeb09450eb492 C:\WINDOWS\system32\lsass.exe

2005-06-10 20:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 08:00 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
md5deep: C:\WINDOWS\SoftwareDistribution\Download\354955e5a48449db338e32557238a670\spoolsv.exe: No such file or directory
md5deep: C:\WINDOWS\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\backup\spoolsv.exe: No such file or directory
2005-06-10 19:53 58880 388d0a4fb83ed39521042a99209650f4 C:\WINDOWS\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-06 12:53 68856]
"Universal Installer"="C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe" [2008-03-18 14:50 984616]
"GetModule19"="C:\Program Files\GetModule\GetModule19.exe" [2008-06-17 05:58 351744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 15:13 176128]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-10 22:05 344064]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28 684032]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-29 00:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 11:36 267048]
"ThreatFire"="C:\Program Files\ThreatFire\TFTray.exe" [2008-04-24 16:52 259392]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 08:00 110592 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 21:17 443968]

C:\Documents and Settings\Mark Phelps\Start Menu\Programs\Startup\
Palm Registration.lnk - C:\Program Files\Palm\register.exe [2005-08-08 12:36:14 2494464]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Billminder.lnk - C:\QUICKENW\BILLMIND.EXE [2007-06-02 12:07:06 30208]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:27:34 471040]
Quicken Startup.lnk - C:\QUICKENW\QWDLLS.EXE [2007-06-02 12:07:14 27136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"AppWebWin"= {01C26FC4-0AF5-9F00-9E21-03DC7EA6F38B} - C:\Program Files\lcccute\AppWebWin.dll [2008-07-05 15:03 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57148:TCP"= 57148:TCP:PORT_57148
"50209:TCP"= 50209:TCP:PORT_50209
"45575:TCP"= 45575:TCP:PORT_45575
"17692:TCP"= 17692:TCP:PORT_17692
"43323:TCP"= 43323:TCP:PORT_43323
"27228:TCP"= 27228:TCP:PORT_27228
"50285:TCP"= 50285:TCP:PORT_50285
"64132:TCP"= 64132:TCP:PORT_64132
"43709:TCP"= 43709:TCP:PORT_43709
"6864:TCP"= 6864:TCP:PORT_6864
"29054:TCP"= 29054:TCP:PORT_29054
"35047:TCP"= 35047:TCP:PORT_35047
"14512:TCP"= 14512:TCP:PORT_14512
"62857:TCP"= 62857:TCP:PORT_62857
"30113:TCP"= 30113:TCP:PORT_30113
"44430:TCP"= 44430:TCP:PORT_44430
"25664:TCP"= 25664:TCP:PORT_25664
"6386:TCP"= 6386:TCP:PORT_6386
"18146:TCP"= 18146:TCP:PORT_18146
"6868:TCP"= 6868:TCP:PORT_6868
"23026:TCP"= 23026:TCP:PORT_23026
"11263:TCP"= 11263:TCP:PORT_11263
"12010:TCP"= 12010:TCP:PORT_12010
"28469:TCP"= 28469:TCP:PORT_28469
"47404:TCP"= 47404:TCP:PORT_47404
"34736:TCP"= 34736:TCP:PORT_34736
"41730:TCP"= 41730:TCP:PORT_41730
"17879:TCP"= 17879:TCP:PORT_17879
"29584:TCP"= 29584:TCP:PORT_29584
"42263:TCP"= 42263:TCP:PORT_42263
"56462:TCP"= 56462:TCP:PORT_56462
"58882:TCP"= 58882:TCP:PORT_58882
"61385:TCP"= 61385:TCP:PORT_61385
"18625:TCP"= 18625:TCP:PORT_18625
"40905:TCP"= 40905:TCP:PORT_40905
"40409:TCP"= 40409:TCP:PORT_40409
"26319:TCP"= 26319:TCP:PORT_26319
"57687:TCP"= 57687:TCP:PORT_57687
"43656:TCP"= 43656:TCP:PORT_43656
"23850:TCP"= 23850:TCP:PORT_23850
"29193:TCP"= 29193:TCP:PORT_29193
"17494:TCP"= 17494:TCP:PORT_17494
"34121:TCP"= 34121:TCP:PORT_34121
"63264:TCP"= 63264:TCP:PORT_63264
"26954:TCP"= 26954:TCP:PORT_26954
"20462:TCP"= 20462:TCP:PORT_20462
"18418:TCP"= 18418:TCP:PORT_18418
"35058:TCP"= 35058:TCP:PORT_35058
"62624:TCP"= 62624:TCP:PORT_62624
"55399:TCP"= 55399:TCP:PORT_55399
"32210:TCP"= 32210:TCP:PORT_32210
"48207:TCP"= 48207:TCP:PORT_48207
"42900:TCP"= 42900:TCP:PORT_42900
"32600:TCP"= 32600:TCP:PORT_32600
"13848:TCP"= 13848:TCP:PORT_13848
"7812:TCP"= 7812:TCP:PORT_7812
"46471:TCP"= 46471:TCP:PORT_46471

R0 TfFsMon;TfFsMon;C:\WINDOWS\system32\drivers\TfFsMon.sys [2008-04-24 16:52]
R0 TfSysMon;TfSysMon;C:\WINDOWS\system32\drivers\TfSysMon.sys [2008-04-24 16:52]
R2 LinksysUpdater;Linksys Updater;C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe -s C:\Program Files\Linksys\Linksys Updater\conf\wrapper.conf []
R2 ThreatFire;ThreatFire;C:\Program Files\ThreatFire\TFService.exe service []
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys [2005-04-21 22:58]
R3 TfNetMon;TfNetMon;C:\WINDOWS\system32\drivers\TfNetMon.sys [2008-04-24 16:52]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-30 17:18:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-06 21:30:28 C:\WINDOWS\Tasks\SpyHunter Scanner.job"
- C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-vxazlkwl - C:\WINDOWS\system32\jsfwrqjy.exe
HKLM-Run-lphcj7nj0erfn - C:\WINDOWS\system32\lphcj7nj0erfn.exe
HKLM-Run-SMrhcn7nj0erfn - C:\Program Files\rhcn7nj0erfn\rhcn7nj0erfn.exe
HKLM-Run-{ff966407-b0f2-0f49-b268-63dc04c904ab} - C:\WINDOWS\system32\yrqrmjsdhci.dll
HKLM-Explorer_Run-vXfpkHGxC2 - C:\Documents and Settings\All Users\Application Data\vqlyjmjo\jylmjmxe.exe
SSODL-RYjtQBlvmdcly-{ECFD2C69-4657-86C3-588D-4022C0149906} - C:\WINDOWS\system32\sn.dll

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-06 18:46:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll
PROCESS: C:\WINDOWS\system32\winlogon.exe

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll
.
Completion time: 2008-07-06 18:50:23
ComboFix-quarantined-files.txt 2008-07-06 22:50:07

Pre-Run: 28,749,975,552 bytes free
Post-Run: 29,046,538,240 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

294 --- E O F --- 2008-07-06 20:21:18

#4
mdphelps

Posted 08 July 2008 - 09:18 AM

Member

Topic Starter
Member
51 posts

Here is the OTMoveIt2 log:

C:\Documents and Settings\El Marko\Desktop\Mark's stuff\sent emails\Mark Phelps resume.msg moved successfully.
File/Folder C:\Documents and Settings\El Marko\Desktop\Mark's stuff\sent emails\Mark Phelps Resume.msg not found.
C:\WINDOWS\system32\25.tmp moved successfully.
C:\WINDOWS\system32\netrax06\netrax061083.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07082008_111232

#5
Mike

Posted 08 July 2008 - 11:48 AM

Malware Monger

Retired Staff
2,745 posts

OK, I'm waiting on the Dr. WebCureIt scan and the DSS log.

#6
mdphelps

Posted 08 July 2008 - 11:55 AM

Member

Topic Starter
Member
51 posts

Here's DrWeb - running DSS now.

beep.sys;c:\windows\system32\drivers;Trojan.Fakealert.458;Deleted.;
lsass.exe;c:\windows\system32;Trojan.Starter.384;Cured.;
services.exe;c:\windows\system32;Trojan.Starter.384;Cured.;
spoolsv.exe;c:\windows\system32;Trojan.Starter.384;Cured.;
svchost.exe;c:\windows\system32;Trojan.Starter.384;Cured.;
winlogon.exe;c:\windows\system32;Trojan.Starter.384;Cured.;
psexec.cfexe;C:\327882R2FWJFW;Program.PsExec.171;;
ComboFix.exe\327882R2FWJFW\psexec.cfexe;C:\Documents and Settings\El Marko\Desktop\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\El Marko\Desktop;Archive contains infected objects;Moved.;
Mark Phelps resume.msg\resume phelps.doc;C:\Documents and Settings\El Marko\Desktop\Mark's stuff\sent emails\Mark Phelps resume.msg;W97M.Class;;
Mark Phelps resume.msg;C:\Documents and Settings\El Marko\Desktop\Mark's stuff\sent emails;Archive contains infected objects;Moved.;
install[1].exe;C:\Documents and Settings\El Marko\Local Settings\Temporary Internet Files\Content.IE5\K8CKTM1T;Trojan.Packed.564;Deleted.;
17PHolmes72.exe.vir;C:\QooBox\Quarantine\C\WINDOWS;Trojan.DownLoader.62803;Deleted.;
lfn.exe.vir;C:\QooBox\Quarantine\C\WINDOWS;Modification of BackDoor.Generic.1699;Moved.;
.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.DownLoader.42369;Deleted.;
lphcj7nj0erfn.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Fakealert.950;Deleted.;
A0058861.exe;C:\System Volume Information\_restore{DE9E8BF3-F8C0-409B-9A2D-80317427CC3F}\RP336;Modification of BackDoor.Generic.1699;Moved.;
A0059013.exe;C:\System Volume Information\_restore{DE9E8BF3-F8C0-409B-9A2D-80317427CC3F}\RP336;Trojan.DownLoader.62803;Deleted.;
A0059015.exe;C:\System Volume Information\_restore{DE9E8BF3-F8C0-409B-9A2D-80317427CC3F}\RP336;Trojan.Fakealert.950;Deleted.;
A0059016.exe;C:\System Volume Information\_restore{DE9E8BF3-F8C0-409B-9A2D-80317427CC3F}\RP336;Trojan.DownLoader.42369;Deleted.;
cpu.exe;C:\WINDOWS;Trojan.Packed.564;Deleted.;
cru629.dat;C:\WINDOWS;Trojan.Proxy.1739;Deleted.;
PSEXESVC.EXE;C:\WINDOWS;Program.PsExec.170;;
explorer.exe;C:\WINDOWS\$NtUninstallKB938828$;Trojan.Starter.384;Cured.;
clwrgnah.exe;C:\WINDOWS\system32;Trojan.Fakealert.950;Deleted.;
cru629.dat;C:\WINDOWS\system32;Trojan.Proxy.1739;Deleted.;
beep.sys;C:\WINDOWS\system32\dllcache;Trojan.Fakealert.458;Deleted.;
Mark Phelps Resume.msg\resume phelps.doc;C:\_OTMoveIt\MovedFiles\07082008_111232\Documents and Settings\El Marko\Desktop\Mark's stuff\sent emails\Mark Phelps Resume.msg;W97M.Class;;
Mark Phelps Resume.msg;C:\_OTMoveIt\MovedFiles\07082008_111232\Documents and Settings\El Marko\Desktop\Mark's stuff\sent emails;Archive contains infected objects;Moved.;
25.tmp;C:\_OTMoveIt\MovedFiles\07082008_111232\WINDOWS\system32;Trojan.Fakealert.949;Deleted.;
netrax061083.exe;C:\_OTMoveIt\MovedFiles\07082008_111232\WINDOWS\system32\netrax06;Trojan.DownLoader.56730;Deleted.;

#7
mdphelps

Posted 08 July 2008 - 12:02 PM

Member

Topic Starter
Member
51 posts

DSS main.txt:

Deckard's System Scanner v20071014.68
Run by El Marko on 2008-07-08 13:56:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
6: 2008-07-08 17:56:54 UTC - RP339 - Deckard's System Scanner Restore Point
5: 2008-07-07 16:37:41 UTC - RP338 - Removed Java™ 6 Update 3
4: 2008-07-07 03:18:02 UTC - RP337 - Installed Java™ 6 Update 5
3: 2008-07-06 22:35:22 UTC - RP336 - ComboFix created restore point
2: 2008-07-06 21:05:13 UTC - RP335 - Software Distribution Service 3.0

-- First Restore Point --
1: 2008-07-06 20:26:22 UTC - RP334 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-08 13:58:24
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
C:\Program Files\Apoint\hidfind.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
C:\Program Files\GetModule\GetModule19.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Palm\Hotsync.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\El Marko\Desktop\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_SL.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Apoint\hidfind.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Apoint\ApntEx.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co...n...UTF-8&hl=en
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Universal Installer] "C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe" /fromrun /starthidden
O4 - HKCU\..\Run: [GetModule19] "C:\Program Files\GetModule\GetModule19.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Billminder.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.h...nosticsxp2k.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.ma...t/ultrashim.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: cru629.dat
O21 - SSODL: AppWebWin - {01C26FC4-0AF5-9F00-9E21-03DC7EA6F38B} - C:\Program Files\lcccute\AppWebWin.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 9955 bytes

-- File Associations -----------------------------------------------------------

.ini - inifile - shell\open\command - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1
.txt - txtfile - shell\open\command - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S3 UIUSys (Conexant Setup API) - c:\windows\system32\drivers\uiusys.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 BthServ (Bluetooth Support Service) - c:\windows\system32\svchost.exe -k bthsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 LinksysUpdater (Linksys Updater) - "c:\program files\linksys\linksys updater\bin\linksysupdater.exe" -s "c:\program files\linksys\linksys updater\conf\wrapper.conf"

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-07-07 13:18:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-07-06 17:30:28 454 --a------ C:\WINDOWS\Tasks\SpyHunter Scanner.job

-- Files created between 2008-06-08 and 2008-07-08 -----------------------------

2008-07-08 11:27:17 0 d-------- C:\Documents and Settings\El Marko\DoctorWeb
2008-07-07 12:38:28 0 d-------- C:\WINDOWS\system32\appmgmt
2008-07-07 12:34:24 0 d-------- C:\VundoFix Backups
2008-07-06 21:32:27 0 d-------- C:\327882R2FWJFW
2008-07-06 18:44:13 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-07-06 18:36:55 0 d-------- C:\cmdcons
2008-07-06 18:33:14 68096 --a------ C:\WINDOWS\zip.exe
2008-07-06 18:33:14 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-06 18:33:14 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-06 18:33:14 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-06 18:33:14 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-06 18:33:14 98816 --a------ C:\WINDOWS\sed.exe
2008-07-06 18:33:14 80412 --a------ C:\WINDOWS\grep.exe
2008-07-06 18:33:14 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-06 17:08:00 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-07-06 15:07:54 0 d-------- C:\Program Files\GetPack
2008-07-05 17:50:56 0 d-------- C:\Program Files\Enigma Software Group
2008-07-05 17:40:07 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-05 17:40:07 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-05 17:40:07 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-05 17:40:07 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-07-05 17:40:07 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-05 17:40:07 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-05 17:40:07 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-05 17:40:07 0 d-------- C:\Documents and Settings\Administrator\My Documents <MYDOCU~1>
2008-07-05 17:40:07 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-05 17:40:07 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-07-05 17:40:07 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-05 17:40:07 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-07-05 17:40:07 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-05 17:40:07 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-05 17:19:31 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-07-05 16:48:24 0 d-------- C:\Program Files\ThreatFire
2008-07-05 16:48:24 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-07-05 16:10:40 0 d-------- C:\WINDOWS\system32\8366
2008-07-05 15:04:48 64317 --a------ C:\WINDOWS\system32\cbenhxpesaivt.exe
2008-07-05 15:04:25 0 d-------- C:\WINDOWS\system32\netrax06
2008-07-05 15:03:45 0 d-------- C:\Program Files\lcccute
2008-07-05 15:03:32 0 d-------- C:\Documents and Settings\All Users\Application Data\vqlyjmjo
2008-07-05 15:03:27 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-07-05 15:03:26 0 d-------- C:\Program Files\iCheck
2008-07-05 15:03:26 0 d-------- C:\Program Files\GetModule
2008-07-05 15:03:24 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-07-05 15:03:08 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-07-05 13:26:09 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-05 13:25:52 0 d-------- C:\Program Files\Spyware Doctor
2008-07-05 13:25:52 0 d-------- C:\Documents and Settings\El Marko\Application Data\PC Tools
2008-07-05 10:49:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Linksys
2008-07-04 16:31:49 0 d-------- C:\Documents and Settings\Mark Phelps\Application Data\Canon
2008-07-03 17:54:52 0 d-------- C:\Program Files\Linksys
2008-07-03 08:40:43 0 d-------- C:\Program Files\Common Files\SupportSoft
2008-07-03 08:40:43 0 d-------- C:\Program Files\ComcastUI

-- Find3M Report ---------------------------------------------------------------

2008-07-06 23:20:17 0 d-------- C:\Program Files\Java
2008-07-05 16:28:54 0 d-------- C:\Program Files\Common Files
2008-05-31 23:16:22 1901 --a------ C:\WINDOWS\panose.bin
2008-05-31 21:24:21 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-31 21:01:16 0 d-------- C:\Program Files\Neevia.Com
2008-05-08 06:42:31 1 --a------ C:\WINDOWS\system32\kl_done

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [10/07/2005 03:13 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [11/10/2005 10:05 PM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [02/23/2005 05:19 PM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 08:00 AM C:\WINDOWS\system32\bthprops.cpl]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [12/17/2002 12:28 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/29/2008 12:37 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 11:36 AM]
"ThreatFire"="C:\Program Files\ThreatFire\TFTray.exe" [04/24/2008 04:52 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"braviax"="braviax.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/06/2007 12:53 PM]
"Universal Installer"="C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe" [03/18/2008 02:50 PM]
"GetModule19"="C:\Program Files\GetModule\GetModule19.exe" [06/17/2008 05:58 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"braviax"="C:\WINDOWS\system32\braviax.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Billminder.lnk - C:\QUICKENW\BILLMIND.EXE [6/2/2007 12:07:06 PM]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [6/9/2004 2:27:34 PM]
Quicken Startup.lnk - C:\QUICKENW\QWDLLS.EXE [6/2/2007 12:07:14 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"AppWebWin"= {01C26FC4-0AF5-9F00-9E21-03DC7EA6F38B} - C:\Program Files\lcccute\AppWebWin.dll [07/05/2008 03:03 PM 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=cru629.dat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

*Newly Created Service* - HTTPFILTER

-- End of Deckard's System Scanner: finished at 2008-07-08 13:59:16 ------------

#8
mdphelps

Posted 08 July 2008 - 12:03 PM

Member

Topic Starter
Member
51 posts

DSS extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1.60GHz
Percentage of Memory in Use: 64%
Physical Memory (total/avail): 511.23 MiB / 179.77 MiB
Pagefile Memory (total/avail): 2017.79 MiB / 1629.44 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1930.07 MiB

C: is Fixed (NTFS) - 37.26 GiB total, 27.95 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - FUJITSU MHT2040AH - 37.26 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.26 GiB - C:

-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.
AntivirusOverride is set.

AV: ThreatFire v3.5.0.21 (PC Tools) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\El Marko\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MARK-MOBILE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\El Marko
LOGONSERVER=\\MARK-MOBILE
NeeviaTEMP=C:\Program Files\Neevia.Com\docuPrinterPro\temp\
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d06
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ELMARK~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ELMARK~1\LOCALS~1\Temp
USERDOMAIN=MARK-MOBILE
USERNAME=El Marko
USERPROFILE=C:\Documents and Settings\El Marko
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

Mark Phelps (admin)
El Marko (admin)
Administrator (new local, admin)

-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 4.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe PageMaker 6.5 --> C:\WINDOWS\UNINST.EXE -f"C:\Program Files\Adobe\PM65\DeIsL1.isu" -c"C:\Program Files\Adobe\PM65\Uninst.dll"
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
ALPS Touch Pad Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
AntivirXP08 --> "C:\Program Files\rhcn7nj0erfn\uninstall.exe"
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Broadcom Gigabit Integrated Controller --> MsiExec.exe /X{B7F54262-AB66-44B3-88BF-9FC69941B643}
C-Major Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Comcast Universal Installer v1.2 --> MsiExec.exe /I{54AE3C08-D7D8-45FF-9348-0B4BE0D5A6CB}
Conexant D480 MDC V.92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1\HXFSETUP.EXE -U -Idel5422k.inf
DocuPrinter Pro 4.01 --> "C:\Program Files\Neevia.Com\docuPrinterPro\unins000.exe"
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Driver Diagnostics --> MsiExec.exe /I{16BE87BC-69F5-4D36-8CF0-E1CB3ACD5ED3}
HP Product Detection --> MsiExec.exe /X{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}
Internet Speed Monitor --> C:\Program Files\iCheck\Uninstall.exe
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Lexmark Z700-P700 Series --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBLUN5C.EXE -dLexmark Z700-P700 Series
Linksys Updater --> MsiExec.exe /X{C15B6175-689A-4D97-A42C-7225353F60A7}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
O2Micro Smartcard Driver --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C5BED10B-42A9-4142-B4C2-008C0FDE27D5} /l1033
Palm --> MsiExec.exe /X{0030188A-533E-42EE-9837-E044F10E4369}
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
PowerDVD 5.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
Quicken Home & Business 99 --> C:\WINDOWS\IsUninst.exe -fC:\QUICKENW\Uninst.isu
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Real Alternative 1.60 --> "C:\Program Files\Real Alternative\unins000.exe"
SpyHunter --> "C:\Program Files\Enigma Software Group\SpyHunter\Uninstall.exe" "C:\Program Files\Enigma Software Group\SpyHunter\install.log" -u
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
ThreatFire 3.5 --> "C:\Program Files\ThreatFire\unins000.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"

-- Application Event Log -------------------------------------------------------

Event Record #/Type910 / Error
Event Submitted/Written: 07/06/2008 05:14:13 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type909 / Error
Event Submitted/Written: 07/06/2008 04:35:21 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module embd3260.dll, version 6.0.12.1739, fault address 0x0001a60d.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type902 / Error
Event Submitted/Written: 07/06/2008 03:08:31 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application getpack19.exe, version 0.0.0.0, faulting module getpack19.exe, version 0.0.0.0, fault address 0x00006dc9.
Processing media-specific event for [getpack19.exe!ws!]

Event Record #/Type900 / Error
Event Submitted/Written: 07/06/2008 01:13:05 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type899 / Error
Event Submitted/Written: 07/06/2008 01:11:08 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application msimn.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type17839 / Warning
Event Submitted/Written: 07/08/2008 01:48:33 PM / 07/08/2008 01:49:01 PM
Event ID/Source: 4 / b57w2k
Event Description:
Broadcom 570x Gigabit Integrated Controller: The network link is down. Check to make sure the network cable is properly connected.

Event Record #/Type17834 / Warning
Event Submitted/Written: 07/08/2008 01:47:23 PM
Event ID/Source: 31240 / Windows File Protection
Event Description:
The protected system file c:\windows\system32\winlogon.exe could not be verified as valid because Windows
File Protection is terminating.
Use the SFC utility to verify the integrity of the file at a later time.

Event Record #/Type17833 / Warning
Event Submitted/Written: 07/08/2008 01:47:23 PM
Event ID/Source: 31240 / Windows File Protection
Event Description:
The protected system file c:\windows\system32\svchost.exe could not be verified as valid because Windows
File Protection is terminating.
Use the SFC utility to verify the integrity of the file at a later time.

Event Record #/Type17832 / Warning
Event Submitted/Written: 07/08/2008 01:47:23 PM
Event ID/Source: 31240 / Windows File Protection
Event Description:
The protected system file c:\windows\system32\spoolsv.exe could not be verified as valid because Windows
File Protection is terminating.
Use the SFC utility to verify the integrity of the file at a later time.

Event Record #/Type17831 / Warning
Event Submitted/Written: 07/08/2008 01:47:23 PM
Event ID/Source: 31240 / Windows File Protection
Event Description:
The protected system file c:\windows\system32\services.exe could not be verified as valid because Windows
File Protection is terminating.
Use the SFC utility to verify the integrity of the file at a later time.

-- End of Deckard's System Scanner: finished at 2008-07-08 13:59:16 ------------

#9
Mike

Posted 08 July 2008 - 02:17 PM

Malware Monger

Retired Staff
2,745 posts

Hi there,

* Click here to download HJTsetup.exe

Save HJTsetup.exe to your desktop.
Doubleclick on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.

Do a system scan only and put a checkmark next to the following:

O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - Global Startup: Billminder.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = ?
O20 - AppInit_DLLs: cru629.dat
O21 - SSODL: AppWebWin - {01C26FC4-0AF5-9F00-9E21-03DC7EA6F38B} - C:\Program Files\lcccute\AppWebWin.dll

Press "Fix checked", close hijack this.

Now,

Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\Tasks\SpyHunter Scanner.job
C:\327882R2FWJFW
C:\WINDOWS\system32\cbenhxpesaivt.exe
C:\WINDOWS\system32\netrax06
C:\Program Files\lcccute
C:\Documents and Settings\All Users\Application Data\vqlyjmjo
C:\WINDOWS\system32\kl_done

Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

then,

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Post back with the logs and re-run DSS and post back with main.txt as well.

Edited by Mike, 08 July 2008 - 02:18 PM.

#10
mdphelps

Posted 08 July 2008 - 02:39 PM

Member

Topic Starter
Member
51 posts

otmoveit log:

C:\WINDOWS\Tasks\SpyHunter Scanner.job moved successfully.
C:\327882R2FWJFW moved successfully.
C:\WINDOWS\system32\cbenhxpesaivt.exe moved successfully.
C:\WINDOWS\system32\netrax06 moved successfully.
C:\Program Files\lcccute moved successfully.
C:\Documents and Settings\All Users\Application Data\vqlyjmjo moved successfully.
C:\WINDOWS\system32\kl_done moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07082008_163634

#11
mdphelps

Posted 08 July 2008 - 03:07 PM

Member

Topic Starter
Member
51 posts

Report.txt:

SDFix: Version 1.203
Run by El Marko on Tue 07/08/2008 at 04:53 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\Program Files\GetModule\dicik.gz - Deleted
C:\Program Files\GetModule\GetModule19.exe - Deleted
C:\Program Files\GetModule\kwdik.gz - Deleted
C:\Program Files\GetModule\pckik.dat - Deleted
C:\Program Files\GetPack\dictame.gz - Deleted
C:\Program Files\GetPack\trgtame.gz - Deleted
C:\Program Files\iCheck\iCheck.exe - Deleted
C:\Program Files\iCheck\Uninstall.exe - Deleted

Folder C:\Program Files\GetModule - Removed
Folder C:\Program Files\GetPack - Removed
Folder C:\Program Files\iCheck - Removed

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-08 17:00:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0010c617ebb0]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0010c617ebb0]

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 19 Oct 2007 5,903,928 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Thu 21 Jun 2007 26,624 ...H. --- "C:\Documents and Settings\Mark Phelps\My Documents\~WRL0003.tmp"
Thu 16 Aug 2007 96,768 ...H. --- "C:\Documents and Settings\Mark Phelps\My Documents\~WRL0031.tmp"
Fri 17 Aug 2007 101,376 ...H. --- "C:\Documents and Settings\Mark Phelps\My Documents\~WRL0269.tmp"
Fri 17 Aug 2007 107,520 ...H. --- "C:\Documents and Settings\Mark Phelps\My Documents\~WRL1108.tmp"
Mon 22 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sun 6 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT16.tmp"

Finished!

#12
mdphelps

Posted 08 July 2008 - 03:09 PM

Member

Topic Starter
Member
51 posts

DSS Main.txt log. No extra.txt log produced that i could find.

Deckard's System Scanner v20071014.68
Run by El Marko on 2008-07-08 17:07:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as El Marko.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:07:43 PM, on 7/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\El Marko\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\El Marko.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Universal Installer] "C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe" /fromrun /starthidden
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.h...nosticsxp2k.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 6901 bytes

-- Files created between 2008-06-08 and 2008-07-08 -----------------------------

2008-07-08 16:49:19 0 d-------- C:\WINDOWS\ERUNT
2008-07-08 16:32:47 0 d-------- C:\Program Files\Trend Micro
2008-07-08 11:27:17 0 d-------- C:\Documents and Settings\El Marko\DoctorWeb
2008-07-07 12:38:28 0 d-------- C:\WINDOWS\system32\appmgmt
2008-07-07 12:34:24 0 d-------- C:\VundoFix Backups
2008-07-06 18:44:13 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-07-06 18:36:55 0 d-------- C:\cmdcons
2008-07-06 18:33:14 68096 --a------ C:\WINDOWS\zip.exe
2008-07-06 18:33:14 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-06 18:33:14 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-06 18:33:14 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-06 18:33:14 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-06 18:33:14 98816 --a------ C:\WINDOWS\sed.exe
2008-07-06 18:33:14 80412 --a------ C:\WINDOWS\grep.exe
2008-07-06 18:33:14 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-06 17:08:00 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-07-05 17:50:56 0 d-------- C:\Program Files\Enigma Software Group
2008-07-05 17:40:07 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-05 17:40:07 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-05 17:40:07 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-05 17:40:07 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-07-05 17:40:07 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-05 17:40:07 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-05 17:40:07 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-05 17:40:07 0 d-------- C:\Documents and Settings\Administrator\My Documents <MYDOCU~1>
2008-07-05 17:40:07 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-05 17:40:07 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-07-05 17:40:07 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-05 17:40:07 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-07-05 17:40:07 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-05 17:40:07 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-05 17:19:31 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-07-05 16:48:24 0 d-------- C:\Program Files\ThreatFire
2008-07-05 16:48:24 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-07-05 16:10:40 0 d-------- C:\WINDOWS\system32\8366
2008-07-05 15:03:27 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-07-05 15:03:24 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-07-05 15:03:08 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-07-05 13:26:09 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-05 13:25:52 0 d-------- C:\Program Files\Spyware Doctor
2008-07-05 13:25:52 0 d-------- C:\Documents and Settings\El Marko\Application Data\PC Tools
2008-07-05 10:49:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Linksys
2008-07-04 16:31:49 0 d-------- C:\Documents and Settings\Mark Phelps\Application Data\Canon
2008-07-03 17:54:52 0 d-------- C:\Program Files\Linksys
2008-07-03 08:40:43 0 d-------- C:\Program Files\Common Files\SupportSoft
2008-07-03 08:40:43 0 d-------- C:\Program Files\ComcastUI

-- Find3M Report ---------------------------------------------------------------

2008-07-06 23:20:17 0 d-------- C:\Program Files\Java
2008-07-05 16:28:54 0 d-------- C:\Program Files\Common Files
2008-05-31 23:16:22 1901 --a------ C:\WINDOWS\panose.bin
2008-05-31 21:24:21 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-31 21:01:16 0 d-------- C:\Program Files\Neevia.Com

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [10/07/2005 03:13 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [11/10/2005 10:05 PM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [02/23/2005 05:19 PM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 08:00 AM C:\WINDOWS\system32\bthprops.cpl]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [12/17/2002 12:28 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/29/2008 12:37 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 11:36 AM]
"ThreatFire"="C:\Program Files\ThreatFire\TFTray.exe" [04/24/2008 04:52 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/06/2007 12:53 PM]
"Universal Installer"="C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe" [03/18/2008 02:50 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

-- End of Deckard's System Scanner: finished at 2008-07-08 17:08:14 ------------

#13
mdphelps

Posted 08 July 2008 - 03:10 PM

Member

Topic Starter
Member
51 posts

I have to leave my computer now. I will pick back up later tonight. Thnak you for all of your help.

Mark

#14
mdphelps

Posted 08 July 2008 - 08:38 PM

Member

Topic Starter
Member
51 posts

how do we look?

#15
Mike

Posted 09 July 2008 - 03:55 AM

Malware Monger

Retired Staff
2,745 posts

Hi there,

Your java is outdated

Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
Click on Continue.
Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.

Let's do a sweep of your PC for stray registry keys.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

It looks pretty good to me, are you having any problems?