Welcome to Geeks to Go - Register now for FREE

Warning-Spyware


#1
mike777
    New Member
  • Member
  • 6 posts
Sorry if I'm in the wrong place or doing this incorrectly.
Windows 2k
HiJack log (hopefully)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:41:38, on 7/12/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\mgabg.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PDesk\PDesk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daddyosmusic.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AutoDiscovery Class - {CAB710D6-532E-4B68-97AE-398477FA5524} - C:\Program Files\Deskshare\Active Web Reader\IERSSFeedDiscovery.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\PartyGaming\PartyPoker\RunApp.exe
O15 - Trusted Zone: http://www.pristine.com
O16 - DPF: Sametime JNI Loader ST30SP1 - http://chat.pristine...STJNILoader.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cmeevents.we...ent/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A266880D-6DCA-47AF-AF02-E524F1B80306}: NameServer = 66.210.16.52,66.210.17.52
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgabg.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 5836 bytes

#2
sarahw
    Malware Staff
  • Member
  • 2,781 posts
Hi,
Welcome to the site.

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

I want you to show hidden files. There are instructions HERE to help you do this.
You should have Administrator rights to perform the fixes. Some of the instructions I give may need to be printed or saved for reference during the fix. Some of the fix will be done in Safe Mode, so you will be unable to access this thread at that time.
Please don't use any of the tools without specific instructions. Some of them are dangerous (and could leave your computer in worse condition than it is when infected) if used incorrectly.
These instructions should be read first, then followed. If you do not understand something, don't be afraid to ask, or see if I'm on chat. :)

#3
sarahw
    Malware Staff
  • Member
  • 2,781 posts
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#4
mike777
    New Member
  • Topic Starter
  • Member
  • 6 posts
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-12 17:15:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:15:22, on 7/12/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\mgabg.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PDesk\PDesk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S00MT1.EXE
C:\Program Files\Common Files\EPSON\EBAPI\EBRR.EXE
C:\Documents and Settings\ADMINISTRATOR\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daddyosmusic.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AutoDiscovery Class - {CAB710D6-532E-4B68-97AE-398477FA5524} - C:\Program Files\Deskshare\Active Web Reader\IERSSFeedDiscovery.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\PartyGaming\PartyPoker\RunApp.exe
O15 - Trusted Zone: http://www.pristine.com
O16 - DPF: Sametime JNI Loader ST30SP1 - http://chat.pristine...STJNILoader.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cmeevents.we...ent/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A266880D-6DCA-47AF-AF02-E524F1B80306}: NameServer = 66.210.16.52,66.210.17.52
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgabg.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 5900 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.js - JSFile - DefaultIcon - C:\WINNT\System32\WScript.exe,3
.js - JSFile - shell\open\command - C:\WINNT\System32\WScript.exe "%1" %*
.vbs - VBSFile - DefaultIcon - C:\WINNT\System32\WScript.exe,2
.vbs - VBSFile - shell\open\command - C:\WINNT\System32\WScript.exe "%1" %*
.vbs - VBSFile - shell\edit\command - C:\WINNT\System32\Notepad.exe %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 hpt366 - c:\winnt\system32\drivers\hpt366.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
R3 WinDriver (WinDriver kernel module) - c:\winnt\system32\drivers\windrvr.sys <Not Verified; Jungo; WinDriver Device Driver>

S3 GMSIPCI - d:\install\gmsipci.sys (file missing)
S3 UtilNT - c:\winnt\system32\drivers\utilnt.sys <Not Verified; Matrox Graphics Inc.; Matrox Graphics Inc. UtilNt>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {D45B1C18-C8FA-11D1-9F77-0000F805F530}
Description: NT Apm/Legacy Interface Node
Device ID: ROOT\NTAPM\0000
Manufacturer: Microsoft
Name: NT Apm/Legacy Interface Node
PNP Device ID: ROOT\NTAPM\0000
Service: NtApm


-- Scheduled Tasks -------------------------------------------------------------

2008-06-07 03:00:00 512 --a------ C:\WINNT\Tasks\AdwareAlert Scheduled Scan.job


-- Files created between 2008-06-12 and 2008-07-12 -----------------------------

2008-07-12 16:41:22 0 d-------- C:\Program Files\Trend Micro
2008-07-12 14:32:44 0 d-------- C:\Documents and Settings\ADMINISTRATOR\Application Data\Malwarebytes
2008-07-12 14:32:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-12 14:32:39 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-12 14:22:50 0 d-------- C:\Program Files\Common Files\Download Manager
2008-07-11 17:35:13 0 d-------- C:\Documents and Settings\ADMINISTRATOR\Application Data\HouseCall 6.6
2008-07-11 15:55:41 68096 --a------ C:\WINNT\zip.exe
2008-07-11 15:55:41 49152 --a------ C:\WINNT\VFind.exe
2008-07-11 15:55:41 136704 --a------ C:\WINNT\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-11 15:55:41 161792 --a------ C:\WINNT\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-11 15:55:41 98816 --a------ C:\WINNT\sed.exe
2008-07-11 15:55:41 80412 --a------ C:\WINNT\grep.exe
2008-07-11 15:55:41 89504 --a------ C:\WINNT\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-10 22:54:54 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-07-10 22:54:22 0 d-------- C:\Program Files\Common Files\PC Tools
2008-07-10 21:43:13 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-10 21:42:43 0 d-------- C:\Program Files\Spyware Doctor
2008-07-10 21:42:43 0 d-------- C:\Documents and Settings\ADMINISTRATOR\Application Data\PC Tools
2008-07-10 17:32:47 25600 --a------ C:\WINNT\system32\WS2Fix.exe
2008-07-10 17:32:47 289144 --a------ C:\WINNT\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-07-10 17:32:47 86528 --a------ C:\WINNT\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-07-10 17:32:47 288417 --a------ C:\WINNT\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-07-10 17:32:47 82944 --a------ C:\WINNT\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-07-10 17:32:47 51200 --a------ C:\WINNT\system32\dumphive.exe
2008-07-10 17:32:47 82944 --a------ C:\WINNT\system32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-07-10 17:32:46 53248 --a------ C:\WINNT\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-07-10 17:04:35 105232 --a------ C:\WINNT\system32\byrebxpn.dll
2008-07-10 16:58:35 90912 --a------ C:\WINNT\system32\oxoxjigo.dll
2008-07-10 10:58:30 25888 --a------ C:\WINNT\system32\rqRKAPJb.dll
2008-07-10 10:58:29 25888 --a------ C:\WINNT\system32\ssqRHAss.dll
2008-07-10 10:50:20 25888 --a------ C:\WINNT\system32\wvUkICuT.dll
2008-07-10 10:50:12 0 d-a------ C:\WINNT\system32\olixds01


-- Find3M Report ---------------------------------------------------------------

2008-07-12 15:45:32 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-12 14:36:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-12 14:22:50 0 d-a------ C:\Program Files\Common Files
2008-07-12 14:01:26 2224 --a------ C:\WINNT\system32\tmp.reg
2008-07-11 17:50:20 0 d-------- C:\Documents and Settings\ADMINISTRATOR\Application Data\AVG7
2008-07-10 15:24:35 0 d-------- C:\Program Files\InvestRT
2008-07-10 13:08:59 0 d-------- C:\Program Files\PokerStars
2008-06-30 18:15:42 0 d-------- C:\Program Files\QuickTime
2008-05-28 17:36:20 0 d-------- C:\Program Files\Napster
2008-05-28 17:36:20 0 d-------- C:\Program Files\J-Trader
2008-05-28 17:36:20 0 d-------- C:\Program Files\eSignal
2008-05-28 17:36:20 0 d-------- C:\Documents and Settings\ADMINISTRATOR\Application Data\LimeWire
2008-05-28 17:31:44 0 d-------- C:\Program Files\ToniArts
2008-05-28 17:31:43 0 d--h----- C:\Program Files\InstallShield Installation Information


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Matrox Powerdesk"="C:\WINNT\system32\PDesk\PDesk.exe" [09/14/04 11:13a]
"Synchronization Manager"="mobsync.exe" [06/19/03 02:05p C:\WINNT\system32\mobsync.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [03/31/04 01:35p]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/07 04:00a]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [06/27/08 11:29a]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/30/08 06:15p]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [04/10/08 03:14p]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealPlayer"="C:\Program Files\Real\RealPlayer\realplay.exe" [06/01/06 08:57a]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/27/07 11:39a]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\ADMINISTRATOR\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 8:16:50 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/06 12:55p 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 02/27/07 11:39a 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2008-07-12 17:15:58 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows 2000 Professional (build 2195) SP 4.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 30%
Physical Memory (total/avail): 1023.49 MiB / 706.96 MiB
Pagefile Memory (total/avail): 2226.46 MiB / 1767.42 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1953.61 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.26 GiB total, 27.7 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST340810A - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.26 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\ADMINISTRATOR\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BACK-COMPUTER
ComSpec=C:\WINNT\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\ADMINISTRATOR
LOGONSERVER=\\BACK-COMPUTER
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\Program Files\Outlook Express;C:\WINNT\system32;C:\WINNT;C:\WINNT\system32\wbem;C:\WINNT\Microsoft.NET\Framework\v1.1.4322;C:\Program Files\Common Files\Adobe\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=BACK-COMPUTER
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\ADMINISTRATOR
windir=C:\WINNT


-- User Profiles ---------------------------------------------------------------

ADMINISTRATOR (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Active Web Reader 2.49 --> "C:\Program Files\Deskshare\Active Web Reader\unins000.exe"
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Download Manager 1.2 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player ActiveX --> C:\WINNT\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
AutoHotkey 1.0.47.04 --> C:\Program Files\AutoHotkey\uninst.exe
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
BurnAware Free Edition --> "C:\Documents and Settings\All Users\Application Data\{732094A9-8D45-41EB-B8CC-4EBAADD7808E}\burnaware_free.exe" REMOVE=TRUE MODIFY=FALSE
EasyCleaner --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F5346614-B7C4-4E94-826A-E2363155233D}\setup.exe" -l0x9 -removeonly
EPSON Printer Software --> C:\WINNT\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /r
eSignal --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{03EA3D6E-D92B-11D0-892B-00A0C91827B3}\setup.exe" -uninst
FC060224 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FE14F6AF-4E33-4868-B11A-356A33ABEFFF}\setup.exe" -l0x9
FC060316 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A4D3F51E-3CF8-4310-8E8D-7D745B231B2B}\setup.exe" -l0x9
FC060326 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{89430CC6-A337-4785-A72E-6862D466546F}\setup.exe" -l0x9
Full Tilt Poker --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}\setup.exe" -l0x9
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
GoToMeeting 2.0.0.127 --> C:\Program Files\Citrix\GoToMeeting\127\G2MInstaller.exe /uninstall
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
hotComm Lite® --> C:\PROGRA~1\1stWORKS\HOTCOM~1\CFG\UNWISE.EXE C:\PROGRA~1\1stWORKS\HOTCOM~1\CFG\INSTALL.LOG
hotComm® CL --> C:\PROGRA~1\1stWORKS\HOTCOM~2\CFG\UNWISE.EXE C:\PROGRA~1\1stWORKS\HOTCOM~2\CFG\INSTALL.LOG
Investor/RT 8.8.6 --> "C:\Program Files\InvestRT\unins000.exe"
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{78F4DFCE-1336-4027-BCB2-1A00C24A8653} /l1033
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_350000_1271226\Setup.exe /APR-REMOVE
Macromedia Shockwave Player --> C:\WINNT\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINNT\system32\Macromed\SHOCKW~1\Install.log
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MarketDelta 8.6.1 --> "C:\Program Files\MktDelta\unins000.exe"
Matrox Graphics Software (remove only) --> C:\WINNT\system32\PDesk\PDUninst.exe
Matrox System Utilities --> C:\WINNT\IsUninst.exe -fC:\Matrox\util\DeIsL1.isu
Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 Hotfix (KB928366) --> "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 2.0 Service Pack 1 --> MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINNT\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft FrontPage 2000 --> MsiExec.exe /I{00120409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2000 SR-1 Small Business --> MsiExec.exe /I{00030409-78E1-11D2-B60F-006097C998E7}
Microsoft Text-to-Speech Engine 4.0 (English) --> RunDll32 advpack.dll,LaunchINFSection C:\WINNT\INF\msTTSa22.inf, Uninstall
Microsoft XML Parser and SDK --> MsiExec.exe /I{3E908702-AF35-4611-9518-955DA24B7E07}
mIRC --> "C:\Program Files\mIRC\mirc.exe" -uninstall
MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
Napster --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBBCAE4B-B416-4182-A6F2-438180894A81}\setup.exe" -l0x9 -removeonly
Napster Burn Engine --> MsiExec.exe /I{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}
Nero - Burning Rom --> MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
PartyPoker --> "C:\program files\PartyGaming\PartyPoker\Uninstall.exe" "C:\program files\PartyGaming\PartyPoker\install.log"
PokerStars --> C:\Program Files\PokerStars\Uninstall.EXE /u:"PokerStars"
Pristine Chat --> C:\PROGRA~1\1stWORKS\PRISTI~1\CFG\UNWISE.EXE C:\PROGRA~1\1stWORKS\PRISTI~1\CFG\INSTALL.LOG
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Remote Desktop Connection --> MsiExec.exe /X{3E713D52-C967-41FB-AA24-3A92CC1025A4}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for DirectX 9 (KB941568) --> "C:\WINNT\$NtUninstallKB941568_DX9$\spuninst\spuninst.exe"
Security Update for DirectX 9 (KB951698) --> "C:\WINNT\$NtUninstallKB951698_DX9$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB904706) --> "C:\WINNT\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB923689) --> "C:\WINNT\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB941569) --> "C:\WINNT\$NtUninstallKB941569$\spuninst\spuninst.exe"
Sibelius Scorch (ActiveX Only) --> MsiExec.exe /I{C8E4455F-0F70-4DA2-A9F9-2D56C80E10AD}
SimInfinityAT --> C:\Program Files\InstallShield Installation Information\{E989FC1C-0643-4F54-A04E-828CC1D5BD73}\Setup.exe
Skype 2.0 --> "C:\Program Files\Skype\Phone\unins000.exe"
Skype™ 3.5 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SmartFTP Client --> MsiExec.exe /I{C169D3BB-9A27-43F5-9979-09A0D65FE95C}
SmartFTP Client 2.5 Setup Files (remove only) --> C:\Program Files\SmartFTP Client 2.5 Setup Files\uninst-sftp.exe
SnagIt 8 --> MsiExec.exe /I{524228C9-826F-4B58-9E47-4F2E5C7E9F45}
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Symantec Technical Support Web Controls --> MsiExec.exe /X{C4868E88-F5B5-4E45-9592-C7062BD97441}
TapeReader --> C:\WINNT\st6unst.exe -n "C:\Program Files\TapeReader\ST6UNST.LOG"
Time Zone Data Update Tool for Microsoft Office Outlook --> MsiExec.exe /X{95120000-0038-0409-0000-0000000FF1CE}
TradeMaven --> MsiExec.exe /I{3E03542A-310A-401E-BA51-F8A278FE918B}
Turbo Trader 2 --> MsiExec.exe /I{17A4C473-2046-44AF-8157-96DC83FDBC36}
UBNet --> C:\PROGRA~1\UBNet\UNWISE.EXE C:\PROGRA~1\UBNet\INSTALL.LOG
WebEx --> C:\WINNT\Downlo~1\atcliun.exe
Windows Blaster Worm Removal Tool (KB833330) --> C:\WINNT\$NtUninstallKB833330$\spuninst\spuninst.exe
Windows Genuine Advantage v1.3.0254.0 --> MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Media Player system update (9 Series) --> C:\PROGRA~1\WINDOW~2\setup_wm.exe /Uninstall
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall


-- Application Event Log -------------------------------------------------------

Event Record #/Type16551 / Warning
Event Submitted/Written: 07/12/2008 04:36:36 PM
Event ID/Source: 35 / WinMgmt
Event Description:
WMI ADAP was unable to load the ASP.NET_2.0.50727 performance library because it returned invalid data: 0x0

Event Record #/Type16550 / Warning
Event Submitted/Written: 07/12/2008 04:36:33 PM
Event ID/Source: 35 / WinMgmt
Event Description:
WMI ADAP was unable to load the ASP.NET performance library because it returned invalid data: 0x0

Event Record #/Type16549 / Warning
Event Submitted/Written: 07/12/2008 04:36:08 PM
Event ID/Source: 4100 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber {6295DF2D-35EE-11D1-8707-00C04FD93327}. CoCreateInstanceEx returned HRESULT 8000401A.

Event Record #/Type16544 / Warning
Event Submitted/Written: 07/12/2008 11:46:14 AM
Event ID/Source: 35 / WinMgmt
Event Description:
WMI ADAP was unable to load the ASP.NET_2.0.50727 performance library because it returned invalid data: 0x0

Event Record #/Type16543 / Warning
Event Submitted/Written: 07/12/2008 11:46:08 AM
Event ID/Source: 35 / WinMgmt
Event Description:
WMI ADAP was unable to load the ASP.NET performance library because it returned invalid data: 0x0



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2604 / Error
Event Submitted/Written: 07/12/2008 04:35:49 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Task Scheduler service failed to start due to the following error:
%%1083

Event Record #/Type2600 / Error
Event Submitted/Written: 07/12/2008 11:45:18 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Task Scheduler service failed to start due to the following error:
%%1083

Event Record #/Type2596 / Error
Event Submitted/Written: 07/12/2008 11:42:50 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {1BE1F766-5536-11D1-B726-00C04FB926AF} did not register with DCOM within the required timeout.

Event Record #/Type2595 / Error
Event Submitted/Written: 07/12/2008 10:53:18 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {1BE1F766-5536-11D1-B726-00C04FB926AF} did not register with DCOM within the required timeout.

Event Record #/Type2594 / Error
Event Submitted/Written: 07/12/2008 10:52:27 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
%%1077



-- End of Deckard's System Scanner: finished at 2008-07-12 17:15:58 ------------
#5
sarahw (Malware Staff, 2,781 posts)
I can see the infections now.

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
#6
mike777 (Topic Starter, New Member, 6 posts)
Thank you, Sarah.

ComboFix 08-07-13.12 - Administrator 07/14/2008 10:43:48.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.728 [GMT -5:00]
Running from: C:\Documents and Settings\ADMINISTRATOR\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\pskt.ini
C:\WINNT\system32\byrebxpn.dll
C:\WINNT\system32\oxoxjigo.dll
C:\WINNT\system32\rqRKAPJb.dll
C:\WINNT\system32\ssqRHAss.dll
C:\WINNT\system32\wvUkICuT.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-14 to 2008-07-14 )))))))))))))))))))))))))))))))
.

2008-07-14 10:43 . 08-07-14 10:43 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_32c.dat
2008-07-12 19:55 . 08-07-12 19:55 1,284,260 ---h----- C:\WINNT\ShellIconCache
2008-07-12 17:14 . 08-07-12 17:14 <DIR> d-------- C:\Deckard
2008-07-12 16:41 . 08-07-12 16:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-12 14:32 . 08-07-12 14:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-12 14:32 . 08-07-12 14:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-12 14:32 . 08-07-12 14:32 <DIR> d-------- C:\Documents and Settings\ADMINISTRATOR\Application Data\Malwarebytes
2008-07-12 14:32 . 08-07-07 17:35 34,296 --a------ C:\WINNT\system32\drivers\mbamcatchme.sys
2008-07-12 14:32 . 08-07-07 17:35 17,144 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-07-12 14:22 . 08-07-12 14:22 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-07-12 13:59 . 08-07-02 13:33 82,432 --a------ C:\WINNT\system32\IEDFix.C.exe
2008-07-11 17:35 . 08-07-11 17:35 <DIR> d-------- C:\Documents and Settings\ADMINISTRATOR\Application Data\HouseCall 6.6
2008-07-10 22:54 . 08-07-10 22:54 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-07-10 22:54 . 08-07-10 22:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-07-10 22:54 . 08-07-10 22:54 159,880 --a------ C:\WINNT\system32\drivers\pctfw2.sys
2008-07-10 21:43 . 08-07-14 10:37 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-10 21:42 . 08-07-14 10:27 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-07-10 21:42 . 08-07-10 21:42 <DIR> d-------- C:\Documents and Settings\ADMINISTRATOR\Application Data\PC Tools
2008-07-10 21:42 . 02-05-15 15:16 462,848 --a------ C:\WINNT\system32\msaatext.dll
2008-07-10 21:42 . 02-05-15 15:16 360,448 --a------ C:\WINNT\system32\oleacc.dll
2008-07-10 21:42 . 02-05-15 15:16 356,352 --a------ C:\WINNT\system32\oleaccrc.dll
2008-07-10 21:42 . 07-12-10 13:53 81,288 --a------ C:\WINNT\system32\drivers\iksyssec.sys
2008-07-10 21:42 . 07-12-10 13:53 66,952 --a------ C:\WINNT\system32\drivers\iksysflt.sys
2008-07-10 21:42 . 08-02-01 11:55 42,376 --a------ C:\WINNT\system32\drivers\ikfilesec.sys
2008-07-10 21:42 . 07-12-10 13:53 29,576 --a------ C:\WINNT\system32\drivers\kcom.sys
2008-07-10 17:32 . 07-09-06 00:22 289,144 --a------ C:\WINNT\system32\VCCLSID.exe
2008-07-10 17:32 . 06-04-27 17:49 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
2008-07-10 17:32 . 08-04-24 08:10 86,528 --a------ C:\WINNT\system32\VACFix.exe
2008-07-10 17:32 . 08-04-28 08:03 82,944 --a------ C:\WINNT\system32\IEDFix.exe
2008-07-10 17:32 . 08-04-28 08:03 82,944 --a------ C:\WINNT\system32\404Fix.exe
2008-07-10 17:32 . 03-06-05 21:13 53,248 --a------ C:\WINNT\system32\Process.exe
2008-07-10 17:32 . 04-07-31 18:50 51,200 --a------ C:\WINNT\system32\dumphive.exe
2008-07-10 17:32 . 07-10-04 00:36 25,600 --a------ C:\WINNT\system32\WS2Fix.exe
2008-07-10 16:58 . 08-07-12 16:15 110,419 --a------ C:\WINNT\BMc3d26a86.xml
2008-07-10 10:50 . 08-07-10 10:58 <DIR> d-a------ C:\WINNT\system32\olixds01
2008-07-10 10:50 . 08-07-10 10:50 <DIR> d-------- C:\Temp\stmpv4
2008-06-25 04:41 . 08-06-25 04:41 137,488 --a--c--- C:\WINNT\system32\dllcache\dnsapi.dll
2008-06-25 04:41 . 08-06-25 04:41 105,744 --a------ C:\WINNT\system32\msafd.dll
2008-06-25 04:41 . 08-06-25 04:41 105,744 --a--c--- C:\WINNT\system32\dllcache\msafd.dll
2008-06-25 04:41 . 08-06-25 04:41 64,784 --a------ C:\WINNT\system32\mswsock.dll
2008-06-25 04:41 . 08-06-25 04:41 64,784 -----c--- C:\WINNT\system32\dllcache\mswsock.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-12 20:45 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-07-12 19:36 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-12 19:01 2,224 ----a-w C:\WINNT\system32\tmp.reg
2008-07-11 22:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\avg7
2008-07-11 22:50 --------- d-----w C:\Documents and Settings\ADMINISTRATOR\Application Data\AVG7
2008-07-10 20:24 --------- d-----w C:\Program Files\InvestRT
2008-07-10 18:08 --------- d-----w C:\Program Files\PokerStars
2008-06-30 23:15 --------- d-----w C:\Program Files\QuickTime
2008-06-18 10:05 320,528 ----a-w C:\WINNT\system32\drivers\tcpip.sys
2008-06-10 15:37 --------- d---a-w C:\Documents and Settings\All Users\Application Data\RCGOnyx2
2008-05-28 22:36 --------- d-----w C:\Program Files\Napster
2008-05-28 22:36 --------- d-----w C:\Program Files\J-Trader
2008-05-28 22:36 --------- d-----w C:\Program Files\eSignal
2008-05-28 22:36 --------- d-----w C:\Documents and Settings\ADMINISTRATOR\Application Data\LimeWire
2008-05-28 22:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-28 22:31 --------- d-----w C:\Program Files\ToniArts
2008-05-01 03:16 1,222,656 ----a-w C:\WINNT\system32\quartz.dll
2008-04-18 13:55 575,488 ----a-w C:\WINNT\system32\WININET.DLL
2006-06-07 16:36 208,824 ----a-w C:\Program Files\scv.exe
2006-05-19 23:26 422 ----a-w C:\Program Files\Shortcut to TapeReader.lnk
2006-05-18 00:39 22,912,122 ----a-w C:\Program Files\eSignal_80r1.exe
2006-05-15 17:03 9,396,952 ----a-w C:\Program Files\SkypeSetup.exe
2006-04-23 21:15 13,951,112 ----a-w C:\Program Files\MPSetup.exe
2003-10-18 20:56 271 ---h--w C:\Program Files\desktop.ini
2003-10-18 20:56 21,952 ---h--w C:\Program Files\folder.htt
1999-12-07 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealPlayer"="C:\Program Files\Real\RealPlayer\realplay.exe" [06-06-01 08:57 1003520]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [07-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Matrox Powerdesk"="C:\WINNT\system32\PDesk\PDesk.exe" [04-09-14 11:13 684032]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04-03-31 13:35 180269]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07-07-12 04:00 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08-06-27 11:29 580096]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08-06-30 18:15 413696]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [08-04-10 15:14 1107848]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 111376 C:\WINNT\system32\mobsync.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [08-01-04 19:43 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 14:05 186640]

C:\Documents and Settings\ADMINISTRATOR\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [06-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
07-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"msacm.Mi-sc4"= Mi-sc4.acm

R0 hpt366;hpt366;C:\WINNT\system32\DRIVERS\hpt366.sys [99-09-28 09:33 ]
R0 ultra66;ultra66;C:\WINNT\system32\DRIVERS\ultra66.sys [99-09-25 12:11 ]
R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys [08-01-04 19:43 ]
R1 pctfw2;pctfw2;C:\WINNT\system32\drivers\pctfw2.sys [08-07-10 22:54 ]
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-06-19 14:05 ]
R3 voodoo3;voodoo3;C:\WINNT\system32\DRIVERS\voodoo3.sys [99-10-29 10:00 ]
R3 WinDriver;WinDriver kernel module;C:\WINNT\system32\Drivers\windrvr.sys [04-06-18 20:03 ]
S3 lne100tx;Linksys LNE100TX Fast Ethernet PCI Adapter;C:\WINNT\system32\DRIVERS\lne100tx.sys [99-09-24 14:17 ]
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINNT\system32\DRIVERS\NtApm.sys [99-09-25 05:36 ]
S3 UtilNT;UtilNT;C:\WINNT\system32\drivers\UtilNT.sys [00-01-27 06:31 ]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-07 08:00:00 C:\WINNT\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-14 10:46:41
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-14 10:48:46
ComboFix-quarantined-files.txt 2008-07-14 15:48:23
ComboFix2.txt 2008-07-11 21:13:48

Pre-Run: 29,720,190,976 bytes free
Post-Run: 29,736,329,216 bytes free

151 --- E O F --- 2008-07-09 16:09:32
#7
sarahw (Malware Staff, 2,781 posts)
Could you please tell me the security products you are using.
How is the computer running at the moment?
I want you to try to run MBAM:

Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan (Full scan is optional. According to the program's creator Quick Scan will do just fine.).
Click Scan.
When the scan is complete, click OK, then Show Results to view the results.

If Malware is found...
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad.
Please save it to your desktop.

NOTE: Logs can be retrieved at a later date from the Malwarebytes' Anti-Malware main screen:

Launch Malwarebytes' Anti-Malware.
Click the Logs tab.
Double-click log-mm.dd.yyyy [xxxxxx].txt.

In your next reply post the Malwarebytes' Anti-Malware log.
#8
mike777 (Topic Starter, New Member, 6 posts)
Thank you, Sarah.

I usually have AVG running. I also have PC Tools Spyware Dr. and SuperAntiSpyware.
I've downloaded the MalwareBytes' program a couple of times but it won't run for me. It starts and then suddenly disappears. Any ideas there?

My computer is better but still occasionally slow or sticky. The random website popups and taking over of ads on sites is no longer happening. Sometimes the legit ads are slow to load which in turn slows down the loading of the site.

I also think it may have messed up my printing. I can print from notepad but not Word. I've tried uninstalling/reinstalling the printer software but there's a glitch. I get the "process cannot access the file because the port is being used" message.

Should I change anything back yet from our previous setting changes?

Mike

Edited by mike777, 16 July 2008 - 04:30 PM.

#9
sarahw (Malware Staff, 2,781 posts)
There are a few other types of scans we can try. Try this one:
Please click HERE to run the Trend Micro™ HouseCall Scan.
  • Click Scan now. It's free!
  • Read and put a Check next to Yes I accept the terms of use.
  • Click the Launching HouseCall>> button.
  • Under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
  • You may receive a Security Warning about the TrendMicro Java applet, click YES.
  • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  • Please be patient while it installs, updates, and scans your system.
  • Once the scan is complete, it will take you to the summary page.
  • Under Cleanup options, choose clean all detected infections automatically.
  • Click the Clean now>> button.
  • If anything was found you may be prompted to run the scan again, you can just close the browser window.

#10
mike777 (Topic Starter, New Member, 6 posts)
Thank you, Sarah.

The Housecall program also found a few items.

My computer seems to be running better and the printer actually printed Word docs today...crossin' my fingers there.

Anything else I can do to clean more?

I appreciate this web site and particularly your help with all of this. It is very kind of you. I will gladly make a donation.

Mike
#11
sarahw (Malware Staff, 2,781 posts)
Please download OTCleanIt from HERE to your desktop.
Double click to run it. It will clean up the assortment of tools used during malware removal. When it has finished, it will ask you to reboot so it can remove itself.


Congratulations, your log is now clean. :)

A well-protected computer should have at least an Anti Virus and Firewall; an Anti Spyware is also a great addition to your computer's security. Here is a list of tools I like to recommend to people that will help ensure safe surfing on the internet, and to help you from getting infected again.
Note: DO NOT install more than one antivirus or Firewall program. They will conflict, and provide less protection, not more. Uninstall any existing Anti Virus\Firewall programs if you're going to install a new one.


Free Online Scans:
Free Active X and Java based online scans. You can use these scans from other companies and it will not interfere with your current Anti Virus. If you find that you are infected, post a Hijack This log in the forums.

Free Temp Cleaners:
Use these tools to clean temporary files from IE and Windows, empty the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders. ATF cleaner recommended.

Free Firewall Downloads:
You must have a Firewall installed on your computer. This helps stop anything from leaving or entering your computer without your permission.

Free Anti Spyware Downloads:
An Antispyware is a great tool that can help remove infections along side your Anti Virus. Some include real time protection, scheduled scans and automatic definition updates.

Free Anti Virus Downloads:
A must have for all computers. Avast! recommended.

Other:
  • SpywareGuard
    Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd
    This tool puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • Memtest86
    Great memory testing software.
  • CPU-Z
    This application gives detailed information about your system in a nice layout.
  • Speedfan
    Returns and monitors system temperatures.
  • Windows Updates
    It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
You can now rehide your system files by using the reversal of these instructions HERE.



To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read THIS article by Tony Klein.


If you have any other problems or questions be sure to ask. :)