
antivirus xp 2008 [CLOSED]


  • This topic is locked

#1
Rickyp

    New Member

  • Member
  • 4 posts
This program showed up, changing my desktop and removing the start menu. I have used Malwarebytes, Avast, and Spybot. I have restarted my system but still have no start menu. Can you look at this log and offer any help? Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:38:46 PM, on 7/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Sony\Giga Pocket\shwserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Intrigue Technologies\Harmony Remote\EasyZapperMonitor.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Intrigue Technologies\Harmony Remote\EasyZapperManagerExe.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sbcglobal.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: PicLens plug-in for Internet Explorer - {EAEE5C74-6D0D-4aca-9232-0DA4A7B866BA} - C:\Program Files\PicLensIE\PicLens.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Harmony Monitor.lnk = C:\Program Files\Intrigue Technologies\Harmony Remote\EasyZapperMonitor.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} (PowerTeam HTML Printing Behavior) - file://C:\DOCUME~1\Rickyp\LOCALS~1\Temp\IXP000.TMP\setup.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://targetphoto.k..._2/axofupld.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Giga Pocket Hardware Detector - Sony Corporation - C:\Program Files\Sony\Giga Pocket\shwserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\RM_SV.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe


#2
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until the part about posting the log. Post the ComboFix log here.

#3
Rickyp

    New Member

  • Topic Starter
  • Member
  • 4 posts
The task bar shows up at the start, then is covered up by a second XP wallpaper.

Here is the log. Thanks for your help.

ComboFix 08-07-29.1 - Rickyp 2008-07-31 0:08:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.543 [GMT -7:00]
Running from: C:\Documents and Settings\Rickyp\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Rickyp\Application Data\macromedia\Flash Player\#SharedObjects\C9L7YMXT\interclick.com
C:\Documents and Settings\Rickyp\Application Data\macromedia\Flash Player\#SharedObjects\C9L7YMXT\interclick.com\ud.sol
C:\Documents and Settings\Rickyp\Application Data\macromedia\Flash Player\#SharedObjects\C9L7YMXT\www.broadcaster.com
C:\Documents and Settings\Rickyp\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Rickyp\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Rickyp\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Rickyp\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\Downloaded Program Files\setup.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Legacy_MSDIRECT
-------\Legacy_SYSREST.SYS
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-31 )))))))))))))))))))))))))))))))
.

2008-07-28 16:38 . 2008-07-28 16:38 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-28 16:33 . 2008-07-28 16:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-28 16:24 . 2008-07-28 16:24 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-28 16:24 . 2008-07-28 16:24 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-07-28 16:24 . 2008-07-28 16:24 <DIR> d-------- C:\Documents and Settings\Rickyp\Application Data\Malwarebytes
2008-07-28 16:24 . 2008-07-28 16:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-28 16:24 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-28 16:24 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-27 23:35 . 2008-07-27 23:35 <DIR> d-------- C:\Program Files\Windows Defender
2008-07-11 14:48 . 2008-07-29 23:44 <DIR> d-------- C:\Program Files\iTunes
2008-06-20 10:41 . 2008-06-20 10:41 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 03:44 . 2008-06-20 03:44 138,368 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-10 18:48 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-30 23:49 --------- d-----w C:\Program Files\Java
2008-07-29 06:27 --------- d-----w C:\Program Files\QuickTime
2008-07-28 16:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-28 15:57 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-28 15:37 --------- d-----w C:\Program Files\SpywareBlaster
2008-07-28 06:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-28 06:08 --------- d-----w C:\Program Files\HP
2008-07-11 21:48 --------- d-----w C:\Program Files\iPod
2008-07-11 21:31 --------- d-----w C:\Program Files\Apple Software Update
2008-07-10 16:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2002-06-25 09:36 92,160 -c--a-w C:\Program Files\Common Files\WISC30.dll
2002-06-25 09:36 91,648 -c--a-w C:\Program Files\Common Files\WHSC30.dll
2002-06-25 09:36 55,808 -c--a-w C:\Program Files\Common Files\SOAPIS30.dll
2002-06-25 09:36 437,760 -c--a-w C:\Program Files\Common Files\MSSOAP30.dll
2002-06-25 09:36 30,208 -c--a-w C:\Program Files\Common Files\MSSOAPR3.dll
2001-08-23 14:00 25,088 -c--a-w C:\Program Files\Common Files\wisc10.dll
2001-08-23 14:00 23,552 -c--a-w C:\Program Files\Common Files\mssoapr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-10-29 17:50 4620288]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-02-28 21:00 315392]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-03-11 11:24 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 11:11 114688]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 10:29 40960]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2002-04-12 15:02 1417216]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 01:01 155648]
"VAIO Recovery"="C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-19 22:08 28672]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-10-29 17:50 86016]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 02:50 204800]
"PDUiP6600DMon"="C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe" [2005-05-25 10:35 69632]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2005-12-04 17:38 437008]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"nwiz"="nwiz.exe" [2004-10-29 17:50 921600 C:\WINDOWS\system32\nwiz.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 14:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-02-14 12:59 88107 C:\WINDOWS\AGRSMMSG.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]

C:\Documents and Settings\Rickyp\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2005-01-18 18:03:29 1976056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]
Harmony Monitor.lnk - C:\Program Files\Intrigue Technologies\Harmony Remote\EasyZapperMonitor.exe [2004-01-19 20:47:34 81920]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-09-11 21:28:46 67128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2006-09-21 14:29 226992 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= C:\PROGRA~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll
"MSACM.CEGSM"= mobilev.acm
"VIDC.I263"= i263_32.drv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Sony\\Giga Pocket\\gps.exe"=
"C:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"C:\\Program Files\\D-Link Media Server\\MediaServer.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"C:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 07:35]
R1 RCFOX;SonicWALL IPsec Driver;C:\WINDOWS\system32\Drivers\RCFOX.sys [2004-10-15 11:46]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 07:37]
R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys [2003-08-20 15:01]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2008-07-27 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-07-31 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2003-11-21 C:\WINDOWS\Tasks\Registration reminder 1.job
- C:\WINDOWS\System32\OOBE\oobebaln.exe [2004-08-04 00:56]

2003-11-26 C:\WINDOWS\Tasks\Registration reminder 2.job
- C:\WINDOWS\System32\OOBE\oobebaln.exe [2004-08-04 00:56]

2003-12-06 C:\WINDOWS\Tasks\Registration reminder 3.job
- C:\WINDOWS\System32\OOBE\oobebaln.exe [2004-08-04 00:56]

2008-07-30 C:\WINDOWS\Tasks\{48DF1B58-A1B4-462B-81FB-EBE591E38A03}_RICKYP2_Rickyp.job
- C:\WINDOWS\system32\mobsync.exe [2004-08-04 00:56]

2008-07-25 C:\WINDOWS\Tasks\{6724F127-DCE9-4D38-9240-8124A58706B1}_RICKYP2_Rickyp.job
- C:\WINDOWS\system32\mobsync.exe [2004-08-04 00:56]

2008-07-30 C:\WINDOWS\Tasks\{81385676-4A7B-45BA-8E4D-92F419D11E22}_RICKYP2_Rickyp.job
- C:\WINDOWS\system32\mobsync.exe [2004-08-04 00:56]

2008-07-30 C:\WINDOWS\Tasks\{92215601-AA95-46FA-83EB-A85390926E0D}_RICKYP2_Rickyp.job
- C:\WINDOWS\system32\mobsync.exe [2004-08-04 00:56]

2008-07-25 C:\WINDOWS\Tasks\{E9E1CA26-4D93-4C49-8DC7-1BBF584745EA}_RICKYP2_Rickyp.job
- C:\WINDOWS\system32\mobsync.exe [2004-08-04 00:56]

2008-07-30 C:\WINDOWS\Tasks\{ECA6C4DE-38F8-4C6D-8F22-238FCAFF9D5E}_RICKYP2_Rickyp.job
- C:\WINDOWS\system32\mobsync.exe [2004-08-04 00:56]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SysMetrix - C:\Program Files\SysMetrix\SysMetrix.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.msn.com
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.sbcglobal.net/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 -: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 -: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 -: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 -: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O18 -: Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 -: Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} -
O18 -: WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
O18 -: WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
O18 -: WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
O18 -: WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
O18 -: WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
O18 -: WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {62BC5DB2-0044-4040-B366-D628F3CFD551} - file://C:\DOCUME~1\Rickyp\LOCALS~1\Temp\IXP000.TMP\setup.cab
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\Downloaded Program Files\PrinterBvr.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-31 00:14:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Stardock\ObjectDock\DockShellHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Sony\Giga Pocket\shwserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intrigue Technologies\Harmony Remote\EasyZapperManagerExe.exe
.
**************************************************************************
.
Completion time: 2008-07-31 0:24:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-31 07:24:46

Pre-Run: 2,466,598,912 bytes free
Post-Run: 2,450,853,888 bytes free

235 --- E O F --- 2008-07-30 10:02:27

#4
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
What background is that second wallpaper you are referring to? Are you sure it's not related to WindowBlinds by any chance?

Download smitRem at http://noahdfear.gee.../click.php?id=1 and save the file to your desktop.

Restart your computer and boot into Safe Mode. If you don't know how, go to http://www.bleepingc...tutorial61.html

Run the smitRem.exe tool you downloaded earlier. There should be a folder called smitrem created on your desktop. Open it and double-click on the RunThis.bat file. Follow the prompts on the screen. Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Post that log in your next reply.

Restart the computer...

Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoft.../activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on 'See report'. Then click 'Save report'.
* Post that log in your next reply.

#5
Rickyp

    New Member

  • Topic Starter
  • Member
  • 4 posts
Sorry, I was out of town.

smitRem © log file
version 3.2

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
"IE"="7.0000"
The current date is: Thu 07/31/2008
The current time is: 22:09:56.34

Running from
C:\Documents and Settings\Rickyp\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Appinitdll check ........ Thank you Grinler!

dumphive.exe ©2000-2004 Markus Stephany
REGEDIT4

[Windows]
"AppInit_DLLs"="wbsys.dll"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

XP Firewall allowed access

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Sony\\Giga Pocket\\gps.exe"="C:\\Program Files\\Sony\\Giga Pocket\\gps.exe:*:Enabled:Giga Pocket Server"
"C:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"="C:\\Program Files\\support.com\\client\\bin\\tgcmd.exe:*:Disabled:tgcmd Module"
"C:\\Program Files\\D-Link Media Server\\MediaServer.exe"="C:\\Program Files\\D-Link Media Server\\MediaServer.exe:*:Enabled:MediaServer"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Disabled:Firefox"
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"="C:\\Program Files\\QuickTime\\QuickTimePlayer.exe:*:Enabled:QuickTime Player Application"
"C:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"="C:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe:*:Enabled:SonicWALL Global VPN Client"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"="C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!


checking for drsmartload2 key


drsmartload2 key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present
Trust Cleaner uninstaller NOT present
SpyHeal uninstaller NOT present
VirusBurst uninstaller NOT present
BraveSentry uninstaller NOT present
AntiVermins uninstaller NOT present
VirusBursters uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

amcompat.tlb
nscompat.tlb
logfiles


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 868 'explorer.exe'
Killing PID 868 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~



~~~ Wininet.dll ~~~

CLEAN! :)



Threats with free disinfection (4)
Low danger level (4) Trojan Horse Virus Latent Show + Info
1. C:\Documents and Settings\Rickyp\.jpi_cache\j...68d6783e-631c456c.zip[Beyond.class]

Rootkit/Booto.... Virus Latent Show + Info
1. C:\System Volume Information\_restore{543848E...47-9852573A650F}\RP955\A0100668.sys

Generic Malwar... Virus Latent Show + Info
1. C:\Documents and Settings\Rickyp\Application ...lliance\3DGrooveXtrav181\Groove.x32

Trojan Horse Virus Latent Show + Info
1. C:\Documents and Settings\Rickyp\.jpi_cache\j...246797d4-746d742d.zip[Beyond.class]
2. C:\Documents and Settings\Rickyp\.jpi_cache\j...730774d5-1264b417.zip[Beyond.class]


Threats disinfected with the paid version (20)
Medium danger level (1) Adware/IST.IST... Adware Latent Show + Info
1. C:\Documents and Settings\Rickyp\.jpi_cache\j...avainstaller/InstallerApplet.class]
2. C:\Documents and Settings\Rickyp\.jpi_cache\j...avainstaller/InstallerApplet.class]


Low danger level (19) Exploit/ByteVe... Hack Tool Latent Show + Info
1. C:\Documents and Settings\Rickyp\.jpi_cache\j...77f73f-225eb786.zip[BlackBox.class]
2. C:\Documents and Settings\Rickyp\.jpi_cache\j...faee52-474b7937.zip[BlackBox.class]
3. C:\Documents and Settings\Rickyp\.jpi_cache\j...0a8915-2f82ea62.zip[BlackBox.class]

Application/Pr... Tracking Application Latent Show + Info
1. C:\System Volume Information\_restore{543848E...6\A0101760.exe[smitRem/Process.exe]
2. C:\Documents and Settings\Rickyp\Desktop\smitRem\Process.exe
3. C:\Documents and Settings\Rickyp\Desktop\smitRem.exe[smitRem/Process.exe]

Application/Ps... Tracking Application Latent Show + Info
1. C:\System Volume Information\_restore{543848E...47-9852573A650F}\RP955\A0100691.EXE

Adware/CWS Adware Latent Show + Info
1. C:\Documents and Settings\Rickyp\.jpi_cache\f...oader.class-6fd9f626-7322ab91.class

Cookie/YieldMa... Tracking Cookie Latent Show + Info
1. C:\Documents and Settings\Rickyp\Application ...r\cookies.txt[ad.yieldmanager.com/]

Exploit/ByteVe... Hack Tool Latent Show + Info
1. C:\Documents and Settings\Rickyp\.jpi_cache\j...r-730774d5-1264b417.zip[Mein.class]
2. C:\Documents and Settings\Rickyp\.jpi_cache\j...r-246797d4-746d742d.zip[Mein.class]

Exploit/ByteVe... Hack Tool Latent Show + Info
1. C:\Documents and Settings\Rickyp\.jpi_cache\j...-68d6783e-631c456c.zip[Dummy.class]
2. C:\Documents and Settings\Rickyp\.jpi_cache\j...-677d2343-416616fa.zip[Dummy.class]
3. C:\Documents and Settings\Rickyp\.jpi_cache\j...-410a8915-2f82ea62.zip[Dummy.class]
4. C:\Documents and Settings\Rickyp\.jpi_cache\j...-2377f73f-225eb786.zip[Dummy.class]
5. C:\Documents and Settings\Rickyp\.jpi_cache\j...-65faee52-474b7937.zip[Dummy.class]
6. C:\Documents and Settings\Rickyp\.jpi_cache\j...-2921e73b-7c9b6818.zip[Dummy.class]
7. C:\Documents and Settings\Rickyp\.jpi_cache\j...-730774d5-1264b417.zip[Dummy.class]
8. C:\Documents and Settings\Rickyp\.jpi_cache\j...-246797d4-746d742d.zip[Dummy.class]

Exploit/ByteVe... Hack Tool Latent Show + Info
1. C:\Documents and Settings\Rickyp\.jpi_cache\j...343-416616fa.zip[VerifierBug.class]
2. C:\Documents and Settings\Rickyp\.jpi_cache\j...73f-225eb786.zip[VerifierBug.class]
3. C:\Documents and Settings\Rickyp\.jpi_cache\j...915-2f82ea62.zip[VerifierBug.class]
4. C:\Documents and Settings\Rickyp\.jpi_cache\j...83e-631c456c.zip[VerifierBug.class]
5. C:\Documents and Settings\Rickyp\.jpi_cache\j...73b-7c9b6818.zip[VerifierBug.class]
6. C:\Documents and Settings\Rickyp\.jpi_cache\j...e52-474b7937.zip[VerifierBug.class]

Cookie/Ccbill Tracking Cookie Latent Show + Info
1. C:\Documents and Settings\Rickyp\Application ...ault User\cookies.txt[.ccbill.com/]

Exploit/ByteVe... Hack Tool Latent Show + Info
1. C:\Documents and Settings\Rickyp\.jpi_cache\j...4d5-1264b417.zip[ProbeLoader.class]
2. C:\Documents and Settings\Rickyp\.jpi_cache\j...7d4-746d742d.zip[ProbeLoader.class]

Exploit/ByteVe... Hack Tool Latent Show + Info
1. C:\Documents and Settings\Rickyp\.jpi_cache\j...7d2343-416616fa.zip[BlackBox.class]

Exploit/ByteVe... Hack Tool Latent Show + Info
1. C:\Documents and Settings\Rickyp\.jpi_cache\j...-f336957-37dab531.zip[Beyond.class]
2. C:\Documents and Settings\Rickyp\Application ...\36\49dea264-292caad6[Beyond.class]
3. C:\Documents and Settings\Rickyp\Application ...0\12\6c22f0c-1e2df970[Beyond.class]
4. C:\Documents and Settings\Rickyp\Application ...\18\4e4d5952-32d152d6[Beyond.class]
5. C:\Documents and Settings\Rickyp\Application ...0\7\64e49c07-37da59bf[Beyond.class]
6. C:\Documents and Settings\Rickyp\.jpi_cache\j...5bef3ae7-4ceb1378.zip[Beyond.class]
7. C:\Documents and Settings\Rickyp\.jpi_cache\j...2de2e2c5-2010b846.zip[Beyond.class]
8. C:\Documents and Settings\Rickyp\.jpi_cache\j...5da14268-27ae2e02.zip[Beyond.class]
9. C:\Documents and Settings\Rickyp\.jpi_cache\j...358b1162-44aef7dc.zip[Beyond.class]
10. C:\Documents and Settings\Rickyp\.jpi_cache\j...5980ca7e-5c630de7.zip[Beyond.class]
11. C:\Documents and Settings\Rickyp\.jpi_cache\j...5980bc51-77d664c4.zip[Beyond.class]
12. C:\Documents and Settings\Rickyp\.jpi_cache\j...7e84fe99-6d356e28.zip[Beyond.class]
13. C:\Documents and Settings\Rickyp\.jpi_cache\j...6a13ddf6-6d7f9890.zip[Beyond.class]
14. C:\Documents and Settings\Rickyp\.jpi_cache\j...5980c178-5ad1632d.zip[Beyond.class]
15. C:\Documents and Settings\Rickyp\Application ...\62\17c297fe-4ee864ef[Beyond.class]

Exploit/ByteVe... Hack Tool Latent Show + Info
1. C:\Documents and Settings\Rickyp\.jpi_cache\j...d6783e-631c456c.zip[BlackBox.class]

Cookie/adultfr... Tracking Cookie Latent Show + Info
1. C:\Documents and Settings\Rickyp\Application ...ookies.txt[.adultfriendfinder.com/]

Exploit/ByteVe... Hack Tool Latent Show + Info
1. C:\Documents and Settings\Rickyp\.jpi_cache\j...80ca7e-5c630de7.zip[BlackBox.class]
2. C:\Documents and Settings\Rickyp\.jpi_cache\j...8b1162-44aef7dc.zip[BlackBox.class]
3. C:\Documents and Settings\Rickyp\.jpi_cache\j...e2e2c5-2010b846.zip[BlackBox.class]
4. C:\Documents and Settings\Rickyp\Application ...2\17c297fe-4ee864ef[BlackBox.class]
5. C:\Documents and Settings\Rickyp\Application ...8\4e4d5952-32d152d6[BlackBox.class]
6. C:\Documents and Settings\Rickyp\.jpi_cache\j...ef3ae7-4ceb1378.zip[BlackBox.class]
7. C:\Documents and Settings\Rickyp\.jpi_cache\j...336957-37dab531.zip[BlackBox.class]
8. C:\Documents and Settings\Rickyp\Application ...7\64e49c07-37da59bf[BlackBox.class]
9. C:\Documents and Settings\Rickyp\.jpi_cache\j...80c178-5ad1632d.zip[BlackBox.class]
10. C:\Documents and Settings\Rickyp\.jpi_cache\j...a14268-27ae2e02.zip[BlackBox.class]
11. C:\Documents and Settings\Rickyp\.jpi_cache\j...80bc51-77d664c4.zip[BlackBox.class]
12. C:\Documents and Settings\Rickyp\.jpi_cache\j...84fe99-6d356e28.zip[BlackBox.class]
13. C:\Documents and Settings\Rickyp\.jpi_cache\j...13ddf6-6d7f9890.zip[BlackBox.class]
14. C:\Documents and Settings\Rickyp\Application ...6\49dea264-292caad6[BlackBox.class]
15. C:\Documents and Settings\Rickyp\Application ...12\6c22f0c-1e2df970[BlackBox.class]

Exploit/ByteVe... Hack Tool Latent Show + Info
1. C:\Documents and Settings\Rickyp\.jpi_cache\j...-5da14268-27ae2e02.zip[Dummy.class]
2. C:\Documents and Settings\Rickyp\.jpi_cache\j...r-f336957-37dab531.zip[Dummy.class]
3. C:\Documents and Settings\Rickyp\.jpi_cache\j...-7e84fe99-6d356e28.zip[Dummy.class]
4. C:\Documents and Settings\Rickyp\.jpi_cache\j...-5980c178-5ad1632d.zip[Dummy.class]
5. C:\Documents and Settings\Rickyp\.jpi_cache\j...-5bef3ae7-4ceb1378.zip[Dummy.class]
6. C:\Documents and Settings\Rickyp\Application ...0\62\17c297fe-4ee864ef[Dummy.class]
7. C:\Documents and Settings\Rickyp\Application ....0\7\64e49c07-37da59bf[Dummy.class]
8. C:\Documents and Settings\Rickyp\.jpi_cache\j...-5980bc51-77d664c4.zip[Dummy.class]
9. C:\Documents and Settings\Rickyp\.jpi_cache\j...-2de2e2c5-2010b846.zip[Dummy.class]
10. C:\Documents and Settings\Rickyp\Application ...0\36\49dea264-292caad6[Dummy.class]
11. C:\Documents and Settings\Rickyp\Application ...0\18\4e4d5952-32d152d6[Dummy.class]
12. C:\Documents and Settings\Rickyp\Application ....0\12\6c22f0c-1e2df970[Dummy.class]
13. C:\Documents and Settings\Rickyp\.jpi_cache\j...-6a13ddf6-6d7f9890.zip[Dummy.class]
14. C:\Documents and Settings\Rickyp\.jpi_cache\j...-5980ca7e-5c630de7.zip[Dummy.class]
15. C:\Documents and Settings\Rickyp\.jpi_cache\j...-358b1162-44aef7dc.zip[Dummy.class]

Cookie/onestat... Tracking Cookie Latent Show + Info
1. C:\Documents and Settings\Rickyp\Application ...User\cookies.txt[stat.onestat.com/]

Exploit/ByteVe... Hack Tool Latent Show + Info
1. C:\Documents and Settings\Rickyp\.jpi_cache\j...268-27ae2e02.zip[VerifierBug.class]
2. C:\Documents and Settings\Rickyp\Application ...7c297fe-4ee864ef[VerifierBug.class]
3. C:\Documents and Settings\Rickyp\.jpi_cache\j...2c5-2010b846.zip[VerifierBug.class]
4. C:\Documents and Settings\Rickyp\Application ...9dea264-292caad6[VerifierBug.class]
5. C:\Documents and Settings\Rickyp\.jpi_cache\j...e99-6d356e28.zip[VerifierBug.class]
6. C:\Documents and Settings\Rickyp\.jpi_cache\j...df6-6d7f9890.zip[VerifierBug.class]
7. C:\Documents and Settings\Rickyp\Application ...6c22f0c-1e2df970[VerifierBug.class]
8. C:\Documents and Settings\Rickyp\.jpi_cache\j...c51-77d664c4.zip[VerifierBug.class]
9. C:\Documents and Settings\Rickyp\.jpi_cache\j...162-44aef7dc.zip[VerifierBug.class]
10. C:\Documents and Settings\Rickyp\Application ...4e49c07-37da59bf[VerifierBug.class]
11. C:\Documents and Settings\Rickyp\Application ...e4d5952-32d152d6[VerifierBug.class]
12. C:\Documents and Settings\Rickyp\.jpi_cache\j...957-37dab531.zip[VerifierBug.class]
13. C:\Documents and Settings\Rickyp\.jpi_cache\j...ae7-4ceb1378.zip[VerifierBug.class]
14. C:\Documents and Settings\Rickyp\.jpi_cache\j...a7e-5c630de7.zip[VerifierBug.class]
15. C:\Documents and Settings\Rickyp\.jpi_cache\j...178-5ad1632d.zip[VerifierBug.class]

Exploit/ByteVe... Hack Tool Latent Show + Info
1. C:\Documents and Settings\Rickyp\.jpi_cache\j...2377f73f-225eb786.zip[Beyond.class]
2. C:\Documents and Settings\Rickyp\.jpi_cache\j...65faee52-474b7937.zip[Beyond.class]
3. C:\Documents and Settings\Rickyp\.jpi_cache\j...410a8915-2f82ea62.zip[Beyond.class]


Suspicious files (1)
C:\Documents and Settings\Rickyp\Desktop\ComboFix.exe


Vulnerabilities (0)
  • 0

#6
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Go to http://www.java.com/.../5000020300.xml and see how to clear your Java cache or follow the instructions below:

Go into the Control Panel and double-click the Java icon (looks like a coffee cup).

- Under Temporary Internet Files, click the Delete Files button.
- There are three options in the window to clear the cache - Leave ALL 3 Checked
  - Downloaded Applets
  - Downloaded Applications
  - Other Files
- Click OK on the Delete Temporary Files window (Note: This deletes ALL the Downloaded Java Applications and Applets from the CACHE.)
- Click OK to leave the Java Control Panel.

Do you still have the wallpaper problem? What background is that second wallpaper you are referring to? Are you sure it's not related to WindowsBlinds by any chance?

Run Combofix and post the log here. What other issues are remaining now?
  • 0

#7
Rickyp

Rickyp

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
I will try to uninstall WindowBlinds if you think it may be the problem. The system seems stable. I have a blue background now, and on startup the task bar shows up, but at the end of startup it seems to go behind the background; the only way to get the start menu is the Windows key.


ComboFix 08-07-29.1 - Rickyp 2008-08-07 22:22:10.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.546 [GMT -7:00]
Running from: C:\Documents and Settings\Rickyp\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-07-08 to 2008-08-08 )))))))))))))))))))))))))))))))
.

2008-07-31 22:24 . 2008-07-31 22:24 <DIR> d-------- C:\Program Files\Panda Security
2008-07-31 22:24 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-28 16:38 . 2008-07-28 16:38 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-28 16:33 . 2008-07-28 16:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-28 16:24 . 2008-07-28 16:24 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-28 16:24 . 2008-07-28 16:24 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-07-28 16:24 . 2008-07-28 16:24 <DIR> d-------- C:\Documents and Settings\Rickyp\Application Data\Malwarebytes
2008-07-28 16:24 . 2008-07-28 16:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-28 16:24 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-28 16:24 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-27 23:35 . 2008-07-27 23:35 <DIR> d-------- C:\Program Files\Windows Defender
2008-07-11 14:48 . 2008-07-29 23:44 <DIR> d-------- C:\Program Files\iTunes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-08 05:21 --------- d-----w C:\Program Files\Java
2008-08-08 05:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-29 06:27 --------- d-----w C:\Program Files\QuickTime
2008-07-28 16:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-28 15:57 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-28 15:37 --------- d-----w C:\Program Files\SpywareBlaster
2008-07-28 06:08 --------- d-----w C:\Program Files\HP
2008-07-11 21:48 --------- d-----w C:\Program Files\iPod
2008-07-11 21:31 --------- d-----w C:\Program Files\Apple Software Update
2008-07-10 16:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2002-06-25 09:36 92,160 -c--a-w C:\Program Files\Common Files\WISC30.dll
2002-06-25 09:36 91,648 -c--a-w C:\Program Files\Common Files\WHSC30.dll
2002-06-25 09:36 55,808 -c--a-w C:\Program Files\Common Files\SOAPIS30.dll
2002-06-25 09:36 437,760 -c--a-w C:\Program Files\Common Files\MSSOAP30.dll
2002-06-25 09:36 30,208 -c--a-w C:\Program Files\Common Files\MSSOAPR3.dll
2001-08-23 14:00 25,088 -c--a-w C:\Program Files\Common Files\wisc10.dll
2001-08-23 14:00 23,552 -c--a-w C:\Program Files\Common Files\mssoapr.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-31_ 0.24.23.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-30 17:39:58 128,256 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
- 2008-07-31 07:17:43 73,770 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-07 19:32:59 73,770 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-31 07:17:44 431,924 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-07 19:32:59 431,924 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-07 19:28:38 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_194.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-10-29 17:50 4620288]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-02-28 21:00 315392]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-03-11 11:24 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 11:11 114688]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 10:29 40960]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2002-04-12 15:02 1417216]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 01:01 155648]
"VAIO Recovery"="C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-19 22:08 28672]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-10-29 17:50 86016]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 02:50 204800]
"PDUiP6600DMon"="C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe" [2005-05-25 10:35 69632]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2005-12-04 17:38 437008]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"nwiz"="nwiz.exe" [2004-10-29 17:50 921600 C:\WINDOWS\system32\nwiz.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 14:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-02-14 12:59 88107 C:\WINDOWS\AGRSMMSG.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]

C:\Documents and Settings\Rickyp\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2005-01-18 18:03:29 1976056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]
Harmony Monitor.lnk - C:\Program Files\Intrigue Technologies\Harmony Remote\EasyZapperMonitor.exe [2004-01-19 20:47:34 81920]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-09-11 21:28:46 67128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2006-09-21 14:29 226992 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= C:\PROGRA~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll
"MSACM.CEGSM"= mobilev.acm
"VIDC.I263"= i263_32.drv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Sony\\Giga Pocket\\gps.exe"=
"C:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"C:\\Program Files\\D-Link Media Server\\MediaServer.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"C:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 07:35]
R1 RCFOX;SonicWALL IPsec Driver;C:\WINDOWS\system32\Drivers\RCFOX.sys [2004-10-15 11:46]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 07:37]
R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys [2003-08-20 15:01]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

*Newly Created Service* - CATCHME
*Newly Created Service* - PAVBOOT
.
Contents of the 'Scheduled Tasks' folder

2008-08-03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-08-07 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2003-11-21 C:\WINDOWS\Tasks\Registration reminder 1.job
- C:\WINDOWS\System32\OOBE\oobebaln.exe [2004-08-04 00:56]

2003-11-26 C:\WINDOWS\Tasks\Registration reminder 2.job
- C:\WINDOWS\System32\OOBE\oobebaln.exe [2004-08-04 00:56]

2003-12-06 C:\WINDOWS\Tasks\Registration reminder 3.job
- C:\WINDOWS\System32\OOBE\oobebaln.exe [2004-08-04 00:56]

2008-08-07 C:\WINDOWS\Tasks\{48DF1B58-A1B4-462B-81FB-EBE591E38A03}_RICKYP2_Rickyp.job
- C:\WINDOWS\system32\mobsync.exe [2004-08-04 00:56]

2008-08-01 C:\WINDOWS\Tasks\{6724F127-DCE9-4D38-9240-8124A58706B1}_RICKYP2_Rickyp.job
- C:\WINDOWS\system32\mobsync.exe [2004-08-04 00:56]

2008-08-06 C:\WINDOWS\Tasks\{81385676-4A7B-45BA-8E4D-92F419D11E22}_RICKYP2_Rickyp.job
- C:\WINDOWS\system32\mobsync.exe [2004-08-04 00:56]

2008-08-06 C:\WINDOWS\Tasks\{92215601-AA95-46FA-83EB-A85390926E0D}_RICKYP2_Rickyp.job
- C:\WINDOWS\system32\mobsync.exe [2004-08-04 00:56]

2008-08-01 C:\WINDOWS\Tasks\{E9E1CA26-4D93-4C49-8DC7-1BBF584745EA}_RICKYP2_Rickyp.job
- C:\WINDOWS\system32\mobsync.exe [2004-08-04 00:56]

2008-08-07 C:\WINDOWS\Tasks\{ECA6C4DE-38F8-4C6D-8F22-238FCAFF9D5E}_RICKYP2_Rickyp.job
- C:\WINDOWS\system32\mobsync.exe [2004-08-04 00:56]
.
.
------- Supplementary Scan -------
.
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.sbcglobal.net/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 -: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 -: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 -: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 -: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O18 -: Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 -: Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} -
O18 -: WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
O18 -: WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
O18 -: WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
O18 -: WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
O18 -: WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
O18 -: WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {62BC5DB2-0044-4040-B366-D628F3CFD551} - file://C:\DOCUME~1\Rickyp\LOCALS~1\Temp\IXP000.TMP\setup.cab
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\Downloaded Program Files\PrinterBvr.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 22:24:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\TEMP\TMP0000005E1B04AD0F0ED8923A 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Stardock\ObjectDock\DockShellHook.dll
.
Completion time: 2008-08-07 22:27:59
ComboFix-quarantined-files.txt 2008-08-08 05:27:14
ComboFix2.txt 2008-07-31 07:24:54

Pre-Run: 1,953,816,576 bytes free
Post-Run: 1,989,160,960 bytes free

205 --- E O F --- 2008-08-07 20:12:52
  • 0

#8
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Delete the following file:

C:\WINDOWS\Downloaded Program Files\as2stubie.dll

Download SmitfraudFix at http://siri.urz.free...mitfraudFix.zip and extract the content (a folder named SmitfraudFix) to your desktop.

Open the SmitfraudFix folder. Double-click on smitfraudfix.cmd and select option #1 - Search by typing 1 and press Enter. A text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 or any other option until you are directed to do so!

NOTE: process.exe is detected by some antivirus programs as a Risk Tool. It is not a virus. If you get this detected, ignore it.

Right click on the desktop and go to Properties. Then go to the Desktop tab and click on the Customize Desktop icon. Go to the Web tab and make sure there are no other entries there except for My Current Home Page which should be unchecked by default. If you see any other entries, please delete/remove them.

Edited by greyknight17, 08 August 2008 - 06:58 PM.

  • 0
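The entries shown on the Desktop > Customize Desktop > Web tab in post #8 are Active Desktop components stored under the current user's registry hive. As an added example, not part of this thread or of any tool mentioned in it, the PowerShell script below lists those entries together with the wallpaper values so the same check can be made and pasted into a reply without the Display Properties dialog; it assumes it is run in the affected user's own session, since everything it reads lives under HKCU.

```powershell
# Added example (not from the thread): list Active Desktop "Web" items and the
# wallpaper settings for the current user. Read-only; nothing is changed.
# Assumption: run as the affected user, because all keys are under HKCU.

$componentsKey = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\Components'
$generalKey    = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\General'
$desktopKey    = 'HKCU:\Control Panel\Desktop'

# Classic wallpaper value, plus the Active Desktop copy and its backup.
$desktop = Get-ItemProperty -Path $desktopKey -ErrorAction SilentlyContinue
Write-Host ("Wallpaper (Control Panel\Desktop): {0}" -f $desktop.Wallpaper)

if (Test-Path $generalKey) {
    $general = Get-ItemProperty -Path $generalKey
    Write-Host ("Active Desktop wallpaper:          {0}" -f $general.Wallpaper)
    Write-Host ("Active Desktop backup wallpaper:   {0}" -f $general.BackupWallpaper)
}

if (-not (Test-Path $componentsKey)) {
    Write-Host 'No Active Desktop components key found; the Web tab should be empty.'
    return
}

# Each numbered subkey under Components is one row of the Web tab.
# 'About:Home' is the built-in "My Current Home Page" item; any other
# source, and in particular a local .htm/.html file, is what post #8
# asks the user to look for and remove.
Get-ChildItem -Path $componentsKey | ForEach-Object {
    $item   = Get-ItemProperty -Path $_.PSPath
    $source = [string]$item.Source
    $name   = [string]$item.FriendlyName
    $flags  = $item.Flags

    $status = 'builtin'
    if ($source -notmatch '^about:home$') {
        $status = 'REVIEW'
        if ($source -match '\.html?$' -or $source -match '^[A-Za-z]:\\') {
            $status = 'REVIEW (local HTML file shown as desktop)'
        }
    }

    Write-Host ("[{0}] {1} Name='{2}' Source='{3}' Flags={4}" -f `
        $_.PSChildName, $status, $name, $source, $flags)
}
```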

#9
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
