Hijack This log [RESOLVED]


This topic is locked.

#16
MVV
Member, Topic Starter, 87 posts
404Fix.exe;C:\WINDOWS\system32;BackDoor.IRC.Chazz.38;Deleted.;
IEDFix.C.exe;C:\WINDOWS\system32;BackDoor.IRC.Chazz.38;Deleted.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;;





Malwarebytes' Anti-Malware 1.24
Database version: 1020
Windows 5.1.2600 Service Pack 2

8:38:08 PM 8/2/2008
mbam-log-8-2-2008 (20-38-08).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 107456
Time elapsed: 57 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\SYSTEM32\fonts (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vn3 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)


#17
MVV
Member, Topic Starter, 87 posts
Deckard's System Scanner v20071014.68
Run by Mike on 2008-08-02 20:39:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as Mike.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:40:11 PM, on 8/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\System32\igfxpers.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Documents and Settings\Mike\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Mike.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Search - ?p=ZKxdm011YYUS
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol....83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol....,20/McGDMgr.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: gseuyh.dll,thqbkz.dll,ehfjjb.dll,avgrsstx.dll,
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7495 bytes

-- Files created between 2008-07-02 and 2008-08-02 -----------------------------

2008-08-02 22:29:06 50688 --a------ C:\Program Files\ATF-Cleaner.exe <Not Verified; Atribune.org; ATF Cleaner>
2008-08-02 22:16:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-02 22:16:41 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-08-02 21:30:34 68096 --a------ C:\WINDOWS\zip.exe
2008-08-02 21:30:34 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-02 21:30:34 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-02 21:30:34 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-02 21:30:34 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-02 21:30:34 98816 --a------ C:\WINDOWS\sed.exe
2008-08-02 21:30:34 80412 --a------ C:\WINDOWS\grep.exe
2008-08-02 21:30:34 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-02 19:11:14 0 d-------- C:\Documents and Settings\Mike\DoctorWeb
2008-08-02 18:29:36 0 dr-h----- C:\Documents and Settings\Mike\Recent
2008-08-02 16:39:57 0 d--h----- C:\$AVG8.VAULT$
2008-08-02 15:57:42 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-02 15:57:42 0 d-------- C:\Documents and Settings\Mike\Application Data\AVGTOOLBAR
2008-08-02 15:57:29 0 d-------- C:\Program Files\AVG
2008-08-02 15:57:28 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-27 19:48:25 0 d--hs---- C:\WINDOWS\THVjeTYz
2008-07-27 19:48:01 0 d-------- C:\WINDOWS\system32\bosh
2008-07-25 01:35:45 0 d-------- C:\Documents and Settings\Mike\Application Data\ACASystems
2008-07-25 01:35:45 0 d-------- C:\Documents and Settings\All Users\Application Data\ACASystems
2008-07-12 05:24:18 0 d-------- C:\MGtools
2008-07-12 05:04:07 0 d-------- C:\cmdcons
2008-07-12 03:37:53 1238055 --a------ C:\MGtools.exe
2008-07-12 01:48:51 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-07-12 01:44:57 0 d-------- C:\Program Files\Common Files\PC Tools
2008-07-12 01:44:51 0 d-------- C:\Program Files\PC Tools AntiVirus
2008-07-12 01:10:43 1710 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-12 01:10:04 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-12 01:10:04 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-07-12 01:10:04 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-07-12 01:10:04 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-07-12 01:10:04 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-07-12 01:10:04 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-12 01:10:03 0 d-------- C:\Program Files\SmitfraudFix
2008-07-11 22:14:07 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-07-11 22:13:27 0 d-------- C:\WINDOWS\system32\sfig
2008-07-11 22:13:27 0 d-------- C:\WINDOWS\system32\provdll
2008-07-11 22:13:27 0 d-------- C:\WINDOWS\system32\OBDE
2008-07-11 22:13:27 0 d-------- C:\WINDOWS\system32\imp32
2008-07-11 22:13:20 0 d-------- C:\WINDOWS\system32\olixds01
2008-07-11 21:30:28 70656 --a------ C:\WINDOWS\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2008-07-11 21:30:28 70656 --a------ C:\WINDOWS\system32\i420vfw.dll <Not Verified; www.helixcommunity.org; Helix I420 YUV Codec>
2008-07-11 21:30:28 719872 --a------ C:\WINDOWS\system32\devil.dll <Not Verified; Abysmal Software; Developer's Image Library (DevIL)>
2008-07-11 21:30:28 27648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2008-07-11 21:30:28 318976 --a------ C:\WINDOWS\system32\avisynth.dll <Not Verified; The Public; Avisynth 2.5>
2008-07-11 21:30:28 66560 --a------ C:\WINDOWS\MOTA113.exe
2008-07-11 21:30:28 217073 --a------ C:\WINDOWS\meta4.exe
2008-07-11 20:37:30 0 d-------- C:\Documents and Settings\Mike\Application Data\gtk-2.0
2008-07-11 20:36:40 0 d-------- C:\Documents and Settings\Mike\Application Data\avidemux
2008-07-11 20:32:49 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-11 20:32:34 0 d-------- C:\Documents and Settings\Mike\Application Data\Any Video Converter Professional
2008-07-11 19:11:09 0 d-------- C:\Documents and Settings\Mike\Application Data\Sony
2008-07-11 19:09:52 0 d-------- C:\Program Files\Microsoft SQL Server
2008-07-11 19:08:25 0 d-------- C:\Program Files\Sony
2008-07-11 18:56:18 261632 --a------ C:\WINDOWS\system32\mcdvd_32.dll <Not Verified; MainConcept; MainConcept DV Codec "2.0.4>
2008-07-11 18:03:50 0 d-------- C:\Documents and Settings\Mike\Application Data\dvdcss
2008-07-11 17:36:46 0 d-------- C:\Program Files\ProjectX_0.90.4.00
2008-07-11 17:32:21 0 d-------- C:\Program Files\ProjectX_Source_0.90.4
2008-07-11 17:24:00 0 d-------- C:\Documents and Settings\Mike\Application Data\DVD Flick
2008-07-11 04:15:25 43698 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
2008-07-11 01:57:16 0 d-------- C:\Documents and Settings\Mike\Application Data\AVS4YOU
2008-07-11 01:57:12 0 d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-07-11 01:56:11 0 d-------- C:\Program Files\Common Files\AVSMedia
2008-07-07 20:19:03 563712 --a------ C:\WINDOWS\system32\Redemption.dll <Not Verified; Dmitry Streblechenko; Outlook Redemption>
2008-07-07 20:05:45 0 d-------- C:\Program Files\doubleTwist
2008-07-03 11:07:58 0 d-------- C:\Documents and Settings\Jen\Application Data\Snapfish
2008-07-03 11:00:15 0 dr-h----- C:\Documents and Settings\Jen\Application Data\yahoo!
2008-07-03 10:55:51 0 d-------- C:\Documents and Settings\Jen\Application Data\DivX


-- Find3M Report ---------------------------------------------------------------

2008-08-02 22:48:23 0 d-------- C:\Program Files\QuickTime
2008-08-02 22:48:23 0 d-------- C:\Program Files\iTunes
2008-08-02 22:48:23 0 d-------- C:\Program Files\Dell Support
2008-08-02 22:48:23 0 d-------- C:\Program Files\Dell AIO Printer A920
2008-08-02 22:43:41 0 d-------- C:\Program Files\Common Files
2008-08-02 19:39:45 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-02 04:39:02 0 d-------- C:\Program Files\Soulseek
2008-07-29 20:20:12 1324 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-28 18:28:57 0 d-------- C:\Program Files\Trend Micro
2008-07-27 20:55:11 0 d-------- C:\Program Files\Enigma Software Group
2008-07-11 20:18:01 0 d-------- C:\Documents and Settings\Mike\Application Data\Yahoo!
2008-07-11 04:17:40 626 --a------ C:\Documents and Settings\Mike\Application Data\AutoGK.ini
2008-06-14 15:40:57 0 d-------- C:\Program Files\MySpace
2008-06-14 04:40:28 0 d-------- C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-06-14 04:40:04 0 d-------- C:\Program Files\Common Files\Download Manager
2008-06-13 22:37:42 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-13 22:22:54 0 d-------- C:\Documents and Settings\Mike\Application Data\Adobe
2008-06-12 04:05:36 0 d-------- C:\Program Files\Common Files\AOL
2008-06-12 04:02:40 0 d-------- C:\Documents and Settings\Mike\Application Data\AOL
2008-06-12 01:26:43 0 d-------- C:\Documents and Settings\Mike\Application Data\Uniblue
2008-06-11 01:39:10 0 d-------- C:\Program Files\DivX
2008-06-03 15:22:13 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-30 17:22:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 17:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 17:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 17:22:46 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 17:22:46 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-22 16:22:18 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 16:19:46 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-22 16:19:46 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-22 16:18:54 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-04 21:36:34 304957 --a------ C:\Program Files\hjsplit.zip


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
08/02/2008 03:57 PM 2055960 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\System32\igfxtray.exe" [02/10/2004 10:55 AM]
"igfxhkcmd"="C:\WINDOWS\System32\hkcmd.exe" [02/10/2004 10:51 AM]
"igfxpers"="C:\WINDOWS\System32\igfxpers.exe" [09/20/2005 09:36 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/10/2006 08:11 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/23/2006 04:45 PM]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [07/21/2006 04:19 PM]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [08/24/2005 07:51 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [08/02/2008 03:57 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/03/2008 03:22 PM]
"Yahoo! Pager"="1" []

C:\Documents and Settings\Mike\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 8:00:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 4:44:06 AM]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [9/20/2004 10:19:13 AM]
DESKTOP.INI [9/3/2002 8:00:00 AM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [9/20/2004 10:16:41 AM]
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [1/17/2008 5:18:59 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/20/2008 05:39 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=gseuyh.dll,thqbkz.dll,ehfjjb.dll,avgrsstx.dll,

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

*Newly Created Service* - AVG8EMC
*Newly Created Service* - AVG8WD
*Newly Created Service* - AVGLDX86
*Newly Created Service* - AVGMFX86
*Newly Created Service* - AVGTDIX



-- End of Deckard's System Scanner: finished at 2008-08-02 20:41:40 ------------

#18
andrewuk
Trusted Helper, Malware Removal, 5,297 posts
This could be a lot of information to post; I want to look inside some folders that look decidedly suspect.

====STEP 1====
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O8 - Extra context menu item: &Search - ?p=ZKxdm011YYUS

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.



====STEP 2====
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"="avgrsstx.dll"

DirLook::
C:\WINDOWS\THVjeTYz
C:\WINDOWS\system32\bosh
C:\WINDOWS\system32\sfig
C:\WINDOWS\system32\provdll
C:\WINDOWS\system32\OBDE
C:\WINDOWS\system32\imp32
C:\WINDOWS\system32\olixds01


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

In your next reply could I see:
1. the combofix log (it may be large and you may have to spread it over more than one post)
2. the hijackthis log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
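The reasoning behind Step 2 above is that the AppInit_DLLs value loads every listed DLL into every process that links user32.dll, so three unrecognised six-letter names sitting next to AVG's avgrsstx.dll are the most dangerous line in the whole log, and the CFScript rewrites the value to keep only the known DLL. The script below is an added example for this thread, not code from HijackThis, ComboFix or the helper: it parses the O20 and O3 lines quoted from the log earlier in the thread, separates AppInit DLLs on a small defender-maintained allowlist (an assumption; here only avgrsstx.dll) from unknown ones, flags the random-looking naming pattern, lists O3 toolbars whose file is gone, and emits the Registry:: section of a CFScript in the same form the helper used.

```python
"""AppInit_DLLs / orphan-toolbar triage for a HijackThis log.

Added example for this thread, not code from HijackThis, ComboFix or the
helper. It reads HijackThis lines, separates AppInit_DLLs entries on a small
defender-maintained allowlist (an assumption: here only AVG's avgrsstx.dll)
from unknown ones, lists O3 toolbars whose file is gone, and emits the
Registry:: part of a CFScript that keeps only the allowed DLLs.
"""
import re

# Assumption: allowlist of AppInit_DLLs values belonging to software the
# user is known to have installed (AVG 8 registers avgrsstx.dll).
KNOWN_GOOD = {"avgrsstx.dll"}

# Lines taken from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = """\
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\\Program Files\\NetZero\\toolbar.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O20 - AppInit_DLLs: gseuyh.dll,thqbkz.dll,ehfjjb.dll,avgrsstx.dll,
""".splitlines()

O20_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>.*)$")
O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# Six lowercase letters + .dll: the naming pattern of the three unknown DLLs above.
RANDOM_NAME_RE = re.compile(r"^[a-z]{6}\.dll$")


def parse_appinit(lines):
    """DLL names from the first O20 AppInit_DLLs line (trailing comma ignored)."""
    for line in lines:
        m = O20_RE.match(line.strip())
        if m:
            return [d.strip() for d in m.group("dlls").split(",") if d.strip()]
    return []


def classify_appinit(dlls, allowlist=KNOWN_GOOD):
    """Split into (allowed, suspect); suspect entries carry a reason string."""
    allowed, suspect = [], []
    for dll in dlls:
        name = dll.lower()
        if name in allowlist:
            allowed.append(dll)
        elif RANDOM_NAME_RE.match(name):
            suspect.append((dll, "random-looking name, not allowlisted"))
        else:
            suspect.append((dll, "not allowlisted"))
    return allowed, suspect


def orphan_toolbars(lines):
    """CLSIDs of O3 toolbar entries whose DLL is reported as '(no file)'."""
    found = []
    for line in lines:
        m = O3_RE.match(line.strip())
        if m and m.group("path").strip() == "(no file)":
            found.append(m.group("clsid").upper())
    return found


def cfscript_registry(allowed):
    """Registry:: section that rewrites appinit_dlls to the allowed DLLs only."""
    value = ",".join(allowed)
    return (
        "Registry::\n"
        "[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\windows]\n"
        f'"appinit_dlls"="{value}"\n'
    )


def triage(lines):
    """Run all checks and return a dict; the script prints it when run directly."""
    allowed, suspect = classify_appinit(parse_appinit(lines))
    return {
        "allowed": allowed,
        "suspect": suspect,
        "orphan_toolbars": orphan_toolbars(lines),
        "cfscript": cfscript_registry(allowed),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for dll, why in report["suspect"]:
        print(f"SUSPECT AppInit DLL: {dll} ({why})")
    for clsid in report["orphan_toolbars"]:
        print(f"Orphan O3 toolbar: {{{clsid}}}")
    print(report["cfscript"])
```

The allowlist is deliberately tiny: anything not positively known belongs in the suspect list for a human to look at, which is the same conservative stance the helper takes by keeping only avgrsstx.dll. The six-letter heuristic is a hint for the reviewer, not a verdict; the decisive fact is that a DLL in AppInit_DLLs has no identifiable owner.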

#19
MVV
Member, Topic Starter, 87 posts
ComboFix 08-08-01.05 - Mike 2008-08-02 21:40:16.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.242 [GMT -6:00]
Running from: C:\Documents and Settings\Mike\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mike\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Mike\Application Data\macromedia\Flash Player\#SharedObjects\8QPH3DT2\interclick.com
C:\Documents and Settings\Mike\Application Data\macromedia\Flash Player\#SharedObjects\8QPH3DT2\interclick.com\ud.sol
C:\Documents and Settings\Mike\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Mike\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol

.
((((((((((((((((((((((((( Files Created from 2008-07-03 to 2008-08-03 )))))))))))))))))))))))))))))))
.

2008-08-02 22:29 . 2008-08-02 22:28 50,688 --a------ C:\Program Files\ATF-Cleaner.exe
2008-08-02 22:16 . 2008-08-02 22:16 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-08-02 22:16 . 2008-08-02 22:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-02 19:11 . 2008-08-02 19:11 <DIR> d-------- C:\Documents and Settings\Mike\DoctorWeb
2008-08-02 17:13 . 2008-08-02 17:13 <DIR> d-------- C:\Deckard
2008-08-02 16:39 . 2008-08-02 17:51 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-02 15:57 . 2008-08-02 16:00 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\Avg
2008-08-02 15:57 . 2008-08-02 15:57 <DIR> d-------- C:\Program Files\AVG
2008-08-02 15:57 . 2008-08-02 15:57 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\AVGTOOLBAR
2008-08-02 15:57 . 2008-08-02 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-02 15:57 . 2008-08-02 15:57 96,520 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgldx86.sys
2008-08-02 15:57 . 2008-08-02 15:57 76,040 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgtdix.sys
2008-08-02 15:57 . 2008-08-02 15:57 10,520 --a------ C:\WINDOWS\SYSTEM32\avgrsstx.dll
2008-08-02 15:49 . 2008-08-02 15:55 48,367,896 --a------ C:\Program Files\avg_free_stf_en_8_138a1332.exe
2008-07-29 23:00 . 2008-07-29 23:01 6,046,584 --a------ C:\Program Files\Firefox Setup 2.0.0.16.exe
2008-07-29 20:18 . 2008-08-02 22:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-29 20:18 . 2008-07-29 20:18 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-28 18:28 . 2008-07-28 18:28 812,344 --a------ C:\Program Files\HJTInstall.exe
2008-07-27 21:08 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-07-27 19:48 . 2008-07-28 21:22 <DIR> d--hs---- C:\WINDOWS\THVjeTYz
2008-07-27 19:48 . 2008-08-02 22:39 <DIR> d-------- C:\WINDOWS\SYSTEM32\bosh
2008-07-27 19:48 . 2008-07-27 19:48 <DIR> d-------- C:\Temp\epr1
2008-07-25 01:49 . 2008-07-28 03:20 72 --a------ C:\WINDOWS\SCapPro.INI
2008-07-25 01:35 . 2008-07-25 01:35 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\ACASystems
2008-07-25 01:35 . 2008-07-25 01:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ACASystems
2008-07-12 05:24 . 2008-07-12 05:24 <DIR> d-------- C:\MGtools
2008-07-12 05:24 . 2008-07-12 05:24 18,463 --a------ C:\MGlogs.zip
2008-07-12 03:37 . 2008-07-12 03:38 1,238,055 --a------ C:\MGtools.exe
2008-07-12 01:48 . 2008-07-12 01:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-07-12 01:44 . 2008-07-12 01:49 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
2008-07-12 01:44 . 2008-07-12 01:44 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-07-12 01:10 . 2008-08-02 16:39 <DIR> d-------- C:\Program Files\SmitfraudFix
2008-07-12 01:10 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-07-12 01:10 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-07-12 01:10 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-07-12 01:10 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-07-12 01:10 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-07-12 01:10 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-07-12 01:10 . 2008-07-12 01:28 1,710 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-07-11 22:13 . 2008-07-12 00:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\sfig
2008-07-11 22:13 . 2008-07-11 23:51 <DIR> d-------- C:\WINDOWS\SYSTEM32\provdll
2008-07-11 22:13 . 2008-08-02 04:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\olixds01
2008-07-11 22:13 . 2008-07-11 23:51 <DIR> d-------- C:\WINDOWS\SYSTEM32\OBDE
2008-07-11 22:13 . 2008-08-02 04:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\imp32
2008-07-11 22:13 . 2008-07-11 22:13 <DIR> d-------- C:\Temp\stmpv4
2008-07-11 22:13 . 2002-08-29 04:00 4,224 --a------ C:\WINDOWS\SYSTEM32\beep.sys
2008-07-11 20:37 . 2008-07-11 21:50 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\gtk-2.0
2008-07-11 20:36 . 2008-07-11 20:38 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\avidemux
2008-07-11 20:32 . 2008-07-11 20:43 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Any Video Converter Professional
2008-07-11 20:32 . 2008-07-12 01:48 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-11 19:11 . 2008-07-11 19:11 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Sony
2008-07-11 19:10 . 2002-12-17 16:23 33,340 --a------ C:\WINDOWS\SYSTEM32\dbmsqlgc.dll
2008-07-11 19:10 . 2002-10-20 14:05 24,576 --a------ C:\WINDOWS\SYSTEM32\dbmsgnet.dll
2008-07-11 19:09 . 2008-07-11 19:09 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2008-07-11 19:08 . 2008-07-12 00:00 <DIR> d-------- C:\Program Files\Sony
2008-07-11 18:56 . 2003-05-21 23:50 261,632 --a------ C:\WINDOWS\SYSTEM32\mcdvd_32.dll
2008-07-11 18:56 . 2003-05-21 23:50 156,910 --a------ C:\WINDOWS\WMSysPr8.prx
2008-07-11 18:56 . 2003-05-21 23:50 82,944 --a------ C:\WINDOWS\SYSTEM32\vct3216.acm
2008-07-11 18:56 . 2004-02-04 21:11 81,920 --a------ C:\WINDOWS\SYSTEM32\AC3ACM.acm
2008-07-11 18:56 . 2003-05-21 23:50 38,912 --a------ C:\WINDOWS\SYSTEM32\alf2cd.acm
2008-07-11 18:56 . 2000-03-14 20:55 13,239 --a------ C:\WINDOWS\SYSTEM32\Scg726.acm
2008-07-11 18:03 . 2008-07-11 18:04 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\dvdcss
2008-07-11 17:36 . 2008-07-11 18:08 <DIR> d-------- C:\Program Files\ProjectX_0.90.4.00
2008-07-11 17:32 . 2006-03-28 20:18 <DIR> d-------- C:\Program Files\ProjectX_Source_0.90.4
2008-07-11 17:24 . 2008-07-11 17:55 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\DVD Flick
2008-07-11 17:23 . 2004-03-09 00:00 662,288 --a------ C:\WINDOWS\SYSTEM32\mscomct2.ocx
2008-07-11 17:23 . 2004-03-09 00:00 212,240 --a------ C:\WINDOWS\SYSTEM32\richtx32.ocx
2008-07-11 17:23 . 2000-05-19 17:56 81,920 --a------ C:\WINDOWS\SYSTEM32\mbmouse.ocx
2008-07-11 17:23 . 2000-11-05 15:27 36,864 --a------ C:\WINDOWS\SYSTEM32\trayicon.ocx
2008-07-11 04:15 . 2008-07-11 04:15 43,698 --a------ C:\WINDOWS\SYSTEM32\xvid-uninstall.exe
2008-07-11 01:57 . 2008-07-11 01:57 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\AVS4YOU
2008-07-11 01:57 . 2008-07-11 01:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-07-11 01:56 . 2008-07-11 22:24 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-07-07 20:19 . 2008-07-07 20:19 563,712 --a------ C:\WINDOWS\SYSTEM32\Redemption.dll
2008-07-07 20:05 . 2008-07-07 20:43 <DIR> d-------- C:\Program Files\doubleTwist
2008-07-03 11:07 . 2008-07-03 11:08 <DIR> d-------- C:\Documents and Settings\Jen\Application Data\Snapfish
2008-07-03 11:00 . 2008-07-03 11:00 <DIR> dr-h----- C:\Documents and Settings\Jen\Application Data\yahoo!
2008-07-03 10:55 . 2008-07-03 10:55 <DIR> d-------- C:\Documents and Settings\Jen\Application Data\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-03 04:48 --------- d-----w C:\Program Files\QuickTime
2008-08-03 04:48 --------- d-----w C:\Program Files\iTunes
2008-08-03 04:48 --------- d-----w C:\Program Files\Dell Support
2008-08-03 04:48 --------- d-----w C:\Program Files\Dell AIO Printer A920
2008-08-03 01:39 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-08-02 10:39 --------- d-----w C:\Program Files\Soulseek
2008-07-31 02:07 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-07-29 00:28 --------- d-----w C:\Program Files\Trend Micro
2008-07-28 02:55 --------- d-----w C:\Program Files\Enigma Software Group
2008-07-12 02:18 --------- d-----w C:\Documents and Settings\Mike\Application Data\Yahoo!
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 21:40 --------- d-----w C:\Program Files\MySpace
2008-06-14 10:40 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-06-14 10:40 --------- d-----w C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-06-14 10:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-14 10:39 128,368 ----a-w C:\Program Files\Download_mbam-setup.exe
2008-06-14 10:29 7,652,632 ----a-w C:\Program Files\Free-SpyHunter-Scanner-Install.exe
2008-06-14 04:37 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-13 17:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 10:05 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-12 10:02 --------- d-----w C:\Documents and Settings\Mike\Application Data\AOL
2008-06-12 10:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-06-12 09:14 636,192 ----a-w C:\Program Files\DMSetup-Serial.exe
2008-06-12 07:26 4,257,184 ----a-w C:\Program Files\registryboosteraff.exe
2008-06-12 07:26 --------- d-----w C:\Documents and Settings\Mike\Application Data\Uniblue
2008-06-12 01:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-11 22:34 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-11 22:33 9,722,720 ----a-w C:\Program Files\spybotsd152.exe
2008-06-11 07:39 --------- d-----w C:\Program Files\DivX
2008-06-03 21:22 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-05-13 08:13 486,108,144 ----a-w C:\Program Files\ADBEPHSPCS3_WWE.exe
2008-05-05 03:36 304,957 ----a-w C:\Program Files\hjsplit.zip
2008-04-29 04:04 1,071,480 ----a-w C:\Program Files\dBpoweramp-Codec-m4a.exe
2008-03-26 23:37 6,104,632 ----a-w C:\Program Files\picasaweb-current-setup.exe
2008-03-26 23:23 13,445,041 ----a-w C:\Program Files\ps701up.exe
2008-03-13 02:33 90,044,946 ----a-w C:\Program Files\ableton_live_demo_702_en.zip
2008-01-17 23:19 1,958 ----a-w C:\Program Files\AT&T Self Support Tool.lnk
2008-01-17 23:19 1,741 ----a-w C:\Program Files\AT&T Help.lnk
2007-12-25 23:35 54,330,664 ----a-w C:\Program Files\iTunesSetup.exe
2007-12-20 02:08 5,914,648 ----a-w C:\Program Files\SUPERAntiSpyware.exe
2007-10-05 03:35 842,672 ----a-w C:\Program Files\slsk156c.exe
2007-09-30 22:01 6,016,952 ----a-w C:\Program Files\Firefox Setup 2.0.0.7.exe
2007-09-21 07:59 5,651,713 ----a-w C:\Program Files\The-Codecs-5.0.zip
2007-09-21 05:26 23,769,896 ----a-w C:\Program Files\DivXInstaller.exe
2007-06-12 02:57 4,044,152 ----a-w C:\Program Files\dBpoweramp-encoder-helix.exe
2007-06-12 02:52 4,112,760 ----a-w C:\Program Files\dMC-r12[1].1.exe
2007-05-18 23:16 3,362,502 ----a-w C:\Program Files\cxp_free.exe
2007-05-16 04:44 1,055,648 ----a-w C:\Program Files\qmpsetup_win_ie_07010901.exe
2007-04-10 05:52 206,039 ----a-w C:\Program Files\RAR.zip
2007-03-18 05:43 877,976 ----a-w C:\Program Files\7z444.exe
2007-03-18 03:18 1,202,303 ----a-w C:\Program Files\wrar37b4.exe
2007-02-28 00:06 881 ----a-w C:\Program Files\fixreg.zip
2007-02-13 02:57 4,964,776 ----a-w C:\Program Files\Windows-KB890830-V1.24.exe
2006-12-29 04:29 40,409,184 ----a-w C:\Program Files\MIS_9_0_183_1_trial30OEM_Release.exe
2006-12-26 13:22 70,873,480 ----a-w C:\Program Files\tis2007_trial.exe
2006-12-24 11:50 4,813,736 ----a-w C:\Program Files\Windows-KB890830-V1.23.exe
2004-11-07 21:58 0 ----a-w C:\Documents and Settings\Lucy63\4.dat
2004-11-07 21:58 0 ----a-w C:\Documents and Settings\Lucy63\3.dat
2004-11-07 03:56 0 ----a-w C:\Documents and Settings\Jen\4.dat
2004-11-07 03:56 0 ----a-w C:\Documents and Settings\Jen\3.dat
2006-11-22 20:13 104 --sh--w C:\WINDOWS\Microsoft.NET\ergafx.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\system32\bosh ----


---- Directory of C:\WINDOWS\system32\imp32 ----


---- Directory of C:\WINDOWS\system32\OBDE ----


---- Directory of C:\WINDOWS\system32\olixds01 ----


---- Directory of C:\WINDOWS\system32\provdll ----


---- Directory of C:\WINDOWS\system32\sfig ----


---- Directory of C:\WINDOWS\THVjeTYz ----



((((((((((((((((((((((((((((( snapshot@2008-07-12_ 5.21.51.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-03-15 06:04:00 122,933 ----a-w C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
+ 2008-08-02 21:57:45 26,824 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgmfx86.sys
- 2005-09-20 15:32:24 77,824 ----a-w C:\WINDOWS\SYSTEM32\hkcmd.exe
+ 2004-02-10 16:51:30 118,784 ----a-w C:\WINDOWS\SYSTEM32\hkcmd.exe
- 2005-09-20 15:35:40 94,208 ----a-w C:\WINDOWS\SYSTEM32\igfxtray.exe
+ 2004-02-10 16:55:32 155,648 ----a-w C:\WINDOWS\SYSTEM32\igfxtray.exe
+ 2005-05-24 18:27:16 213,048 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 21:47:20 94,208 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 21:49:54 950,272 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-05-29 23:35:11 17,486,968 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
+ 2008-06-25 16:15:46 17,972,344 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
+ 2008-08-03 03:46:18 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_564.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="1" [X]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-03 15:22 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\System32\igfxtray.exe" [2004-02-10 10:55 155648]
"igfxhkcmd"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-10 10:51 118784]
"igfxpers"="C:\WINDOWS\System32\igfxpers.exe" [2005-09-20 09:36 114688]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-10 20:11 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45 278528]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19 129536]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 07:51 442455]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-02 15:57 1232152]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2004-09-20 10:19:13 36953]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-09-20 10:16:41 24576]
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2008-01-17 17:18:59 217088]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-20 17:39 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"VIDC.HFYU"= huffyuv.dll
"msacm.avis"= ff_acm.acm
"vidc.i263"= C:\WINDOWS\system32\i263_32.drv
"msacm.imc"= C:\WINDOWS\system32\imc32.acm
"vidc.yv12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-02 15:57]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-02 15:57]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-02 15:57]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-02 15:57]
S1 mssmbioss;mssmbioss;C:\WINDOWS\system32\drivers\mssmbioss.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-07-11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-02 21:49:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
.
**************************************************************************
.
Completion time: 2008-08-02 21:58:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-03 03:57:55
ComboFix2.txt 2008-08-03 04:57:33
ComboFix3.txt 2008-08-03 03:49:45
ComboFix4.txt 2008-07-12 11:23:23

Pre-Run: 47,505,567,744 bytes free
Post-Run: 47,495,782,400 bytes free

270 --- E O F --- 2008-07-30 04:54:08
  • 0

#20 MVV (Member, Topic Starter, 87 posts)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:14 PM, on 8/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\System32\igfxpers.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Trend Micro\HijackThis\Gotcha.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Search - ?p=ZKxdm011YYUS
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol....83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol....,20/McGDMgr.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: gseuyh.dll,thqbkz.dll,ehfjjb.dll,avgrsstx.dll,
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7459 bytes
  • 0

#21 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)

We will delete those folders and I want to scan a couple of files that may have been patched.

====STEP 1====
Jotti File Submission:

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
C:\WINDOWS\SYSTEM32\igfxtray.exe

Click on the submit button

Please also do the same with the following file:
C:\WINDOWS\SYSTEM32\hkcmd.exe


Please post the results of the scan in your next reply.

If Jotti is busy, try the same at Virustotal



====STEP 2====
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KILLALL::

Folder::
C:\WINDOWS\system32\bosh
C:\WINDOWS\system32\imp32
C:\WINDOWS\system32\OBDE
C:\WINDOWS\system32\olixds01
C:\WINDOWS\system32\provdll
C:\WINDOWS\system32\sfig
C:\WINDOWS\THVjeTYz

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"Appinit_dlls"="avgrsstx.dll"


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.




In your next reply could I see:
1. the 2 jotti logs
2. the combofix log
3. the hijackthis log
4. some idea of how your machine is running now

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0
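The two requests in the post above (scan igfxtray.exe and hkcmd.exe; reset AppInit_DLLs to only the AVG entry) both follow from lines already in the posted logs. The script below is an added example, not part of this thread and not code from ComboFix, HijackThis or Jotti: it pairs the "-"/"+" lines of the ComboFix snapshot section to find files that were replaced on disk between the two snapshots, flags replacements whose new timestamp is older than the one removed (the pattern behind the request to scan hkcmd.exe and igfxtray.exe; MRT.exe moving forward is an ordinary update), and splits the HijackThis O20 line so that only allow-listed DLLs survive, which yields the Registry:: value used in the CFScript. The sample lines are copied from the logs in this thread; the allow-list containing only avgrsstx.dll is an assumption for illustration.

```python
"""
Added example (not from the thread or any tool named in it): re-derive the
findings behind the helper's instructions from the posted log text.
"""
import re
from datetime import datetime

# Copied from the ComboFix "snapshot" section posted earlier in this thread.
SNAPSHOT = r"""
+ 2004-03-15 06:04:00 122,933 ----a-w C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
- 2005-09-20 15:32:24 77,824 ----a-w C:\WINDOWS\SYSTEM32\hkcmd.exe
+ 2004-02-10 16:51:30 118,784 ----a-w C:\WINDOWS\SYSTEM32\hkcmd.exe
- 2005-09-20 15:35:40 94,208 ----a-w C:\WINDOWS\SYSTEM32\igfxtray.exe
+ 2004-02-10 16:55:32 155,648 ----a-w C:\WINDOWS\SYSTEM32\igfxtray.exe
- 2008-05-29 23:35:11 17,486,968 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
+ 2008-06-25 16:15:46 17,972,344 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
"""

# Copied from the HijackThis log posted in this thread.
O20_LINE = "O20 - AppInit_DLLs: gseuyh.dll,thqbkz.dll,ehfjjb.dll,avgrsstx.dll,"

# Assumed allow-list (illustration only): the AVG entry the CFScript keeps.
APPINIT_ALLOW = {"avgrsstx.dll"}

# sign, timestamp, size-with-commas, attribute flags, path (may contain spaces)
LINE_RE = re.compile(
    r"^([+-]) (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([\d,]+) (\S+) (.+)$"
)


def parse_snapshot(text):
    """Yield (sign, timestamp, size, path) for each '-' or '+' line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, '.' separators and blank lines
        sign, ts, size, _attrs, path = m.groups()
        yield (sign, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
               int(size.replace(",", "")), path)


def replaced_files(text):
    """Paths that appear with both a '-' (removed) and a '+' (added) line.

    Returns {path: {"old": (ts, size), "new": (ts, size)}}; paths are
    matched case-insensitively because NTFS paths are.
    """
    seen = {}
    for sign, ts, size, path in parse_snapshot(text):
        entry = seen.setdefault(path.lower(), {"path": path})
        entry["old" if sign == "-" else "new"] = (ts, size)
    return {e["path"]: e for e in seen.values() if "old" in e and "new" in e}


def timestamp_regressed(text):
    """Replaced files whose new copy is dated EARLIER than the copy it replaced.

    A vendor update normally moves the timestamp forward; a backwards move is
    a reason to submit the file to a multi-engine scanner, not a verdict.
    """
    return sorted(path for path, info in replaced_files(text).items()
                  if info["new"][0] < info["old"][0])


def appinit_entries(o20_line):
    """DLL names from a HijackThis 'O20 - AppInit_DLLs:' line (trailing comma ignored)."""
    _, _, value = o20_line.partition("AppInit_DLLs:")
    return [p.strip() for p in value.split(",") if p.strip()]


def appinit_unknown(o20_line, allow=APPINIT_ALLOW):
    """AppInit DLLs that are not on the allow-list and so need investigating."""
    return [d for d in appinit_entries(o20_line) if d.lower() not in allow]


def cfscript_registry_value(o20_line, allow=APPINIT_ALLOW):
    """The Registry:: value line that keeps only allow-listed AppInit DLLs."""
    keep = [d for d in appinit_entries(o20_line) if d.lower() in allow]
    return '"Appinit_dlls"="%s"' % ",".join(keep)


if __name__ == "__main__":
    regressed = set(timestamp_regressed(SNAPSHOT))
    for path, info in replaced_files(SNAPSHOT).items():
        note = "  <- dated backwards, submit for scanning" if path in regressed else ""
        print(f"{path}: {info['old'][0]} -> {info['new'][0]}{note}")
    print("AppInit DLLs not on the allow-list:", appinit_unknown(O20_LINE))
    print("CFScript Registry:: line:", cfscript_registry_value(O20_LINE))
```

Run against the lines above it reports hkcmd.exe and igfxtray.exe as the two backwards-dated replacements (the pair the helper asked to have scanned), lists gseuyh.dll, thqbkz.dll and ehfjjb.dll as the AppInit entries not on the allow-list, and emits exactly the `"Appinit_dlls"="avgrsstx.dll"` line that appears in the CFScript.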
#22 MVV (Member, Topic Starter, 87 posts)

Scan taken on 04 Aug 2008 03:49:52 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing


Last file scanned at least one scanner reported something about: mirc612.exe (MD5: e4be097180f95967b48209381589d1e2, size: 1236992 bytes), detected by:

Scanner Malware name
A-Squared X
AntiVir X
ArcaVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
CPsecure X
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus not-a-virus:Client-IRC.Win32.mIRC.612 (6, 2, 601)
Fortinet X
Ikarus not-a-virus:Client-IRC.Win32.mIRC.612
Kaspersky Anti-Virus not-a-virus:Client-IRC.Win32.mIRC.612
NOD32 X
Norman Virus Control X
Panda Antivirus X
Sophos Antivirus X
VirusBuster X
VBA32 X








Scan taken on 04 Aug 2008 03:52:37 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing


Last file scanned at least one scanner reported something about: winrarv3.71beta1patchlordpe.zip (MD5: 30e38672082076509b371cf5c80a5721, size: 47154 bytes), detected by:

Scanner Malware name
A-Squared X
AntiVir TR/Packed.3208
ArcaVir X
Avast Win32:Trojan-gen {Other}
AVG Antivirus Generic10.XLJ
BitDefender Trojan.Packed.3208
ClamAV PUA.Packed.NPack-3
CPsecure Troj.Downloader.W32.Small.got
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus X
Fortinet X
Ikarus Packed.Win32.Klone.af
Kaspersky Anti-Virus X
NOD32 X
Norman Virus Control W32/Suspicious_N.gen
Panda Antivirus X
Sophos Antivirus Mal/Packer
VirusBuster X
VBA32 X
  • 0

#23 MVV (Member, Topic Starter, 87 posts)

ComboFix 08-08-01.05 - Mike 2008-08-02 23:57:01.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.274 [GMT -6:00]
Running from: C:\Documents and Settings\Mike\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mike\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\bosh
C:\WINDOWS\system32\imp32
C:\WINDOWS\system32\OBDE
C:\WINDOWS\system32\olixds01
C:\WINDOWS\system32\provdll
C:\WINDOWS\system32\sfig
C:\WINDOWS\THVjeTYz

.
((((((((((((((((((((((((( Files Created from 2008-07-03 to 2008-08-03 )))))))))))))))))))))))))))))))
.

2008-08-02 22:29 . 2008-08-02 22:28 50,688 --a------ C:\Program Files\ATF-Cleaner.exe
2008-08-02 22:16 . 2008-08-02 22:16 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-08-02 22:16 . 2008-08-02 22:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-02 19:11 . 2008-08-02 19:11 <DIR> d-------- C:\Documents and Settings\Mike\DoctorWeb
2008-08-02 17:13 . 2008-08-02 17:13 <DIR> d-------- C:\Deckard
2008-08-02 16:39 . 2008-08-02 17:51 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-02 15:57 . 2008-08-02 16:00 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\Avg
2008-08-02 15:57 . 2008-08-02 15:57 <DIR> d-------- C:\Program Files\AVG
2008-08-02 15:57 . 2008-08-02 15:57 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\AVGTOOLBAR
2008-08-02 15:57 . 2008-08-02 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-02 15:57 . 2008-08-02 15:57 96,520 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgldx86.sys
2008-08-02 15:57 . 2008-08-02 15:57 76,040 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgtdix.sys
2008-08-02 15:57 . 2008-08-02 15:57 10,520 --a------ C:\WINDOWS\SYSTEM32\avgrsstx.dll
2008-08-02 15:49 . 2008-08-02 15:55 48,367,896 --a------ C:\Program Files\avg_free_stf_en_8_138a1332.exe
2008-07-29 23:00 . 2008-07-29 23:01 6,046,584 --a------ C:\Program Files\Firefox Setup 2.0.0.16.exe
2008-07-29 20:18 . 2008-08-02 23:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-29 20:18 . 2008-07-29 20:18 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-28 18:28 . 2008-07-28 18:28 812,344 --a------ C:\Program Files\HJTInstall.exe
2008-07-27 21:08 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-07-27 19:48 . 2008-07-27 19:48 <DIR> d-------- C:\Temp\epr1
2008-07-25 01:49 . 2008-07-28 03:20 72 --a------ C:\WINDOWS\SCapPro.INI
2008-07-25 01:35 . 2008-07-25 01:35 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\ACASystems
2008-07-25 01:35 . 2008-07-25 01:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ACASystems
2008-07-12 05:24 . 2008-07-12 05:24 <DIR> d-------- C:\MGtools
2008-07-12 05:24 . 2008-07-12 05:24 18,463 --a------ C:\MGlogs.zip
2008-07-12 03:37 . 2008-07-12 03:38 1,238,055 --a------ C:\MGtools.exe
2008-07-12 01:48 . 2008-07-12 01:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-07-12 01:44 . 2008-07-12 01:49 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
2008-07-12 01:44 . 2008-07-12 01:44 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-07-12 01:10 . 2008-08-02 16:39 <DIR> d-------- C:\Program Files\SmitfraudFix
2008-07-12 01:10 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-07-12 01:10 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-07-12 01:10 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-07-12 01:10 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-07-12 01:10 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-07-12 01:10 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-07-12 01:10 . 2008-07-12 01:28 1,710 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-07-11 22:13 . 2008-07-11 22:13 <DIR> d-------- C:\Temp\stmpv4
2008-07-11 22:13 . 2002-08-29 04:00 4,224 --a------ C:\WINDOWS\SYSTEM32\beep.sys
2008-07-11 20:37 . 2008-07-11 21:50 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\gtk-2.0
2008-07-11 20:36 . 2008-07-11 20:38 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\avidemux
2008-07-11 20:32 . 2008-07-11 20:43 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Any Video Converter Professional
2008-07-11 20:32 . 2008-07-12 01:48 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-11 19:11 . 2008-07-11 19:11 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Sony
2008-07-11 19:10 . 2002-12-17 16:23 33,340 --a------ C:\WINDOWS\SYSTEM32\dbmsqlgc.dll
2008-07-11 19:10 . 2002-10-20 14:05 24,576 --a------ C:\WINDOWS\SYSTEM32\dbmsgnet.dll
2008-07-11 19:09 . 2008-07-11 19:09 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2008-07-11 19:08 . 2008-07-12 00:00 <DIR> d-------- C:\Program Files\Sony
2008-07-11 18:56 . 2003-05-21 23:50 261,632 --a------ C:\WINDOWS\SYSTEM32\mcdvd_32.dll
2008-07-11 18:56 . 2003-05-21 23:50 156,910 --a------ C:\WINDOWS\WMSysPr8.prx
2008-07-11 18:56 . 2003-05-21 23:50 82,944 --a------ C:\WINDOWS\SYSTEM32\vct3216.acm
2008-07-11 18:56 . 2004-02-04 21:11 81,920 --a------ C:\WINDOWS\SYSTEM32\AC3ACM.acm
2008-07-11 18:56 . 2003-05-21 23:50 38,912 --a------ C:\WINDOWS\SYSTEM32\alf2cd.acm
2008-07-11 18:56 . 2000-03-14 20:55 13,239 --a------ C:\WINDOWS\SYSTEM32\Scg726.acm
2008-07-11 18:03 . 2008-07-11 18:04 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\dvdcss
2008-07-11 17:36 . 2008-07-11 18:08 <DIR> d-------- C:\Program Files\ProjectX_0.90.4.00
2008-07-11 17:32 . 2006-03-28 20:18 <DIR> d-------- C:\Program Files\ProjectX_Source_0.90.4
2008-07-11 17:24 . 2008-07-11 17:55 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\DVD Flick
2008-07-11 17:23 . 2004-03-09 00:00 662,288 --a------ C:\WINDOWS\SYSTEM32\mscomct2.ocx
2008-07-11 17:23 . 2004-03-09 00:00 212,240 --a------ C:\WINDOWS\SYSTEM32\richtx32.ocx
2008-07-11 17:23 . 2000-05-19 17:56 81,920 --a------ C:\WINDOWS\SYSTEM32\mbmouse.ocx
2008-07-11 17:23 . 2000-11-05 15:27 36,864 --a------ C:\WINDOWS\SYSTEM32\trayicon.ocx
2008-07-11 04:15 . 2008-07-11 04:15 43,698 --a------ C:\WINDOWS\SYSTEM32\xvid-uninstall.exe
2008-07-11 01:57 . 2008-07-11 01:57 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\AVS4YOU
2008-07-11 01:57 . 2008-07-11 01:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-07-11 01:56 . 2008-07-11 22:24 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-07-07 20:19 . 2008-07-07 20:19 563,712 --a------ C:\WINDOWS\SYSTEM32\Redemption.dll
2008-07-07 20:05 . 2008-07-07 20:43 <DIR> d-------- C:\Program Files\doubleTwist
2008-07-03 11:07 . 2008-07-03 11:08 <DIR> d-------- C:\Documents and Settings\Jen\Application Data\Snapfish
2008-07-03 11:00 . 2008-07-03 11:00 <DIR> dr-h----- C:\Documents and Settings\Jen\Application Data\yahoo!
2008-07-03 10:55 . 2008-07-03 10:55 <DIR> d-------- C:\Documents and Settings\Jen\Application Data\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-03 04:48 --------- d-----w C:\Program Files\QuickTime
2008-08-03 04:48 --------- d-----w C:\Program Files\iTunes
2008-08-03 04:48 --------- d-----w C:\Program Files\Dell Support
2008-08-03 04:48 --------- d-----w C:\Program Files\Dell AIO Printer A920
2008-08-03 01:39 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-08-02 10:39 --------- d-----w C:\Program Files\Soulseek
2008-07-31 02:07 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-07-29 00:28 --------- d-----w C:\Program Files\Trend Micro
2008-07-28 02:55 --------- d-----w C:\Program Files\Enigma Software Group
2008-07-12 02:18 --------- d-----w C:\Documents and Settings\Mike\Application Data\Yahoo!
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-06-14 21:40 --------- d-----w C:\Program Files\MySpace
2008-06-14 10:40 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-06-14 10:40 --------- d-----w C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-06-14 10:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-14 10:39 128,368 ----a-w C:\Program Files\Download_mbam-setup.exe
2008-06-14 10:29 7,652,632 ----a-w C:\Program Files\Free-SpyHunter-Scanner-Install.exe
2008-06-14 04:37 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-13 17:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-06-12 10:05 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-12 10:02 --------- d-----w C:\Documents and Settings\Mike\Application Data\AOL
2008-06-12 10:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-06-12 09:14 636,192 ----a-w C:\Program Files\DMSetup-Serial.exe
2008-06-12 07:26 4,257,184 ----a-w C:\Program Files\registryboosteraff.exe
2008-06-12 07:26 --------- d-----w C:\Documents and Settings\Mike\Application Data\Uniblue
2008-06-12 01:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-11 22:34 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-11 22:33 9,722,720 ----a-w C:\Program Files\spybotsd152.exe
2008-06-11 07:39 --------- d-----w C:\Program Files\DivX
2008-06-03 21:22 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx0c.dll
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx07.dll
2008-05-30 23:22 815,104 ----a-w C:\WINDOWS\SYSTEM32\divx_xx0a.dll
2008-05-30 23:22 802,816 ----a-w C:\WINDOWS\SYSTEM32\divx_xx11.dll
2008-05-30 23:22 683,520 ----a-w C:\WINDOWS\SYSTEM32\DivX.dll
2008-05-30 23:22 593,920 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI11.dll
2008-05-30 23:22 57,344 ----a-w C:\WINDOWS\SYSTEM32\dpv11.dll
2008-05-30 23:22 53,248 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI10.dll
2008-05-30 23:22 344,064 ----a-w C:\WINDOWS\SYSTEM32\dpus11.dll
2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu11.dll
2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu10.dll
2008-05-22 22:22 524,288 ----a-w C:\WINDOWS\SYSTEM32\DivXsm.exe
2008-05-22 22:22 3,596,288 ----a-w C:\WINDOWS\SYSTEM32\qt-dx331.dll
2008-05-22 22:20 200,704 ----a-w C:\WINDOWS\SYSTEM32\ssldivx.dll
2008-05-22 22:20 1,044,480 ----a-w C:\WINDOWS\SYSTEM32\libdivx.dll
2008-05-22 22:19 81,920 ----a-w C:\WINDOWS\SYSTEM32\dpl100.dll
2008-05-22 22:19 196,608 ----a-w C:\WINDOWS\SYSTEM32\dtu100.dll
2008-05-22 22:19 161,096 ----a-w C:\WINDOWS\SYSTEM32\DivXCodecVersionChecker.exe
2008-05-22 22:18 12,288 ----a-w C:\WINDOWS\SYSTEM32\DivXWMPExtType.dll
2008-05-13 08:13 486,108,144 ----a-w C:\Program Files\ADBEPHSPCS3_WWE.exe
2008-05-08 12:28 202,752 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2008-05-05 03:36 304,957 ----a-w C:\Program Files\hjsplit.zip
2008-04-29 04:04 1,071,480 ----a-w C:\Program Files\dBpoweramp-Codec-m4a.exe
2008-03-26 23:37 6,104,632 ----a-w C:\Program Files\picasaweb-current-setup.exe
2008-03-26 23:23 13,445,041 ----a-w C:\Program Files\ps701up.exe
2008-03-13 02:33 90,044,946 ----a-w C:\Program Files\ableton_live_demo_702_en.zip
2008-01-17 23:19 1,958 ----a-w C:\Program Files\AT&T Self Support Tool.lnk
2008-01-17 23:19 1,741 ----a-w C:\Program Files\AT&T Help.lnk
2007-12-25 23:35 54,330,664 ----a-w C:\Program Files\iTunesSetup.exe
2007-12-20 02:08 5,914,648 ----a-w C:\Program Files\SUPERAntiSpyware.exe
2007-10-05 03:35 842,672 ----a-w C:\Program Files\slsk156c.exe
2007-09-30 22:01 6,016,952 ----a-w C:\Program Files\Firefox Setup 2.0.0.7.exe
2007-09-21 07:59 5,651,713 ----a-w C:\Program Files\The-Codecs-5.0.zip
2007-09-21 05:26 23,769,896 ----a-w C:\Program Files\DivXInstaller.exe
2007-06-12 02:57 4,044,152 ----a-w C:\Program Files\dBpoweramp-encoder-helix.exe
2007-06-12 02:52 4,112,760 ----a-w C:\Program Files\dMC-r12[1].1.exe
2007-05-18 23:16 3,362,502 ----a-w C:\Program Files\cxp_free.exe
2007-05-16 04:44 1,055,648 ----a-w C:\Program Files\qmpsetup_win_ie_07010901.exe
2007-04-10 05:52 206,039 ----a-w C:\Program Files\RAR.zip
2007-03-18 05:43 877,976 ----a-w C:\Program Files\7z444.exe
2007-03-18 03:18 1,202,303 ----a-w C:\Program Files\wrar37b4.exe
2007-02-28 00:06 881 ----a-w C:\Program Files\fixreg.zip
2007-02-13 02:57 4,964,776 ----a-w C:\Program Files\Windows-KB890830-V1.24.exe
2006-12-29 04:29 40,409,184 ----a-w C:\Program Files\MIS_9_0_183_1_trial30OEM_Release.exe
2006-12-26 13:22 70,873,480 ----a-w C:\Program Files\tis2007_trial.exe
2006-12-24 11:50 4,813,736 ----a-w C:\Program Files\Windows-KB890830-V1.23.exe
2004-11-07 21:58 0 ----a-w C:\Documents and Settings\Lucy63\4.dat
2004-11-07 21:58 0 ----a-w C:\Documents and Settings\Lucy63\3.dat
2004-11-07 03:56 0 ----a-w C:\Documents and Settings\Jen\4.dat
2004-11-07 03:56 0 ----a-w C:\Documents and Settings\Jen\3.dat
2006-11-22 20:13 104 --sh--w C:\WINDOWS\Microsoft.NET\ergafx.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-12_ 5.21.51.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-03-15 06:04:00 122,933 ----a-w C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
+ 2008-08-02 21:57:45 26,824 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgmfx86.sys
- 2005-09-20 15:32:24 77,824 ----a-w C:\WINDOWS\SYSTEM32\hkcmd.exe
+ 2004-02-10 16:51:30 118,784 ----a-w C:\WINDOWS\SYSTEM32\hkcmd.exe
- 2005-09-20 15:35:40 94,208 ----a-w C:\WINDOWS\SYSTEM32\igfxtray.exe
+ 2004-02-10 16:55:32 155,648 ----a-w C:\WINDOWS\SYSTEM32\igfxtray.exe
+ 2005-05-24 18:27:16 213,048 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 21:47:20 94,208 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 21:49:54 950,272 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-05-29 23:35:11 17,486,968 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
+ 2008-06-25 16:15:46 17,972,344 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
+ 2008-08-03 06:03:30 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_1c8.dat
+ 2008-08-03 06:03:45 40,960 ----a-w C:\WINDOWS\temp\rtdrvmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="1" [X]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-03 15:22 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\System32\igfxtray.exe" [2004-02-10 10:55 155648]
"igfxhkcmd"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-10 10:51 118784]
"igfxpers"="C:\WINDOWS\System32\igfxpers.exe" [2005-09-20 09:36 114688]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-10 20:11 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45 278528]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19 129536]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 07:51 442455]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-02 15:57 1232152]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2004-09-20 10:19:13 36953]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-09-20 10:16:41 24576]
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2008-01-17 17:18:59 217088]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-20 17:39 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"VIDC.HFYU"= huffyuv.dll
"msacm.avis"= ff_acm.acm
"vidc.i263"= C:\WINDOWS\system32\i263_32.drv
"msacm.imc"= C:\WINDOWS\system32\imc32.acm
"vidc.yv12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-02 15:57]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-02 15:57]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-02 15:57]
S1 mssmbioss;mssmbioss;C:\WINDOWS\system32\drivers\mssmbioss.sys []
S2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-02 15:57]
.
Contents of the 'Scheduled Tasks' folder

2008-07-11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-03 00:03:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SYSTEM32\fxssvc.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-08-03 0:14:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-03 06:14:34
ComboFix2.txt 2008-08-03 03:58:11
ComboFix3.txt 2008-08-03 04:57:33
ComboFix4.txt 2008-08-03 03:49:45
ComboFix5.txt 2008-08-03 05:56:15

Pre-Run: 47,473,274,880 bytes free
Post-Run: 47,459,057,664 bytes free

291 --- E O F --- 2008-07-30 04:54:08

#24
MVV (Member, Topic Starter, 87 posts)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:16:51 AM, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\igfxpers.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Trend Micro\HijackThis\Gotcha.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol....83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol....,20/McGDMgr.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7499 bytes

#25
MVV (Member, Topic Starter, 87 posts)
My machine is running pretty well, though I get this warning now when I boot up about a hccutils.DLL.

Also, regarding AVG do I go into the Virus Vault and press empty vault or do I delete the problems individually?
#26
andrewuk (Trusted Helper, Malware Removal, 5,297 posts)

My machine is running pretty well, though I get this warning now when I boot up about a hccutils.DLL.

What does the warning say?

Also, regarding AVG do I go into the Virus Vault and press empty vault or do I delete the problems individually?

You just empty the vault. But let's not do that at the moment, in case it has some false positives in there.

andrewuk

#27
MVV (Member, Topic Starter, 87 posts)

My machine is running pretty well, though I get this warning now when I boot up about a hccutils.DLL.

What does the warning say?

andrewuk


One says:
igfxtray.exe Entry Point not found
The procedure entry point GetHardwareKey could not be located in the dynamic link library hccutils.DLL.

Another one says:
hkcmd.exe Entry Point not found
The procedure entry point ReleaseClassDevice could not be located in the dynamic link library hccutils.DLL.

#28
andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
OK, it looks like AWF could not repair those two files.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Both of those files are related to on board graphics extra controls and are not essential.

Let me know if that solves the problem.

#29
MVV (Member, Topic Starter, 87 posts)
That did the trick, thanks.

Though something else seems to have happened regarding AVG, it says that e-mail scanner is not active, and I can't seem to find where to go to activate it.

#30
andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
First, read this thread here. If that does not work, then look through this here, read through this brief post here and this one here (in the latter one, go to the post from hewee).