ISearch virus? slow computer [CLOSED]


This topic is locked

#1 s56268 (New Member, 6 posts)

Computer has been sluggish the past few days. Have run numerous virus scans on the computer, and no luck at all. Yahoo Scan found ISearch, which it was unable to remove. I have run a HijackThis scan and here are the results. Help would be greatly appreciated!!! Thank you

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:35 PM, on 8/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINNT\System32\CbEvtSvc.exe
C:\WINNT\system32\svchost.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\Notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\.DEFAULT\..\Run: [IEX] C:\WINNT\Prefetch\IEX.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [WinMedia] C:\mt2560.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{F48BB5E6-035F-1033-0307-010713200001}] "C:\Program Files\Common Files\{F48BB5E6-035F-1033-0307-010713200001}\Update.exe" mc-110-12-0000488 (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.00.0001.1203\en-us\msntb.dll/search.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINNT\system32\shdocvw.dll (HKCU)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - http://h30155.www3.h...llMgr_v01_6.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - http://testcam.compu...activex/AMC.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nu.../FIX/WinATS.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} - https://echat.us.del...t/TLIEFlash.CAB
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn....FreeInstall.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc01.cus...l/java/RntX.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CbEvtSvc (cbevtsvc) - Unknown owner - C:\WINNT\System32\CbEvtSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Microsoft NetWork FireWall Services - Unknown owner - NetServices.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Print Spooler Service (SpoolSvc212) - Unknown owner - C:\WINNT\system32\sklrr7yuohbuojdyt.exe (file missing)
O23 - Service: Service Logon Protocol (SVSLOG) - Unknown owner - C:\WINNT\svslogon.exe (file missing)

--
End of file - 7192 bytes
#2 miekiemoes (Malware Expert, MVP, 5,503 posts)

Hi,

First of all, uninstall McAfee, because I am sure that it hasn't been updated in months, most probably because you are running an outdated trial (the malware/backdoor that is present and running should be removed/deleted easily by McAfee).

Reboot after uninstalling McAfee. Important!
After reboot, please install Avira Antivirus: http://www.free-av.com/

Perform a full scan with Avira and let it delete everything it finds.
Then reboot.
After reboot, open Avira and select "Reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply, together with a new HijackThis log.

Edited by miekiemoes, 09 August 2008 - 07:39 AM.


#3 s56268 (Topic Starter, New Member, 6 posts)

OK, I uninstalled McAfee and downloaded Avira. Computer seems to be doing a little better. Here is the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:40 PM, on 8/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\.DEFAULT\..\Run: [IEX] C:\WINNT\Prefetch\IEX.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [WinMedia] C:\mt2560.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{F48BB5E6-035F-1033-0307-010713200001}] "C:\Program Files\Common Files\{F48BB5E6-035F-1033-0307-010713200001}\Update.exe" mc-110-12-0000488 (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.00.0001.1203\en-us\msntb.dll/search.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINNT\system32\shdocvw.dll (HKCU)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - http://h30155.www3.h...llMgr_v01_6.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - http://testcam.compu...activex/AMC.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nu.../FIX/WinATS.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} - https://echat.us.del...t/TLIEFlash.CAB
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn....FreeInstall.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc01.cus...l/java/RntX.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (antivirscheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CbEvtSvc (cbevtsvc) - Unknown owner - C:\WINNT\System32\CbEvtSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Microsoft NetWork FireWall Services - Unknown owner - NetServices.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Print Spooler Service (SpoolSvc212) - Unknown owner - C:\WINNT\system32\sklrr7yuohbuojdyt.exe (file missing)
O23 - Service: Service Logon Protocol (SVSLOG) - Unknown owner - C:\WINNT\svslogon.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 7134 bytes

#4 miekiemoes (Malware Expert, MVP, 5,503 posts)

Hi,

Please uninstall the ZoneAlarm Spy Blocker Toolbar via Add/Remove Programs, since this toolbar is not recommended.

Then,


* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: ZoneAlarm Spy Blocker BHO - {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKUS\.DEFAULT\..\Run: [IEX] C:\WINNT\Prefetch\IEX.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [WinMedia] C:\mt2560.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{F48BB5E6-035F-1033-0307-010713200001}] "C:\Program Files\Common Files\{F48BB5E6-035F-1033-0307-010713200001}\Update.exe" mc-110-12-0000488 (User 'Default user')
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINNT\system32\shdocvw.dll (HKCU)
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nu.../FIX/WinATS.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn....FreeInstall.cab
O23 - Service: CbEvtSvc (cbevtsvc) - Unknown owner - C:\WINNT\System32\CbEvtSvc.exe (file missing)
O23 - Service: Microsoft NetWork FireWall Services - Unknown owner - NetServices.exe (file missing)
O23 - Service: Print Spooler Service (SpoolSvc212) - Unknown owner - C:\WINNT\system32\sklrr7yuohbuojdyt.exe (file missing)
O23 - Service: Service Logon Protocol (SVSLOG) - Unknown owner - C:\WINNT\svslogon.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then, go to Start > Run and copy and paste the next commands in the field (one by one), hitting Enter after each:

sc delete cbevtsvc

sc delete "Microsoft NetWork FireWall Services"

sc delete SpoolSvc212

sc delete SVSLOG

A DOS prompt will flash briefly - this is normal. Then...

* Download SDFix and save it to your Desktop.

* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

* Reboot into Safe Mode (without networking support!)
To get into Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Can you also do this, as I asked?

After reboot, open Avira and select "Reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply, together with a new HijackThis log.


Edited by miekiemoes, 10 August 2008 - 12:28 AM.

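The entries the expert picked out above follow a few rules that a reader can apply to any HijackThis log: O23 services whose binary is gone ("(file missing)") or whose file has no company name in its version info ("Unknown owner"); O4 autoruns whose program sits in a drive root or under Prefetch, or that live in the Policies\Explorer\Run key; and R0/R1 search settings that point at a host other than the one the user chose. The script below is an added example, not code from the thread, from HijackThis, or from SDFix. The rule set is my own reading of the thread rather than a HijackThis feature, and the sample log is constructed from lines quoted in the second log above (the ellipses in the URLs are the forum's own truncation).

```python
"""Triage of a HijackThis v2 log (added example, not from the thread)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: lines copied from the thread's second HijackThis log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKUS\.DEFAULT\..\Run: [IEX] C:\WINNT\Prefetch\IEX.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [WinMedia] C:\mt2560.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{F48BB5E6-035F-1033-0307-010713200001}] "C:\Program Files\Common Files\{F48BB5E6-035F-1033-0307-010713200001}\Update.exe" mc-110-12-0000488 (User 'Default user')
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CbEvtSvc (cbevtsvc) - Unknown owner - C:\WINNT\System32\CbEvtSvc.exe (file missing)
O23 - Service: Microsoft NetWork FireWall Services - Unknown owner - NetServices.exe (file missing)
O23 - Service: Print Spooler Service (SpoolSvc212) - Unknown owner - C:\WINNT\system32\sklrr7yuohbuojdyt.exe (file missing)
O23 - Service: Service Logon Protocol (SVSLOG) - Unknown owner - C:\WINNT\svslogon.exe (file missing)
"""

@dataclass
class Finding:
    line: str
    reasons: list

# O4 - <hive>\..\<key>: [<name>] <command> (User '<user>')   (user part optional)
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] ?"
    r"(?P<cmd>.*?)\s*(?:\(User '(?P<user>[^']*)'\))?$")
R_RE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<url>\S+)$")
POLICY_RUN_KEY = "Policies\\Explorer\\Run"   # assumed suspicious: a Group Policy autorun key

def executable_path(cmd):
    """Program path inside a Run value: the quoted part, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]

def triage_o4(line):
    m = O4_RE.match(line)
    if not m:
        return None
    exe = executable_path(m["cmd"])
    directory = exe.rsplit("\\", 1)[0] if "\\" in exe else ""
    reasons = []
    if re.fullmatch(r"[A-Za-z]:", directory):
        reasons.append("runs from drive root")
    if "\\prefetch\\" in exe.lower():
        reasons.append("runs from Prefetch, a cache directory no program installs to")
    if m["key"] == POLICY_RUN_KEY:
        reasons.append("Group Policy Run key, unusual for an ordinary install")
    return Finding(line, reasons) if reasons else None

def triage_o23(line):
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return None
    body = line[len(prefix):]
    missing = body.endswith(" (file missing)")
    if missing:
        body = body[: -len(" (file missing)")]
    parts = body.rsplit(" - ", 2)          # display name, owner, image path
    if len(parts) != 3:
        return None
    _display, owner, _path = parts
    reasons = []
    if missing:
        reasons.append("service still registered but its binary is gone")
    if owner == "Unknown owner":
        reasons.append("binary has no company name in its version info")
    return Finding(line, reasons) if reasons else None

def search_hosts(log):
    """Map each host named in an R0/R1 entry to the settings that use it."""
    hosts = {}
    for line in log.splitlines():
        m = R_RE.match(line.strip())
        if m:
            host = urlsplit(m["url"]).hostname or m["url"]
            hosts.setdefault(host, []).append(m["key"])
    return hosts

def triage(log):
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        f = triage_o4(line) if line.startswith("O4 ") else triage_o23(line)
        if f:
            findings.append(f)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line, "\n    ->", "; ".join(f.reasons))
    print("search/start-page hosts:", search_hosts(SAMPLE_LOG))
```

On the sample it flags exactly the three O4 entries and four O23 services the expert checked, and leaves the Avira, Apple, DWQueuedReporting and RunOnce lines alone. Treat the output as triage hints, not verdicts: "Unknown owner" alone would also flag the legitimate McShield entry in the first log, and a hidden driver service such as the 6e5d5416 key that catchme later reports in this thread never appears in a HijackThis log at all.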

#5 s56268 (Topic Starter, New Member, 6 posts)

miekiemoes,

Thanks for all the help! I really appreciate all the tools and tips you have advised me to use. Here are the Report.txt results:


SDFix: Version 1.215
Run by Bo Sammons on Mon 08/11/2008 at 09:28 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\CHPPPEV.EXE - Deleted
C:\EYEIFP.EXE - Deleted
C:\EYXBF.EXE - Deleted
C:\IGDEVY.EXE - Deleted
C:\JCRC.EXE - Deleted
C:\RRIVPC.EXE - Deleted
C:\XAEYHOTL.EXE - Deleted
C:\XUGXEWHP.EXE - Deleted
C:\b2_log.txt - Deleted
C:\uniq - Deleted
Removing Temp Files

ADS Check :
Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-11 21:44:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6e5d5416]
"ImagePath"="\SystemRoot\System32\drivers\6e5d5416.sys"
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\6e5d5416]
"ImagePath"="\SystemRoot\System32\drivers\6e5d5416.sys"
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :
Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 19 Jan 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 25 Nov 2004 23,552 A..H. --- "C:\Documents and Settings\Bo Sammons\Desktop\~WRL1350.tmp"
Sun 26 Oct 2003 33,280 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL0002.tmp"
Tue 25 Mar 2003 25,600 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL0003.tmp"
Sun 14 Dec 2003 34,304 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL0004.tmp"
Fri 16 Apr 2004 42,496 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL0005.tmp"
Fri 24 Sep 2004 22,016 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL0006.tmp"
Fri 8 Oct 2004 25,600 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL0007.tmp"
Fri 28 Oct 2005 24,064 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL0008.tmp"
Sat 23 Oct 2004 20,992 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL0178.tmp"
Sun 28 Oct 2007 30,208 ...H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL0523.tmp"
Sat 26 Nov 2005 38,912 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL0542.tmp"
Sat 23 Oct 2004 21,504 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL0636.tmp"
Fri 16 Apr 2004 25,600 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL0670.tmp"
Fri 24 Sep 2004 25,600 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL0719.tmp"
Sun 16 Apr 2006 22,016 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL0783.tmp"
Sun 28 Oct 2007 30,720 ...H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL0825.tmp"
Sat 24 Apr 2004 38,400 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL1055.tmp"
Thu 12 Jan 2006 24,064 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL1194.tmp"
Sun 5 Aug 2007 22,016 ...H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL1260.tmp"
Sat 25 Mar 2006 41,984 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL1328.tmp"
Fri 16 Apr 2004 32,256 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL1342.tmp"
Sun 28 Oct 2007 29,696 ...H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL1371.tmp"
Fri 16 Apr 2004 31,744 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL1774.tmp"
Sun 14 Dec 2003 31,232 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL1905.tmp"
Sat 24 Apr 2004 39,936 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL1906.tmp"
Sun 20 Nov 2005 39,936 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL1955.tmp"
Sun 14 Dec 2003 31,232 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL2188.tmp"
Sun 14 Dec 2003 33,792 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL2476.tmp"
Wed 26 Sep 2007 26,112 ...H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL2480.tmp"
Mon 30 Apr 2007 26,112 ...H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL3211.tmp"
Sat 26 Nov 2005 40,448 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL3226.tmp"
Sat 20 Oct 2007 25,088 ...H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL3259.tmp"
Sun 28 Oct 2007 30,720 ...H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL3551.tmp"
Sun 14 Dec 2003 34,816 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL3559.tmp"
Mon 30 Apr 2007 24,064 ...H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL3577.tmp"
Sun 16 Apr 2006 39,424 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL3651.tmp"
Sat 23 Oct 2004 29,184 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL3680.tmp"
Sat 26 Nov 2005 23,040 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL3715.tmp"
Wed 2 Nov 2005 21,504 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL3720.tmp"
Sun 14 Dec 2003 31,744 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL3741.tmp"
Sat 26 Nov 2005 38,912 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL3750.tmp"
Sat 24 Apr 2004 38,400 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL3798.tmp"
Sun 28 Oct 2007 30,720 ...H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL3965.tmp"
Sat 26 Nov 2005 38,400 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL3976.tmp"
Sat 26 Nov 2005 40,960 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\~WRL3989.tmp"
Sun 17 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
Thu 31 Jan 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\bc066f3f60df1b38218903dd0d40ce98\BITC.tmp"
Sat 19 Jul 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT32.tmp"
Thu 19 Jan 2006 4,348 ...H. --- "C:\Documents and Settings\Bo Sammons\My Documents\My Music\License Backup\drmv1key.bak"
Tue 29 Aug 2006 20 A..H. --- "C:\Documents and Settings\Bo Sammons\My Documents\My Music\License Backup\drmv1lic.bak"
Fri 18 Aug 2006 400 A.SH. --- "C:\Documents and Settings\Bo Sammons\My Documents\My Music\License Backup\drmv2key.bak"
Fri 4 May 2007 5,225 A.SH. --- "C:\Documents and Settings\Bo Sammons\Application Data\Roxio\Dragon\DiscInfoCache\SONY_____CD-RW__CRX215E1__SYS2_300_DICV018_DRGV2050108.TMP"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS01A57451-BD79-4ED1-B98D-596B8B0DDCC9.tmp"
Sat 5 May 2007 100 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS045A3A0E-507A-4A4A-ADB0-C1BB479B9124.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS043306F8-DEFE-481C-B511-22659133228D.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS064090D1-C7B8-4115-9856-D5D5FA8CDF67.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS099CC00F-44F7-4772-A2E7-BA4F5BC25469.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS12881F91-98A4-4A39-B5E3-D7805531B25D.tmp"
Sat 5 May 2007 966 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS136EEC1A-A590-499F-81DC-A15539E30CC5.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS130D7EA7-C4FE-4214-B8D3-8EBDD30ABE83.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS16693E06-C9FE-4FBD-8367-E9E7440DC27E.tmp"
Sat 5 May 2007 38 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1E7CE837-5A69-4932-A84D-E3661E6F4AE1.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1E3C7755-2302-442B-809B-5A0AF5458623.tmp"
Sat 5 May 2007 14 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS20C01C2E-34EE-4BA3-A864-04441909923F.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS20CF36CA-01E5-409C-A8F9-A9D5682C0682.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS22AD7A50-CDBC-4084-8299-97C79ED1639D.tmp"
Sat 5 May 2007 44 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS30A6CE77-79B3-4EA6-BF50-399D5E5493AD.tmp"
Sat 5 May 2007 100 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS31ECA65A-973C-442A-9376-958B3756C47F.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS34E6799E-3403-4A65-9E6D-D283AA16C805.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS373974B2-8FDB-4C0D-B5F4-FFFBF7027967.tmp"
Sat 5 May 2007 124 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS40C65501-F876-41CC-A56D-77CF0C3BA1AA.tmp"
Sat 5 May 2007 710 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4151322F-8A93-4D23-8289-CDC0ABCFF621.tmp"
Sat 5 May 2007 682 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS46C1C45A-D998-4374-ACD4-41150D9F15FD.tmp"
Sat 5 May 2007 44 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS494C28EC-4664-4F72-9475-C9BCEBDA62A2.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4C077889-FD6E-49C8-AA70-BE83E49A46C9.tmp"
Sat 5 May 2007 100 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4E5CBBBA-BF3E-4B02-9647-97E64DBE2EBD.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS52A84A0F-A6EE-441D-A219-916FB4C1C448.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5C134AFC-645F-437B-86FE-07D0C70651F9.tmp"
Sat 5 May 2007 896 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5C9403E7-389A-4241-A5E2-F37DCCE86A3A.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5CE4364A-8425-407E-A0DE-68E3F12006B1.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5DAD0193-F140-4866-9C10-0D86E729CBAE.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5EF91174-B4CE-44A8-90B0-6F0BF96525C2.tmp"
Sat 5 May 2007 42 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS68AF31D1-90E0-47F6-A4A8-092999527833.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS68620966-6786-4CFA-BB1B-0AE1C9096137.tmp"
Sat 5 May 2007 162 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6AE512E7-886D-46E8-ACBB-77BC65EFD708.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6C441D92-4BB7-474E-9DED-BA43C4832A1B.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6EC2577A-7383-4EB8-BE47-1B8911181287.tmp"
Sat 5 May 2007 114 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS78F05AA3-BDAC-444C-A0B1-968436CA0EF8.tmp"
Sat 5 May 2007 120 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS81FA5B5E-639E-4114-A1D0-BC2133E83107.tmp"
Sat 5 May 2007 120 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS85A52B4A-D5C9-4C6B-A046-40AF80D3BE00.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS86A4B530-998D-4124-8F5B-51524B9C7BC8.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS889D26BF-7915-4284-827E-2F8C0612086D.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS8B009B69-0BAB-4BF0-BCFF-B1A7625B7F8A.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9B2DD52D-27D4-46B5-9220-06CF0688E7E8.tmp"
Sat 5 May 2007 102 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9ECEE263-8833-469E-9877-19E1183B14A6.tmp"
Sat 5 May 2007 118 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9E95A400-014B-4AFE-86AB-BBEA71BFE6EE.tmp"
Sat 5 May 2007 136 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSAC54B034-472F-4CF5-BCD1-7786DB8F0777.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB2638B06-2E3C-4F48-A5A5-1FD785A81378.tmp"
Sat 5 May 2007 854 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB3447BB6-97F0-44BE-B6B9-D11D21A014C1.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB7D3FB8D-6ABD-4647-AA86-EEF01527140E.tmp"
Sat 5 May 2007 686 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB8A9232A-4EC2-4166-AB6A-DAE03F7A4F69.tmp"
Sat 5 May 2007 44 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSBA24D3FF-B506-4727-86E4-704F036A1119.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSBBCA9404-BD00-4BD0-AD93-2F6C0F8FD9B7.tmp"
Sat 5 May 2007 812 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSBEB197DC-A7A2-40A0-81C9-7709C4A1E600.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSBE8C2FCF-87A9-4E5A-A2E9-D25C5449656B.tmp"
Sat 5 May 2007 26 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC4877602-3067-4A00-8575-5164D4CB7E2D.tmp"
Sat 5 May 2007 46 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC5772311-5400-4015-ACB5-83D44D4BC7A5.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC5E372BB-886C-4786-9B2C-E11E55331824.tmp"
Sat 5 May 2007 68 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC60B3AA3-5C4F-471C-9844-E31ACC28420F.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC82B799C-FF5C-4989-BB91-08B204AF12FD.tmp"
Sat 5 May 2007 96 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSCE0F3DED-7287-4CE5-95D1-487956F3CE21.tmp"
Sat 5 May 2007 652 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD3CEFE1B-A81D-4378-AF2C-CF6AA7DEAF68.tmp"
Sat 5 May 2007 854 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD4B61C08-530A-4877-95ED-79F9AD0ABBFA.tmp"
Sat 5 May 2007 1,026 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSDA361BF6-CF1A-4447-BC29-514C7F1FEB79.tmp"
Sat 5 May 2007 724 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSDEA6479F-DD69-468D-BC9A-E7993018BCA8.tmp"
Sat 5 May 2007 1,134 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE1257C11-1448-4B17-8C8E-C3E7DFF15B29.tmp"
Sat 5 May 2007 714 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE7D7A989-EDAC-4CC5-9F34-EE651F7E67E0.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSF0156EEC-A039-4C01-A44C-01A01EF96A4F.tmp"
Sat 5 May 2007 26 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSF3E84FD7-5686-4178-873D-33B570C1F6CB.tmp"
Sat 5 May 2007 682 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSFE5FCAE2-CBB0-4808-9A67-CBB2F4412E6E.tmp"
Sat 5 May 2007 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSFFDDC119-E6AF-44DE-8E6E-9321421961B4.tmp"
Wed 24 Oct 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Wed 24 Oct 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Wed 24 Oct 2007 8 A..H. --- "C:\Documents and Settings\Bo Sammons\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Wed 24 Oct 2007 8 A..H. --- "C:\Documents and Settings\Bo Sammons\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Wed 24 Oct 2007 8 A..H. --- "C:\Documents and Settings\Jake\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Wed 24 Oct 2007 8 A..H. --- "C:\Documents and Settings\Jake\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"

Finished!

HERE ARE THE RESULTS OF THE AVIRA SCAN:

Avira AntiVir Personal
Report file date: Saturday, August 09, 2008 21:18

Scanning for 1542141 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: BOSAMMONS

Version information:
BUILD.DAT : 8.1.0.326 16933 Bytes 7/11/2008 12:57:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 6/26/2008 14:57:53
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 13:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 18:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 13:58:52
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 16:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 6/24/2008 19:54:15
ANTIVIR2.VDF : 7.0.5.207 2316800 Bytes 8/4/2008 01:15:58
ANTIVIR3.VDF : 7.0.5.235 160256 Bytes 8/9/2008 01:16:00
Engineversion : 8.1.1.19
AEVDF.DLL : 8.1.0.5 102772 Bytes 7/9/2008 14:46:50
AESCRIPT.DLL : 8.1.0.63 311673 Bytes 8/10/2008 01:16:09
AESCN.DLL : 8.1.0.23 119156 Bytes 8/10/2008 01:16:08
AERDL.DLL : 8.1.0.20 418165 Bytes 7/9/2008 14:46:50
AEPACK.DLL : 8.1.2.1 364917 Bytes 8/10/2008 01:16:08
AEOFFICE.DLL : 8.1.0.21 192891 Bytes 8/10/2008 01:16:06
AEHEUR.DLL : 8.1.0.47 1368437 Bytes 8/10/2008 01:16:05
AEHELP.DLL : 8.1.0.15 115063 Bytes 7/9/2008 14:46:50
AEGEN.DLL : 8.1.0.35 315764 Bytes 8/10/2008 01:16:03
AEEMU.DLL : 8.1.0.7 430452 Bytes 8/10/2008 01:16:02
AECORE.DLL : 8.1.1.8 172406 Bytes 8/10/2008 01:16:01
AEBB.DLL : 8.1.0.1 53617 Bytes 4/24/2008 14:50:42
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 14:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 15:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 8/10/2008 01:16:00
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 17:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 14:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 18:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 23:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 18:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 18:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 19:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 19:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Saturday, August 09, 2008 21:18

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'CCleaner.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'mdm.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'CbEvtSvc.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\WINNT\System32\CbEvtSvc.exe'
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'Lexpps.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'LexBceS.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
Process 'CbEvtSvc.exe' has been terminated
C:\WINNT\System32\CbEvtSvc.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48e3425e.qua'!

32 processes with 31 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.

The registry was scanned ( '53' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\bootlogging.exe
[0] Archive type: RAR SFX (self extracting)
--> winupdate32.exe
[DETECTION] Is the TR/Stpage.CK Trojan
[NOTE] The file was moved to '490d4289.qua'!
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\pendrive.com
[DETECTION] Is the TR/Dldr.Adload.CW.4 Trojan
[NOTE] The file was moved to '490c4281.qua'!
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Quarantine\{00004422-0000-0000-FB69-153C00ED0A18}\DATA.CAB
[0] Archive type: CAB (Microsoft)
--> RESOURCE1
[1] Archive type: HIDDEN
--> MEM\AV00000722.AV$
[DETECTION] Contains recognition pattern of the DR/SideFind.A.1 dropper
[NOTE] The file was moved to '48f242d8.qua'!
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2QCJB4MR\criticalsystems[1].zip
[0] Archive type: RAR SFX (self extracting)
--> winupdate32.exe
[DETECTION] Is the TR/Stpage.CK Trojan
[NOTE] The file was moved to '4907463a.qua'!
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\43CJEOKS\121[1].avi
[DETECTION] Is the TR/Tclock.A.1 Trojan
[NOTE] The file was moved to '48cf45ff.qua'!
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\43CJEOKS\121[1].net
[DETECTION] Contains a recognition pattern of the (harmful) BDS/TclockBased.A back-door program
[NOTE] The file was moved to '48cf4600.qua'!
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\43CJEOKS\pendb[1].zip
[DETECTION] Is the TR/Dldr.Adload.CW.4 Trojan
[NOTE] The file was moved to '490c4635.qua'!
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\IETPLK5A\pendb[1].zip
[DETECTION] Is the TR/Dldr.Adload.CW.4 Trojan
[NOTE] The file was moved to '490c4638.qua'!
C:\Documents and Settings\Jake\Local Settings\Temp\b125.exe
[DETECTION] Contains recognition pattern of the DR/SaveNow.BJ dropper
[NOTE] The file was moved to '48d0464d.qua'!
C:\Documents and Settings\Jake\Local Settings\Temporary Internet Files\Content.IE5\2QCJB4MR\125[1].net
[DETECTION] Contains recognition pattern of the DR/SaveNow.BJ dropper
[NOTE] The file was moved to '48d34656.qua'!
C:\Documents and Settings\Jake\Local Settings\Temporary Internet Files\Content.IE5\2QCJB4MR\criticalsystems[1].zip
[0] Archive type: RAR SFX (self extracting)
--> winupdate32.exe
[DETECTION] Is the TR/Stpage.CK Trojan
[NOTE] The file was moved to '490746a5.qua'!
C:\Documents and Settings\Jake\Local Settings\Temporary Internet Files\Content.IE5\43CJEOKS\121[1].avi
[DETECTION] Is the TR/Tclock.A.1 Trojan
[NOTE] The file was moved to '48cf467b.qua'!
C:\Documents and Settings\Jake\Local Settings\Temporary Internet Files\Content.IE5\43CJEOKS\121[1].net
[DETECTION] Contains a recognition pattern of the (harmful) BDS/TclockBased.A back-door program
[NOTE] The file was moved to '48cf467d.qua'!
C:\Documents and Settings\Jake\Local Settings\Temporary Internet Files\Content.IE5\43CJEOKS\pendb[1].zip
[DETECTION] Is the TR/Dldr.Adload.CW.4 Trojan
[NOTE] The file was moved to '490c46c9.qua'!
C:\Documents and Settings\Jake\Local Settings\Temporary Internet Files\Content.IE5\IETPLK5A\pendb[1].zip
[DETECTION] Is the TR/Dldr.Adload.CW.4 Trojan
[NOTE] The file was moved to '490c46e4.qua'!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2KC9B3XF\sss[1].htm
[DETECTION] Is the TR/Hijack.Explor.4998 Trojan
[NOTE] The file was moved to '4911472a.qua'!
C:\Documents and Settings\Rachel\Local Settings\Temp\aupd.exe
[DETECTION] Contains recognition pattern of the DR/EZula.CI.1 dropper
[NOTE] The file was moved to '490e4753.qua'!
C:\Documents and Settings\Rachel\Local Settings\Temporary Internet Files\Content.IE5\589WRZD2\CC[1].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '48f9473c.qua'!
C:\Documents and Settings\Rachel\Local Settings\Temporary Internet Files\Content.IE5\DWQEHJCM\ad_1.80[1].exe
[DETECTION] Contains recognition pattern of the DR/EZula.CI.1 dropper
[NOTE] The file was moved to '48fd4774.qua'!
C:\Documents and Settings\Rachel\Local Settings\Temporary Internet Files\Content.IE5\DWQEHJCM\popup[1].htm
[DETECTION] Contains recognition pattern of the EXP/Agent.B exploit
[NOTE] The file was moved to '490e478f.qua'!
C:\Documents and Settings\Rachel\Local Settings\Temporary Internet Files\Content.IE5\DWQEHJCM\P[1].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '48cf477b.qua'!
C:\Documents and Settings\Rachel\Local Settings\Temporary Internet Files\Content.IE5\SB3KP7KR\deliver46860[2].htm
[DETECTION] Contains recognition pattern of the EXP/Mhtl.SDI exploit
[NOTE] The file was moved to '490a4799.qua'!
C:\Documents and Settings\Rachel\Local Settings\Temporary Internet Files\Content.IE5\TAT0J1LQ\SR[1].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '48f947b0.qua'!
C:\Documents and Settings\Rachel\Local Settings\Temporary Internet Files\Content.IE5\TAT0J1LQ\SZ[1].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '48f947b9.qua'!
C:\Program Files\Common Files\ummq\ummqd\vocabulary
[DETECTION] Is the TR/Dldr.TSUpdate.J Trojan
[NOTE] The file was moved to '49014904.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0CE20647.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0CE20647.exe
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48e34b66.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0CE95A40.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0CE95A40.exe
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48e34b67.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0CEC043D.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0CEC043D.exe
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48e34b68.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0CF35835.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0CF35835.exe
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48e44b69.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0CF60232.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0CF60232.exe
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48e44b6a.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0CF92C2E
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0CF92C2E
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '4965c88b.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0CFC562B
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0CFC562B
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48e44b6b.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D000027
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D000027
[DETECTION] Is the TR/Dldr.ABT Trojan
[NOTE] The file was moved to '48ce4b6c.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D000027.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D000027.exe
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48ce4b6d.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D032A23.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D032A23.exe
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '494fc88e.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D097E1C.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D097E1C.exe
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48ce4b6e.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D0D2819.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D0D2819.exe
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48ce4b6f.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D105215.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D105215.exe
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48cf4b6f.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D137C12.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D137C12.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48cf4b70.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D17260E.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D17260E.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '49441539.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D1A500A.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D1A500A.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48cf4b72.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D202403
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D202403
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48d04b71.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D244E00.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D244E00.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '495b153a.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D2777FC.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D2777FC.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48d04b73.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D2D4BF5
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D2D4BF5
[DETECTION] Is the TR/Dldr.Qoologic.R Trojan
[NOTE] The file was moved to '48d04b72.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D2D4BF5.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D2D4BF5.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '495b153b.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D3175F1.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D3175F1.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48d14b72.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D3749EA.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D3749EA.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48d14b73.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D3A73E6.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D3A73E6.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '495a153c.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D4147DF.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D4147DF.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48d24b73.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D4471DC.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D4471DC.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48d24b74.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D4B45D4.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D4B45D4.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '4959153d.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D4E6FD1.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D4E6FD1.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48d24b75.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D5119CD.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D5119CD.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48d34b75.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D5543CA.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D5543CA.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '4958153e.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D586DC6.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D586DC6.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48d34b76.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D5B17C2.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D5B17C2.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '4958153f.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D626BBB
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D626BBB
[DETECTION] Is the TR/Click.Small.ET.1 Trojan
[NOTE] The file was moved to '48d44b77.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D626BBB.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D626BBB.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '495f1530.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D6515B8.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D6515B8.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48d44b79.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D683FB4.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D683FB4.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '495f1532.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D6B69B0.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D6B69B0.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48d44b78.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D723DA9.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D723DA9.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48d54b78.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D7C3B9F.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D7C3B9F.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '495e1531.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D820F97.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D820F97.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48d64b79.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D896390.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D896390.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '495d1532.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D936185
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D936185
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48d74b79.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D960B82.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D960B82.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48d74b7a.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D99357E.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D99357E.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '495c1533.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D9C5F7B.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D9C5F7B.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48d74b7c.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DA33373
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DA33373
[DETECTION] Is the TR/Click.Small.ET.1 Trojan
[NOTE] The file was moved to '48df4b7b.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DA33373.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DA33373.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '49541534.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DA5637C.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DA5637C.exe
[DETECTION] Is the TR/Dldr.1296 Trojan
[NOTE] The file was moved to '48df4b7c.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DAA076C.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DAA076C.exe
[DETECTION] Contains recognition pattern of the DR/Small.OF.F dropper
[NOTE] The file was moved to '49541535.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DAD3169.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DAD3169.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48df4b7d.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DB05B65.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DB05B65.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48e04b7d.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DB30561.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DB30561.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '496b1536.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DB72F5E.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DB72F5E.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48e04b7e.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DBD0357.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DBD0357.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '496b1537.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DC02D53.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DC02D53.asq
[DETECTION] Is the TR/Dldr.Qoologi.I.4 Trojan
[NOTE] The file was moved to '48e14b7e.qua'!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DC4574F.asq
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\N
  • 0

#6
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Hi,

What a mess :)

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
  • 0

#7
s56268

    New Member

  • Topic Starter
  • Member
  • 6 posts
Hey,

I have run ComboFix and here are the results of the log/scan, along with the new HijackThis log:

ComboFix 08-08-12.01 - Bo Sammons 2008-08-12 20:07:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.58 [GMT -4:00]
Running from: C:\Documents and Settings\Bo Sammons\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bo Sammons\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Bo Sammons\Application Data\macromedia\Flash Player\#SharedObjects\3J8PHW6U\interclick.com
C:\Documents and Settings\Bo Sammons\Application Data\macromedia\Flash Player\#SharedObjects\3J8PHW6U\interclick.com\ud.sol
C:\Documents and Settings\Bo Sammons\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Bo Sammons\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Bo Sammons\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\Jake\Application Data\NetMon
C:\Documents and Settings\Jake\Application Data\NetMon\domains.txt
C:\Documents and Settings\Jake\Application Data\NetMon\log.txt
C:\Documents and Settings\Rachel\Application Data\NetMon
C:\Documents and Settings\Rachel\Application Data\NetMon\domains.txt
C:\Documents and Settings\Rachel\Application Data\NetMon\log.txt
C:\Program Files\Common Files\{F48BB~1
C:\Program Files\Common Files\{F48BB~2
C:\Program Files\Common Files\uninstall information
C:\WINNT\system32\Cache
C:\WINNT\system32\Cache\setup.exe
C:\WINNT\system32\crosof~1.net
C:\WINNT\system32\mdm.exe
C:\WINNT\system32\stem32~1
C:\WINNT\system32\wnsapisu.exe
C:\WINNT\system32\wnsxs~1
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2008-07-13 to 2008-08-13 )))))))))))))))))))))))))))))))
.

2008-08-11 21:23 . 2008-08-11 21:23 <DIR> d-------- C:\WINNT\ERUNT
2008-08-11 20:42 . 2008-08-11 21:50 <DIR> d-------- C:\SDFix
2008-08-11 20:21 . 2008-08-09 21:43 262,144 --a------ C:\Program Files\Uninstall Spy Blocker.dll
2008-08-09 22:53 . 2008-08-12 20:22 1,005,600 --ahs---- C:\WINNT\system32\drivers\fidbox.dat
2008-08-09 22:53 . 2008-08-12 20:20 12,812 --ahs---- C:\WINNT\system32\drivers\fidbox.idx
2008-08-09 21:35 . 2008-08-09 21:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-08-09 21:34 . 2008-08-09 21:43 4,212 ---h----- C:\WINNT\system32\zllictbl.dat
2008-08-09 21:33 . 2008-07-09 09:05 75,248 --a------ C:\WINNT\zllsputility.exe
2008-08-09 21:30 . 2008-08-09 21:34 <DIR> d-------- C:\WINNT\system32\ZoneLabs
2008-08-09 21:30 . 2008-08-09 21:30 <DIR> d-------- C:\Program Files\Zone Labs
2008-08-09 21:30 . 2008-07-09 09:05 1,086,952 --a------ C:\WINNT\system32\zpeng24.dll
2008-08-09 21:29 . 2008-08-12 20:24 352,918 --a------ C:\WINNT\system32\vsconfig.xml
2008-08-09 21:28 . 2008-08-11 22:57 <DIR> d-------- C:\WINNT\Internet Logs
2008-08-09 21:13 . 2008-08-09 21:13 <DIR> d-------- C:\Program Files\Avira
2008-08-09 21:13 . 2008-08-09 21:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-08-08 23:15 . 2008-08-08 23:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-06 22:04 . 2008-08-06 22:05 <DIR> d-------- C:\Program Files\CCleaner
2008-07-30 21:49 . 2008-07-30 21:49 <DIR> d-------- C:\WINNT\system32\Adobe
2008-07-26 19:12 . 2008-08-12 20:29 94,150 --a------ C:\WINNT\system32\drivers\6e5d5416.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 00:59 --------- d-----w C:\Program Files\McAfee.com
2008-08-10 00:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-08-01 03:29 --------- d-----w C:\Program Files\iTube
2008-08-01 03:28 --------- d-----w C:\Program Files\AIM
2008-08-01 03:28 --------- d-----w C:\Documents and Settings\Bo Sammons\Application Data\Aim
2008-08-01 03:27 --------- d-----w C:\Program Files\Common Files\AOL
2008-08-01 03:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-06-29 22:57 --------- d-----w C:\Documents and Settings\Rachel\Application Data\HP
2008-06-29 22:51 --------- d-----w C:\Documents and Settings\Rachel\Application Data\Gtek
2008-06-20 17:41 245,248 ----a-w C:\WINNT\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINNT\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINNT\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINNT\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINNT\system32\drivers\bthport.sys
2008-03-05 02:33 47,920 -c--a-w C:\Documents and Settings\Bo Sammons\Application Data\GDIPFONTCACHEV1.DAT
2003-11-20 03:03 271 -csh--w C:\Program Files\desktop.ini
2003-11-20 03:03 21,952 -c-ha-w C:\Program Files\folder.htt
1998-12-09 02:53 99,840 -c--a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 -c--a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 -c--a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 -c--a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 -c--a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 -c--a-w C:\Program Files\Common Files\IRASRIAL.DLL
1998-08-24 16:09 10,000 -c--a-w C:\WINNT\inf\unregpn.exe
2005-07-29 20:24 472 -csha-r C:\WINNT\Qm8gU2FtbW9ucw\kAf0oZIQvq6RwT.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 14:28 266497]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 04:48 53760 C:\WINNT\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"VIDC.VDOM"= vdowave.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^hp digital imaging monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINNT\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adobe reader speed launcher]
--a--c--- 2007-05-11 03:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adobeupdater]
-ra--c--- 2007-03-01 10:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 08:00 15360 C:\WINNT\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\easylinkadvisor]
--a------ 2007-03-15 18:16 454784 C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hp software update]
--a------ 2006-12-10 21:52 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ituneshelper]
--a------ 2007-11-02 19:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\napstershell]
--a------ 2006-06-29 14:17 319488 C:\Program Files\Napster\napster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\printray]
--a--c--- 2000-08-16 14:08 36864 C:\WINNT\system32\spool\drivers\w32x86\2\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task]
--a------ 2007-10-19 21:16 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\regshave]
-----c--- 2002-02-04 22:32 53248 C:\Program Files\REGSHAVE\REGSHAVE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ysearchprotection]
--a------ 2007-06-08 10:59 224248 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\synchronization manager]
--a--c--- 2004-08-04 08:00 143360 C:\WINNT\system32\mobsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

S3 lne100v5;Linksys LNE100TX(v5) Fast Ethernet Adapter;C:\WINNT\system32\DRIVERS\lne100v5.sys [2001-04-01 15:01]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);C:\WINNT\system32\Drivers\xbreader.sys [2001-01-02 23:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2008-08-06 C:\WINNT\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-RunOnce-^SetupICWDesktop - (no file)
MSConfigStartUp-mcagentexe - c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-mcupdateexe - c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
MSConfigStartUp-mpfexe - C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
MSConfigStartUp-virusscan online - c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
MSConfigStartUp-vsochecktask - c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Bo Sammons\Application Data\Mozilla\Firefox\Profiles\gj362lig.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-12 20:25:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\6e5d5416]
"ImagePath"="\SystemRoot\System32\drivers\6e5d5416.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\LexBceS.exe
C:\WINNT\system32\Lexpps.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-12 20:34:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-13 00:34:35

Pre-Run: 4,439,482,368 bytes free
Post-Run: 4,616,040,448 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

200 --- E O F --- 2008-08-01 07:03:15




Here are the results of the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:39 PM, on 8/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
C:\ViaVoice\Bin\engine.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINNT\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.00.0001.1203\en-us\msntb.dll/search.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - http://h30155.www3.h...llMgr_v01_6.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - http://testcam.compu...activex/AMC.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} - https://echat.us.del...t/TLIEFlash.CAB
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc01.cus...l/java/RntX.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (antivirscheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 5429 bytes
  • 0

#8
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\Program Files\Uninstall Spy Blocker.dll
Folder::
C:\Program Files\McAfee.com
C:\Documents and Settings\All Users\Application Data\McAfee.com
C:\WINNT\Qm8gU2FtbW9ucw
C:\SDFix
Suspect::[8]
C:\WINNT\system32\drivers\6e5d5416.sys


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. * It will create a zipped file on your Desktop - [8]-Submit_Date_Time.zip
* Another file will be present on your desktop: CF-Submit.htm, which will open after you have run ComboFix.
* Where it says "Submit files for further analysis", click OK and a browser window will open. There you'll see "copy/paste filepath into the box & click OK". You'll find the filepath below, so copy and paste this into the above field and click OK.
If the window didn't open, just submit the [8]-Submit_Date_Time.zip file here.

After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
  • 0

#9
s56268

    New Member

  • Topic Starter
  • Member
  • 6 posts
Hey, when I performed what you asked with the Notepad program, I did not get a zipped file on my computer labeled Submit_Date_Time.zip or CFSubmit.htm. But when the computer rebooted, a new log appeared with these results:

ComboFix 08-08-12.01 - Bo Sammons 2008-08-13 16:13:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.57 [GMT -4:00]
Running from: C:\Documents and Settings\Bo Sammons\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bo Sammons\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Program Files\Uninstall Spy Blocker.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\McAfee.com
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Cache\McSubDB.Bak
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\mcifolog.log
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\mcini.ini
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\McSubDB.Dat
C:\Program Files\McAfee.com
C:\Program Files\McAfee.com\Personal Firewall\data\certi.idx
C:\Program Files\McAfee.com\Personal Firewall\data\Dump.ini
C:\Program Files\McAfee.com\Personal Firewall\data\hwcache.xdb
C:\Program Files\McAfee.com\Personal Firewall\data\IpRules.xdb
C:\Program Files\McAfee.com\Personal Firewall\data\log.edb
C:\Program Files\McAfee.com\Personal Firewall\data\mvtx\LS.idx
C:\Program Files\McAfee.com\Personal Firewall\data\mvtx\Whois.idx
C:\Program Files\McAfee.com\Personal Firewall\data\options.idx
C:\Program Files\McAfee.com\Personal Firewall\data\rdns.idx
C:\Program Files\McAfee.com\Personal Firewall\data\summary\appicons\appicon0.bmp
C:\Program Files\McAfee.com\Personal Firewall\data\summary\appicons\appicon1.bmp
C:\Program Files\McAfee.com\Personal Firewall\data\summary\appicons\appicon2.bmp
C:\Program Files\McAfee.com\Personal Firewall\data\summary\appicons\appicon3.bmp
C:\Program Files\McAfee.com\Personal Firewall\data\summary\appicons\appicon4.bmp
C:\Program Files\McAfee.com\Personal Firewall\data\summary\appicons\appicon5.bmp
C:\Program Files\McAfee.com\Personal Firewall\data\summary\appicons\appicon6.bmp
C:\Program Files\McAfee.com\Personal Firewall\data\summary\appicons\appicon7.bmp
C:\Program Files\McAfee.com\Personal Firewall\data\summary\sum_04_hw.htm
C:\Program Files\McAfee.com\Personal Firewall\data\TrafficHist.xdb
C:\Program Files\McAfee.com\Personal Firewall\MpfTrayErrors.txt
C:\Program Files\Uninstall Spy Blocker.dll
C:\SDFix
C:\SDFix\apps\assosfix.reg
C:\SDFix\apps\cliptext.exe
C:\SDFix\apps\download.exe
C:\SDFix\apps\dummy.sys
C:\SDFix\apps\Enable_Command_Prompt.reg
C:\SDFix\apps\ERDNT.E_E
C:\SDFix\apps\ERDNTDOS.LOC
C:\SDFix\apps\ERDNTWIN.LOC
C:\SDFix\apps\ERUNT.EXE
C:\SDFix\apps\ERUNT.LOC
C:\SDFix\apps\fix.reg
C:\SDFix\apps\FixBH.reg
C:\SDFix\apps\FixComponents.reg
C:\SDFix\apps\FIXCU.reg
C:\SDFix\apps\FIXLM.reg
C:\SDFix\apps\FixPath.exe
C:\SDFix\apps\FixRedir.reg
C:\SDFix\apps\FixSchedule.reg
C:\SDFix\apps\FixWebCheck.reg
C:\SDFix\apps\fixXP.reg
C:\SDFix\apps\FixXPsp2.reg
C:\SDFix\apps\grep.exe
C:\SDFix\apps\HaxdFix.reg
C:\SDFix\apps\HPFix.reg
C:\SDFix\apps\HPFix2.reg
C:\SDFix\apps\HPFix3.reg
C:\SDFix\apps\HPFix4.reg
C:\SDFix\apps\HPFix5.reg
C:\SDFix\apps\HPFix6.reg
C:\SDFix\apps\HPFix7.reg
C:\SDFix\apps\HPFix8.reg
C:\SDFix\apps\HPFix9.reg
C:\SDFix\apps\isadmin.exe
C:\SDFix\apps\leg2.txt
C:\SDFix\apps\legacy.txt
C:\SDFix\apps\legacybk.txt
C:\SDFix\apps\locate.com
C:\SDFix\apps\LS.exe
C:\SDFix\apps\MD5File.exe
C:\SDFix\apps\moveex.exe
C:\SDFix\apps\MyGcpvFix.reg
C:\SDFix\apps\MyGkFix2.reg
C:\SDFix\apps\Process.exe
C:\SDFix\apps\procs.exe
C:\SDFix\apps\psservice.exe
C:\SDFix\apps\Rem.txt
C:\SDFix\apps\Rem2.txt
C:\SDFix\apps\Replace\regedit.exe
C:\SDFix\apps\Replace\W2K.exe
C:\SDFix\apps\Replace\w2k\beep.sys
C:\SDFix\apps\Replace\w2k\null.sys
C:\SDFix\apps\Replace\XP.exe
C:\SDFix\apps\Replace\xp\beep.sys
C:\SDFix\apps\Replace\xp\null.sys
C:\SDFix\apps\Reset_AppInit_DLLs.reg
C:\SDFix\apps\RestartIt!.exe
C:\SDFix\apps\Restore_SafeBoot_Windows2000.reg
C:\SDFix\apps\Restore_SafeBoot_WindowsXP_SP2.reg
C:\SDFix\apps\Restore_SafeBoot_WindowsXP_SP3.reg
C:\SDFix\apps\Restore_SecurityCenter.reg
C:\SDFix\apps\Restore_SharedAccess.reg
C:\SDFix\apps\sc.exe
C:\SDFix\apps\sed.exe
C:\SDFix\apps\SF.exe
C:\SDFix\apps\shutdown.exe
C:\SDFix\apps\srv2.txt
C:\SDFix\apps\srv2bk.txt
C:\SDFix\apps\svc.txt
C:\SDFix\apps\svcbk.txt
C:\SDFix\apps\swreg.exe
C:\SDFix\apps\swsc.exe
C:\SDFix\apps\unzip.exe
C:\SDFix\apps\vfind.exe
C:\SDFix\apps\WINMSG.EXE
C:\SDFix\apps\winsec.reg
C:\SDFix\apps\zip.exe
C:\SDFix\backups\backupreg.zip
C:\SDFix\backups\backups.zip
C:\SDFix\backups\catchme.log
C:\SDFix\backups\HOSTS
C:\SDFix\catchme.exe
C:\SDFix\dummy.sys
C:\SDFix\Report.txt
C:\SDFix\RunThis.bat
C:\SDFix\SDFIX_ReadMe_Online.url
C:\SDFix\W2K_VirusAlert_Repair.inf
C:\SDFix\XP_VirusAlert_Repair.inf
C:\WINNT\Qm8gU2FtbW9ucw
C:\WINNT\Qm8gU2FtbW9ucw\kAf0oZIQvq6RwT.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2008-07-13 to 2008-08-13 )))))))))))))))))))))))))))))))
.

2008-08-11 21:23 . 2008-08-11 21:23 <DIR> d-------- C:\WINNT\ERUNT
2008-08-09 22:53 . 2008-08-13 16:37 1,226,784 --ahs---- C:\WINNT\system32\drivers\fidbox.dat
2008-08-09 22:53 . 2008-08-13 16:24 15,428 --ahs---- C:\WINNT\system32\drivers\fidbox.idx
2008-08-09 21:35 . 2008-08-09 21:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-08-09 21:34 . 2008-08-09 21:43 4,212 ---h----- C:\WINNT\system32\zllictbl.dat
2008-08-09 21:33 . 2008-07-09 09:05 75,248 --a------ C:\WINNT\zllsputility.exe
2008-08-09 21:30 . 2008-08-09 21:34 <DIR> d-------- C:\WINNT\system32\ZoneLabs
2008-08-09 21:30 . 2008-08-09 21:30 <DIR> d-------- C:\Program Files\Zone Labs
2008-08-09 21:30 . 2008-07-09 09:05 1,086,952 --a------ C:\WINNT\system32\zpeng24.dll
2008-08-09 21:29 . 2008-08-13 16:27 352,918 --a------ C:\WINNT\system32\vsconfig.xml
2008-08-09 21:28 . 2008-08-13 16:26 <DIR> d-------- C:\WINNT\Internet Logs
2008-08-09 21:13 . 2008-08-09 21:13 <DIR> d-------- C:\Program Files\Avira
2008-08-09 21:13 . 2008-08-09 21:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-08-08 23:15 . 2008-08-08 23:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-06 22:04 . 2008-08-06 22:05 <DIR> d-------- C:\Program Files\CCleaner
2008-07-30 21:49 . 2008-07-30 21:49 <DIR> d-------- C:\WINNT\system32\Adobe
2008-07-26 19:12 . 2008-08-13 16:38 94,150 --a------ C:\WINNT\system32\drivers\6e5d5416.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 20:26 772,930 ----a-w C:\WINNT\Internet Logs\tvDebug.zip
2008-08-01 03:29 --------- d-----w C:\Program Files\iTube
2008-08-01 03:28 --------- d-----w C:\Program Files\AIM
2008-08-01 03:28 --------- d-----w C:\Documents and Settings\Bo Sammons\Application Data\Aim
2008-08-01 03:27 --------- d-----w C:\Program Files\Common Files\AOL
2008-08-01 03:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-06-29 22:57 --------- d-----w C:\Documents and Settings\Rachel\Application Data\HP
2008-06-29 22:51 --------- d-----w C:\Documents and Settings\Rachel\Application Data\Gtek
2008-06-20 10:45 360,320 ----a-w C:\WINNT\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINNT\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINNT\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINNT\system32\drivers\bthport.sys
2008-03-05 02:33 47,920 -c--a-w C:\Documents and Settings\Bo Sammons\Application Data\GDIPFONTCACHEV1.DAT
2003-11-20 03:03 271 -csh--w C:\Program Files\desktop.ini
2003-11-20 03:03 21,952 -c-ha-w C:\Program Files\folder.htt
1998-12-09 02:53 99,840 -c--a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 -c--a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 -c--a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 -c--a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 -c--a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 -c--a-w C:\Program Files\Common Files\IRASRIAL.DLL
1998-08-24 16:09 10,000 -c--a-w C:\WINNT\inf\unregpn.exe
.

((((((((((((((((((((((((((((( [email protected]_20.32.52.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-11 07:12:19 79,412 -c--a-w C:\WINNT\system32\perfc009.dat
+ 2008-08-13 00:46:23 79,412 ----a-w C:\WINNT\system32\perfc009.dat
- 2008-04-11 07:12:19 463,450 -c--a-w C:\WINNT\system32\perfh009.dat
+ 2008-08-13 00:46:23 463,450 ----a-w C:\WINNT\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 14:28 266497]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 04:48 53760 C:\WINNT\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"VIDC.VDOM"= vdowave.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^hp digital imaging monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINNT\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adobe reader speed launcher]
--a--c--- 2007-05-11 03:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adobeupdater]
-ra--c--- 2007-03-01 10:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 08:00 15360 C:\WINNT\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\easylinkadvisor]
--a------ 2007-03-15 18:16 454784 C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hp software update]
--a------ 2006-12-10 21:52 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ituneshelper]
--a------ 2007-11-02 19:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\napstershell]
--a------ 2006-06-29 14:17 319488 C:\Program Files\Napster\napster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\printray]
--a--c--- 2000-08-16 14:08 36864 C:\WINNT\system32\spool\drivers\w32x86\2\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task]
--a------ 2007-10-19 21:16 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\regshave]
-----c--- 2002-02-04 22:32 53248 C:\Program Files\REGSHAVE\REGSHAVE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ysearchprotection]
--a------ 2007-06-08 10:59 224248 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\synchronization manager]
--a--c--- 2004-08-04 08:00 143360 C:\WINNT\system32\mobsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

S3 lne100v5;Linksys LNE100TX(v5) Fast Ethernet Adapter;C:\WINNT\system32\DRIVERS\lne100v5.sys [2001-04-01 15:01]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);C:\WINNT\system32\Drivers\xbreader.sys [2001-01-02 23:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2008-08-13 C:\WINNT\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-13 16:35:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\6e5d5416]
"ImagePath"="\SystemRoot\System32\drivers\6e5d5416.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\LexBceS.exe
C:\WINNT\system32\Lexpps.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
.
**************************************************************************
.
Completion time: 2008-08-13 16:45:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-13 20:45:02
ComboFix2.txt 2008-08-13 00:35:05

Pre-Run: 4,691,058,688 bytes free
Post-Run: 4,704,428,032 bytes free

282 --- E O F --- 2008-08-01 07:03:15

#10
miekiemoes
    Malware Expert, Member, 5,503 posts, MVP
Hi,

Is the zipfile present on your desktop now? If not, then go to this page.
Enter the URL of this thread in the first field.
Where it says "browse to the file that you want to submit", click the Browse button next to it and browse to the next file:

C:\WINNT\system32\drivers\6e5d5416.sys

Select it and click OK.
Then click the Send File button below.
This file is most probably OK though (part of Daemon Tools).

Also, go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

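The ComboFix "Reg Loading Points" section in the log above lists each autostart value as `"name"="path" [date time size]` under its registry key, and each driver/service as `S3 name;description;path [date]`; the one entry miekiemoes asked to have submitted is the service whose name and driver file are a random-looking hex string, 6e5d5416.sys. As an added example, not code from this thread or from ComboFix, here is a small Python parser that reads constructed sample lines copied in that format, extracts the entries, and flags image names that are exactly eight hex characters. The flag is only a cue to submit the file for analysis, as the post above does; it is not a verdict (the post says this particular file is most probably part of Daemon Tools). The hex-name heuristic and the sample lines are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the ComboFix "Reg Loading Points" style (not the
# full log from the thread): Run values, one service line, one driver key.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 14:28 266497]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]

S3 lne100v5;Linksys LNE100TX(v5) Fast Ethernet Adapter;C:\WINNT\system32\DRIVERS\lne100v5.sys [2001-04-01 15:01]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\6e5d5416]
"ImagePath"="\SystemRoot\System32\drivers\6e5d5416.sys"
"""


@dataclass
class AutostartEntry:
    reg_key: str          # registry key the value sits under ("" for service lines)
    name: str             # value name or service name
    image: str            # path of the executable or driver
    stamp: Optional[str]  # "[date time size]" text ComboFix appends, if present


# [HKEY_...\Run]  -> start of a new registry key block
KEY_RE = re.compile(r'^\[(?P<key>HK[^\]]+)\]\s*$')
# "name"="image" [stamp]  -> one autostart value (stamp is optional)
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<image>[^"]*)"(?:\s*\[(?P<stamp>[^\]]*)\])?\s*$')
# S3 name;description;image [stamp]  -> one service/driver line
SERVICE_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);'
    r'(?P<image>[^\[]+?)(?:\s*\[(?P<stamp>[^\]]*)\])?\s*$')
# Heuristic (assumption): an image whose stem is exactly 8 hex digits, like
# 6e5d5416.sys, is worth submitting for analysis. Legitimate tools use such
# names too, so this is a triage cue, not a detection.
RANDOM_HEX_RE = re.compile(r'^[0-9a-f]{8}$', re.IGNORECASE)


def parse_loading_points(text: str) -> List[AutostartEntry]:
    """Parse ComboFix-style loading-point lines into AutostartEntry records."""
    entries: List[AutostartEntry] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append(AutostartEntry(
                current_key, m.group("name"), m.group("image"), m.group("stamp")))
            continue
        m = SERVICE_RE.match(line)
        if m:
            entries.append(AutostartEntry(
                "", m.group("name").strip(), m.group("image").strip(), m.group("stamp")))
        # Anything else (@="Driver", SecurityProviders, path=/backup= lines) is skipped.
    return entries


def image_basename(image: str) -> str:
    """Last path component of a Windows path such as \\SystemRoot\\...\\x.sys."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1]


def is_random_looking(image: str) -> bool:
    """True when the file stem is an 8-character hex string (see RANDOM_HEX_RE)."""
    stem = image_basename(image).rsplit(".", 1)[0]
    return bool(RANDOM_HEX_RE.match(stem))


def suspicious_entries(entries: List[AutostartEntry]) -> List[AutostartEntry]:
    """Entries whose image name looks randomly generated; candidates to submit."""
    return [e for e in entries if is_random_looking(e.image)]


if __name__ == "__main__":
    parsed = parse_loading_points(SAMPLE_LOG)
    for e in parsed:
        print(f"{e.name:20} {e.image}  {e.stamp or '(no file stamp)'}")
    for e in suspicious_entries(parsed):
        print(f"submit for analysis: {e.image} (key: {e.reg_key or 'service line'})")
```

Running it lists the five parsed entries and singles out `\SystemRoot\System32\drivers\6e5d5416.sys`, the same file the post above asks to have uploaded; the other drivers and Run values have readable names and pass through unflagged.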
#11
miekiemoes
    Malware Expert, Member, 5,503 posts, MVP
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.