Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Just finished one infection, new one came up- 'hitpop' [RESOLV

Started by kelltech , Aug 16 2008 10:06 AM

  • This topic is locked This topic is locked

#1
kelltech
Posted 16 August 2008 - 10:06 AM

kelltech

    Member

  • Member
  • PipPipPip
  • 131 posts
Well, we just finished cleaning one infection (http://www.geekstogo...OL-t207706.html) and now I have a new one. I ran CA anti-virus and spyware last night with zero results, but this morning I tried to perform a windows update and it's when IE7 opened that CA popped up with these infections. It also gave a RUNDLL error: "Error loading C:\\WINDOWS\wftadfi16_080816.dll Access is denied"

Here is the information CA gives me, then the HJ log:

1) Filename: C:\\WINDOWS\system32\inf\scsys16_080816.dll - Infection: Win32/Hitpop!generic

2) Filename: C:\\WINDOWS\wftadfi16_080816.dll - Infection: Win32/Hitpop!generic

3) Filename: C:\\WINDOWS\wftadfi16_080816.dll - Infection: Win32/Hitpop!generic

HJ Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:05:33 AM, on 8/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\X3watch\x3watch.exe
C:\Program Files\Leapfrog\FlyWorld\bin\FlyMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJT\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [FlyMonitor] "C:\Program Files\Leapfrog\FlyWorld\bin\FlyMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\mmchost.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mmchost.dll
O16 - DPF: {068BFA33-99F4-4BA9-887D-182386FA2931} - http://www.playfirst...eb.1.0.0.17.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - https://www.topprodu...ds/msjavx86.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {163B7151-7627-49BB-B673-2457906BBDE7} - http://www.learningc...Blaze3D.1.5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...DC_2.3.0.97.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildt...iveLauncher.cab
O16 - DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} - http://download.play...ash.1.0.0.6.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1167089842625
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} - https://www.topprodu...ads/arview2.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E5C97835-6865-443E-8C33-671D9C71A6D0} - https://www.clientsp...d/RapidocsX.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10848 bytes
  • 0

Advertisements

#2
kahdah
Posted 16 August 2008 - 10:11 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello kelltech

Welcome to G2Go. :)
=====================

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#3
kelltech
Posted 16 August 2008 - 10:30 AM

kelltech

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 131 posts
Thank you for your help! DSS only gave me one txt, and I tried twice. Its the main.txt:

Deckard's System Scanner v20071014.68
Run by Mom & Dad on 2008-08-16 09:26:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Mom & Dad.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:06 AM, on 8/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\X3watch\x3watch.exe
C:\Program Files\Leapfrog\FlyWorld\bin\FlyMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Documents and Settings\Mom & Dad\Desktop\dss.exe
C:\PROGRA~1\HJT\HIJACK~1\MOM&DA~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [FlyMonitor] "C:\Program Files\Leapfrog\FlyWorld\bin\FlyMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\mmchost.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mmchost.dll
O16 - DPF: {068BFA33-99F4-4BA9-887D-182386FA2931} - http://www.playfirst...eb.1.0.0.17.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - https://www.topprodu...ds/msjavx86.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {163B7151-7627-49BB-B673-2457906BBDE7} - http://www.learningc...Blaze3D.1.5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...DC_2.3.0.97.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildt...iveLauncher.cab
O16 - DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} - http://download.play...ash.1.0.0.6.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1167089842625
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} - https://www.topprodu...ads/arview2.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E5C97835-6865-443E-8C33-671D9C71A6D0} - https://www.clientsp...d/RapidocsX.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10846 bytes

-- Files created between 2008-07-16 and 2008-08-16 -----------------------------

2008-08-16 08:23:38 238592 --a------ C:\WINDOWS\dcbdcatys32_080816a.dll
2008-08-16 08:23:35 120520 --a------ C:\WINDOWS\system\sgcxcxxaspf080816.exe
2008-08-16 08:23:32 0 d-------- C:\WINDOWS\system32\inf
2008-08-16 08:04:42 0 d-------- C:\WINDOWS\LastGood
2008-08-15 10:19:32 15360 --ah----- C:\WINDOWS\system32\dbi102.dll
2008-08-14 19:01:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-14 19:00:53 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-14 18:54:17 0 dr-h----- C:\Documents and Settings\Mom & Dad\Recent
2008-08-14 18:39:59 0 d-------- C:\Program Files\SpywareBlaster
2008-08-14 16:16:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-14 15:54:26 0 d-------- C:\Program Files\Panda Security
2008-08-14 12:04:01 0 d-------- C:\Program Files\HJT
2008-08-14 11:39:27 0 d-------- C:\Program Files\Windows Resource Kits
2008-08-11 19:55:36 0 d-------- C:\Program Files\Audacity
2008-08-11 14:05:36 0 d-------- C:\Documents and Settings\Mom & Dad\Application Data\Malwarebytes
2008-08-11 14:05:31 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-11 14:05:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-11 11:53:37 17408 --a------ C:\WINDOWS\system32\mmchost.dll
2008-08-11 11:42:49 0 d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM
2008-08-11 11:37:25 0 d-------- C:\Program Files\Trend Micro
2008-08-09 11:52:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-08-09 11:37:23 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-08-09 11:37:18 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-08-08 22:07:06 0 d-------- C:\Documents and Settings\Mom & Dad\Application Data\gtk-2.0
2008-08-08 22:06:42 0 d-------- C:\Documents and Settings\Mom & Dad\.thumbnails
2008-08-08 22:04:43 0 d-------- C:\Documents and Settings\Mom & Dad\.gimp-2.4
2008-08-08 22:03:04 0 d-------- C:\Program Files\GIMP-2.0


-- Find3M Report ---------------------------------------------------------------

2008-08-14 19:01:19 0 d-------- C:\Program Files\Lavasoft
2008-08-14 19:00:53 0 d-------- C:\Program Files\Common Files
2008-08-14 16:09:06 0 d-------- C:\Program Files\iWin.com
2008-08-14 12:11:58 0 d-------- C:\Program Files\Common Files\AOL
2008-08-09 11:52:18 0 d-------- C:\Program Files\Common Files\Adobe
2008-08-09 11:46:38 0 d-------- C:\Documents and Settings\Mom & Dad\Application Data\AdobeUM
2008-07-30 08:46:49 0 d-------- C:\Program Files\dl_Cats
2008-07-21 08:39:13 0 d-------- C:\Program Files\Java
2008-06-26 17:49:04 988 --a------ C:\WINDOWS\eReg.dat
2008-06-26 17:39:32 0 d-------- C:\Program Files\EA GAMES
2008-06-25 16:36:54 0 d-------- C:\Program Files\MSXML 6.0
2008-06-22 16:37:14 0 d-------- C:\Program Files\Disney
2008-06-21 12:41:23 0 d-------- C:\Program Files\Common Files\Macromedia
2008-06-21 12:41:14 0 d-------- C:\Program Files\Macromedia
2008-06-21 12:41:14 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-20 23:19:01 0 d-------- C:\Program Files\Common Files\Nullsoft
2008-06-20 21:44:56 0 d-------- C:\Program Files\Viewpoint
2008-06-20 16:47:29 0 d-------- C:\Program Files\Firaxis Games
2008-06-20 16:10:55 0 d-------- C:\Documents and Settings\Mom & Dad\Application Data\Mozilla
2008-06-20 15:16:48 0 d-------- C:\Program Files\Common Files\Real
2008-06-20 15:16:42 0 d-------- C:\Program Files\RealArcade
2008-05-29 16:46:09 29184 --a------ C:\WINDOWS\system32\sstunst2.exe <Not Verified; Stardust Software; Stardust Screen Saver Uninstaller>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [04/14/2005 08:01 PM C:\WINDOWS\soundman.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/04/2007 06:14 PM]
"nwiz"="nwiz.exe" [10/04/2007 06:14 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/04/2007 06:14 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/31/2008 11:13 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 01:10 PM]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [08/16/2007 10:19 PM]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [04/10/2008 10:09 AM]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [08/20/2007 01:36 PM]
"x3watch"="C:\Program Files\X3watch\x3watch.exe" [07/10/2008 01:30 PM]
"FlyMonitor"="C:\Program Files\Leapfrog\FlyWorld\bin\FlyMonitor.exe" [05/13/2008 02:34 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [10/18/2007 11:34 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [4/23/2008 3:38:16 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 10/10/2006 06:53 PM 135168 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-08-16 09:28:08 ------------
  • 0

#4
kahdah
Posted 16 August 2008 - 10:42 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.
  • Please download LSPFix from here.
  • Run the LSPFix.exe that you have just finished downloading.
  • Check the I know what I'm doing box.
  • In the Keep box you should see one or more instances of mmchost.dll
  • Select every instance of mmchost.dll and move each one to the Remove box by clicking the >> button.
  • When you are done click Finish>>.
=============
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    c:\windows\system32\mmchost.dll
C:\WINDOWS\dcbdcatys32_080816a.dll
C:\WINDOWS\system\sgcxcxxaspf080816.exe
C:\WINDOWS\system32\dbi102.dll
Viewpoint Manager Service <delete service>
C:\Program Files\Viewpoint
C:\\WINDOWS\system32\inf\scsys16_080816.dll 
C:\\WINDOWS\wftadfi16_080816.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=================================
After that POst the OT MOve it log and a new Dss log then let me know how things are running?
  • 0

#5
kelltech
Posted 16 August 2008 - 01:49 PM

kelltech

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 131 posts
So far ok, except in the OT Move it file there is only a file named 'windows' and inside that is 'system' which is empty, 'system32' which has 'mmchost.dll' inside. then there is 'dcbdcatys32_080816a.dll' by itself in that windows folder next to the above mentioned files.
  • 0

#6
kahdah
Posted 16 August 2008 - 01:53 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Ok just post a new dss log please.
  • 0

#7
kelltech
Posted 16 August 2008 - 02:00 PM

kelltech

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 131 posts
Updated DSS:

Deckard's System Scanner v20071014.68
Run by Mom & Dad on 2008-08-16 12:57:50
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Mom & Dad.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:04 PM, on 8/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\X3watch\x3watch.exe
C:\Program Files\Leapfrog\FlyWorld\bin\FlyMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Documents and Settings\Mom & Dad\Desktop\dss.exe
C:\PROGRA~1\HJT\HIJACK~1\MOM&DA~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [FlyMonitor] "C:\Program Files\Leapfrog\FlyWorld\bin\FlyMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: office.lnk = C:\WINDOWS\system\sgcxcxxaspf080816.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {068BFA33-99F4-4BA9-887D-182386FA2931} - http://www.playfirst...eb.1.0.0.17.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - https://www.topprodu...ds/msjavx86.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {163B7151-7627-49BB-B673-2457906BBDE7} - http://www.learningc...Blaze3D.1.5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...DC_2.3.0.97.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildt...iveLauncher.cab
O16 - DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} - http://download.play...ash.1.0.0.6.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1167089842625
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} - https://www.topprodu...ads/arview2.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E5C97835-6865-443E-8C33-671D9C71A6D0} - https://www.clientsp...d/RapidocsX.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10786 bytes

-- Files created between 2008-07-16 and 2008-08-16 -----------------------------

2008-08-16 08:23:35 120520 --a------ C:\WINDOWS\system\sgcxcxxaspf080816.exe
2008-08-16 08:23:32 0 d-------- C:\WINDOWS\system32\inf
2008-08-16 08:04:42 0 d-------- C:\WINDOWS\LastGood
2008-08-15 10:19:32 15360 --ah----- C:\WINDOWS\system32\dbi102.dll
2008-08-14 19:01:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-14 19:00:53 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-14 18:54:17 0 dr-h----- C:\Documents and Settings\Mom & Dad\Recent
2008-08-14 18:39:59 0 d-------- C:\Program Files\SpywareBlaster
2008-08-14 16:16:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-14 15:54:26 0 d-------- C:\Program Files\Panda Security
2008-08-14 12:04:01 0 d-------- C:\Program Files\HJT
2008-08-14 11:39:27 0 d-------- C:\Program Files\Windows Resource Kits
2008-08-11 19:55:36 0 d-------- C:\Program Files\Audacity
2008-08-11 14:05:36 0 d-------- C:\Documents and Settings\Mom & Dad\Application Data\Malwarebytes
2008-08-11 14:05:31 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-11 14:05:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-11 11:42:49 0 d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM
2008-08-11 11:37:25 0 d-------- C:\Program Files\Trend Micro
2008-08-09 11:52:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-08-09 11:37:23 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-08-09 11:37:18 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-08-08 22:07:06 0 d-------- C:\Documents and Settings\Mom & Dad\Application Data\gtk-2.0
2008-08-08 22:06:42 0 d-------- C:\Documents and Settings\Mom & Dad\.thumbnails
2008-08-08 22:04:43 0 d-------- C:\Documents and Settings\Mom & Dad\.gimp-2.4
2008-08-08 22:03:04 0 d-------- C:\Program Files\GIMP-2.0


-- Find3M Report ---------------------------------------------------------------

2008-08-14 19:01:19 0 d-------- C:\Program Files\Lavasoft
2008-08-14 19:00:53 0 d-------- C:\Program Files\Common Files
2008-08-14 16:09:06 0 d-------- C:\Program Files\iWin.com
2008-08-14 12:11:58 0 d-------- C:\Program Files\Common Files\AOL
2008-08-09 11:52:18 0 d-------- C:\Program Files\Common Files\Adobe
2008-08-09 11:46:38 0 d-------- C:\Documents and Settings\Mom & Dad\Application Data\AdobeUM
2008-07-30 08:46:49 0 d-------- C:\Program Files\dl_Cats
2008-07-21 08:39:13 0 d-------- C:\Program Files\Java
2008-06-26 17:49:04 988 --a------ C:\WINDOWS\eReg.dat
2008-06-26 17:39:32 0 d-------- C:\Program Files\EA GAMES
2008-06-25 16:36:54 0 d-------- C:\Program Files\MSXML 6.0
2008-06-22 16:37:14 0 d-------- C:\Program Files\Disney
2008-06-21 12:41:23 0 d-------- C:\Program Files\Common Files\Macromedia
2008-06-21 12:41:14 0 d-------- C:\Program Files\Macromedia
2008-06-21 12:41:14 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-20 23:19:01 0 d-------- C:\Program Files\Common Files\Nullsoft
2008-06-20 21:44:56 0 d-------- C:\Program Files\Viewpoint
2008-06-20 16:47:29 0 d-------- C:\Program Files\Firaxis Games
2008-06-20 16:10:55 0 d-------- C:\Documents and Settings\Mom & Dad\Application Data\Mozilla
2008-06-20 15:16:48 0 d-------- C:\Program Files\Common Files\Real
2008-06-20 15:16:42 0 d-------- C:\Program Files\RealArcade
2008-05-29 16:46:09 29184 --a------ C:\WINDOWS\system32\sstunst2.exe <Not Verified; Stardust Software; Stardust Screen Saver Uninstaller>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [04/14/2005 08:01 PM C:\WINDOWS\soundman.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/04/2007 06:14 PM]
"nwiz"="nwiz.exe" [10/04/2007 06:14 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/04/2007 06:14 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/31/2008 11:13 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 01:10 PM]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [08/16/2007 10:19 PM]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [04/10/2008 10:09 AM]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [08/20/2007 01:36 PM]
"x3watch"="C:\Program Files\X3watch\x3watch.exe" [07/10/2008 01:30 PM]
"FlyMonitor"="C:\Program Files\Leapfrog\FlyWorld\bin\FlyMonitor.exe" [05/13/2008 02:34 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [10/18/2007 11:34 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [4/23/2008 3:38:16 AM]
office.lnk - C:\WINDOWS\system\sgcxcxxaspf080816.exe [8/16/2008 8:23:35 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 10/10/2006 06:53 PM 135168 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-08-16 12:59:00 ------------
  • 0

#8
kahdah
Posted 16 August 2008 - 02:05 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please visit this web page for instructions for downloading and running Combofix >ComboFix Instructions
We now suggest that you install the Windows Recovery Console.
The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Post the log from ComboFix when you've accomplished all of that, along with a new HijackThis log.

(Note:If the Recovery Console fails to install then do not proceed rather alert me and post back here we will continue)
  • 0

#9
kelltech
Posted 16 August 2008 - 06:29 PM

kelltech

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 131 posts
Dangit...my windows xp cd wont allow me to install the recovery console because the version on the cd is older. I'm now looking at this option:

If you use Windows XP and do not have the Windows CD, ComboFix includes a method of installing the Windows Recovery console by downloading a file from Microsoft. To install the Windows Recovery Console when you do not have the Windows XP CD, please follow these instructions:

1. Click on the following link to go to Microsoft's Web site:

http://support.microsoft.com/kb/310994

Edited by kelltech, 16 August 2008 - 06:31 PM.

  • 0

#10
kahdah
Posted 16 August 2008 - 07:06 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Yes just do it with Combofix it will work.
  • 0

Advertisements

#11
kelltech
Posted 16 August 2008 - 07:40 PM

kelltech

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 131 posts
I dragged the XP download onto the Combofix and it began doing work, then it went blue screen and now says "Fatal system error- the system has been shut down."

Looks scary :)
  • 0

#12
kahdah
Posted 16 August 2008 - 07:45 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please disable your antivirus and try it again.
If it happens again report it back to me
  • 0

#13
kelltech
Posted 16 August 2008 - 08:04 PM

kelltech

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 131 posts
Ok, after the Combofix reboot, we got the window that says 'Preparing log report - do not run any programs until Combofix has finished,' but right below that it says system cannot find the file Desktop.Folder.dat and cannot find the file temp01. There is also a popup that says "windows cannot open this file: sgcxcxxaspf080816.exe.vir" then offers me use the web service to find the appropriate program or select from a list.
  • 0

#14
kahdah
Posted 16 August 2008 - 08:11 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
That is a malware file.
See if Combofix makes a report please and post it.
  • 0

#15
kelltech
Posted 16 August 2008 - 08:17 PM

kelltech

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 131 posts
ComboFix 08-08-15.04 - Mom & Dad 2008-08-16 18:56:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.985 [GMT -7:00]
Running from: C:\Documents and Settings\Mom & Dad\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mom & Dad\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
Error: Cfiles.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Aryana\Application Data\macromedia\Flash Player\#SharedObjects\77YEG4H9\interclick.com
C:\Documents and Settings\Aryana\Application Data\macromedia\Flash Player\#SharedObjects\77YEG4H9\interclick.com\ud.sol
C:\Documents and Settings\Aryana\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Aryana\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Aryana\Cookies\aryana@myspace[1].txt
C:\Documents and Settings\Kayla\Application Data\FunWebProducts
C:\Documents and Settings\Kayla\Application Data\FunWebProducts\Data\Kayla\avatar.dat
C:\Documents and Settings\Kayla\Application Data\FunWebProducts\Data\Kayla\register.dat
C:\Documents and Settings\Kayla\Cookies\kayla@live[1].txt
C:\Documents and Settings\Kayla\Cookies\kayla@live[2].txt
C:\Documents and Settings\Kayla\Cookies\kayla@msn[2].txt
C:\Documents and Settings\LocalService\Application Data\macromedia\Flash Player\#SharedObjects\ZSP5D7RW\interclick.com
C:\Documents and Settings\LocalService\Application Data\macromedia\Flash Player\#SharedObjects\ZSP5D7RW\interclick.com\ud.sol
C:\Documents and Settings\LocalService\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\LocalService\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\dcbdcatys32_080816a.dll
C:\WINDOWS\system\sgcxcxxaspf080816.exe
C:\WINDOWS\system32\drivers\secdrv.sys
C:\WINDOWS\system32\inf\sppdcrs080816.scr
C:\WINDOWS\system32\inf\svchosd.exe
C:\WINDOWS\system32\Skinlib.dll
C:\WINDOWS\Temp\19.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFINDING
-------\Legacy_MACIDWE
-------\Legacy_PERFS
-------\Legacy_ROUTING
-------\Legacy_SEICTRL
-------\Legacy_SOBICYT
-------\Legacy_TDXDOWKC
-------\Legacy_WSERVING
-------\Service_seictrl


((((((((((((((((((((((((( Files Created from 2008-07-17 to 2008-08-17 )))))))))))))))))))))))))))))))
.

2008-08-16 12:46 . 2008-08-16 12:46 <DIR> d-------- C:\_OTMoveIt
2008-08-16 09:23 . 2008-08-16 09:23 <DIR> d-------- C:\Deckard
2008-08-16 08:23 . 2008-08-16 18:57 <DIR> d-------- C:\WINDOWS\system32\inf
2008-08-16 08:23 . 2008-08-16 12:46 438 --a------ C:\WINDOWS\tawisys.ini
2008-08-15 10:19 . 2008-08-15 10:19 15,360 --ah----- C:\WINDOWS\system32\dbi102.dll
2008-08-15 10:19 . 2008-08-15 10:19 142 --a------ C:\WINDOWS\system32\syspilog.pil
2008-08-14 19:01 . 2008-08-14 19:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-14 19:00 . 2008-08-14 19:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-14 18:39 . 2008-08-14 18:40 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-14 16:16 . 2008-08-14 16:16 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-14 16:16 . 2008-08-14 17:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-14 15:54 . 2008-08-14 15:54 <DIR> d-------- C:\Program Files\Panda Security
2008-08-14 12:04 . 2008-08-14 12:17 <DIR> d-------- C:\Program Files\HJT
2008-08-14 11:39 . 2008-08-14 11:39 <DIR> d-------- C:\Program Files\Windows Resource Kits
2008-08-11 19:55 . 2008-08-11 19:55 <DIR> d-------- C:\Program Files\Audacity
2008-08-11 14:05 . 2008-08-11 14:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-11 14:05 . 2008-08-11 14:05 <DIR> d-------- C:\Documents and Settings\Mom & Dad\Application Data\Malwarebytes
2008-08-11 14:05 . 2008-08-11 14:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-11 14:05 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-11 14:05 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-11 11:42 . 2008-08-11 11:42 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM
2008-08-11 11:37 . 2008-08-11 11:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-08 22:07 . 2008-08-08 22:25 <DIR> d-------- C:\Documents and Settings\Mom & Dad\Application Data\gtk-2.0
2008-08-08 22:06 . 2008-08-08 22:06 <DIR> d-------- C:\Documents and Settings\Mom & Dad\.thumbnails
2008-08-08 22:04 . 2008-08-08 22:36 <DIR> d-------- C:\Documents and Settings\Mom & Dad\.gimp-2.4
2008-08-08 22:03 . 2008-08-08 22:03 <DIR> d-------- C:\Program Files\GIMP-2.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-15 17:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\x3watch
2008-08-15 02:01 --------- d-----w C:\Program Files\Lavasoft
2008-08-15 01:41 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-14 23:09 --------- d-----w C:\Program Files\iWin.com
2008-08-14 19:11 --------- d-----w C:\Program Files\Common Files\AOL
2008-08-09 18:52 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-09 18:46 --------- d-----w C:\Documents and Settings\Mom & Dad\Application Data\AdobeUM
2008-07-30 15:46 --------- d-----w C:\Program Files\dl_Cats
2008-07-21 15:39 --------- d-----w C:\Program Files\Java
2008-06-28 15:50 --------- d-----w C:\Documents and Settings\Kayla\Application Data\acccore
2008-06-28 15:49 --------- d-----w C:\Documents and Settings\Kayla\Application Data\AIMPro
2008-06-27 00:39 --------- d-----w C:\Program Files\EA GAMES
2008-06-26 00:42 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-06-26 00:42 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-06-25 23:36 --------- d-----w C:\Program Files\MSXML 6.0
2008-06-22 23:37 --------- d-----w C:\Program Files\Disney
2008-06-21 19:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-21 19:41 --------- d-----w C:\Program Files\Macromedia
2008-06-21 19:41 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-06-21 06:19 --------- d-----w C:\Program Files\Common Files\Nullsoft
2008-06-21 06:19 --------- d-----w C:\Documents and Settings\Aryana\Application Data\AIMPro
2008-06-21 06:18 --------- d-----w C:\Documents and Settings\Aryana\Application Data\AIM
2008-06-21 04:48 --------- d-----w C:\Documents and Settings\Aryana\Application Data\acccore
2008-06-21 04:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-06-21 04:44 --------- d-----w C:\Program Files\Viewpoint
2008-06-21 04:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-21 04:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-06-20 23:47 --------- d-----w C:\Program Files\Firaxis Games
2008-06-20 22:19 --------- d-----w C:\Documents and Settings\Aryana\Application Data\Eyeblaster
2008-06-20 22:16 --------- d-----w C:\Program Files\RealArcade
2008-06-20 22:16 --------- d-----w C:\Program Files\Common Files\Real
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-05-29 23:46 29,184 ----a-w C:\WINDOWS\system32\sstunst2.exe
2007-07-23 19:43 469 ----a-w C:\Program Files\INSTALL.LOG
2007-06-06 23:29 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 18:14 81920]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-16 22:19 177416]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2008-04-10 10:09 14088]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 13:36 230664]
"x3watch"="C:\Program Files\X3watch\x3watch.exe" [2008-07-10 13:30 299008]
"FlyMonitor"="C:\Program Files\Leapfrog\FlyWorld\bin\FlyMonitor.exe" [2008-05-13 14:34 664904]
"SoundMan"="SOUNDMAN.EXE" [2005-04-14 20:01 77824 C:\WINDOWS\soundman.exe]
"nwiz"="nwiz.exe" [2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 18:17 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
office.lnk - C:\QooBox\Quarantine\C\WINDOWS\system\sgcxcxxaspf080816.exe.vir [2008-08-16 08:23:35 120520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2006-10-10 18:53 135168 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"F:\\Programs\\Americas Army\\System\\ArmyOps.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"F:\\Programs\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\EA GAMES\\Need for Speed Most Wanted\\speed.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\LeapFrog\\FlyWorld\\bin\\FLYMonitor.exe"=
"C:\\Program Files\\LeapFrog\\FlyWorld\\bin\\FLYWorld.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-06 08:11]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 14:38]
R3 PPCtlPriv;PPCtlPriv;C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2007-08-16 21:10]
S0 sdqsnecn;sdqsnecn;C:\WINDOWS\system32\drivers\mxayx.sys []
S3 FlyUsb;FLY Fusion;C:\WINDOWS\system32\DRIVERS\FlyUsb.sys [2007-08-20 23:04]
S3 PciCon;PciCon;D:\PciCon.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-08-13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-08-16 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Mom & Dad\Application Data\Mozilla\Firefox\Profiles\vxf5qc8k.default\
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPAdbESD.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npracplug.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - C:\Program Files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-16 19:01:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\TEMP\TMP00000013DBC34BBF89662399

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\system32\DUSER.dll
-> ?:\WINDOWS\system32\DUSER.dll
-> ?:\WINDOWS\system32\DUSER.dll
-> ?:\WINDOWS\system32\odbcint.dll
-> ?:\WINDOWS\system32\odbcint.dll
-> ?:\WINDOWS\system32\odbcint.dll
-> ?:\WINDOWS\system32\odbcint.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-08-16 19:15:38 - machine was rebooted [Mom & Dad]
ComboFix-quarantined-files.txt 2008-08-17 02:15:09

Pre-Run: 100,344,246,272 bytes free
Post-Run: 100,828,512,256 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

250 --- E O F --- 2008-08-09 18:57:10
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP