
Redirecting virus [RESOLVED]



#1
mpestle

  • Member
  • 12 posts
It appears my PC has been infected with some sort of Google redirecting virus. Every time I click on a link from a Google search, I am rerouted to a completely unrelated website. This usually happens the first time only, then it takes me to the correct website the second time around. I attempted to follow the instructions on a previous forum from December 2007. So far, I have run SmitFraudFix, SDFix, True Sword 5, VundoFix, SuperAntiSpyware, ATF Cleaner, ERUNT, Ad-Aware, and Malwarebytes. I also ran Fixwareout and attempted to download AVG Antispyware only to find out that it is not available by itself anymore; it is only available as part of a security suite that includes 7 other programs. I have included my HijackThis log, the log from Fixwareout, and the log from Malwarebytes as well.

Just to give you the full picture - beginning last Thursday, I received the WARNING! Spyware virtumonde and privacyremover. I then received the trojan-spy.win32.keylogger.aa. I also found a folder called desktopvirii and a desktop trojan called blackbird in my documents and settings folders. I have also seen a trojan called datantstealth pop up occasionally. I have also been getting fairly frequent notices from my CA Antivirus software that 6 threats have been prevented.

Any help that you can provide would be most appreciated. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:52 PM, on 8/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.c...oad/tgctlcm.cab
O16 - DPF: {0DB0E34A-E2CA-4748-AC02-087E2662CBEA} (DirectPrint.PrintAXView) - http://www.fultonhom...DirectPrint.cab
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - https://as00.estara....998968OneCC.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {DE3F1566-A06D-11D0-ACD5-00A02417B281} (ApplicationXtender View Control) - http://www.fultonhom...ocs/aexview.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: UiSetApi - {4C07C461-D1E0-F56D-2AB9-0B8713BF6090} - C:\Program Files\vswrlye\UiSetApi.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 7089 bytes


Username "Karrie" - 08/25/2008 21:52:53 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"="ALCXMNTR.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"LTMSG"="LTMSG.exe 7"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe\""
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"nmctxth"="\"C:\\Program Files\\Common Files\\Pure Networks Shared\\Platform\\nmctxth.exe\""
"cctray"="\"C:\\Program Files\\CA\\CA Internet Security Suite\\cctray\\cctray.exe\""
"CAVRID"="\"C:\\Program Files\\CA\\CA Internet Security Suite\\CA Anti-Virus\\CAVRID.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


Malwarebytes' Anti-Malware 1.25
Database version: 1087
Windows 5.1.2600 Service Pack 3

9:38:45 PM 8/25/2008
mbam-log-08-25-2008 (21-38-45).txt

Scan type: Quick Scan
Objects scanned: 49774
Time elapsed: 39 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 43

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Classes\applications\accessdiver.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorertoolbar (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\System32\akttzn.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\anticipator.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\awtoolb.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\bdn.com (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\bsva-egihsg52.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\dpcproxy.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\emesx.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\h@tkeysh@@k.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\hoproxy.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\hxiwlgpm.dat (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\hxiwlgpm.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\medup012.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\medup020.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\msgp.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\msnbho.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\mssecu.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\msvchost.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\mtr2.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\mwin32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\netode.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\newsd32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\psof1.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\psoft1.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\regc64.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\regm64.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\Rundl1.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\sncntr.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\ssurf022.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\ssvchost.com (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\ssvchost.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\sysreq.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\taack.dat (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\taack.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\temp#01.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\thun.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\thun32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\VBIEWER.OCX (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\vbsys2.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\vcatchpi.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\winlogonpc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\winsystem.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\WINWGPX.EXE (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ps1.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


#2
greyknight17

  • Malware Expert
  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Download the Flash Disinfector at http://www.techsuppo...Disinfector.exe and save it to your desktop. Double-click on it to run it and follow the on-screen instructions.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O21 - SSODL: UiSetApi - {4C07C461-D1E0-F56D-2AB9-0B8713BF6090} - C:\Program Files\vswrlye\UiSetApi.dll


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\Program Files\vswrlye\

1. Download combofix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe Save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.
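The three entries the reply above asks to have fixed (a Run value that names a bare executable, a DPF entry with no download URL, and an SSODL entry loading a DLL from a random Program Files folder) are exactly the kind of thing a small log-triage script can surface before a human looks at the rest. The script below is an added example written for this thread, not code from HijackThis or from the helper; it assumes the XP default system directory C:\WINDOWS\system32, and its sample input is a constructed excerpt transcribed from the log in post #1.

```python
"""Triage heuristics for HijackThis-style log lines.

Added example for this thread; not code from HijackThis or from the helper
who answered. It flags three kinds of entry: an O4 Run value whose
executable is a bare name (resolved through the search path), an O16 DPF
entry with no source URL, and an O21 SSODL entry whose shell DLL lives
outside the system directory. Output is a list of candidates for a human to
review, not a verdict: legitimate entries can trip the same rules.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape HijackThis v2 prints; the entries are
# transcribed from the thread's log. Benign lines are included so the rules
# can be seen not firing on them.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: UiSetApi - {4C07C461-D1E0-F56D-2AB9-0B8713BF6090} - C:\Program Files\vswrlye\UiSetApi.dll
"""

# Assumption: the XP default system directory of the machine in the thread.
DEFAULT_SYSTEM32 = "c:\\windows\\system32\\"

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
RUN_ENTRY = re.compile(r"^HK\w+\\\.\.\\Run: \[[^\]]*\]\s*(.*)$")
DPF_ENTRY = re.compile(r"^DPF: \{[^}]+\}(?: \([^)]*\))? -\s*(.*)$")
SSODL_ENTRY = re.compile(r"^SSODL: .*? - \{[^}]+\} - (.*)$")
ABS_PATH = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Finding:
    code: str    # HijackThis section, e.g. "O21"
    reason: str
    line: str    # the log line, verbatim


def launched_path(command: str) -> str:
    """Path a Run value really starts: the quoted path or the first token,
    and for a rundll32 host the DLL it is told to load."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split(None, 1)
    if not parts:
        return ""
    exe, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    if exe.lower() in ("rundll32.exe", "rundll32") and rest:
        return rest.split(",", 1)[0].strip().strip('"')
    return exe


def triage(log_text: str, system32: str = DEFAULT_SYSTEM32) -> List[Finding]:
    """Return the O4/O16/O21 entries worth a second look, in log order."""
    system32 = system32.lower()
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # header, process list or blank line, not an O-entry
        code, entry = m.groups()
        if code == "O4":
            run = RUN_ENTRY.match(entry)
            if run and not ABS_PATH.match(launched_path(run.group(1))):
                findings.append(Finding(
                    code,
                    f"Run value launches {launched_path(run.group(1))!r} by bare "
                    "name; Windows resolves it through the search path, so "
                    "confirm which file that actually is",
                    line))
        elif code == "O16":
            dpf = DPF_ENTRY.match(entry)
            if dpf and not dpf.group(1).lower().startswith(("http://", "https://")):
                findings.append(Finding(
                    code,
                    "DPF (ActiveX download) entry has no source URL, so the "
                    "installed control cannot be traced to where it came from",
                    line))
        elif code == "O21":
            ssodl = SSODL_ENTRY.match(entry)
            if ssodl and not ssodl.group(1).strip().lower().startswith(system32):
                findings.append(Finding(
                    code,
                    "SSODL entry makes Explorer load a shell DLL from outside "
                    "system32: " + ssodl.group(1).strip(),
                    line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```

On the sample the three flagged lines are the same three the reply lists; nwiz and LTMSG from the full log would also trip the O4 rule, which is why the result is a review list rather than a fix list.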

#3
mpestle

  • Topic Starter
  • Member
  • 12 posts
Thanks for your response greyknight17. I successfully downloaded and ran Flash Disinfector. There really wasn't a whole lot to it (not sure if there was supposed to be) and no log was generated (at least that I could tell).

I then proceeded with the HJT scan and the 3 items listed were still on the list, so I checked them and clicked the 'fix checked' box.

I then located C:\Program Files\vswrlye, but was unable to delete the folder. I received an "Error deleting file or folder" message that stated:

Error deleting UiSetApi.dll: Access is denied

Make sure the disk is not full or write protected and that the file is not currently in use.


Since I was not able to proceed with this, I did not go any further.

Please advise.

#4
mpestle

  • Topic Starter
  • Member
  • 12 posts
Okay, please disregard the previous reply. I couldn't delete the file when I was logged on as myself, so I logged off and logged on as my wife and was able to delete the file that way. I ran the combofix and the log is posted below.

ComboFix 08-09-01.01 - Tony Lucchi 2008-09-01 15:32:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.209 [GMT -7:00]
Running from: C:\Documents and Settings\Tony Lucchi\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Karrie\Application Data\macromedia\Flash Player\#SharedObjects\THUKMLRM\bin.clearspring.com
C:\Documents and Settings\Karrie\Application Data\macromedia\Flash Player\#SharedObjects\THUKMLRM\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Karrie\Application Data\macromedia\Flash Player\#SharedObjects\THUKMLRM\interclick.com
C:\Documents and Settings\Karrie\Application Data\macromedia\Flash Player\#SharedObjects\THUKMLRM\interclick.com\ud.sol
C:\Documents and Settings\Karrie\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Karrie\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\Karrie\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Karrie\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Tony Lucchi\Application Data\macromedia\Flash Player\#SharedObjects\U9APTUNE\interclick.com
C:\Documents and Settings\Tony Lucchi\Application Data\macromedia\Flash Player\#SharedObjects\U9APTUNE\interclick.com\ud.sol
C:\Documents and Settings\Tony Lucchi\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Tony Lucchi\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol

.
((((((((((((((((((((((((( Files Created from 2008-08-01 to 2008-09-01 )))))))))))))))))))))))))))))))
.

2008-08-25 22:40 . 2008-08-25 22:40 <DIR> d-------- C:\Documents and Settings\Tony Lucchi\Application Data\Malwarebytes
2008-08-25 21:52 . 2008-08-25 21:59 <DIR> d-------- C:\fixwareout
2008-08-25 20:56 . 2008-08-25 20:56 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-25 20:56 . 2008-08-25 20:56 <DIR> d-------- C:\Documents and Settings\Karrie\Application Data\Malwarebytes
2008-08-25 20:56 . 2008-08-25 20:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-25 20:56 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-25 20:56 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-25 20:53 . 2008-08-25 20:53 <DIR> d-------- C:\Program Files\ERUNT
2008-08-25 19:42 . 2008-08-25 19:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-25 07:03 . 2008-08-25 07:03 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-25 07:03 . 2008-08-25 07:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-24 22:44 . 2008-08-24 22:44 <DIR> d-------- C:\Documents and Settings\Karrie\Application Data\SUPERAntiSpyware.com
2008-08-24 12:17 . 2008-08-24 12:17 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-24 12:17 . 2008-08-24 12:17 <DIR> d-------- C:\Documents and Settings\Tony Lucchi\Application Data\SUPERAntiSpyware.com
2008-08-24 12:17 . 2008-08-24 12:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-24 12:16 . 2008-08-25 07:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-24 11:29 . 2008-08-24 11:29 578,560 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-08-24 11:27 . 2008-08-24 11:28 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-24 11:24 . 2008-08-24 22:43 <DIR> d-------- C:\SDFix
2008-08-24 10:37 . 2008-08-24 10:37 <DIR> d-------- C:\VundoFix Backups
2008-08-23 12:40 . 2008-08-23 12:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-08-23 09:53 . 2008-08-24 08:09 <DIR> d-------- C:\Program Files\True Sword 5
2008-08-23 09:53 . 2008-08-23 09:53 <DIR> d-------- C:\Documents and Settings\Tony Lucchi\Application Data\True Sword
2008-08-23 09:53 . 2005-10-11 15:40 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll
2008-08-23 09:53 . 2003-06-06 12:21 81,920 --a------ C:\WINDOWS\eSellerateControl350.dll
2008-08-22 22:23 . 2008-08-22 22:23 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-22 21:37 . 2008-08-23 10:20 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-08-22 21:32 . 2008-08-22 22:39 3,560 --a------ C:\WINDOWS\system32\tmp.reg
2008-08-22 21:12 . 2008-08-25 20:56 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-22 20:08 . 2008-08-22 20:08 <DIR> d--h----- C:\WINDOWS\PIF
2008-08-21 23:50 . 2008-08-21 23:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\snunoxsx
2008-08-18 22:10 . 2008-04-11 12:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-18 22:10 . 2008-05-01 07:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-10 15:43 . 2008-08-23 10:20 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-10 15:42 . 2008-08-10 15:42 <DIR> d-------- C:\Program Files\MSN Games
2008-08-10 00:05 . 2008-08-10 00:05 880,560 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2008-08-10 00:05 . 2008-08-10 00:05 108,368 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2008-08-10 00:05 . 2008-08-10 00:05 99,568 --a------ C:\WINDOWS\system32\isafeif.dll
2008-08-10 00:05 . 2008-08-10 00:05 91,376 --a------ C:\WINDOWS\system32\isafprod.dll
2008-08-10 00:05 . 2008-08-10 00:05 83,256 --a------ C:\WINDOWS\system32\vetredir.dll
2008-08-10 00:05 . 2008-08-10 00:05 32,240 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-08-10 00:05 . 2008-08-10 00:05 26,352 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2008-08-10 00:05 . 2008-08-10 00:05 21,488 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-08-10 00:05 . 2008-08-10 00:05 21,104 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2008-08-10 00:04 . 2008-08-10 00:04 <DIR> d-------- C:\Program Files\CA
2008-08-10 00:04 . 2008-08-10 00:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA
2008-08-09 23:53 . 2004-01-05 00:27 38,867 --------- C:\WINDOWS\hpomdl03.dat
2008-08-09 23:53 . 2008-08-09 23:58 29,566 --a------ C:\WINDOWS\hpoins03.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-01 20:26 --------- d-----w C:\Program Files\WebEx
2008-08-23 05:34 --------- d-----w C:\Program Files\Palm
2008-08-01 04:12 --------- d-----w C:\Program Files\Common Files\Pure Networks Shared
2008-08-01 04:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-01 04:06 --------- d-----w C:\Program Files\Linksys
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 05:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 05:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-09 03:54 --------- d-----w C:\Program Files\Java
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-04 01:07 --------- d-----w C:\Program Files\MSECache
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\system32\NVMCTRAY.DLL" [2003-07-28 14:19 49152]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-19 23:34 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-07-28 14:19 4841472]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-28 22:33 282624]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 06:11 648504]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-08-10 00:05 181488]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-08-10 00:05 234736]
"nwiz"="nwiz.exe" [2003-07-28 14:19 323584 C:\WINDOWS\system32\nwiz.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 10:52 40960 C:\WINDOWS\ltmsg.exe]

C:\Documents and Settings\Karrie\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:27:34 471040]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24 237568]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R2 LinksysUpdater;Linksys Updater;C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-05-08 16:59]

*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://phoenix.cox.net/cci/home
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: {0DB0E34A-E2CA-4748-AC02-087E2662CBEA} - hxxp://www.fultonhomes.com/ContractDocs/DirectPrint.cab
C:\WINDOWS\Downloaded Program Files\DirectPrint.INF
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\olepro32.dll
C:\WINDOWS\system32\asycfilt.dll
C:\WINDOWS\system32\stdole2.tlb
C:\WINDOWS\system32\comcat.dll
C:\WINDOWS\system32\msvbvm60.dll
C:\WINDOWS\Downloaded Program Files\DirectPrint.ocx

O16 -: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} - hxxps://as00.estara.com/UI/proxyhttps.php?a=downloads.estara.com./&hash=c227af632116b5248e66110fb6de510e&url=http%3A%2F%2Fd.66.155.171.31.downloads.estara.com.%2Fas%2FOneCCDM.php&template=55366&sessionid=103393968_66.155.171.31_55976&=&req=1184638998968OneCC.cab
C:\WINDOWS\Downloaded Program Files\OneCC.inf
C:\WINDOWS\Downloaded Program Files\OneCC.dll

O16 -: {DE3F1566-A06D-11D0-ACD5-00A02417B281} - hxxp://www.fultonhomes.com/ContractDocs/aexview.cab
C:\WINDOWS\Downloaded Program Files\aexview.inf
C:\WINDOWS\system32\mfc71.dll
C:\WINDOWS\system32\msvcr71.dll
C:\WINDOWS\system32\msvcp71.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\mfc42.dll
C:\WINDOWS\system32\olepro32.dll
C:\WINDOWS\Downloaded Program Files\aexdex32.dll
C:\WINDOWS\Downloaded Program Files\il.dll
C:\WINDOWS\Downloaded Program Files\virtimg.dll
C:\WINDOWS\Downloaded Program Files\ImageObjects.dll
C:\WINDOWS\Downloaded Program Files\aexview.ocx
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-01 15:41:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-01 15:46:28
ComboFix-quarantined-files.txt 2008-09-01 22:45:52

Pre-Run: 102,560,763,904 bytes free
Post-Run: 102,613,651,456 bytes free

184 --- E O F --- 2008-08-19 05:41:10

#5
greyknight17

  • Malware Expert
  • Visiting Consultant
  • 16,560 posts
Download OTMoveIt2 at http://download.blee...r/OTMoveIt2.exe
* Save it to your desktop.
* Double-click OTMoveIt2.exe to run it. (Vista users, right click on OTMoveIt2.exe and select Run as an Administrator).
* Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\system32\tmp.reg
C:\Documents and Settings\All Users\Application Data\snunoxsx

* Return to OTMoveIt2. Right click in the Paste List of Files/Folders to Move window (under the Yellow bar) and choose Paste.
* Click the red Moveit! button.
* A log of files and folders moved will be created in the C:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
* Close OTMoveIt2.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
#6
mpestle
    Member
  • Topic Starter
  • 12 posts
As requested, the log from my OTMoveIt2:

C:\WINDOWS\system32\tmp.reg moved successfully.
C:\Documents and Settings\All Users\Application Data\snunoxsx moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09022008_201755

A couple of quick questions:
If I ran all of these things on my profile in XP, do I need to do the same under any other user profiles?

Do you have any suggested programs to prevent these types of infections in the future?

I am still getting a pop-up from my CA anti-virus about 15-20 minutes into my session: 6 threats detected and prevented. Do you think this is a conflict between the anti-spyware software and the anti-virus, or a real threat?

Also, can you tell me, is it okay to delete/remove any of the other programs I downloaded to help fix the myriad of problems I've had over the past couple of weeks? I have downloaded ATF_Cleaner.exe, ComboFix.exe, erunt_setup.exe, Fixwareout.exe, Flash_disinfector.exe, HJTInstall.exe, OTMoveIt2.exe, SDFix.exe, SmitFraudFix.exe, SuperAntiSpywarePro.exe, Vundofix.exe.

Thanks for all your help.
#7
greyknight17
    Malware Expert
  • Visiting Consultant
  • 16,560 posts
No need to run them again in the other profiles. I have seen very...very rare cases where something gets stuck on one account only. The scanners will usually pick up everything in your computer including different profiles/accounts.

You can get the prevention programs in the link I provided earlier (last reply). Nothing is 100% fool-proof, but they will help out.

What are the 6 threats detected? Can you give me their filename and locations?

If you follow my previous instructions on how to remove Combofix, that one should be gone already :)
You may remove erunt, FixWareout, Flash Disinfector, HJTInstall, OTMoveIt, SDFix, SmitfraudFix and VundoFix. You may keep the others that are remaining if you like.
#8
mpestle
    Member
  • Topic Starter
  • 12 posts
The 6 files that are currently in my virus scan's "Real Time Scan" log are as follows:
8/24/2008 8:55:50 AM File infection: C:\WINDOWS\system32\sysrest.sys is Win32/Datantstealth trojan.
8/24/2008 8:55:50 AM File infection: C:\WINDOWS\system32\sysrest.sys is Win32/Datantstealth trojan.
8/24/2008 9:38:46 AM File infection: C:\WINDOWS\system32\sysrest.sys is Win32/Datantstealth trojan.
8/24/2008 9:38:46 AM File infection: C:\WINDOWS\system32\sysrest.sys is Win32/Datantstealth trojan.
8/24/2008 11:24:13 AM File infection: C:\WINDOWS\system32\sysrest.sys is Win32/Datantstealth trojan.
8/24/2008 11:24:14 AM File infection: C:\WINDOWS\system32\sysrest.sys is Win32/Datantstealth trojan.

Do you think these are the 6 threats that the message is referring to?

I removed erunt, HJT and Combofix. The other programs (ATF_Cleaner.exe, Fixwareout.exe, Flash_disinfector.exe, OTMoveIt2.exe, SDFix.exe, SmitFraudFix.exe, Vundofix.exe) do not show up in the add/remove programs. Should I simply delete the .exe files or is there some other action I should take?
#9
greyknight17
    Malware Expert
  • Visiting Consultant
  • 16,560 posts
Yes, you may just delete those other third party tools that are not listed in the Add/Remove Programs panel.

We may need OTMoveIt again for this task...

Download OTMoveIt2 at http://download.blee...r/OTMoveIt2.exe
* Save it to your desktop.
* Double-click OTMoveIt2.exe to run it. (Vista users, right click on OTMoveIt2.exe and select Run as an Administrator).
* Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\system32\sysrest.sys

* Return to OTMoveIt2. Right click in the Paste List of Files/Folders to Move window (under the Yellow bar) and choose Paste.
* Click the red Moveit! button.
* A log of files and folders moved will be created in the C:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
* Close OTMoveIt2.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Download Combofix again and run it. Post the new log here.

Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoft.../activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply.

See if the scans still detect any trojans now.
#10
mpestle
    Member
  • Topic Starter
  • 12 posts
Okay, I ran the OTMoveIt2, Combofix and Pandascan. The logs are posted below. Just something of interest: when I ran ActiveScan, it went through a bunch of files and stated that it found 74 infected files and 1 suspicious file. The report, however, only shows 32 infected files and 1 suspicious file. Not sure why the discrepancy, but found this interesting. Also, Panda Scan stated that my virus scan was updated but disabled. When I open my virus scan "security center" it states that my computer is protected. Is it possible for the software to be disabled but the program to show otherwise?

Here are the logs you requested:

File/Folder C:\WINDOWS\system32\sysrest.sys not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09042008_205851
ComboFix 08-09-04.08 - Tony Lucchi 2008-09-04 21:09:09.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.248 [GMT -7:00]
Running from: C:\Documents and Settings\All Users\Documents\Anti-Spyware Software\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-08-05 to 2008-09-05 )))))))))))))))))))))))))))))))
.

2008-09-04 20:58 . 2008-09-04 20:58 <DIR> d-------- C:\_OTMoveIt
2008-09-02 15:00 . 2008-09-02 15:00 <DIR> d-------- C:\Documents and Settings\Karrie\Application Data\Creative Memories
2008-09-02 15:00 . 2008-09-02 15:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Creative Memories
2008-09-02 14:43 . 2008-09-02 14:43 <DIR> d-------- C:\Program Files\Creative Memories
2008-09-01 20:57 . 2008-09-01 20:57 <DIR> d--hs---- C:\Documents and Settings\Tony Lucchi\UserData
2008-08-25 22:40 . 2008-08-25 22:40 <DIR> d-------- C:\Documents and Settings\Tony Lucchi\Application Data\Malwarebytes
2008-08-25 21:52 . 2008-08-25 21:59 <DIR> d-------- C:\fixwareout
2008-08-25 20:56 . 2008-08-25 20:56 <DIR> d-------- C:\Documents and Settings\Karrie\Application Data\Malwarebytes
2008-08-25 20:56 . 2008-08-25 20:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-25 19:42 . 2008-08-25 19:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-25 07:03 . 2008-08-25 07:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-24 22:44 . 2008-08-24 22:44 <DIR> d-------- C:\Documents and Settings\Karrie\Application Data\SUPERAntiSpyware.com
2008-08-24 12:17 . 2008-09-04 19:26 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-24 12:17 . 2008-08-24 12:17 <DIR> d-------- C:\Documents and Settings\Tony Lucchi\Application Data\SUPERAntiSpyware.com
2008-08-24 12:17 . 2008-08-24 12:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-24 12:16 . 2008-09-02 23:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-24 11:29 . 2008-08-24 11:29 578,560 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-08-24 11:27 . 2008-08-24 11:28 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-23 12:40 . 2008-08-23 12:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-08-23 09:53 . 2008-09-02 21:25 <DIR> d-------- C:\Program Files\True Sword 5
2008-08-23 09:53 . 2008-08-23 09:53 <DIR> d-------- C:\Documents and Settings\Tony Lucchi\Application Data\True Sword
2008-08-22 22:23 . 2008-08-22 22:23 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-22 21:37 . 2008-08-23 10:20 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-08-22 21:12 . 2008-08-25 20:56 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-22 20:08 . 2008-08-22 20:08 <DIR> d--h----- C:\WINDOWS\PIF
2008-08-18 22:10 . 2008-04-11 12:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-18 22:10 . 2008-05-01 07:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-10 15:43 . 2008-08-23 10:20 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-10 15:42 . 2008-08-10 15:42 <DIR> d-------- C:\Program Files\MSN Games
2008-08-10 00:05 . 2008-08-10 00:05 880,560 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2008-08-10 00:05 . 2008-08-10 00:05 108,368 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2008-08-10 00:05 . 2008-08-10 00:05 99,568 --a------ C:\WINDOWS\system32\isafeif.dll
2008-08-10 00:05 . 2008-08-10 00:05 91,376 --a------ C:\WINDOWS\system32\isafprod.dll
2008-08-10 00:05 . 2008-08-10 00:05 83,256 --a------ C:\WINDOWS\system32\vetredir.dll
2008-08-10 00:05 . 2008-08-10 00:05 32,240 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-08-10 00:05 . 2008-08-10 00:05 26,352 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2008-08-10 00:05 . 2008-08-10 00:05 21,488 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-08-10 00:05 . 2008-08-10 00:05 21,104 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2008-08-10 00:04 . 2008-08-10 00:04 <DIR> d-------- C:\Program Files\CA
2008-08-10 00:04 . 2008-08-10 00:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA
2008-08-09 23:53 . 2004-01-05 00:27 38,867 --------- C:\WINDOWS\hpomdl03.dat
2008-08-09 23:53 . 2008-08-09 23:58 29,566 --a------ C:\WINDOWS\hpoins03.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-02 02:26 --------- d-----w C:\Program Files\Palm
2008-09-01 20:26 --------- d-----w C:\Program Files\WebEx
2008-08-01 04:12 --------- d-----w C:\Program Files\Common Files\Pure Networks Shared
2008-08-01 04:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-01 04:06 --------- d-----w C:\Program Files\Linksys
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 05:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 05:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-09 03:54 --------- d-----w C:\Program Files\Java
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\system32\NVMCTRAY.DLL" [2003-07-28 49152]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-04 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-07-28 4841472]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-28 282624]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-08-10 181488]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-08-10 234736]
"nwiz"="nwiz.exe" [2003-07-28 C:\WINDOWS\system32\nwiz.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 C:\WINDOWS\ltmsg.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 471040]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R2 LinksysUpdater;Linksys Updater;C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-05-08 204800]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://phoenix.cox.net/cci/home
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: {0DB0E34A-E2CA-4748-AC02-087E2662CBEA} - hxxp://www.fultonhomes.com/ContractDocs/DirectPrint.cab
C:\WINDOWS\Downloaded Program Files\DirectPrint.INF
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\olepro32.dll
C:\WINDOWS\system32\asycfilt.dll
C:\WINDOWS\system32\stdole2.tlb
C:\WINDOWS\system32\comcat.dll
C:\WINDOWS\system32\msvbvm60.dll
C:\WINDOWS\Downloaded Program Files\DirectPrint.ocx

O16 -: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} - hxxps://as00.estara.com/UI/proxyhttps.php?a=downloads.estara.com./&hash=c227af632116b5248e66110fb6de510e&url=http%3A%2F%2Fd.66.155.171.31.downloads.estara.com.%2Fas%2FOneCCDM.php&template=55366&sessionid=103393968_66.155.171.31_55976&=&req=1184638998968OneCC.cab
C:\WINDOWS\Downloaded Program Files\OneCC.inf
C:\WINDOWS\Downloaded Program Files\OneCC.dll

O16 -: {DE3F1566-A06D-11D0-ACD5-00A02417B281} - hxxp://www.fultonhomes.com/ContractDocs/aexview.cab
C:\WINDOWS\Downloaded Program Files\aexview.inf
C:\WINDOWS\system32\mfc71.dll
C:\WINDOWS\system32\msvcr71.dll
C:\WINDOWS\system32\msvcp71.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\mfc42.dll
C:\WINDOWS\system32\olepro32.dll
C:\WINDOWS\Downloaded Program Files\aexdex32.dll
C:\WINDOWS\Downloaded Program Files\il.dll
C:\WINDOWS\Downloaded Program Files\virtimg.dll
C:\WINDOWS\Downloaded Program Files\ImageObjects.dll
C:\WINDOWS\Downloaded Program Files\aexview.ocx
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-04 21:19:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-04 21:23:59
ComboFix-quarantined-files.txt 2008-09-05 04:23:03
ComboFix2.txt 2008-09-01 22:46:31

Pre-Run: 102,257,528,832 bytes free
Post-Run: 102,339,960,832 bytes free

160 --- E O F --- 2008-08-19 05:41:10
;*************************************************************************************************************************************************************************************
ANALYSIS: 2008-09-05 06:44:01
PROTECTIONS: 1
MALWARE: 32
SUSPECTS: 1
;*************************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;=====================================================================================================================================================================================
CA Anti-Virus 9.0.0.171 No Yes
;=====================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;=====================================================================================================================================================================================
00035328 Application/KillApp.A HackTools No 0 Yes No C:\OldData\hp\bin\Terminator.exe
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Karrie\Cookies\karrie@casalemedia[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\OldData\Documents and Settings\LocalService\Application Data\Netscape\NSB\Profiles\ypg5zch5.default\cookies.txt[.doubleclick.net/]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Program Files\True Sword 5\backuped\6\tony_lucchi@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Tony Lucchi\Cookies\tony_lucchi@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Karrie\Cookies\karrie@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Karrie\Cookies\karrie@doubleclick[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Program Files\True Sword 5\backuped\17\tony_lucchi@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Karrie\Cookies\karrie@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Karrie\Cookies\karrie@atdmt[3].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Tony Lucchi\Cookies\tony_lucchi@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Program Files\True Sword 5\backuped\3\tony_lucchi@atdmt[1].txt
00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\All Users\Documents\Anti-Spyware Software\SDFix.exe[C:\Documents and Settings\All Users\Documents\Anti-Spyware Software\SDFix.exe][SDFix\apps\Process.exe]
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Tony Lucchi\My Documents\Downloads\SmitfraudFix\Process.exe
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Karrie\Cookies\karrie@fastclick[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Karrie\Cookies\karrie@fastclick[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Karrie\Cookies\karrie@tribalfusion[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Program Files\True Sword 5\backuped\10\tony_lucchi@tribalfusion[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Tony Lucchi\Cookies\tony_lucchi@tribalfusion[1].txt
00145770 Cookie/CentrPort TrackingCookie No 0 Yes No C:\Documents and Settings\Tony Lucchi\Karrie\Application Data\Mozilla\Firefox\Profiles\tqcsv2zr.default\cookies.txt[.centrport.net/]
00145770 Cookie/CentrPort TrackingCookie No 0 Yes No C:\OldData\Documents and Settings\Karrie\Application Data\Mozilla\Firefox\Profiles\tqcsv2zr.default\cookies.txt[.centrport.net/]
00167430 Cookie/myaffiliateprogram TrackingCookie No 0 Yes No C:\OldData\Documents and Settings\Karrie\Application Data\Mozilla\Firefox\Profiles\tqcsv2zr.default\cookies.txt[www.myaffiliateprogram.com/]
00167430 Cookie/myaffiliateprogram TrackingCookie No 0 Yes No C:\Documents and Settings\Tony Lucchi\Karrie\Application Data\Mozilla\Firefox\Profiles\tqcsv2zr.default\cookies.txt[www.myaffiliateprogram.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Karrie\Cookies\karrie@com[1].txt
00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Tony Lucchi\Cookies\[email protected][1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Tony Lucchi\Cookies\[email protected][2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Karrie\Cookies\[email protected][1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Karrie\Cookies\[email protected][2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Program Files\True Sword 5\backuped\0\[email protected][2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Tony Lucchi\Cookies\tony_lucchi@apmebf[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Karrie\Cookies\karrie@apmebf[2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Karrie\Cookies\karrie@apmebf[1].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Karrie\Cookies\karrie@burstnet[1].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Karrie\Cookies\[email protected][1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Program Files\True Sword 5\backuped\2\tony_lucchi@advertising[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\OldData\Documents and Settings\LocalService\Application Data\Netscape\NSB\Profiles\ypg5zch5.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Tony Lucchi\Cookies\tony_lucchi@advertising[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\OldData\Documents and Settings\LocalService\Application Data\Netscape\NSB\Profiles\ypg5zch5.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\OldData\Documents and Settings\LocalService\Application Data\Netscape\NSB\Profiles\ypg5zch5.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Karrie\Cookies\karrie@advertising[3].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Karrie\Cookies\karrie@advertising[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\OldData\Documents and Settings\LocalService\Application Data\Netscape\NSB\Profiles\ypg5zch5.default\cookies.txt[.advertising.com/]
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Tony Lucchi\Cookies\[email protected][2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Karrie\Cookies\[email protected][1].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Program Files\True Sword 5\backuped\1\[email protected][1].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Karrie\Cookies\karrie@overture[2].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Karrie\Cookies\karrie@realmedia[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Karrie\Cookies\karrie@questionmarket[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Program Files\True Sword 5\backuped\8\tony_lucchi@questionmarket[1].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Karrie\Cookies\karrie@zedo[2].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Karrie\Cookies\karrie@zedo[1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\OldData\Documents and Settings\Karrie\Application Data\Mozilla\Firefox\Profiles\tqcsv2zr.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Tony Lucchi\Karrie\Application Data\Mozilla\Firefox\Profiles\tqcsv2zr.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\OldData\Documents and Settings\Karrie\Application Data\Mozilla\Firefox\Profiles\tqcsv2zr.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Tony Lucchi\Karrie\Application Data\Mozilla\Firefox\Profiles\tqcsv2zr.default\cookies.txt[.go.com/]
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\OldData\Documents and Settings\Karrie\Application Data\Mozilla\Firefox\Profiles\tqcsv2zr.default\cookies.txt[searchportal.information.com/]
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Tony Lucchi\Karrie\Application Data\Mozilla\Firefox\Profiles\tqcsv2zr.default\cookies.txt[searchportal.information.com/]
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\OldData\Documents and Settings\Karrie\Application Data\Mozilla\Firefox\Profiles\tqcsv2zr.default\cookies.txt[.target.com/]
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\OldData\Documents and Settings\Karrie\Application Data\Mozilla\Firefox\Profiles\tqcsv2zr.default\cookies.txt[.target.com/]
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Tony Lucchi\Karrie\Application Data\Mozilla\Firefox\Profiles\tqcsv2zr.default\cookies.txt[.target.com/]
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Tony Lucchi\Karrie\Application Data\Mozilla\Firefox\Profiles\tqcsv2zr.default\cookies.txt[.target.com/]
00207712 Cookie/360i TrackingCookie No 0 Yes No C:\Documents and Settings\Tony Lucchi\Karrie\Application Data\Mozilla\Firefox\Profiles\tqcsv2zr.default\cookies.txt[.ct.360i.com/]
00207712 Cookie/360i TrackingCookie No 0 Yes No C:\OldData\Documents and Settings\Karrie\Application Data\Mozilla\Firefox\Profiles\tqcsv2zr.default\cookies.txt[.ct.360i.com/]
00207712 Cookie/360i TrackingCookie No 0 Yes No C:\Documents and Settings\Tony Lucchi\Karrie\Application Data\Mozilla\Firefox\Profiles\tqcsv2zr.default\cookies.txt[.ct.360i.com/]
00207712 Cookie/360i TrackingCookie No 0 Yes No C:\OldData\Documents and Settings\Karrie\Application Data\Mozilla\Firefox\Profiles\tqcsv2zr.default\cookies.txt[.ct.360i.com/]
00207712 Cookie/360i TrackingCookie No 0 Yes No C:\OldData\Documents and Settings\Karrie\Application Data\Mozilla\Firefox\Profiles\tqcsv2zr.default\cookies.txt[.ct.360i.com/]
00207712 Cookie/360i TrackingCookie No 0 Yes No C:\Documents and Settings\Tony Lucchi\Karrie\Application Data\Mozilla\Firefox\Profiles\tqcsv2zr.default\cookies.txt[.ct.360i.com/]
00207936 Cookie/Adviva TrackingCookie No 0 Yes No C:\Documents and Settings\Tony Lucchi\Cookies\tony_lucchi@adviva[2].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\OldData\Documents and Settings\LocalService\Application Data\Netscape\NSB\Profiles\ypg5zch5.default\cookies.txt[.atwola.com/]
00366244 Application/NirCmd.A HackTools No 0 Yes No C:\fixwareout\FindT\nircmd.exe
00366244 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\All Users\Documents\Anti-Spyware Software\Flash_Disinfector.exe[C:\Documents and Settings\All Users\Documents\Anti-Spyware Software\Flash_Disinfector.exe][nircmd.exe]
01196325 Cookie/Enhance TrackingCookie No 0 Yes No C:\Documents and Settings\Karrie\Cookies\karrie@enhance[1].txt
03477235 Application/SmithFraudFix.A HackTools No 0 Yes No C:\Documents and Settings\Tony Lucchi\My Documents\Downloads\SmitfraudFix.exe
03541233 HackTool/Rebooter HackTools No 0 Yes No C:\Documents and Settings\Tony Lucchi\My Documents\Downloads\SmitfraudFix\Reboot.exe
;=====================================================================================================================================================================================
SUSPECTS
Sent Location H
;=====================================================================================================================================================================================
No C:\OldData\hp\bin\KillIt.exe H
;=====================================================================================================================================================================================
VULNERABILITIES
Id Severity Description H
;=====================================================================================================================================================================================
;=====================================================================================================================================================================================
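The 74-versus-32 discrepancy the poster noticed can be checked against the report itself: the MALWARE table above has 74 rows but only 32 distinct signature Ids. The script below is an added example, not code from the thread or from Panda; it parses a small report constructed in the same row layout, reports rows versus distinct Ids and per-type counts, and gives each row a coarse defender triage. The user names in the sample and the CLEANUP_TOOL_MARKERS list (folder names of the tools the thread had the poster download) are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Row layout of the ActiveScan MALWARE table, taken from the report header:
#   Id Description Type Active Severity Disinfectable Disinfected Location
# Description may contain spaces ("Cookie/Atlas DMT"), so it is matched
# non-greedily and anchored by the single-token Type and the Yes/No columns.
ROW_RE = re.compile(
    r"^(?P<id>\d{8})\s+(?P<desc>.+?)\s+(?P<type>\S+)\s+"
    r"(?P<active>Yes|No)\s+(?P<severity>\d+)\s+"
    r"(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+(?P<location>.+)$"
)

# Assumed markers: folder/file names of cleanup tools downloaded during this
# thread. Panda flags helper binaries shipped inside them as HackTools.
CLEANUP_TOOL_MARKERS = ("smitfraudfix", "fixwareout", "sdfix", "flash_disinfector")

# Constructed sample in the report's layout (user names are made up).
SAMPLE_REPORT = r"""
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\UserA\Cookies\usera@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\UserB\Cookies\userb@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\UserA\Cookies\usera@atdmt[2].txt
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\UserA\My Documents\Downloads\SmitfraudFix\Process.exe
00366244 Application/NirCmd.A HackTools No 0 Yes No C:\fixwareout\FindT\nircmd.exe
00366244 Application/NirCmd.A HackTools No 0 No No C:\Tools\Flash_Disinfector.exe[C:\Tools\Flash_Disinfector.exe][nircmd.exe]
00035328 Application/KillApp.A HackTools No 0 Yes No C:\OldData\hp\bin\Terminator.exe
;===============================================================================
SUSPECTS
"""


@dataclass(frozen=True)
class Detection:
    sig_id: str
    description: str
    det_type: str
    active: bool
    location: str


def parse_report(text):
    """Return one Detection per MALWARE row; every other report line is skipped."""
    found = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            found.append(Detection(m["id"], m["desc"], m["type"],
                                   m["active"] == "Yes", m["location"]))
    return found


def summarize(detections):
    """Rows versus distinct signature Ids, plus counts per detection type."""
    return {
        "rows": len(detections),
        "distinct_ids": len({d.sig_id for d in detections}),
        "by_type": Counter(d.det_type for d in detections),
        "active": sum(d.active for d in detections),
    }


def triage(det):
    """Coarse per-row triage: what a helper would tell the poster to do."""
    loc = det.location.lower()
    if det.det_type == "TrackingCookie":
        return "tracking cookie: clear the browser cookie store"
    if any(marker in loc for marker in CLEANUP_TOOL_MARKERS):
        return "component of a cleanup tool downloaded during this thread"
    if det.active:
        return "active detection: investigate"
    return "inactive file on disk: review before deleting"


if __name__ == "__main__":
    dets = parse_report(SAMPLE_REPORT)
    s = summarize(dets)
    print(f"{s['rows']} rows, {s['distinct_ids']} distinct Ids, {dict(s['by_type'])}")
    for d in dets:
        print(f"{d.sig_id} {d.det_type:15} {triage(d)}")
```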
#11
greyknight17
    Malware Expert
  • Visiting Consultant
  • 16,560 posts
Most of them are just cookie files which you can delete in the c:\windows\cookies folder. For Netscape cookies, delete them from the Preferences.

Go into Firefox->Tools->Clear Private Data and hit OK to delete all your cookie and temp files.

Do you see your antivirus program running right now? If so, Panda probably didn't detect it properly.

Is anything still detected now? Any other issues?
#12
mpestle
    Member
  • Topic Starter
  • 12 posts
Thanks for your reply. Unfortunately I was unable to follow your instruction.

I could not find a folder c:\windows\cookies. I did a search and I went to tools --> folder options --> view --> show hidden files and folders and still did not see it.

Also, I do not currently have Netscape or Firefox loaded on my computer. I had it previously, but never reloaded it after the McAfee fiasco I had in late 2006.

Any other suggestions re: the 6 threats? I did receive another message a few minutes after I signed on today (6 threats detected and removed). I apologize, I am sure this thread is growing old for you.

#13
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Sorry about that... it's in each user's profile:

C:\Documents and Settings\Karrie\Cookies\
C:\Documents and Settings\Tony Lucchi\Cookies\


Go into any other user profiles and delete the cookies from their respective folders. You can delete these folders:

C:\OldData\Documents and Settings\Karrie\Application Data\Mozilla\
C:\OldData\Documents and Settings\LocalService\Application Data\Netscape\


Is it the same exact file again that's detected 6 times?

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

Driver::
sysrest.sys
File::
C:\Documents and Settings\All Users\TEMP\1f34ff45
C:\Documents and Settings\Tony Lucchi\1f34ff45
C:\WINDOWS\system32\sysrest.sys
Folder::
C:\Documents and Settings\All Users\Application Data\TEMP
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysrest.sys]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sysrest32.exe"=-
Rootkit::
sysrest.sys

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

See if there are any changes after doing the above.
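The CFScript above is a plain-text file of `Name::` sections, and its Registry:: section uses regedit .reg syntax (a leading `-` on a key deletes the key, `"name"=-` deletes one value). As an added example that is not ComboFix code or anything from this thread, the parser below reads that exact script into its sections and classifies the registry directives, so a helper can review what a script will touch before it is run:

```python
"""Parse a ComboFix CFScript into its sections and classify Registry:: lines.
Added example, not ComboFix's own code; the script text is the one posted
above, embedded as the sample input.
"""
import re

# The CFScript from the post, embedded verbatim as sample input.
CFSCRIPT = r"""Driver::
sysrest.sys
File::
C:\Documents and Settings\All Users\TEMP\1f34ff45
C:\Documents and Settings\Tony Lucchi\1f34ff45
C:\WINDOWS\system32\sysrest.sys
Folder::
C:\Documents and Settings\All Users\Application Data\TEMP
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysrest.sys]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sysrest32.exe"=-
Rootkit::
sysrest.sys
"""

SECTION_RE = re.compile(r"^(\w+)::$")           # e.g. "File::"
KEY_RE = re.compile(r"^\[(-?)(HKEY_[^\]]+)\]$")  # "[-HKEY_...]" deletes the key
VALUE_RE = re.compile(r'^"([^"]+)"=(-|.*)$')    # '"name"=-' deletes the value


def parse_cfscript(text):
    """Return {section_name: [lines]}, preserving order within each section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def registry_actions(lines):
    """Classify Registry:: lines as (action, key, value_name) tuples."""
    actions, key = [], None
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1) == "-":
                actions.append(("delete_key", key, None))
            continue
        m = VALUE_RE.match(line)
        if m and key:
            kind = "delete_value" if m.group(2) == "-" else "set_value"
            actions.append((kind, key, m.group(1)))
    return actions
```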

#14
mpestle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I looked for the following files and was unsuccessful in finding them:
C:\Documents and Settings\Karrie\Cookies\
C:\Documents and Settings\Tony Lucchi\Cookies\

I deleted the following files:
C:\OldData\Documents and Settings\Karrie\Application Data\Mozilla\
C:\OldData\Documents and Settings\LocalService\Application Data\Netscape\

I can't seem to find where the log is for my virus scan to determine which 6 files are being detected each time. The log I checked the last time does not have any data in it because I cleared the log.

I created the script as you instructed below and ran Combofix.exe. The log is as follows:

ComboFix 08-09-05.02 - Tony Lucchi 2008-09-06 15:00:56.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.262 [GMT -7:00]
Running from: C:\Documents and Settings\All Users\Documents\Anti-Spyware Software\ComboFix.exe
Command switches used :: C:\Documents and Settings\All Users\Documents\Anti-Spyware Software\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\TEMP
C:\Documents and Settings\All Users\Application Data\TEMP\DFC5A2B2.TMP

.
((((((((((((((((((((((((( Files Created from 2008-08-06 to 2008-09-06 )))))))))))))))))))))))))))))))
.

2008-09-04 21:28 . 2008-09-04 21:28 <DIR> d-------- C:\Program Files\Panda Security
2008-09-04 21:28 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-09-04 20:58 . 2008-09-04 20:58 <DIR> d-------- C:\_OTMoveIt
2008-09-02 15:00 . 2008-09-02 15:00 <DIR> d-------- C:\Documents and Settings\Karrie\Application Data\Creative Memories
2008-09-02 15:00 . 2008-09-02 15:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Creative Memories
2008-09-02 14:43 . 2008-09-02 14:43 <DIR> d-------- C:\Program Files\Creative Memories
2008-09-01 20:57 . 2008-09-01 20:57 <DIR> d--hs---- C:\Documents and Settings\Tony Lucchi\UserData
2008-08-25 22:40 . 2008-08-25 22:40 <DIR> d-------- C:\Documents and Settings\Tony Lucchi\Application Data\Malwarebytes
2008-08-25 21:52 . 2008-08-25 21:59 <DIR> d-------- C:\fixwareout
2008-08-25 20:56 . 2008-08-25 20:56 <DIR> d-------- C:\Documents and Settings\Karrie\Application Data\Malwarebytes
2008-08-25 20:56 . 2008-08-25 20:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-25 19:42 . 2008-08-25 19:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-25 07:03 . 2008-08-25 07:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-24 22:44 . 2008-08-24 22:44 <DIR> d-------- C:\Documents and Settings\Karrie\Application Data\SUPERAntiSpyware.com
2008-08-24 12:17 . 2008-09-04 19:26 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-24 12:17 . 2008-08-24 12:17 <DIR> d-------- C:\Documents and Settings\Tony Lucchi\Application Data\SUPERAntiSpyware.com
2008-08-24 12:17 . 2008-08-24 12:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-24 12:16 . 2008-09-02 23:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-24 11:29 . 2008-08-24 11:29 578,560 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-08-24 11:27 . 2008-08-24 11:28 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-23 12:40 . 2008-08-23 12:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-08-23 09:53 . 2008-09-02 21:25 <DIR> d-------- C:\Program Files\True Sword 5
2008-08-23 09:53 . 2008-08-23 09:53 <DIR> d-------- C:\Documents and Settings\Tony Lucchi\Application Data\True Sword
2008-08-22 22:23 . 2008-08-22 22:23 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-22 21:37 . 2008-08-23 10:20 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-08-22 21:12 . 2008-08-25 20:56 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-22 20:08 . 2008-08-22 20:08 <DIR> d--h----- C:\WINDOWS\PIF
2008-08-18 22:10 . 2008-04-11 12:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-18 22:10 . 2008-05-01 07:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-10 15:42 . 2008-08-10 15:42 <DIR> d-------- C:\Program Files\MSN Games
2008-08-10 00:05 . 2008-08-10 00:05 880,560 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2008-08-10 00:05 . 2008-08-10 00:05 108,368 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2008-08-10 00:05 . 2008-08-10 00:05 99,568 --a------ C:\WINDOWS\system32\isafeif.dll
2008-08-10 00:05 . 2008-08-10 00:05 91,376 --a------ C:\WINDOWS\system32\isafprod.dll
2008-08-10 00:05 . 2008-08-10 00:05 83,256 --a------ C:\WINDOWS\system32\vetredir.dll
2008-08-10 00:05 . 2008-08-10 00:05 32,240 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-08-10 00:05 . 2008-08-10 00:05 26,352 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2008-08-10 00:05 . 2008-08-10 00:05 21,488 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-08-10 00:05 . 2008-08-10 00:05 21,104 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2008-08-10 00:04 . 2008-08-10 00:04 <DIR> d-------- C:\Program Files\CA
2008-08-10 00:04 . 2008-08-10 00:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA
2008-08-09 23:53 . 2004-01-05 00:27 38,867 --------- C:\WINDOWS\hpomdl03.dat
2008-08-09 23:53 . 2008-08-09 23:58 29,566 --a------ C:\WINDOWS\hpoins03.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-02 02:26 --------- d-----w C:\Program Files\Palm
2008-09-01 20:26 --------- d-----w C:\Program Files\WebEx
2008-08-01 04:12 --------- d-----w C:\Program Files\Common Files\Pure Networks Shared
2008-08-01 04:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-01 04:06 --------- d-----w C:\Program Files\Linksys
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 05:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 05:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-09 03:54 --------- d-----w C:\Program Files\Java
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
.

((((((((((((((((((((((((((((( snapshot@2008-09-04_21.21.59.96 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-30 17:39:58 128,256 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\system32\NVMCTRAY.DLL" [2003-07-28 49152]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-04 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-07-28 4841472]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-28 282624]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-08-10 181488]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-08-10 234736]
"nwiz"="nwiz.exe" [2003-07-28 C:\WINDOWS\system32\nwiz.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 C:\WINDOWS\ltmsg.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 471040]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544]
R2 LinksysUpdater;Linksys Updater;C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-05-08 204800]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-06 15:06:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-06 15:08:04
ComboFix-quarantined-files.txt 2008-09-06 22:07:46
ComboFix2.txt 2008-09-05 04:24:02
ComboFix3.txt 2008-09-01 22:46:31

Pre-Run: 109,435,953,152 bytes free
Post-Run: 109,454,536,704 bytes free

142 --- E O F --- 2008-08-19 05:41:10

#15
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
You can just go to Start > Run and copy/paste each of the below entries into it and hit ENTER:

C:\Documents and Settings\Karrie\Cookies\
C:\Documents and Settings\Tony Lucchi\Cookies\


That will bring up the cookies folder for you. Then you can do a select all and delete all the cookies inside that folder.

When your virus scanner picks something up, it will usually tell you what it found and where it found it.