
Virus/Hijackthis Log [CLOSED]

#1
bwjudy
  • Member
  • 12 posts
Hello! I am new to geekstogo, so be gentle...

My client had a few viruses, one being Anti-Virus XP 2008 and whatever else comes along with that. I was having trouble removing FakeAlert-AG and New Malware.ca. I manually unregistered some DLLs and ran smitfraud. I think I've removed most of the files, but this is my log just in case.

Thanks for any input!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:12, on 9/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\WINNT\system32\igfxpers.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINNT\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINNT\vsndo763.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINNT\Logi_MwX.Exe
C:\WINNT\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Ahead\Nero BackItUp\NBJ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\McAfee\MSC\McLgView.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [Persistence] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINNT\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [SNDO763] C:\WINNT\vsndo763.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\RunServices: [nsdcmd vid process] nsdcmdwin.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Owner\Desktop\InterCasino $$$.lnk (file missing)
O9 - Extra 'Tools' menuitem: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Owner\Desktop\InterCasino $$$.lnk (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Owner\Desktop\InterCasino $$$.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Owner\Desktop\InterCasino $$$.lnk (file missing) (HKCU)
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://riverbelle.m...lay/FlashAX.cab
O16 - DPF: {EBF85371-A38F-485B-B28F-0B4C82D25937} (CUpdateCtl Object) - http://update.hpphot.../HPSWUpdate.ocx
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitc...eInstallSBC.exe
O20 - Winlogon Notify: egsqelor - egsqelor32.dll (file missing)
O22 - SharedTaskScheduler: g980w3mefndsiza7srenjaebfhdsfd - {C5AF42A3-94F3-42BD-F434-3604812C897D} - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Distributed Transaction Coordinator MSDTCWebClient (MSDTCWebClient) - Unknown owner - C:\WINNT\system32\amr_cplo.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

--
End of file - 8843 bytes

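To show what a helper actually looks for when reading a log like the one above, here is an added Python triage script; it is not from this thread or from HijackThis, and its heuristics (orphaned references, Winlogon Notify and SharedTaskScheduler entries, the Win9x-era RunServices key, bare image names, unknown-owner services living in system32) are my own choices. The sample lines are copied from the log above; "orphan" entries point at files that are already gone, while "live" entries still have a binary on disk and deserve investigation rather than a blind delete.

```python
"""Triage a HijackThis v2 log: flag the entry types a reviewer reads first.

Added example, not part of the thread. The heuristics are the author's
assumptions about what is worth a second look on an XP-era home PC.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = "\n".join([
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe",
    r"O4 - HKLM\..\RunServices: [nsdcmd vid process] nsdcmdwin.exe",
    r"O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)",
    r"O20 - Winlogon Notify: egsqelor - egsqelor32.dll (file missing)",
    r"O22 - SharedTaskScheduler: g980w3mefndsiza7srenjaebfhdsfd - {C5AF42A3-94F3-42BD-F434-3604812C897D} - (no file)",
    r"O23 - Service: Distributed Transaction Coordinator MSDTCWebClient (MSDTCWebClient) - Unknown owner - C:\WINNT\system32\amr_cplo.exe",
    r"O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe",
])

# Every HijackThis entry starts with a section code (R0, O4, O23, ...) and " - ".
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# An O4 value that is a bare image name (no drive, no backslash) is resolved
# through the search path at logon, so the log cannot tell us which file ran.
BARE_IMAGE_RE = re.compile(r"\]\s+\"?(?P<image>[^\\\"\s]+\.(?:exe|dll))\"?\s*$", re.I)


@dataclass
class Finding:
    section: str
    line: str
    reasons: list[str]
    orphan: bool  # True when the referenced file is already gone


def triage_line(line: str) -> Finding | None:
    """Return a Finding for one log line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    reasons: list[str] = []
    orphan = "(file missing)" in body or "(no file)" in body
    if orphan:
        reasons.append("references a file that no longer exists (leftover of a removal)")
    if sec == "O20":
        reasons.append("Winlogon Notify DLL: loaded into winlogon.exe at logon")
    if sec == "O22":
        reasons.append("SharedTaskScheduler object: instantiated by Explorer at logon")
    if sec == "O4" and "RunServices" in body:
        reasons.append("RunServices key: Windows 9x-era location, no reason for XP software to use it")
    if sec == "O4" and BARE_IMAGE_RE.search(body):
        reasons.append("bare image name, resolved via the search path rather than a full path")
    if sec == "O23" and "Unknown owner" in body and re.search(r"\\system32\\[^\\]+$", body, re.I):
        reasons.append("service with no vendor whose binary sits directly in system32")
    if not reasons:
        return None
    return Finding(sec, line.strip(), reasons, orphan)


def triage_log(text: str) -> list[Finding]:
    """Run triage_line over a whole log and keep only the hits."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Split hits into orphans (file gone) and live entries (binary still present)."""
    return {
        "orphans": sum(f.orphan for f in findings),
        "live": sum(not f.orphan for f in findings),
    }


if __name__ == "__main__":
    hits = triage_log(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.section}] {'orphan' if f.orphan else 'LIVE  '} {f.line}")
        for r in f.reasons:
            print(f"      - {r}")
    print(summarize(hits))
```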

#2
andrewuk
  • Trusted Helper
  • Malware Removal
  • 5,297 posts
Hi bwjudy

welcome to geekstogo :)

A question first: what do you mean by "My client had a few viruses"? Your machine, or are you cleaning this machine for someone? Or what?

andrewuk

#3
bwjudy
  • Topic Starter
  • Member
  • 12 posts
My client, as in my mother. Sorry, it sounded kind of childish to say mother.

#4
andrewuk
  • Trusted Helper
  • Malware Removal
  • 5,297 posts
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.



andrewuk

#5
bwjudy
  • Topic Starter
  • Member
  • 12 posts
When I try to run ComboFix on the PC, I get an error: "ComboFix has detected the presence of rootkit activity and needs to reboot the machine". Then it will reboot and relaunch ComboFix and get the same error continuously. It won't even get past the first stage. Any suggestions?

#6
bwjudy
  • Topic Starter
  • Member
  • 12 posts
Never mind, I ran it again and it's completing the stages.

#7
andrewuk
  • Trusted Helper
  • Malware Removal
  • 5,297 posts
OK, I will await the logs.

Edited by andrewuk, 05 September 2008 - 02:54 PM.


#8
bwjudy
  • Topic Starter
  • Member
  • 12 posts
Here are my new logs, starting with ComboFix.

Thanks!

ComboFix 08-09-04.09 - Owner 2008-09-05 16:45:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1546 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\wsnpoem
C:\Documents and Settings\LocalService\Application Data\wsnpoem\audio.dll
C:\Program Files\Dynamic Toolbar
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\bubble.bmp
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\bubble16.bmp
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\celebs.bmp
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\gotb.bmp
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\highlight.bmp
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\hotstuff.bmp
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\hotstuffsm.bmp
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\movies.bmp
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\music.bmp
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\news.bmp
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\ngames.bmp
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\radio.bmp
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\REALBARTB0115.cfg
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\rollingstone.bmp
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\sports.bmp
C:\WINNT\system32\amr_cplo.exe
C:\WINNT\system32\AutoRun.inf
C:\WINNT\system32\config\systemprofile\Application Data\ShoppingReport
C:\WINNT\system32\config\systemprofile\Application Data\ShoppingReport\cs\Config.xml
C:\WINNT\system32\config\systemprofile\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\WINNT\system32\config\systemprofile\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\WINNT\system32\config\systemprofile\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\WINNT\system32\config\systemprofile\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\WINNT\system32\config\systemprofile\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\WINNT\system32\config\systemprofile\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
C:\WINNT\system32\drivers\Qpn60.sys
C:\WINNT\system32\lphcn6lj0e1b9.exe
C:\WINNT\system32\wsnpoem
C:\WINNT\system32\wsnpoem\audio.dll
C:\WINNT\system32\wsnpoem\audio.dll.cla
C:\WINNT\system32\wsnpoem\video.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSDTCWEBCLIENT
-------\Legacy_NPF
-------\Legacy_QPN60
-------\Legacy_TCPSR
-------\Service_MSDTCWebClient
-------\Service_Qpn60
-------\Service_sysrest.sys
-------\Service_tcpsr


((((((((((((((((((((((((( Files Created from 2008-08-05 to 2008-09-05 )))))))))))))))))))))))))))))))
.

2008-09-05 11:19 . 2008-09-05 11:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-05 00:02 . 2008-09-05 09:08 3,230 --a------ C:\WINNT\system32\tmp.reg
2008-09-04 18:39 . 2008-09-04 18:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-09-04 18:22 . 2008-09-04 18:22 10,000 --a------ C:\WINNT\system32\kxnd73n3.dll
2008-08-28 23:04 . 2008-08-28 23:05 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\towers_pc
2008-08-28 22:50 . 2008-08-28 22:59 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Beanbag Studios
2008-08-28 21:15 . 2008-08-28 21:15 16,384 --ahs---- C:\WINNT\system32\3076p.dll
2008-08-27 16:54 . 2008-08-27 16:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-27 16:54 . 2008-08-27 16:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-26 11:21 . 2008-08-26 11:42 <DIR> d-------- C:\WINNT\system32\CatRoot_bak
2008-08-24 16:40 . 2008-09-05 16:31 <DIR> d-------- C:\WINNT\system32\config\systemprofile\Application Data\COMCASTTOOLBAR
2008-08-20 14:59 . 2008-08-22 16:34 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\gtk-2.0
2008-08-20 14:59 . 2008-08-20 14:59 <DIR> d-------- C:\Documents and Settings\Owner\.thumbnails
2008-08-20 14:57 . 2008-08-20 14:57 <DIR> d-------- C:\Program Files\GIMP-2.0
2008-08-20 14:57 . 2008-08-22 16:35 <DIR> d-------- C:\Documents and Settings\Owner\.gimp-2.4
2008-08-20 14:25 . 2008-08-20 14:25 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-15 23:46 . 2008-08-18 11:29 <DIR> d-------- C:\Program Files\Jewel Quest 2
2008-08-15 23:40 . 2008-08-29 00:49 270 --a-s---- C:\WINNT\system32\1473409161.dat
2008-08-12 19:42 . 2008-05-01 10:30 331,776 --------- C:\WINNT\system32\dllcache\msadce.dll
2008-08-10 20:56 . 2008-08-10 20:56 <DIR> d--h----- C:\WINNT\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-05 01:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-04 22:26 --------- d-----w C:\Program Files\McAfee
2008-09-04 22:15 --------- d-----w C:\Program Files\PartyGaming.Net
2008-09-02 19:36 --------- d-----w C:\Program Files\Slots Plus Casino
2008-08-31 00:10 --------- d-----w C:\Program Files\Sun Palace Casino
2008-08-29 22:35 --------- d-----w C:\Program Files\InterCasino $$$
2008-08-29 04:07 --------- d-----w C:\Program Files\Best Buy Games
2008-08-29 04:04 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-24 18:05 18,198 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-08-22 17:39 238,288 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-08-20 18:46 --------- d-----w C:\Program Files\Lavasoft
2008-08-20 18:30 --------- d-----w C:\Program Files\Java
2008-08-20 18:14 --------- d-----w C:\Program Files\bdpw6
2008-08-20 18:11 --------- d-----w C:\Program Files\Google
2008-08-20 18:09 --------- d-----w C:\Program Files\Gateway
2008-08-20 18:08 --------- d-----w C:\Program Files\Dogs Playing Poker
2008-08-20 18:07 --------- d-----w C:\Program Files\Yahoo!
2008-08-20 17:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-16 03:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\iWin
2008-08-15 04:11 --------- d-----w C:\Program Files\Yahoo! Games
2008-07-08 16:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\Arcsoft
2008-07-08 15:57 --------- d-----w C:\Documents and Settings\Owner\Application Data\ComcastToolbar
2008-07-05 23:22 --------- d-----w C:\Program Files\ComcastToolbar
2008-07-05 19:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\McAfee
2008-07-05 19:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-05 18:50 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-05 18:30 --------- d-----w C:\Program Files\McAfee.com
2008-07-05 18:30 --------- d-----w C:\Program Files\Common Files\McAfee
2008-07-05 18:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-05 17:58 --------- d-----w C:\Program Files\Common Files\Scanner
2006-10-20 03:24 880 ----a-w C:\Program Files\Shortcut_to_Window_Washer.lnk
2006-09-02 17:18 371,712 ----a-w C:\Program Files\SmartDownload.exe
2006-07-20 14:30 44,823 ----a-w C:\Program Files\cats sun bathing.jpg
2006-07-15 03:36 13,736,064 ----a-w C:\Program Files\GoogleEarthWin.exe
2005-05-26 19:35 1,422 ----a-w C:\Program Files\ReadMe.txt
2002-09-11 14:26 63,730 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
.

------- Sigcheck -------

2005-05-25 15:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINNT\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 13:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINNT\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINNT\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINNT\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 06:44 360960 744e57c99232201ae98c49168b918f48 C:\WINNT\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINNT\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINNT\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178 C:\WINNT\$NtUninstallKB951748$\tcpip.sys
2004-08-04 01:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINNT\ServicePackFiles\i386\tcpip.sys
2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINNT\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 C:\WINNT\system32\dllcache\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 C:\WINNT\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5AF42A3-94F3-42BD-F434-3604812C897D}]
2008-09-04 18:22 10000 --a------ C:\WINNT\system32\kxnd73n3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 15360]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2004-09-07 1871872]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINNT\system32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="C:\WINNT\system32\hkcmd.exe" [2005-04-05 77824]
"Gateway Ink Monitor"="C:\Program Files\Gateway Utilities\GWInkMonitor.exe" [2003-06-24 303180]
"Persistence"="C:\WINNT\system32\igfxpers.exe" [2005-04-05 114688]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"WrtMon.exe"="C:\WINNT\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"SNDO763"="C:\WINNT\vsndo763.exe" [2005-01-18 32768]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"hpqSRMon"="C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME\TomTomHOME.exe" [2007-05-15 3975848]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [2001-07-09 155648]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 C:\WINNT\LOGI_MWX.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]
TotalMedia Backup Monitor.lnk - C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe [2008-01-25 270336]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{C5AF42A3-94F3-42BD-F434-3604812C897D}"= "C:\WINNT\system32\kxnd73n3.dll" [2008-09-04 10000]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk
backup=C:\WINNT\pss\AT&T Self Support Tool.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcNotifier

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
1 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-03-11 22:34 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2003-06-07 07:32 50688 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-03-18 15:28 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 21:05 204288 C:\Program Files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 SocketLock;Raw Socket Lock Driver;C:\WINNT\system32\socketlock.sys [2005-02-16 3712]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINNT\system32\DRIVERS\AN983.sys [2004-08-03 36224]
S3 SNDO763;Dual Mode Camera (800A VGA);C:\WINNT\system32\DRIVERS\sndo763.sys [2005-01-21 220160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-lphcn6lj0e1b9 - C:\WINNT\system32\lphcn6lj0e1b9.exe
HKLM-RunServices-nsdcmd vid process - nsdcmdwin.exe
Notify-egsqelor - egsqelor.dll
MSConfigStartUp-First Principle Group - C:\Program Files\First Principle Group\fpg.exe
MSConfigStartUp-lphcn6lj0e1b9 - C:\WINNT\system32\lphcn6lj0e1b9.exe
MSConfigStartUp-mmtask - c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
MSConfigStartUp-MMTray - C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
MSConfigStartUp-Simple Star PhotoShow Media Manager - C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
MSConfigStartUp-YBrowser - C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\z5pnvajb.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-05 16:52:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\SBC Self Support Tool\SmartBridge\MotiveSB.exe
C:\WINNT\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
C:\WINNT\system32\imapi.exe
C:\WINNT\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-09-05 17:03:36 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-09-05 21:03:30

Pre-Run: 90,380,001,280 bytes free
Post-Run: 90,319,798,272 bytes free

266 --- E O F --- 2008-08-23 01:09:43


----------------------------------------------------------------------------------------------------------------------------

HIJACKTHIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:11:10, on 9/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\WINNT\system32\igfxpers.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINNT\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINNT\vsndo763.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINNT\Logi_MwX.Exe
C:\WINNT\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Ahead\Nero BackItUp\NBJ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\PROGRA~1\mcafee\msc\mcupdmgr.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: C:\WINNT\system32\kxnd73n3.dll - {C5AF42A3-94F3-42BD-F434-3604812C897D} - C:\WINNT\system32\kxnd73n3.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [Persistence] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINNT\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [SNDO763] C:\WINNT\vsndo763.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Owner\Desktop\InterCasino $$$.lnk (file missing)
O9 - Extra 'Tools' menuitem: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Owner\Desktop\InterCasino $$$.lnk (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Owner\Desktop\InterCasino $$$.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Owner\Desktop\InterCasino $$$.lnk (file missing) (HKCU)
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://riverbelle.m...lay/FlashAX.cab
O16 - DPF: {EBF85371-A38F-485B-B28F-0B4C82D25937} (CUpdateCtl Object) - http://update.hpphot.../HPSWUpdate.ocx
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitc...eInstallSBC.exe
O22 - SharedTaskScheduler: g980w3mefndsiza7srenjaebfhdsfd - {C5AF42A3-94F3-42BD-F434-3604812C897D} - C:\WINNT\system32\kxnd73n3.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

--
End of file - 8687 bytes
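As an added example that is not part of this thread or of HijackThis itself, the script below applies a few of the rules a helper uses when reading a log like the one above: orphaned entries whose target file is gone, SharedTaskScheduler hooks, services with no identified owner, random-looking filenames dropped in the Windows directory, and autoruns launched from the Windows root instead of system32 or Program Files. The sample lines are copied from the log; the heuristics, thresholds and function names are my own assumptions, and anything the script flags is a candidate for a file-scan check (such as a Jotti or VirusTotal submission), not a verdict.

```python
"""
Triage heuristics for HijackThis log lines.

Added example for this thread (not part of the original post or of
HijackThis): it applies a few defender-side rules to the log format seen
above and returns, per line, the reasons an entry deserves a closer look.
Every flagged file should still be verified (hash lookup, vendor check,
online scanner) before anything is removed.
"""
import re

# "O2 - BHO: ..." -> kind "O2", body "BHO: ..."
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Drive-letter paths ending in an executable-type extension (spaces allowed).
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|sys|ocx)\b", re.IGNORECASE)
# Windows directory, whether it is called WINNT or Windows on this machine.
WINDIR_RE = re.compile(r"^[A-Za-z]:\\(winnt|windows)\\", re.IGNORECASE)
# A file sitting directly in the Windows root, e.g. C:\WINNT\vsndo763.exe
WINROOT_RE = re.compile(r"^[A-Za-z]:\\(winnt|windows)\\[^\\]+$", re.IGNORECASE)


def looks_generated(filename: str) -> bool:
    """Crude check for dropper-style names such as kxnd73n3.dll:
    at least five characters, at least two digits and at most one vowel.
    The thresholds are an assumption chosen for this example."""
    stem = filename.rsplit(".", 1)[0].lower()
    digits = sum(c.isdigit() for c in stem)
    vowels = sum(c in "aeiou" for c in stem)
    return len(stem) >= 5 and digits >= 2 and vowels <= 1


def triage_line(line: str) -> list:
    """Return the review reasons for one HijackThis line (empty list = nothing notable)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    reasons = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("orphaned entry: target file is absent (leftover to clean up)")
    if kind == "O22":
        reasons.append("SharedTaskScheduler hook: rarely used by legitimate software")
    if kind == "O23" and "Unknown owner" in body:
        reasons.append("service with no identified owner/vendor")
    seen = set()
    for path in PATH_RE.findall(body):
        if path.lower() in seen:  # the same path often appears twice on one line
            continue
        seen.add(path.lower())
        name = path.rsplit("\\", 1)[-1]
        if WINDIR_RE.match(path) and looks_generated(name):
            reasons.append(f"random-looking filename in Windows directory: {path}")
        # Legitimate autoruns live in system32 or Program Files, not the Windows root.
        if kind == "O4" and WINROOT_RE.match(path):
            reasons.append(f"autorun launched from the Windows root: {path}")
    return reasons


def triage_log(text: str) -> dict:
    """Map each notable log line to its review reasons."""
    result = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            result[line.strip()] = reasons
    return result


# Constructed sample: a handful of lines copied from the log above plus two
# benign ones, so the example runs offline.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: C:\WINNT\system32\kxnd73n3.dll - {C5AF42A3-94F3-42BD-F434-3604812C897D} - C:\WINNT\system32\kxnd73n3.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [SNDO763] C:\WINNT\vsndo763.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O22 - SharedTaskScheduler: g980w3mefndsiza7srenjaebfhdsfd - {C5AF42A3-94F3-42BD-F434-3604812C897D} - C:\WINNT\system32\kxnd73n3.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
"""

if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG).items():
        print(entry)
        for r in reasons:
            print("   ->", r)
```

Run it against the sample and six of the eight lines come back with reasons; the two McAfee and Intel-style entries with vendor names and system32 paths stay quiet. The name heuristic deliberately only fires inside the Windows directory, because vendor files under Program Files (hpqtra08.exe, for instance) also look "random" by letter counts and would otherwise swamp the list.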

#9
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
In this post we will scan a couple of suspicious-looking files and clear some more malware. All going well, it should only take 3 more posts from me to clear this all up.


====STEP 1====
Jotti File Submission:

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
C:\WINNT\system32\3076p.dll

Click on the submit button

Please also do the same with the following file:
C:\Program Files\SmartDownload.exe

Please post the results of the scan in your next reply.

If Jotti is busy, try the same at Virustotal



====STEP 2====
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINNT\system32\kxnd73n3.dll
C:\WINNT\vsndo763.exe

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5AF42A3-94F3-42BD-F434-3604812C897D}]
[-HKEY_CLASSES_ROOT\CLSID\{C5AF42A3-94F3-42BD-F434-3604812C897D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SNDO763"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB}]
[-HKEY_CLASSES_ROOT\CLSID\{909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{EBF85371-A38F-485B-B28F-0B4C82D25937}]
[-HKEY_CLASSES_ROOT\CLSID\{EBF85371-A38F-485B-B28F-0B4C82D25937}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{C5AF42A3-94F3-42BD-F434-3604812C897D}"=-
[-HKEY_CLASSES_ROOT\CLSID\{C5AF42A3-94F3-42BD-F434-3604812C897D}]

DirLook::
C:\Program Files\bdpw6


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



In your next reply could I see:
1. the two Jotti scan logs
2. the ComboFix log
3. a new HijackThis log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk

#10
bwjudy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Here is the new log. I am also getting a buffer overflow error with file lsass.exe, not sure what that is all about.





ComboFix 08-09-05.02 - Owner 2008-09-06 13:41:00.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1341 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\kxnd73n3.dll
C:\WINNT\vsndo763.exe

.
((((((((((((((((((((((((( Files Created from 2008-08-06 to 2008-09-06 )))))))))))))))))))))))))))))))
.

2008-09-05 11:19 . 2008-09-05 11:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-05 00:02 . 2008-09-05 09:08 3,230 --a------ C:\WINNT\system32\tmp.reg
2008-09-04 18:39 . 2008-09-04 18:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-28 23:04 . 2008-08-28 23:05 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\towers_pc
2008-08-28 22:50 . 2008-08-28 22:59 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Beanbag Studios
2008-08-28 21:15 . 2008-08-28 21:15 16,384 --ahs---- C:\WINNT\system32\3076p.dll
2008-08-27 16:54 . 2008-08-27 16:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-27 16:54 . 2008-08-27 16:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-26 11:21 . 2008-08-26 11:42 <DIR> d-------- C:\WINNT\system32\CatRoot_bak
2008-08-24 16:40 . 2008-09-05 16:31 <DIR> d-------- C:\WINNT\system32\config\systemprofile\Application Data\COMCASTTOOLBAR
2008-08-20 14:59 . 2008-08-22 16:34 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\gtk-2.0
2008-08-20 14:59 . 2008-08-20 14:59 <DIR> d-------- C:\Documents and Settings\Owner\.thumbnails
2008-08-20 14:57 . 2008-08-20 14:57 <DIR> d-------- C:\Program Files\GIMP-2.0
2008-08-20 14:57 . 2008-08-22 16:35 <DIR> d-------- C:\Documents and Settings\Owner\.gimp-2.4
2008-08-20 14:25 . 2008-08-20 14:25 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-15 23:46 . 2008-08-18 11:29 <DIR> d-------- C:\Program Files\Jewel Quest 2
2008-08-15 23:40 . 2008-08-29 00:49 270 --a-s---- C:\WINNT\system32\1473409161.dat
2008-08-12 19:42 . 2008-05-01 10:30 331,776 --------- C:\WINNT\system32\dllcache\msadce.dll
2008-08-10 20:56 . 2008-08-10 20:56 <DIR> d--h----- C:\WINNT\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-05 01:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-04 22:26 --------- d-----w C:\Program Files\McAfee
2008-09-04 22:15 --------- d-----w C:\Program Files\PartyGaming.Net
2008-09-02 19:36 --------- d-----w C:\Program Files\Slots Plus Casino
2008-08-31 00:10 --------- d-----w C:\Program Files\Sun Palace Casino
2008-08-29 22:35 --------- d-----w C:\Program Files\InterCasino $$$
2008-08-29 04:07 --------- d-----w C:\Program Files\Best Buy Games
2008-08-29 04:04 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-24 18:05 18,198 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-08-22 17:39 238,288 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-08-20 18:46 --------- d-----w C:\Program Files\Lavasoft
2008-08-20 18:30 --------- d-----w C:\Program Files\Java
2008-08-20 18:14 --------- d-----w C:\Program Files\bdpw6
2008-08-20 18:11 --------- d-----w C:\Program Files\Google
2008-08-20 18:09 --------- d-----w C:\Program Files\Gateway
2008-08-20 18:08 --------- d-----w C:\Program Files\Dogs Playing Poker
2008-08-20 18:07 --------- d-----w C:\Program Files\Yahoo!
2008-08-20 17:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-20 17:25 60,416 ----a-w C:\WINNT\system32\dllcache\msimn.exe
2008-08-16 03:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\iWin
2008-08-15 04:11 --------- d-----w C:\Program Files\Yahoo! Games
2008-07-19 02:10 94,920 ----a-w C:\WINNT\system32\dllcache\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINNT\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINNT\system32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINNT\system32\dllcache\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINNT\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINNT\system32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINNT\system32\dllcache\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINNT\system32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINNT\system32\dllcache\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINNT\system32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINNT\system32\dllcache\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINNT\system32\wuweb.dll
2008-07-19 02:09 205,000 ----a-w C:\WINNT\system32\dllcache\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINNT\system32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINNT\system32\dllcache\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINNT\system32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINNT\system32\muweb.dll
2008-07-08 16:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\Arcsoft
2008-07-08 15:57 --------- d-----w C:\Documents and Settings\Owner\Application Data\ComcastToolbar
2008-07-07 20:32 253,952 ----a-w C:\WINNT\system32\es.dll
2008-07-07 20:32 253,952 ------w C:\WINNT\system32\dllcache\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINNT\system32\mscms.dll
2008-06-24 16:23 74,240 ------w C:\WINNT\system32\dllcache\mscms.dll
2008-06-24 14:57 3,592,192 ------w C:\WINNT\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINNT\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINNT\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINNT\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINNT\system32\dllcache\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINNT\system32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINNT\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINNT\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINNT\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ------w C:\WINNT\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINNT\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINNT\system32\dllcache\bthport.sys
2006-10-20 03:24 880 ----a-w C:\Program Files\Shortcut_to_Window_Washer.lnk
2006-09-02 17:18 371,712 ----a-w C:\Program Files\SmartDownload.exe
2006-07-20 14:30 44,823 ----a-w C:\Program Files\cats sun bathing.jpg
2006-07-15 03:36 13,736,064 ----a-w C:\Program Files\GoogleEarthWin.exe
2005-05-26 19:35 1,422 ----a-w C:\Program Files\ReadMe.txt
2002-09-11 14:26 63,730 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\bdpw6 ----

2008-07-12 13:18 7270 --a------ C:\Program Files\bdpw6\winpok6.ini
2008-07-12 13:18 4602 --a------ C:\Program Files\bdpw6\PICK'EM POKER.err
2008-07-10 23:54 4757 --a------ C:\Program Files\bdpw6\DEUCES AND JOKER WILD.err
2008-07-10 23:45 9487 --a------ C:\Program Files\bdpw6\DOUBLE DOUBLE BONUS POKER.err
2008-07-10 23:41 4751 --a------ C:\Program Files\bdpw6\JOKER WILD - KINGS OR BETTER.err
2008-06-17 12:23 4746 --a------ C:\Program Files\bdpw6\FIVE JOKER POKER.err
2008-03-19 19:31 4837 --a------ C:\Program Files\bdpw6\DOUBLE DOUBLE JACKPOT POKER.err
2007-12-24 00:14 4343 --a------ C:\Program Files\bdpw6\LOOSE DEUCES.err
2007-09-22 19:53 4753 --a------ C:\Program Files\bdpw6\BONUS DEUCES WILD.err
2007-09-22 01:50 4600 --a------ C:\Program Files\bdpw6\DEUCES DELUXE.err
2007-07-10 00:02 4616 --a------ C:\Program Files\bdpw6\DEUCES WILD.err
2007-01-22 23:13 1477 --a------ C:\Program Files\bdpw6\JOKER WILD - ATLANTIC CITY.err
2006-09-24 14:26 4706 --a------ C:\Program Files\bdpw6\BONUS POKER DELUXE.err
2006-09-24 14:25 750 --a------ C:\Program Files\bdpw6\BONUS POKER.err
2006-04-11 23:48 4762 --a------ C:\Program Files\bdpw6\ALL AMERICAN POKER.err
2006-01-26 14:03 3918 --a------ C:\Program Files\bdpw6\JOKER WILD - 2 PAIR OR BETTER.err
2006-01-20 01:36 205 --a------ C:\Program Files\bdpw6\ACES AND EIGHTS.err
2006-01-20 01:34 199 --a------ C:\Program Files\bdpw6\DOUBLE JOKER POKER.err
2006-01-20 01:32 351 --a------ C:\Program Files\bdpw6\DOUBLE JACKPOT POKER.err
2006-01-19 13:06 2884 --a------ C:\Program Files\bdpw6\JACKS OR BETTER.err
2005-11-12 16:54 1267 --a------ C:\Program Files\bdpw6\DOUBLE BONUS POKER.err
2005-11-05 01:32 110 --a------ C:\Program Files\bdpw6\SEVENS WILD.err
2005-11-05 01:27 473 --a------ C:\Program Files\bdpw6\FOUR JOKER POKER.err
2005-02-18 22:10 112 --a------ C:\Program Files\bdpw6\JOKER WILD - ACES OR BETTER.err
2005-02-10 11:54 96 --a------ C:\Program Files\bdpw6\Strat 9-7 Super Pay.err
2005-02-10 11:52 200 --a------ C:\Program Files\bdpw6\User Defined.err
2005-02-10 11:51 102 --a------ C:\Program Files\bdpw6\Strat 8-5 Super Pay.err


------- Sigcheck -------

2005-05-25 15:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINNT\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 13:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINNT\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINNT\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINNT\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 06:44 360960 744e57c99232201ae98c49168b918f48 C:\WINNT\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINNT\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINNT\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178 C:\WINNT\$NtUninstallKB951748$\tcpip.sys
2004-08-04 01:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINNT\ServicePackFiles\i386\tcpip.sys
2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINNT\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 C:\WINNT\system32\dllcache\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 C:\WINNT\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-09-05_17.02.59.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-05 20:32:22 32,768 ----a-w C:\WINNT\system32\config\systemprofile\Cookies\index.dat
+ 2008-09-06 15:46:19 32,768 ----a-w C:\WINNT\system32\config\systemprofile\Cookies\index.dat
- 2008-09-05 20:32:22 262,144 ----a-w C:\WINNT\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-09-06 15:46:19 262,144 ----a-w C:\WINNT\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-09-06 15:52:27 16,384 ----atw C:\WINNT\Temp\Perflib_Perfdata_a04.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 15360]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2004-09-07 1871872]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINNT\system32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="C:\WINNT\system32\hkcmd.exe" [2005-04-05 77824]
"Gateway Ink Monitor"="C:\Program Files\Gateway Utilities\GWInkMonitor.exe" [2003-06-24 303180]
"Persistence"="C:\WINNT\system32\igfxpers.exe" [2005-04-05 114688]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"WrtMon.exe"="C:\WINNT\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"hpqSRMon"="C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME\TomTomHOME.exe" [2007-05-15 3975848]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [2001-07-09 155648]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 C:\WINNT\LOGI_MWX.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]
TotalMedia Backup Monitor.lnk - C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe [2008-01-25 270336]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk
backup=C:\WINNT\pss\AT&T Self Support Tool.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcNotifier

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
1 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-03-11 22:34 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2003-06-07 07:32 50688 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-03-18 15:28 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 21:05 204288 C:\Program Files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 SocketLock;Raw Socket Lock Driver;C:\WINNT\system32\socketlock.sys [2005-02-16 3712]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINNT\system32\DRIVERS\AN983.sys [2004-08-03 36224]
S3 SNDO763;Dual Mode Camera (800A VGA);C:\WINNT\system32\DRIVERS\sndo763.sys [2005-01-21 220160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-06 13:44:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-09-06 13:48:20
ComboFix-quarantined-files.txt 2008-09-06 17:47:16
ComboFix2.txt 2008-09-05 21:03:38

Pre-Run: 90,294,972,416 bytes free
Post-Run: 90,309,902,336 bytes free

249 --- E O F --- 2008-08-23 01:09:43

#11
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Could you also post the 2 Jotti scan logs and a new HijackThis log.

Also, that folder C:\Program Files\bdpw6, which has all the files such as:

C:\Program Files\bdpw6\BONUS DEUCES WILD.err
C:\Program Files\bdpw6\DEUCES DELUXE.err
C:\Program Files\bdpw6\DEUCES WILD.err
C:\Program Files\bdpw6\JOKER WILD - ATLANTIC.err

Do you recognise them? They look suspicious to me.

andrewuk

#12
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.