
Win32:Obfuscated-BUP,BUN,BQK [RESOLVED]


  • This topic is locked

#1
ezkeys
New Member, 6 posts
Hello - I was having problems with redirects upon right-clicking search material. Avast found trojans on scan, and has since popped up in the middle of surfing at times with "trojan found". I followed your site's directions before posting and seem to have stopped the redirects. However, I still get the Avast warning, and Panda shows tons of stuff. Spybot also finds a bug and suggests fixing it, but upon rescan it appears again. Your help would be GREATLY appreciated!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:19:28 PM, on 11/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...n&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...n&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {d87011e6-1dd1-11b2-b94f-9d7e86a4b06a} - C:\WINDOWS\tsbkfone.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lgnchuzo] rundll32.exe "C:\Program Files\lgnchuzo\nalylifm.dll",Init
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FirePod Control Panel.lnk = C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Search - ?p=ZN
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatro...an/pestscan.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety....lscbase7617.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1143421340968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7594 bytes



SmitFraudFix v2.253

Scan done at 19:35:36.90, Sat 11/17/2007
Run from C:\Documents and Settings\HomeBase\Desktop\Recommended Software From Geeks To Go\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{5E846CC3-6B2C-43C2-AAA4-70A73FCCA352}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5E846CC3-6B2C-43C2-AAA4-70A73FCCA352}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{5E846CC3-6B2C-43C2-AAA4-70A73FCCA352}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



AND PANDA'S REPORT:


Incident Status Location

Spyware:spyware/virtumonde Not disinfected c:\windows\system32\vtstt.dll
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{9AFB8248-617F-460d-9366-D71CDEDA3179}
Potentially unwanted tool:application/funweb Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9FF05104-B030-46FC-94B8-81276E4E27DF}
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\HomeBase\Application Data\Mozilla\Firefox\Profiles\j3uiie8n.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\HomeBase\Application Data\Mozilla\Firefox\Profiles\j3uiie8n.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\HomeBase\Application Data\Mozilla\Firefox\Profiles\j3uiie8n.default\cookies.txt[.com.com/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\HomeBase\Application Data\Mozilla\Firefox\Profiles\j3uiie8n.default\cookies.txt[.did-it.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\HomeBase\Application Data\Mozilla\Firefox\Profiles\j3uiie8n.default\cookies.txt[.go.com/]
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\HomeBase\Application Data\Mozilla\Firefox\Profiles\j3uiie8n.default\cookies.txt[.gostats.com/]
Spyware:Cookie/Inet-Traffic Not disinfected C:\Documents and Settings\HomeBase\Application Data\Mozilla\Firefox\Profiles\j3uiie8n.default\cookies.txt[.inet-traffic.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\HomeBase\Application Data\Mozilla\Firefox\Profiles\j3uiie8n.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\HomeBase\Application Data\Mozilla\Firefox\Profiles\j3uiie8n.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\HomeBase\Application Data\Mozilla\Firefox\Profiles\j3uiie8n.default\cookies.txt[.searchportal.information.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\HomeBase\Application Data\Mozilla\Firefox\Profiles\j3uiie8n.default\cookies.txt[.server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\HomeBase\Application Data\Mozilla\Firefox\Profiles\j3uiie8n.default\cookies.txt[.server.iad.liveperson.net/hc/5291901]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\HomeBase\Application Data\Mozilla\Firefox\Profiles\j3uiie8n.default\cookies.txt[.server.iad.liveperson.net/hc/61201819]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\HomeBase\Application Data\Mozilla\Firefox\Profiles\j3uiie8n.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\HomeBase\Application Data\Mozilla\Firefox\Profiles\j3uiie8n.default\cookies.txt[.www.burstbeacon.com/]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\HomeBase\Desktop\Recommended Software From Geeks To Go\SmitfraudFix\Process.exe
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\HomeBase\Desktop\Recommended Software From Geeks To Go\SmitfraudFix\Reboot.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\HomeBase\Desktop\Recommended Software From Geeks To Go\SmitfraudFix\restart.exe
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll
Potentially unwanted tool:Application/WinXPPerformance Not disinfected C:\Program Files\WinPerformance\WinPerformance.exe
Adware:Adware/WinXPPerformance Not disinfected C:\WINDOWS\PerfInfo\tmp19248.exe

Edited by ezkeys, 18 November 2007 - 07:22 PM.

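The HijackThis O2 and O4 entries quoted in the log above can be triaged mechanically. The following Python is an added example (my own, not from this thread, HijackThis, or any tool mentioned here) that parses those two line types and applies defender-side heuristics: an unnamed BHO is only a "review" item (Spybot's SDHelper.dll also reports "(no name)"), but an unnamed BHO whose DLL sits directly in C:\WINDOWS, as tsbkfone.dll does, is marked "high"; a rundll32 autostart loading a DLL outside system32, a Run value with an unbalanced quote, and a Startup shortcut HijackThis shows as "?" are marked for review. The sample lines are copied from the log above; the severity labels and rules are my assumptions, not HijackThis output.

```python
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    severity: str  # "review" = needs a human look, "high" = strong indicator (assumed scale)
    reason: str
    line: str


# Sample HijackThis v2.0.2 lines copied from the log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {d87011e6-1dd1-11b2-b94f-9d7e86a4b06a} - C:\WINDOWS\tsbkfone.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [lgnchuzo] rundll32.exe "C:\Program Files\lgnchuzo\nalylifm.dll",Init
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - Global Startup: hpoddt01.exe.lnk = ?
"""

# Line shapes handled here: O2 = Browser Helper Object, O4 = autostart entry
# (Run key value or Startup-folder shortcut).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<lnk>.+?) = (?P<target>.*)$")

# A file placed directly in the Windows directory rather than in a subfolder of it.
WINDOWS_ROOT_FILE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", re.IGNORECASE)
SYSTEM32_DIR = re.compile(r"\\WINDOWS\\system32\\", re.IGNORECASE)


def rundll32_target(cmd: str) -> Optional[str]:
    """Return the DLL path a rundll32 command loads, or None if cmd is not rundll32."""
    m = re.match(r'^(?:"?[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)', cmd, re.IGNORECASE)
    return m.group("dll").strip() if m else None


def triage_line(line: str) -> Optional[Finding]:
    """Apply the heuristics to one HijackThis line; None means nothing to report."""
    m = O2_RE.match(line)
    if m:
        if m.group("name") != "(no name)":
            return None  # named BHOs are left to the vendor check a human does
        if WINDOWS_ROOT_FILE.match(m.group("path")):
            return Finding("high", "unnamed BHO loading a DLL dropped directly in the Windows directory", line)
        return Finding("review", "unnamed BHO; confirm the DLL's vendor (Spybot's SDHelper.dll is legitimate)", line)

    m = O4_RUN_RE.match(line)
    if m:
        cmd = m.group("cmd")
        dll = rundll32_target(cmd)
        if dll is not None and not SYSTEM32_DIR.search(dll):
            return Finding("review", "rundll32 autostart loading a DLL outside system32; check the folder's origin", line)
        if cmd.count('"') % 2 == 1:
            return Finding("review", "malformed autostart command (unbalanced quote); likely an orphaned installer entry", line)
        return None

    m = O4_STARTUP_RE.match(line)
    if m and m.group("target").strip() == "?":
        return Finding("review", "Startup-folder shortcut whose target HijackThis could not resolve", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a HijackThis log and collect the findings."""
    findings = []
    for raw in log_text.splitlines():
        finding = triage_line(raw.strip())
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```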



#2
JSntgRvr
Global Moderator, 11,591 posts
Hi, ezkeys. :)

Welcome.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

  • Double-click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" on your next reply.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply along with a HijackThis log.
  • Click Close to exit the program.


#3
ezkeys (Topic Starter)
New Member, 6 posts
First and foremost... THANK YOU SO MUCH FOR YOUR HELP AND TIME!! MUCH APPRECIATED!!

Okay... Here are the logs you requested:

COMBOFIX:

ComboFix 07-11-19.3 - HomeBase 2007-11-23 22:47:40.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.551 [GMT -6:00]
Running from: C:\Documents and Settings\HomeBase\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\Quarantine

.
((((((((((((((((((((((((( Files Created from 2007-10-24 to 2007-11-24 )))))))))))))))))))))))))))))))
.

2007-11-21 09:13 <DIR> d-------- C:\Program Files\CCleaner
2007-11-20 16:17 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-20 16:17 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-20 13:36 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-20 12:21 <DIR> d-------- C:\Documents and Settings\HomeBase\.housecall6.6
2007-11-20 08:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-20 08:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-19 09:29 <DIR> d-------- C:\VundoFix Backups
2007-11-18 18:17 <DIR> d-------- C:\Documents and Settings\HomeBase\Application Data\Move Networks
2007-11-17 21:45 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-17 19:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-11-17 19:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-11-17 19:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2007-11-17 04:03 <DIR> d-------- C:\Documents and Settings\HomeBase\Application Data\System Tweaker
2007-11-17 03:12 <DIR> d-------- C:\Program Files\Uniblue
2007-11-17 03:12 <DIR> d-------- C:\Documents and Settings\HomeBase\Application Data\Uniblue
2007-11-12 19:52 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-12 09:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-11 09:59 <DIR> d-------- C:\WINDOWS\PerfInfo
2007-11-11 09:59 <DIR> d-------- C:\Program Files\PfMon
2007-11-11 09:59 102,400 --a------ C:\WINDOWS\tsbkfone.dll
2007-11-11 09:58 <DIR> d-------- C:\Program Files\lgnchuzo
2007-11-08 11:55 1,783,864 --a------ C:\WINDOWS\system32\WINPY.MB
2007-11-08 11:55 1,677,824 --a------ C:\WINDOWS\system32\chsbrkr.dll
2007-11-08 11:55 838,144 --a------ C:\WINDOWS\system32\chtbrkr.dll
2007-11-08 11:55 218,112 --a------ C:\WINDOWS\system32\c_g18030.dll
2007-11-08 11:55 195,618 --a------ C:\WINDOWS\system32\dllcache\c_10002.nls
2007-11-08 11:55 177,698 --a------ C:\WINDOWS\system32\dllcache\c_10003.nls
2007-11-08 11:55 173,602 --a------ C:\WINDOWS\system32\dllcache\c_10008.nls
2007-11-08 11:55 116,285 --a------ C:\WINDOWS\system32\msdayi.tbl
2007-11-08 11:55 82,172 --a------ C:\WINDOWS\system32\dllcache\bopomofo.nls
2007-11-08 11:55 69,120 --a------ C:\WINDOWS\system32\WINGB.IME
2007-11-08 11:55 69,120 --a------ C:\WINDOWS\system32\dllcache\wingb.ime
2007-11-08 11:55 66,728 --a------ C:\WINDOWS\system32\dllcache\big5.nls
2007-11-08 11:55 45,109 --a------ C:\WINDOWS\system32\dllcache\imjpuex.exe
2007-11-08 11:55 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0804.dll
2007-11-08 11:55 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0412.dll
2007-11-08 11:55 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0411.dll
2007-11-08 11:55 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0404.dll
2007-11-08 11:55 6,144 --a------ C:\WINDOWS\system32\kbd101.dll
2007-11-08 11:55 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd106n.dll
2007-11-08 11:54 <DIR> d-------- C:\Program Files\Shuangs WAV to MP3 Converter
2007-11-08 11:54 156,672 --a------ C:\WINDOWS\system32\WINPY.IME
2007-11-08 11:54 156,672 --a------ C:\WINDOWS\system32\dllcache\winzm.ime
2007-11-08 11:54 156,672 --a------ C:\WINDOWS\system32\dllcache\winsp.ime
2007-11-08 11:54 156,672 --a------ C:\WINDOWS\system32\dllcache\winpy.ime
2007-11-08 11:54 94,720 --a------ C:\WINDOWS\system32\dllcache\imekr61.ime
2007-11-08 11:54 79,360 --a------ C:\WINDOWS\system32\winar30.ime
2007-11-08 11:54 78,336 --a------ C:\WINDOWS\system32\chajei.ime
2007-11-08 11:54 77,824 --a------ C:\WINDOWS\system32\dllcache\quick.ime
2007-11-08 11:54 65,536 --a------ C:\WINDOWS\system32\winime.ime
2007-11-08 11:54 65,536 --a------ C:\WINDOWS\system32\dllcache\winime.ime
2007-11-08 11:54 28,288 --a------ C:\WINDOWS\system32\dllcache\xjis.nls
2007-11-08 11:54 15,872 --a------ C:\WINDOWS\system32\dllcache\padrs404.dll
2007-11-08 11:54 11,776 --a------ C:\WINDOWS\system32\miniime.tpl
2007-11-08 09:22 <DIR> d-------- C:\Program Files\iTunes
2007-11-08 09:22 <DIR> d-------- C:\Program Files\iPod
2007-11-05 08:55 <DIR> d-------- C:\Documents and Settings\HomeBase\Application Data\Syntrillium
2007-11-04 23:50 <DIR> d-------- C:\Documents and Settings\HomeBase\Application Data\NetMedia Providers
2007-11-04 21:54 <DIR> d-------- C:\Documents and Settings\HomeBase\Application Data\Publish Providers
2007-11-04 21:47 <DIR> d-------- C:\Documents and Settings\HomeBase\Application Data\Sony
2007-11-04 21:45 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2007-11-04 21:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony
2007-11-04 21:42 <DIR> d-------- C:\Program Files\Sony
2007-11-04 21:40 <DIR> d-------- C:\Program Files\Sony Setup
2007-11-04 19:10 24,192 --a------ C:\Documents and Settings\HomeBase\usbsermptxp.sys
2007-11-04 19:10 22,768 --a------ C:\WINDOWS\system32\drivers\usbsermpt.sys
2007-11-04 19:10 22,768 --a------ C:\Documents and Settings\HomeBase\usbsermpt.sys
2007-11-04 18:42 <DIR> d-------- C:\Program Files\7-Zip
2007-11-04 16:53 <DIR> d-------- C:\Program Files\BitPim
2007-11-03 20:53 <DIR> d-------- C:\Program Files\Western Digital Technologies
2007-11-02 09:17 <DIR> d-------- C:\Program Files\AC3Filter
2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-21 16:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-20 14:40 --------- d-----w C:\Program Files\Lavasoft
2007-11-20 14:40 --------- d-----w C:\Documents and Settings\Butch\Application Data\Lavasoft
2007-11-19 18:08 --------- d-----w C:\Program Files\SpywareBlaster
2007-11-18 04:15 --------- d-----w C:\Program Files\Apoint2K
2007-11-18 01:35 3,258 ----a-w C:\WINDOWS\system32\tmp.reg
2007-11-16 14:45 --------- d-----w C:\Documents and Settings\HomeBase\Application Data\LimeWire
2007-11-16 14:29 --------- d-----w C:\Documents and Settings\HomeBase\Application Data\AdobeUM
2007-11-09 18:24 --------- d-----w C:\Program Files\Elaborate Bytes
2007-11-09 18:23 --------- d-----w C:\Program Files\SlySoft
2007-11-08 16:24 --------- d-----w C:\Documents and Settings\Butch\Application Data\Apple Computer
2007-11-08 15:21 --------- d-----w C:\Program Files\QuickTime
2007-11-08 15:18 --------- d-----w C:\Program Files\Apple Software Update
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-25 16:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-25 16:05 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-25 16:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-25 16:01 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-25 15:58 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-25 15:24 815,480 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-10-25 15:14 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-10-12 17:42 --------- d-----w C:\Documents and Settings\Butch\Application Data\U3
2007-10-07 16:20 --------- d-----w C:\Program Files\Java
2007-10-04 05:36 25,600 ----a-w C:\WINDOWS\system32\WS2Fix.exe
2007-07-14 07:08 1,092 -c--a-w C:\Documents and Settings\HomeBase\Application Data\wklnhst.dat
2006-02-14 20:41 3,900 -c--a-w C:\Documents and Settings\Butch\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d87011e6-1dd1-11b2-b94f-9d7e86a4b06a}]
2007-11-11 09:59 102400 --a------ C:\WINDOWS\tsbkfone.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 21:40]
"AGRSMMSG"="AGRSMMSG.exe" [2004-08-24 05:19 C:\WINDOWS\AGRSMMSG.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 11:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-03-01 13:05]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-25 23:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 03:01]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-08-19 13:50]
"EarthLink Installer"=" /C" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-10-25 09:20]
"UVS10 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe" [2006-03-06 23:52]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [2007-01-04 15:38]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 13:39:35]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
FirePod Control Panel.lnk - C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe [2005-03-28 12:35:20]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2004-06-16 16:50:28]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2004-06-16 17:22:58]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32]

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys
S3 pae_1394;pae_1394;C:\WINDOWS\system32\Drivers\pae_1394.sys
S3 pae_avs;pae_avs;C:\WINDOWS\system32\Drivers\pae_avs.sys
S3 ps_1394;ps_1394;C:\WINDOWS\system32\Drivers\ps_1394.sys
S3 ps_avs;ps_avs;C:\WINDOWS\system32\Drivers\ps_avs.sys
S3 USB11LDR;USB Midi 1x1 Loader;C:\WINDOWS\system32\drivers\usb11ldr.sys
S3 USBMIDIM;Midiman USB MidiSport Midi Kernel Driver;C:\WINDOWS\system32\drivers\usbmidim.sys
S3 USBMM1X1;USB Midi 1x1 USB Driver;C:\WINDOWS\system32\drivers\usbmm1x1.sys

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-11-10 17:47:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-02-28 01:45:14 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1145925921.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-23 22:49:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????5?2?7?3??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-23 22:50:16
.
--- E O F ---


SUPERANTISPYWARE:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/24/2007 at 00:24 AM

Application Version : 3.9.1008

Core Rules Database Version : 3349
Trace Rules Database Version: 1349

Scan type : Complete Scan
Total Scan Time : 01:17:26

Memory items scanned : 427
Memory threats detected : 0
Registry items scanned : 6148
Registry threats detected : 6
File items scanned : 67559
File threats detected : 11

Trojan.Downloader-Gen/MobRules
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d87011e6-1dd1-11b2-b94f-9d7e86a4b06a}
HKCR\CLSID\{D87011E6-1DD1-11B2-B94F-9D7E86A4B06A}
HKCR\CLSID\{D87011E6-1DD1-11B2-B94F-9D7E86A4B06A}\InprocServer32
HKCR\CLSID\{D87011E6-1DD1-11B2-B94F-9D7E86A4B06A}\InprocServer32#ThreadingModel
HKCR\CLSID\{D87011E6-1DD1-11B2-B94F-9D7E86A4B06A}\InprocServer32#t
HKCR\CLSID\{D87011E6-1DD1-11B2-B94F-9D7E86A4B06A}\TreatAs
C:\WINDOWS\TSBKFONE.DLL

Adware.Tracking Cookie
C:\Documents and Settings\HomeBase\Cookies\[email protected][3].txt
C:\Documents and Settings\HomeBase\Cookies\homebase@web-stat[2].txt
C:\Documents and Settings\HomeBase\Cookies\homebase@revsci[1].txt
C:\Documents and Settings\HomeBase\Cookies\homebase@atwola[1].txt
C:\Documents and Settings\HomeBase\Cookies\[email protected][2].txt
C:\Documents and Settings\HomeBase\Cookies\homebase@tacoda[1].txt
C:\Documents and Settings\HomeBase\Cookies\[email protected][2].txt
C:\Documents and Settings\HomeBase\Cookies\homebase@realmedia[1].txt
C:\Documents and Settings\HomeBase\Cookies\[email protected][1].txt
C:\Documents and Settings\HomeBase\Cookies\homebase@doubleclick[1].txt


AND FINALLY... HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:42:49 AM, on 11/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...n&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FirePod Control Panel.lnk = C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatro...an/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety....lscbase7617.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1143421340968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8137 bytes


THANKS AGAIN... I LOOK FORWARD TO YOUR REPLY!
BUTCH

#4
JSntgRvr

    Global Moderator

  • 11,591 posts
Hi, ezkeys :)

Download the enclosed file and save it to your desktop. [attachment=16789:CFScript.txt]

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log.

#5
ezkeys

    New Member

  • Topic Starter
  • 6 posts
As per your instruction:


ComboFix 07-11-19.3 - HomeBase 2007-11-24 10:07:05.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.575 [GMT -6:00]
Running from: C:\Documents and Settings\HomeBase\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HomeBase\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\tsbkfone.dll
.

((((((((((((((((((((((((( Files Created from 2007-10-24 to 2007-11-24 )))))))))))))))))))))))))))))))
.

2007-11-23 23:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-23 23:02 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-23 23:02 <DIR> d-------- C:\Documents and Settings\HomeBase\Application Data\SUPERAntiSpyware.com
2007-11-21 09:13 <DIR> d-------- C:\Program Files\CCleaner
2007-11-20 16:17 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-20 16:17 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-20 13:36 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-20 12:21 <DIR> d-------- C:\Documents and Settings\HomeBase\.housecall6.6
2007-11-20 08:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-20 08:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-19 09:29 <DIR> d-------- C:\VundoFix Backups
2007-11-18 18:17 <DIR> d-------- C:\Documents and Settings\HomeBase\Application Data\Move Networks
2007-11-17 21:45 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-17 19:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-11-17 19:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-11-17 19:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2007-11-17 04:03 <DIR> d-------- C:\Documents and Settings\HomeBase\Application Data\System Tweaker
2007-11-17 03:12 <DIR> d-------- C:\Program Files\Uniblue
2007-11-17 03:12 <DIR> d-------- C:\Documents and Settings\HomeBase\Application Data\Uniblue
2007-11-12 19:52 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-12 09:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-11 09:59 <DIR> d-------- C:\WINDOWS\PerfInfo
2007-11-11 09:59 <DIR> d-------- C:\Program Files\PfMon
2007-11-11 09:58 <DIR> d-------- C:\Program Files\lgnchuzo
2007-11-08 11:55 1,783,864 --a------ C:\WINDOWS\system32\WINPY.MB
2007-11-08 11:55 1,677,824 --a------ C:\WINDOWS\system32\chsbrkr.dll
2007-11-08 11:55 838,144 --a------ C:\WINDOWS\system32\chtbrkr.dll
2007-11-08 11:55 218,112 --a------ C:\WINDOWS\system32\c_g18030.dll
2007-11-08 11:55 195,618 --a------ C:\WINDOWS\system32\dllcache\c_10002.nls
2007-11-08 11:55 177,698 --a------ C:\WINDOWS\system32\dllcache\c_10003.nls
2007-11-08 11:55 173,602 --a------ C:\WINDOWS\system32\dllcache\c_10008.nls
2007-11-08 11:55 116,285 --a------ C:\WINDOWS\system32\msdayi.tbl
2007-11-08 11:55 82,172 --a------ C:\WINDOWS\system32\dllcache\bopomofo.nls
2007-11-08 11:55 69,120 --a------ C:\WINDOWS\system32\WINGB.IME
2007-11-08 11:55 69,120 --a------ C:\WINDOWS\system32\dllcache\wingb.ime
2007-11-08 11:55 66,728 --a------ C:\WINDOWS\system32\dllcache\big5.nls
2007-11-08 11:55 45,109 --a------ C:\WINDOWS\system32\dllcache\imjpuex.exe
2007-11-08 11:55 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0804.dll
2007-11-08 11:55 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0412.dll
2007-11-08 11:55 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0411.dll
2007-11-08 11:55 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0404.dll
2007-11-08 11:55 6,144 --a------ C:\WINDOWS\system32\kbd101.dll
2007-11-08 11:55 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd106n.dll
2007-11-08 11:54 <DIR> d-------- C:\Program Files\Shuangs WAV to MP3 Converter
2007-11-08 11:54 156,672 --a------ C:\WINDOWS\system32\WINPY.IME
2007-11-08 11:54 156,672 --a------ C:\WINDOWS\system32\dllcache\winzm.ime
2007-11-08 11:54 156,672 --a------ C:\WINDOWS\system32\dllcache\winsp.ime
2007-11-08 11:54 156,672 --a------ C:\WINDOWS\system32\dllcache\winpy.ime
2007-11-08 11:54 94,720 --a------ C:\WINDOWS\system32\dllcache\imekr61.ime
2007-11-08 11:54 79,360 --a------ C:\WINDOWS\system32\winar30.ime
2007-11-08 11:54 78,336 --a------ C:\WINDOWS\system32\chajei.ime
2007-11-08 11:54 77,824 --a------ C:\WINDOWS\system32\dllcache\quick.ime
2007-11-08 11:54 65,536 --a------ C:\WINDOWS\system32\winime.ime
2007-11-08 11:54 65,536 --a------ C:\WINDOWS\system32\dllcache\winime.ime
2007-11-08 11:54 28,288 --a------ C:\WINDOWS\system32\dllcache\xjis.nls
2007-11-08 11:54 15,872 --a------ C:\WINDOWS\system32\dllcache\padrs404.dll
2007-11-08 11:54 11,776 --a------ C:\WINDOWS\system32\miniime.tpl
2007-11-08 09:22 <DIR> d-------- C:\Program Files\iTunes
2007-11-08 09:22 <DIR> d-------- C:\Program Files\iPod
2007-11-05 08:55 <DIR> d-------- C:\Documents and Settings\HomeBase\Application Data\Syntrillium
2007-11-04 23:50 <DIR> d-------- C:\Documents and Settings\HomeBase\Application Data\NetMedia Providers
2007-11-04 21:54 <DIR> d-------- C:\Documents and Settings\HomeBase\Application Data\Publish Providers
2007-11-04 21:47 <DIR> d-------- C:\Documents and Settings\HomeBase\Application Data\Sony
2007-11-04 21:45 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2007-11-04 21:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony
2007-11-04 21:42 <DIR> d-------- C:\Program Files\Sony
2007-11-04 21:40 <DIR> d-------- C:\Program Files\Sony Setup
2007-11-04 19:10 24,192 --a------ C:\Documents and Settings\HomeBase\usbsermptxp.sys
2007-11-04 19:10 22,768 --a------ C:\WINDOWS\system32\drivers\usbsermpt.sys
2007-11-04 19:10 22,768 --a------ C:\Documents and Settings\HomeBase\usbsermpt.sys
2007-11-04 18:42 <DIR> d-------- C:\Program Files\7-Zip
2007-11-04 16:53 <DIR> d-------- C:\Program Files\BitPim
2007-11-03 20:53 <DIR> d-------- C:\Program Files\Western Digital Technologies
2007-11-02 09:17 <DIR> d-------- C:\Program Files\AC3Filter
2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-24 06:52 --------- d-----w C:\Program Files\SpywareBlaster
2007-11-21 16:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-20 14:40 --------- d-----w C:\Program Files\Lavasoft
2007-11-20 14:40 --------- d-----w C:\Documents and Settings\Butch\Application Data\Lavasoft
2007-11-18 04:15 --------- d-----w C:\Program Files\Apoint2K
2007-11-18 01:35 3,258 ----a-w C:\WINDOWS\system32\tmp.reg
2007-11-16 14:45 --------- d-----w C:\Documents and Settings\HomeBase\Application Data\LimeWire
2007-11-16 14:29 --------- d-----w C:\Documents and Settings\HomeBase\Application Data\AdobeUM
2007-11-09 18:24 --------- d-----w C:\Program Files\Elaborate Bytes
2007-11-09 18:23 --------- d-----w C:\Program Files\SlySoft
2007-11-08 16:24 --------- d-----w C:\Documents and Settings\Butch\Application Data\Apple Computer
2007-11-08 15:21 --------- d-----w C:\Program Files\QuickTime
2007-11-08 15:18 --------- d-----w C:\Program Files\Apple Software Update
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-25 16:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-25 16:05 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-25 16:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-25 16:01 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-25 15:58 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-25 15:24 815,480 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-10-25 15:14 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-10-12 17:42 --------- d-----w C:\Documents and Settings\Butch\Application Data\U3
2007-10-07 16:20 --------- d-----w C:\Program Files\Java
2007-10-04 05:36 25,600 ----a-w C:\WINDOWS\system32\WS2Fix.exe
2007-07-14 07:08 1,092 -c--a-w C:\Documents and Settings\HomeBase\Application Data\wklnhst.dat
2006-02-14 20:41 3,900 -c--a-w C:\Documents and Settings\Butch\Application Data\wklnhst.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\lgnchuzo ----

2007-11-11 09:58 61440 --a------ C:\Program Files\lgnchuzo\nalylifm.dll

---- Directory of C:\Program Files\PfMon ----


---- Directory of C:\WINDOWS\PerfInfo ----

2007-11-11 09:59 199764 --a------ C:\WINDOWS\PerfInfo\tmp19248.exe


((((((((((((((((((((((((((((( snapshot@2007-11-23_22.49.48.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-24 05:02:56 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-11-24 05:02:56 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-11-24 05:02:56 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2007-11-24 15:57:06 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_138.dat
+ 2007-11-24 15:57:04 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_614.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 21:40]
"AGRSMMSG"="AGRSMMSG.exe" [2004-08-24 05:19 C:\WINDOWS\AGRSMMSG.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 11:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-03-01 13:05]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-25 23:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 03:01]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-08-19 13:50]
"EarthLink Installer"=" /C" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-10-25 09:20]
"UVS10 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe" [2006-03-06 23:52]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [2007-01-04 15:38]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 13:39:35]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
FirePod Control Panel.lnk - C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe [2005-03-28 12:35:20]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2004-06-16 16:50:28]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2004-06-16 17:22:58]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys
S3 pae_1394;pae_1394;C:\WINDOWS\system32\Drivers\pae_1394.sys
S3 pae_avs;pae_avs;C:\WINDOWS\system32\Drivers\pae_avs.sys
S3 ps_1394;ps_1394;C:\WINDOWS\system32\Drivers\ps_1394.sys
S3 ps_avs;ps_avs;C:\WINDOWS\system32\Drivers\ps_avs.sys
S3 USB11LDR;USB Midi 1x1 Loader;C:\WINDOWS\system32\drivers\usb11ldr.sys
S3 USBMIDIM;Midiman USB MidiSport Midi Kernel Driver;C:\WINDOWS\system32\drivers\usbmidim.sys
S3 USBMM1X1;USB Midi 1x1 USB Driver;C:\WINDOWS\system32\drivers\usbmm1x1.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-10 17:47:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-02-28 01:45:14 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1145925921.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-24 10:09:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????5?2?7?3??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-24 10:10:06
C:\ComboFix2.txt ... 2007-11-23 22:50
.
--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:47 AM, on 11/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...n&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FirePod Control Panel.lnk = C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatro...an/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety....lscbase7617.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1143421340968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8081 bytes



THANKS!!

#6
JSntgRvr

    Global Moderator

  • 11,591 posts
Hi, ezkeys :)

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\WINDOWS\PerfInfo
C:\Program Files\PfMon
C:\Program Files\lgnchuzo


The rest looks clear. How is the computer doing?

#7
ezkeys

    New Member

  • Topic Starter
  • 6 posts
Okay... found those files and deleted them. I assume I should empty them from the recycle bin as well?

The computer seems to be doing much better!

Thanks!!

#8
JSntgRvr

    Global Moderator

  • 11,591 posts
Hi, ezkeys. :)

Yes, you should. Congratulations.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

  • If the disclaimer notice is displayed, select "2" and press Enter
The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.
Create a Restore point (If the above process fails):
  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  • In the System Restore dialog box, click Create a restore point, and then click Next.
  • Type a description for your restore point, such as "After Cleanup", then click Create.
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

Best wishes!

#9
ezkeys

    New Member

  • Topic Starter
  • 6 posts
Awesome!! Thank you so much! You guys do invaluable work and should be commended!
I intend on making a donation.

Thanks for the suggestions on programs, very helpful as well.

Once again... THANK YOU, THANK YOU!!!

MERRY CHRISTMAS AND HAPPY NEW YEAR!!

Sincerely,
Butch

#10
JSntgRvr

    Global Moderator

  • 11,591 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.