Button Mgr v1.874- Is this malware? [RESOLVED]


  • This topic is locked

#1
CarolinaPoorboy
    Member
  • 11 posts

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:44 AM, on 10/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\admin\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1207282089937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1207282072750
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 6599 bytes
#2
IndiGenus
    Anti-Malware Buddha
  • 1,617 posts

Hi and welcome to the forums here at G2G!

Please download SDFix and save it to your Desktop.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • Open the SDFix folder and double click on RunThis.bat to start the script.
  • Type Y and press Enter to begin the script.
  • It will start cleaning your PC and then prompt you to press any key to Reboot.
  • Press any key to restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished.
  • Press any key to end the script and to load your desktop icons.
  • A text file should automatically open, so please copy the contents and post them here. We also need you to post a new HijackThis log.


#3
CarolinaPoorboy
    Member
  • Topic Starter
  • 11 posts

Still got error message 'TrayApp' needing a disk for something...

Thanks again, Poorboy.


~~~~~~~~~~~~~~~~~~~~~~~~

SDFix: Version 1.238
Run by admin on Tue 10/28/2008 at 04:55 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\admin\Desktop\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Resetting SecurityProviders Value
Resetting AppInit_DLLs value


Rebooting


Checking Files :

Trojan Files Found:

C:\Temp\1cb\syscheck.log - Deleted
C:\WINDOWS\wiaservv.log - Deleted
C:\WINDOWS\system32\dllcache\figaro.sys - Deleted
C:\WINDOWS\system32\wowfx.dll - Deleted
C:\WINDOWS\SYSTEM32\TDSSMTPE.DAT - Deleted



Folder C:\Temp\1cb - Removed
Folder C:\Temp\gbRve12 - Removed
Folder C:\Temp\tn3 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-28 05:07:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSmxoe.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSmxoe.sys"
"TDSSl"="\systemroot\system32\TDSSoitu.dll"
"tdssservers"="\systemroot\system32\TDSSmtpe.dat"
"tdssmain"="\systemroot\system32\TDSScrxx.dll"
"tdsslog"="\systemroot\system32\TDSSyavu.dll"
"tdssadw"="\systemroot\system32\TDSSnpur.dll"
"tdssinit"="\systemroot\system32\TDSSqxgx.dll"
"tdssurls"="\systemroot\system32\TDSSnmxh.log"
"tdsspanels"="\systemroot\system32\TDSSsahc.dll"
"tdssserf"="\systemroot\system32\TDSSehys.dll"
"tdsserrors"="\systemroot\system32\TDSSmaxt.log"
"TDSSproc"="\systemroot\system32\TDSSofxh.log"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSmxoe.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSmxoe.sys"
"TDSSl"="\systemroot\system32\TDSSoitu.dll"
"tdssservers"="\systemroot\system32\TDSSmtpe.dat"
"tdssmain"="\systemroot\system32\TDSScrxx.dll"
"tdsslog"="\systemroot\system32\TDSSyavu.dll"
"tdssadw"="\systemroot\system32\TDSSnpur.dll"
"tdssinit"="\systemroot\system32\TDSSqxgx.dll"
"tdssurls"="\systemroot\system32\TDSSnmxh.log"
"tdsspanels"="\systemroot\system32\TDSSsahc.dll"
"tdssserf"="\systemroot\system32\TDSSehys.dll"
"tdsserrors"="\systemroot\system32\TDSSmaxt.log"
"TDSSproc"="\systemroot\system32\TDSSofxh.log"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Documents and Settings\\admin\\Application Data\\mjusbsp\\magicJack.exe"="C:\\Documents and Settings\\admin\\Application Data\\mjusbsp\\magicJack.exe:*:Enabled:magicJack"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\DOCUME~1\admin\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 16 Jan 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 23 Jan 2003 65,952 ..SHR --- "C:\Program Files\Autodesk\Autodesk Express Viewer\Setup.exe"
Wed 15 Nov 2006 72,704 ..SHR --- "C:\Program Files\DssEvolution.com\KeyRipper\Setup.exe"
Sun 8 Jun 2008 390,656 ...H. --- "C:\Documents and Settings\admin\My Documents\Mick Zhou\~WRL1979.tmp"
Sat 19 Apr 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Thu 15 May 2003 43,008 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Thu 12 Jun 2008 827,000 A..H. --- "C:\Documents and Settings\admin\Application Data\mjusbsp\ar00000\install.exe"
Tue 22 Jul 2008 7,370,912 A..H. --- "C:\Documents and Settings\admin\Application Data\mjusbsp\in00000\setup.exe"
Tue 22 Jul 2008 827,056 A..H. --- "C:\Documents and Settings\admin\Application Data\mjusbsp\Upgrade\install2.exe"
Tue 22 Jul 2008 7,370,912 A..H. --- "C:\Documents and Settings\admin\Application Data\mjusbsp\Upgrade\setup2.exe"
Wed 4 Oct 2006 3,072,000 A..H. --- "C:\Documents and Settings\admin\Application Data\U3\temp\Launchpad Removal.exe"
Sat 5 Jan 2008 46,592 ...H. --- "C:\Documents and Settings\admin\My Documents\NICE\RM1\~WRL0420.tmp"

Finished!




~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:38:54 AM, on 10/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\MsiExec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\admin\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1207282089937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1207282072750
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 6786 bytes

#4
IndiGenus
    Anti-Malware Buddha
  • 1,617 posts

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: How to Disable your Security Programs

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

#5
CarolinaPoorboy
    Member
  • Topic Starter
  • 11 posts

ComboFix 08-10-29.04 - admin 2008-10-29 4:59:03.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.203 [GMT -4:00]
Running from: C:\Documents and Settings\admin\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\ujij.scr
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\_006378_.tmp.dll
C:\WINDOWS\system32\_006379_.tmp.dll
C:\WINDOWS\system32\_006380_.tmp.dll
C:\WINDOWS\system32\_006381_.tmp.dll
C:\WINDOWS\system32\_006388_.tmp.dll
C:\WINDOWS\system32\_006390_.tmp.dll
C:\WINDOWS\system32\_006391_.tmp.dll
C:\WINDOWS\system32\_006393_.tmp.dll
C:\WINDOWS\system32\_006394_.tmp.dll
C:\WINDOWS\system32\_006397_.tmp.dll
C:\WINDOWS\system32\_006398_.tmp.dll
C:\WINDOWS\system32\_006400_.tmp.dll
C:\WINDOWS\system32\_006401_.tmp.dll
C:\WINDOWS\system32\_006402_.tmp.dll
C:\WINDOWS\system32\_006404_.tmp.dll
C:\WINDOWS\system32\_006405_.tmp.dll
C:\WINDOWS\system32\_006407_.tmp.dll
C:\WINDOWS\system32\_006408_.tmp.dll
C:\WINDOWS\system32\_006412_.tmp.dll
C:\WINDOWS\system32\_006413_.tmp.dll
C:\WINDOWS\system32\_006415_.tmp.dll
C:\WINDOWS\system32\_006418_.tmp.dll
C:\WINDOWS\system32\_006420_.tmp.dll
C:\WINDOWS\system32\_006422_.tmp.dll
C:\WINDOWS\system32\_006423_.tmp.dll
C:\WINDOWS\system32\_006424_.tmp.dll
C:\WINDOWS\system32\_006427_.tmp.dll
C:\WINDOWS\system32\_006428_.tmp.dll
C:\WINDOWS\system32\_006429_.tmp.dll
C:\WINDOWS\system32\_006430_.tmp.dll
C:\WINDOWS\system32\_006431_.tmp.dll
C:\WINDOWS\system32\_006436_.tmp.dll
C:\WINDOWS\system32\_006438_.tmp.dll
C:\WINDOWS\system32\MSINET.oca

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-29 )))))))))))))))))))))))))))))))
.

2008-10-28 04:51 . 2008-10-28 04:51 <DIR> d-------- C:\WINDOWS\ERUNT
2008-10-27 07:07 . 2008-10-27 07:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-27 07:07 . 2008-10-27 07:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-27 07:07 . 2008-10-27 07:07 <DIR> d-------- C:\Documents and Settings\admin\Application Data\Malwarebytes
2008-10-27 07:07 . 2008-10-26 21:53 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-27 07:07 . 2008-10-26 21:53 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-27 06:12 . 2008-10-27 06:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-26 23:09 . 2008-10-26 23:09 <DIR> d-------- C:\Program Files\AOD
2008-10-26 23:09 . 2008-10-26 23:09 <DIR> d-------- C:\Program Files\AnswerWorks 4.0
2008-10-26 23:09 . 2008-10-26 23:09 <DIR> d-------- C:\Program Files\AIM6
2008-10-26 23:09 . 2008-10-27 05:47 <DIR> d-------- C:\Program Files\AIM
2008-10-26 23:08 . 2008-10-26 23:08 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-10-26 23:08 . 2008-10-26 23:08 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-10-26 23:08 . 2008-10-26 23:08 <DIR> d-------- C:\Program Files\Common Files\Java
2008-10-26 23:08 . 2008-10-26 23:08 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-10-26 23:08 . 2008-10-26 23:08 <DIR> d-------- C:\Program Files\Common Files\HP
2008-10-26 23:08 . 2008-10-26 23:08 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-10-26 23:08 . 2008-10-26 23:08 <DIR> d-------- C:\Program Files\Common Files\efax
2008-10-26 23:08 . 2008-10-26 23:08 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2008-10-26 23:08 . 2008-10-26 23:08 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2008-10-26 23:08 . 2008-10-26 23:08 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-10-26 23:08 . 2008-10-26 23:08 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-10-26 23:08 . 2008-10-26 23:08 <DIR> d-------- C:\Program Files\Avira
2008-10-26 23:07 . 2008-10-26 23:07 <DIR> d-------- C:\Program Files\eFax Messenger Plus
2008-10-26 23:07 . 2008-10-26 23:07 <DIR> d-------- C:\Program Files\EA Games
2008-10-26 23:07 . 2008-10-26 23:07 <DIR> d-------- C:\Program Files\DivX
2008-10-26 23:07 . 2008-10-26 23:07 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-10-26 23:07 . 2008-10-26 23:07 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-10-26 23:07 . 2008-10-26 23:07 <DIR> d-------- C:\Program Files\Common Files\Remote Control USB Driver
2008-10-26 23:07 . 2008-10-26 23:07 <DIR> d-------- C:\Program Files\Common Files\Remote Control Software Shared
2008-10-26 23:07 . 2008-10-26 23:07 <DIR> d-------- C:\Program Files\Common Files\Real
2008-10-26 23:07 . 2008-10-26 23:07 <DIR> d-------- C:\Program Files\Common Files\Nullsoft
2008-10-26 23:07 . 2008-10-26 23:07 <DIR> d-------- C:\Program Files\Common Files\NSV
2008-10-26 23:07 . 2008-10-26 23:07 <DIR> d-------- C:\Program Files\Common Files\mozilla.org
2008-10-26 23:06 . 2008-10-26 23:06 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-10-26 23:06 . 2008-10-26 23:06 <DIR> d-------- C:\Program Files\Loader
2008-10-26 23:06 . 2008-10-26 23:06 <DIR> d-------- C:\Program Files\JavaSoft
2008-10-26 23:06 . 2008-10-26 23:06 <DIR> d-------- C:\Program Files\IrfanView
2008-10-26 23:06 . 2008-10-26 23:06 <DIR> d-------- C:\Program Files\iPod
2008-10-26 23:06 . 2008-10-26 23:06 <DIR> d-------- C:\Program Files\inKline Global
2008-10-26 23:06 . 2008-10-26 23:06 <DIR> d-------- C:\Program Files\INITIO
2008-10-26 23:06 . 2008-10-26 23:06 <DIR> d-------- C:\Program Files\hp photosmart
2008-10-26 23:05 . 2008-10-26 23:05 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-10-26 23:05 . 2008-10-26 23:05 <DIR> d-------- C:\Program Files\mozilla.org
2008-10-26 23:05 . 2008-10-26 23:05 <DIR> d-------- C:\Program Files\mIRC
2008-10-26 23:05 . 2008-10-26 23:05 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\WUSB11 WLAN Monitor
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\Winamp
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\Viewpoint
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\VideoLAN
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\Support.com
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\SpyAssassin
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\SoftPlan Systems Inc
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\SharpC
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\RegCure
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\Real
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\Rapid.DeCoder
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\QuickTime
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\Plaxo
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\PartyPoker
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\PartyGaming
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\Overland
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\MUSICMATCH
2008-10-26 23:03 . 2008-10-26 23:03 <DIR> d-------- C:\Program Files\Yahoo!
2008-10-26 22:58 . 2008-10-26 22:58 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-10-26 22:45 . 2008-10-26 22:45 18,941 --a------ C:\WINDOWS\elyhyca.lib
2008-10-26 22:45 . 2008-10-26 22:45 17,852 --a------ C:\WINDOWS\caqygaqu.bin
2008-10-26 22:45 . 2008-10-26 22:45 17,054 --a------ C:\WINDOWS\ijabub.ban
2008-10-26 22:45 . 2008-10-26 22:45 16,100 --a------ C:\WINDOWS\diqawum._sy
2008-10-26 22:45 . 2008-10-26 22:45 15,863 --a------ C:\WINDOWS\zobovyji._sy
2008-10-26 22:45 . 2008-10-26 22:45 10,321 --a------ C:\WINDOWS\okykeguho.lib
2008-10-26 19:44 . 2008-10-26 21:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-10-26 14:35 . 2008-10-26 14:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-10-26 11:08 . 2008-10-26 11:10 <DIR> d-------- C:\WINDOWS\ShellNew
2008-10-09 13:31 . 2008-10-09 13:31 <DIR> d-------- C:\Documents and Settings\admin\Application Data\dvdcss

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-27 11:20 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-10-27 03:08 --------- d-----w C:\Program Files\Common Files\Adobe
2008-10-27 03:07 --------- d-----w C:\Program Files\Google
2008-10-27 03:07 --------- d-----w C:\Program Files\eFax Messenger 4.2
2008-10-27 03:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-27 03:06 --------- d-----w C:\Program Files\Microsoft Broadband Networking
2008-10-27 02:34 --------- d-----w C:\Program Files\Logitech
2008-10-27 02:34 --------- d-----w C:\Program Files\HP
2008-10-27 02:33 --------- d-----w C:\Program Files\AutoCAD 2004
2008-10-27 01:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-09-26 17:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-09-26 17:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-09-26 17:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-09-26 01:28 --------- d-----w C:\Documents and Settings\admin\Application Data\mIRC
2008-09-19 21:54 100,912 ----a-w C:\Documents and Settings\admin\Application Data\GDIPFONTCACHEV1.DAT
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2007-12-20 00:07 0 --sha-w C:\Documents and Settings\admin\Application Data\GDIPFONTCACHEV17d7dd891b4f4074878521e530ba1e2bc.dat
2007-12-17 22:20 0 --sha-w C:\Documents and Settings\admin\Application Data\d30a475ddb5847764bfd135508b412fbeae602b1.dat
2004-06-13 18:15 449 ----a-w C:\Documents and Settings\admin\UpdateReg.reg
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-14 1576176]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"cdloader"="C:\Documents and Settings\admin\Application Data\mjusbsp\cdloader2.exe" [2008-07-22 50520]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2004-01-05 176128]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2002-07-22 577602]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-07-09 28672]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-13 98304]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Tweak UI"="TWEAKUI.CPL" [2003-05-01 C:\WINDOWS\system32\TWEAKUI.CPL]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-8796-100000000002}\SC_Acrobat.exe [2006-10-17 25214]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2003-12-05 169472]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-09-14 09:57 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Documents and Settings\\admin\\Application Data\\mjusbsp\\magicJack.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4676:UDP"= 4676:UDP:Windows Media Format SDK (iexplore.exe)
"4677:UDP"= 4677:UDP:Windows Media Format SDK (iexplore.exe)
"4679:UDP"= 4679:UDP:Windows Media Format SDK (iexplore.exe)

R2 SSIPDDP;SSIPDDP Parallel port device driver;C:\WINDOWS\System32\DRIVERS\SSIPDDP.SYS [1998-07-14 55296]
R3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINDOWS\system32\drivers\hphius09.sys [2003-01-30 18864]
.
Contents of the 'Scheduled Tasks' folder

2008-10-29 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2008-10-25 18:02]

2008-10-25 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2008-10-25 18:02]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
Notify-dimsntfy - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\default.e4r\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-29 05:02:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-10-29 5:07:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-29 09:07:31

Pre-Run: 50,710,958,080 bytes free
Post-Run: 50,706,051,072 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

243 --- E O F --- 2008-10-29 05:03:32


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:47:55 PM, on 10/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\admin\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1207282089937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1207282072750
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 6957 bytes

#6
IndiGenus (Anti-Malware Buddha, Member, 1,617 posts)

1. Open Notepad

2. Now copy/paste the entire content of the codebox below into the Notepad window:


Collect::
C:\WINDOWS\elyhyca.lib
C:\WINDOWS\caqygaqu.bin
C:\WINDOWS\ijabub.ban
C:\WINDOWS\diqawum._sy
C:\WINDOWS\zobovyji._sy
C:\WINDOWS\okykeguho.lib


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

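A worked example of the triage behind that CFScript, added here and not code from the thread, from ComboFix or from the helper: it parses the "Files Created" block of a ComboFix log, flags clusters of files under C:\WINDOWS whose names look machine-generated (the six files in the Collect:: block above were all written in the same minute, with random lowercase stems and extensions such as .lib, .ban and ._sy), and renders the flagged paths as a CFScript Collect:: block so they are quarantined for analysis rather than deleted. The log excerpt is constructed from entries shown earlier in this thread; the list of expected extensions, the stem-length rule and the cluster size of three are assumptions for this example, not ComboFix rules.

```python
import re
from collections import defaultdict

# One "Files Created" entry, e.g.
#   2008-10-26 22:45 . 2008-10-26 22:45 18,941 --a------ C:\WINDOWS\elyhyca.lib
#   2008-10-27 06:12 . 2008-10-27 06:12 <DIR> d-------- C:\Program Files\Trend Micro
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?:(?P<size>[\d,]+)|<DIR>) "
    r"(?P<attrs>[-a-z]{9}) "
    r"(?P<path>.+)$"
)

# Extensions that legitimately appear under %WINDIR% (assumed list, extend as needed).
EXPECTED_EXT = {".exe", ".dll", ".sys", ".ini", ".log", ".txt", ".cat", ".inf", ".dat", ".cpl"}

# A stem of 6-12 lowercase letters with no digits or separators is typical of
# dropper-generated names such as elyhyca.lib or caqygaqu.bin (assumed heuristic).
RANDOM_STEM_RE = re.compile(r"^[a-z]{6,12}$")

# Constructed excerpt modelled on the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-30 )))))))))))))))))))))))))))))))
.

2008-10-27 07:07 . 2008-10-26 21:53 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-27 07:07 . 2008-10-26 21:53 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-27 06:12 . 2008-10-27 06:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-26 22:45 . 2008-10-26 22:45 18,941 --a------ C:\WINDOWS\elyhyca.lib
2008-10-26 22:45 . 2008-10-26 22:45 17,852 --a------ C:\WINDOWS\caqygaqu.bin
2008-10-26 22:45 . 2008-10-26 22:45 17,054 --a------ C:\WINDOWS\ijabub.ban
2008-10-26 22:45 . 2008-10-26 22:45 16,100 --a------ C:\WINDOWS\diqawum._sy
2008-10-26 22:45 . 2008-10-26 22:45 15,863 --a------ C:\WINDOWS\zobovyji._sy
2008-10-26 22:45 . 2008-10-26 22:45 10,321 --a------ C:\WINDOWS\okykeguho.lib
2008-09-14 11:12 . 2008-09-14 11:12 29 --a------ C:\WINDOWS\atid.ini
2008-09-13 09:19 . 2008-08-14 06:00 2,180,352 --a------ C:\WINDOWS\system32\ntoskrnl.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
"""


def parse_created_section(log_text):
    """Return the entries of the 'Files Created' block as a list of dicts."""
    entries, in_section = [], False
    for line in log_text.splitlines():
        if "Files Created from" in line:
            in_section = True
            continue
        if in_section and "Find3M Report" in line:
            break                          # next section reached
        if not in_section:
            continue
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue                       # dots, blank lines, decorations
        d = m.groupdict()
        d["is_dir"] = d["size"] is None    # <DIR> entries carry no size
        d["size"] = int(d["size"].replace(",", "")) if d["size"] else 0
        entries.append(d)
    return entries


def looks_generated(path):
    """True when the file name has a random-looking stem and an unexpected extension."""
    name = path.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    if not dot:                            # no extension at all
        stem, ext = name, ""
    ext = ("." + ext.lower()) if ext else ""
    return bool(RANDOM_STEM_RE.match(stem)) and ext not in EXPECTED_EXT


def find_suspicious_clusters(entries, min_cluster=3):
    """Group generated-looking files under C:\\WINDOWS by (parent dir, creation minute).

    A single odd file is weak evidence; several written in the same minute into
    the Windows directory is the footprint of a dropper, so only groups of at
    least `min_cluster` files are returned.
    """
    groups = defaultdict(list)
    for e in entries:
        if e["is_dir"]:
            continue
        parent = e["path"].rpartition("\\")[0].lower()
        if parent != "c:\\windows" and not parent.startswith("c:\\windows\\"):
            continue
        if looks_generated(e["path"]):
            groups[(parent, e["created"])].append(e["path"])
    return {k: v for k, v in groups.items() if len(v) >= min_cluster}


def build_cfscript(paths):
    """Render a CFScript 'Collect::' block (the ComboFix directive used in this thread)."""
    return "Collect::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    clusters = find_suspicious_clusters(parse_created_section(SAMPLE_LOG))
    for (parent, minute), paths in clusters.items():
        print(f"{len(paths)} generated-looking files in {parent}, created {minute}:")
        print(build_cfscript(paths))
```

Collect:: quarantines the files (ComboFix keeps a copy for inspection) rather than deleting them, so a false positive from the heuristic is recoverable; each cluster should still be eyeballed before the block is pasted into a CFScript, since legitimately installed components occasionally use short lowercase names too.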

#7
CarolinaPoorboy (Member, Topic Starter, 11 posts)
ComboFix 08-10-30.04 - admin 2008-10-30 4:40:52.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.157 [GMT -4:00]
Running from: C:\Documents and Settings\admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\admin\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\caqygaqu.bin
C:\WINDOWS\diqawum._sy
C:\WINDOWS\elyhyca.lib
C:\WINDOWS\ijabub.ban
C:\WINDOWS\okykeguho.lib
C:\WINDOWS\zobovyji._sy

.
((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-30 )))))))))))))))))))))))))))))))
.

2008-10-29 19:26 . 2008-10-29 19:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-10-28 04:51 . 2008-10-28 04:51 <DIR> d-------- C:\WINDOWS\ERUNT
2008-10-27 07:07 . 2008-10-27 07:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-27 07:07 . 2008-10-27 07:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-27 07:07 . 2008-10-27 07:07 <DIR> d-------- C:\Documents and Settings\admin\Application Data\Malwarebytes
2008-10-27 07:07 . 2008-10-26 21:53 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-27 07:07 . 2008-10-26 21:53 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-27 06:12 . 2008-10-27 06:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-26 23:09 . 2008-10-26 23:09 <DIR> d-------- C:\Program Files\AOD
2008-10-26 23:09 . 2008-10-26 23:09 <DIR> d-------- C:\Program Files\AnswerWorks 4.0
2008-10-26 23:09 . 2008-10-26 23:09 <DIR> d-------- C:\Program Files\AIM6
2008-10-26 23:09 . 2008-10-27 05:47 <DIR> d-------- C:\Program Files\AIM
2008-10-26 23:08 . 2008-10-26 23:08 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-10-26 23:08 . 2008-10-26 23:08 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-10-26 23:08 . 2008-10-26 23:08 <DIR> d-------- C:\Program Files\Common Files\Java
2008-10-26 23:08 . 2008-10-26 23:08 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-10-26 23:08 . 2008-10-26 23:08 <DIR> d-------- C:\Program Files\Common Files\HP
2008-10-26 23:08 . 2008-10-26 23:08 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-10-26 23:08 . 2008-10-26 23:08 <DIR> d-------- C:\Program Files\Common Files\efax
2008-10-26 23:08 . 2008-10-26 23:08 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2008-10-26 23:08 . 2008-10-26 23:08 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2008-10-26 23:08 . 2008-10-26 23:08 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-10-26 23:08 . 2008-10-26 23:08 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-10-26 23:08 . 2008-10-26 23:08 <DIR> d-------- C:\Program Files\Avira
2008-10-26 23:07 . 2008-10-26 23:07 <DIR> d-------- C:\Program Files\eFax Messenger Plus
2008-10-26 23:07 . 2008-10-26 23:07 <DIR> d-------- C:\Program Files\EA Games
2008-10-26 23:07 . 2008-10-26 23:07 <DIR> d-------- C:\Program Files\DivX
2008-10-26 23:07 . 2008-10-26 23:07 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-10-26 23:07 . 2008-10-26 23:07 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-10-26 23:07 . 2008-10-26 23:07 <DIR> d-------- C:\Program Files\Common Files\Remote Control USB Driver
2008-10-26 23:07 . 2008-10-26 23:07 <DIR> d-------- C:\Program Files\Common Files\Remote Control Software Shared
2008-10-26 23:07 . 2008-10-26 23:07 <DIR> d-------- C:\Program Files\Common Files\Real
2008-10-26 23:07 . 2008-10-26 23:07 <DIR> d-------- C:\Program Files\Common Files\Nullsoft
2008-10-26 23:07 . 2008-10-26 23:07 <DIR> d-------- C:\Program Files\Common Files\NSV
2008-10-26 23:07 . 2008-10-26 23:07 <DIR> d-------- C:\Program Files\Common Files\mozilla.org
2008-10-26 23:06 . 2008-10-26 23:06 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-10-26 23:06 . 2008-10-26 23:06 <DIR> d-------- C:\Program Files\Loader
2008-10-26 23:06 . 2008-10-26 23:06 <DIR> d-------- C:\Program Files\JavaSoft
2008-10-26 23:06 . 2008-10-26 23:06 <DIR> d-------- C:\Program Files\IrfanView
2008-10-26 23:06 . 2008-10-26 23:06 <DIR> d-------- C:\Program Files\iPod
2008-10-26 23:06 . 2008-10-26 23:06 <DIR> d-------- C:\Program Files\inKline Global
2008-10-26 23:06 . 2008-10-26 23:06 <DIR> d-------- C:\Program Files\INITIO
2008-10-26 23:06 . 2008-10-26 23:06 <DIR> d-------- C:\Program Files\hp photosmart
2008-10-26 23:05 . 2008-10-26 23:05 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-10-26 23:05 . 2008-10-26 23:05 <DIR> d-------- C:\Program Files\mozilla.org
2008-10-26 23:05 . 2008-10-29 20:58 <DIR> d-------- C:\Program Files\mIRC
2008-10-26 23:05 . 2008-10-26 23:05 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\WUSB11 WLAN Monitor
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\Winamp
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\Viewpoint
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\VideoLAN
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\Support.com
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\SpyAssassin
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\SoftPlan Systems Inc
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\SharpC
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\RegCure
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\Real
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\Rapid.DeCoder
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\QuickTime
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\Plaxo
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\PartyPoker
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\PartyGaming
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\Overland
2008-10-26 23:04 . 2008-10-26 23:04 <DIR> d-------- C:\Program Files\MUSICMATCH
2008-10-26 23:03 . 2008-10-26 23:03 <DIR> d-------- C:\Program Files\Yahoo!
2008-10-26 22:58 . 2008-10-26 22:58 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-10-26 19:44 . 2008-10-26 21:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-10-26 14:35 . 2008-10-26 14:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-10-26 11:08 . 2008-10-26 11:10 <DIR> d-------- C:\WINDOWS\ShellNew
2008-10-09 13:31 . 2008-10-09 13:31 <DIR> d-------- C:\Documents and Settings\admin\Application Data\dvdcss
2008-09-26 13:57 . 2008-09-26 13:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-09-26 13:52 . 2008-09-26 13:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-09-14 11:12 . 2008-09-26 13:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-09-14 11:12 . 2008-09-26 13:57 2,106 --ah----- C:\IPH.PH
2008-09-14 11:12 . 2008-09-14 11:12 29 --a------ C:\WINDOWS\atid.ini
2008-09-13 09:33 . 2008-09-13 09:36 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-13 09:33 . 2008-09-13 09:36 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-13 09:33 . 2008-09-13 09:36 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-13 09:20 . 2007-10-25 23:36 8,454,656 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-09-13 09:19 . 2008-08-14 06:00 2,180,352 --a------ C:\WINDOWS\system32\ntoskrnl.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-30 08:39 --------- d-----w C:\Documents and Settings\admin\Application Data\mIRC
2008-10-27 11:20 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-10-27 03:08 --------- d-----w C:\Program Files\Common Files\Adobe
2008-10-27 03:07 --------- d-----w C:\Program Files\Google
2008-10-27 03:07 --------- d-----w C:\Program Files\eFax Messenger 4.2
2008-10-27 03:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-27 03:06 --------- d-----w C:\Program Files\Microsoft Broadband Networking
2008-10-27 02:34 --------- d-----w C:\Program Files\Logitech
2008-10-27 02:34 --------- d-----w C:\Program Files\HP
2008-10-27 02:33 --------- d-----w C:\Program Files\AutoCAD 2004
2008-10-27 01:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-09-19 21:54 100,912 ----a-w C:\Documents and Settings\admin\Application Data\GDIPFONTCACHEV1.DAT
2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-20 05:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 09:22 2,057,728 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\dllcache\es.dll
2007-12-20 00:07 0 --sha-w C:\Documents and Settings\admin\Application Data\GDIPFONTCACHEV17d7dd891b4f4074878521e530ba1e2bc.dat
2007-12-17 22:20 0 --sha-w C:\Documents and Settings\admin\Application Data\d30a475ddb5847764bfd135508b412fbeae602b1.dat
2004-06-13 18:15 449 ----a-w C:\Documents and Settings\admin\UpdateReg.reg
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-14 1576176]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"cdloader"="C:\Documents and Settings\admin\Application Data\mjusbsp\cdloader2.exe" [2008-07-22 50520]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2004-01-05 176128]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2002-07-22 577602]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-07-09 28672]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-13 98304]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Tweak UI"="TWEAKUI.CPL" [2003-05-01 C:\WINDOWS\system32\TWEAKUI.CPL]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-8796-100000000002}\SC_Acrobat.exe [2006-10-17 25214]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2003-12-05 169472]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-09-14 09:57 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Documents and Settings\\admin\\Application Data\\mjusbsp\\magicJack.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4676:UDP"= 4676:UDP:Windows Media Format SDK (iexplore.exe)
"4677:UDP"= 4677:UDP:Windows Media Format SDK (iexplore.exe)
"4679:UDP"= 4679:UDP:Windows Media Format SDK (iexplore.exe)

R2 SSIPDDP;SSIPDDP Parallel port device driver;C:\WINDOWS\System32\DRIVERS\SSIPDDP.SYS [1998-07-14 55296]
R3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINDOWS\system32\drivers\hphius09.sys [2003-01-30 18864]
.
Contents of the 'Scheduled Tasks' folder

2008-10-29 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2008-10-25 18:02]

2008-10-30 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2008-10-25 18:02]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-30 04:47:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-30 4:52:08
ComboFix-quarantined-files.txt 2008-10-30 08:52:05
ComboFix2.txt 2008-10-29 09:07:36

Pre-Run: 50,641,735,680 bytes free
Post-Run: 50,109,263,872 bytes free

198 --- E O F --- 2008-10-30 08:38:17

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:00:17 AM, on 10/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\admin\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1207282089937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1207282072750
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 6843 bytes

#8
IndiGenus

    Anti-Malware Buddha

  • Member
  • 1,617 posts
First, use ATF Cleaner to remove temp files, cookies, cache, etc.

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Run Panda's ActiveScan 2.0 from here and perform a full system scan.
  • Once you are on the Panda site click the "Scan your PC now" button
  • A new window will open...
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
  • If you are on a slow connection it will take about 15 minutes for the scanner to load.
  • Once scan is done, click "Export to:" and a save dialogue box will open
  • Save the log someplace you can find
  • Post the Panda scan results in your next reply

Also post a new HijackThis log and let me know how it's running at this point.

#9
CarolinaPoorboy

    Member

  • Topic Starter
  • Member
  • 11 posts
IndiGenus,

I appreciate your patience...

On the Panda's ActiveScan 2.0, I only clicked the 'export to' tab and saved the dialog as instructed...I did not click any of the 'fix' or 'join' or 'repair' options...Did I do it correctly?

Also, in Control Panel 'add/remove programs', I still see 'Button Manager v1.874' and tried to remove it again and got error message 'setup.exe has encountered a problem and needs to close'...what is it for and should I try again to remove it?

As well, I do not see my 'Avira Antivirus' listed...is it disabled by a virus still?

Thanks again, Poorboy.


;********************************************************************************
ANALYSIS: 2008-10-30 12:32:45
PROTECTIONS: 1
MALWARE: 27
SUSPECTS: 3
;********************************************************************************
PROTECTIONS
Description Version Active Updated
;================================================================================
Avira AntiVir PersonalEdition 8.0.1.30 Yes Yes
;================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;================================================================================
00040415 adware/wintools Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\aui
00100400 Application/Brutus.A HackTools No 0 Yes No C:\Documents and Settings\admin\My Documents\FTA\brutus-aet2.zip[BrutusA2.exe]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\admin\Cookies\admin@trafficmp[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\admin\Cookies\admin@tribalfusion[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\admin\Cookies\[email protected][2].txt
00185663 HackTool/NetCat.A HackTools No 0 No No C:\Documents and Settings\admin\My Documents\mike\hash\CryptLoad_1[1].0.4.rar[CryptLoad_1.0.4\router\FRITZ!Box\nc.exe]
00185663 HackTool/NetCat.A HackTools No 0 Yes No C:\Documents and Settings\admin\My Documents\mike\hash\CytLd\CryptLoad_1.0.3\router\FRITZ!Box\nc.exe
00185663 HackTool/NetCat.A HackTools No 0 No No C:\Documents and Settings\admin\My Documents\mike\hash\CytLd.rar[CryptLoad_1.0.3\router\FRITZ!Box\nc.exe]
00185663 HackTool/NetCat.A HackTools No 0 Yes No C:\Documents and Settings\admin\My Documents\mike\hash\CryptLoad_1[1].0.4\CryptLoad_1.0.4\router\FRITZ!Box\nc.exe
00421373 Adware/XPAntiSpyware2009 Adware No 1 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP370\A0050362.dll
00421373 Adware/XPAntiSpyware2009 Adware No 1 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP369\A0045228.dll
00431239 Adware/XPAntiSpyware2009 Adware No 1 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP370\A0050380.dll
00431269 Adware/XPAntiSpyware2009 Adware No 1 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP370\A0050378.exe
00431269 Adware/XPAntiSpyware2009 Adware No 1 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP370\A0050365.exe
00431639 Adware/InternetSpeedMonitor Adware No 0 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP370\A0050357.exe
00431639 Adware/InternetSpeedMonitor Adware No 0 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP369\A0047386.exe
00431639 Adware/InternetSpeedMonitor Adware No 0 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP368\A0044604.exe
00431639 Adware/InternetSpeedMonitor Adware No 0 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP364\A0044232.exe
00431639 Adware/InternetSpeedMonitor Adware No 0 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP365\A0044257.exe
00431639 Adware/InternetSpeedMonitor Adware No 0 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP366\A0044281.exe
00431639 Adware/InternetSpeedMonitor Adware No 0 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP367\A0044316.exe
00431641 Adware/XPAntiSpyware2009 Adware No 1 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP370\A0050345.exe
00431641 Adware/XPAntiSpyware2009 Adware No 1 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP368\A0044618.exe
00431641 Adware/XPAntiSpyware2009 Adware No 1 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP370\A0050344.exe
00431641 Adware/XPAntiSpyware2009 Adware No 1 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP368\A0044836.exe
00431641 Adware/XPAntiSpyware2009 Adware No 1 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP368\A0044837.exe
00431641 Adware/XPAntiSpyware2009 Adware No 1 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP369\A0044838.exe
00431641 Adware/XPAntiSpyware2009 Adware No 1 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP369\A0044839.exe
00431641 Adware/XPAntiSpyware2009 Adware No 1 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP370\A0050343.exe
00431641 Adware/XPAntiSpyware2009 Adware No 1 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP369\A0050342.exe
00431641 Adware/XPAntiSpyware2009 Adware No 1 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP369\A0050341.exe
00431641 Adware/XPAntiSpyware2009 Adware No 1 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP369\A0050335.exe
00431641 Adware/XPAntiSpyware2009 Adware No 1 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP369\A0050334.exe
00958927 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\mozilla.org\Mozilla\plugins\npwthost.dll
00958927 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP369\A0049150.dll
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP374\A0051076.EXE
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP373\A0051010.exe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP374\A0051064.sys
02902637 Rootkit/Nurech.BC HackTools No 1 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP368\A0044619.sys
02902637 Rootkit/Nurech.BC HackTools No 1 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP370\A0050376.sys
02902637 Rootkit/Nurech.BC HackTools No 1 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP371\A0050638.sys
02902637 Rootkit/Nurech.BC HackTools No 1 Yes No C:\Documents and Settings\admin\Desktop\SDFix\backups\backups.zip[backups/figaro.sys]
02902637 Rootkit/Nurech.BC HackTools No 1 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP370\A0050375.sys
02916589 Application/PassRock HackTools No 0 Yes No C:\Documents and Settings\admin\My Documents\VIEWSAT\Permenant Crack\keyfinder.exe
02918068 Adware/Look2Me Adware No 0 Yes No C:\Program Files\INITIO\Button Manager v1.874\inihid.exe
03074964 Trj/CI.A Virus/Trojan No 0 No No C:\Documents and Settings\admin\My Documents\VIEWSAT\Permenant Crack\keyfinder.exe[C:\Documents and Settings\admin\My Documents\VIEWSAT\Permenant Crack\keyfinder.exe][officekey.exe]
03738686 Generic Malware Virus/Trojan No 0 No No C:\Documents and Settings\admin\Desktop\SDFix.exe[C:\Documents and Settings\admin\Desktop\SDFix.exe][SDFix\catchme.exe]
03738686 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP371\A0050566.exe
03738686 Generic Malware Virus/Trojan No 0 No No C:\Documents and Settings\admin\Desktop\SDFix.exe[C:\Documents and Settings\admin\Desktop\SDFix.exe][SDFix\apps\Cghtme.exe]
03738686 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\admin\Desktop\SDFix\catchme.exe
03738686 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\admin\Desktop\SDFix\apps\Cghtme.exe
03738686 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP371\A0050567.exe
03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP370\A0050387.sys
03899005 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP373\A0051012.exe
03939303 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP370\A0050381.dll
03939307 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP370\A0050377.cpl
03939307 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP370\A0050366.cpl
03939307 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP369\A0050332.cpl
03939307 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP369\A0045235.cpl
03939308 Adware/XPAntiSpyware2009 Adware No 1 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP370\A0050379.dll
03939310 Adware/UltimateDefender Adware No 0 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP370\A0050384.dll
03972001 Adware/Xpantivirus2008 Adware No 0 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP370\A0050361.exe
03972001 Adware/Xpantivirus2008 Adware No 0 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP369\A0045227.exe
;================================================================================
SUSPECTS
Sent Location
;================================================================================
No C:\Documents and Settings\admin\Desktop\ComboFix.exe[32788R22FWJFW\psexec.cfexe]
No C:\Documents and Settings\admin\My Documents\Downloads\mirc631.exe[²ÖÇ\mirc631.exe][mirc.exe]
No C:\Program Files\mIRC\mirc.exe
;================================================================================
VULNERABILITIES
Id Severity Description
;================================================================================
182048 HIGH MS07-069
182046 HIGH MS07-067
176382 HIGH MS07-057
170906 HIGH MS07-045
170904 HIGH MS07-043
164913 HIGH MS07-033
160623 HIGH MS07-027
150253 HIGH MS07-016
141030 HIGH MS06-072
137568 HIGH MS06-067
126083 HIGH MS06-042
120814 HIGH MS06-021
114664 HIGH MS06-013
;================================================================================



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:07 PM, on 10/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\admin\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1207282089937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1207282072750
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 7234 bytes

Edited by CarolinaPoorboy, 30 October 2008 - 01:21 PM.


#10
IndiGenus

    Anti-Malware Buddha

  • Member
  • 1,617 posts
Hi,

Did you run Malwarebytes'? If so, post the log if anything was found.


On the Panda's ActiveScan 2.0, I only clicked the 'export to' tab and saved the dialog as instructed...I did not click any of the 'fix' or 'join' or 'repair' options...Did I do it correctly?

Perfect, yes. I need to add that to my instructions. Most of what Panda found is either false positives, or in restore points (which we'll clean out soon).


Also, in Control Panel 'add/remove programs', I still see 'Button Manager v1.874' and have not tried to remove it again...what is it for and should I try again to remove it?

It's adware, as picked up by Panda:

02918068 Adware/Look2Me Adware No 0 Yes No C:\Program Files\INITIO\Button Manager v1.874\inihid.exe

If you cannot remove it from Add or Remove Programs, then delete the folder (many adware programs will not remove from Add or Remove Programs in the Control Panel):

C:\Program Files\INITIO


As well, I do not see my 'Avira Antivirus' listed...is it disabled by a virus still?

Hmm? I see it running fine in your HJT log. Double check that if you would.

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min


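As an added example (not part of the thread), here is a Python triage of Panda ActiveScan export records along the lines of the reply above: detections sitting in System Restore points, hits on the cleanup tools used earlier (SDFix, ComboFix, catchme), tracking cookies and files inside archives are separated from files still live on disk, which are the only ones that need a decision. The sample lines are a constructed subset of the log posted above; the record pattern, bucket names and function names are mine.

```python
"""Triage a Panda ActiveScan 2.0 export (added example, not from the thread).

Each MALWARE record is one line:
    Id Description Type Active Severity Disinfectable Disinfected Location
Description and Location can both contain spaces, so records are split around
the fixed Active/Severity/Disinfectable/Disinfected columns, not on whitespace.
Header and separator lines simply fail to match and are skipped.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of the record shapes in the log posted above.
SAMPLE_LOG = r"""
00100400 Application/Brutus.A HackTools No 0 Yes No C:\Documents and Settings\admin\My Documents\FTA\brutus-aet2.zip[BrutusA2.exe]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\admin\Cookies\admin@trafficmp[1].txt
00185663 HackTool/NetCat.A HackTools No 0 Yes No C:\Documents and Settings\admin\My Documents\mike\hash\CytLd\CryptLoad_1.0.3\router\FRITZ!Box\nc.exe
00421373 Adware/XPAntiSpyware2009 Adware No 1 Yes No C:\System Volume Information\_restore{15892183-7011-44FC-B088-E8910F60B8D0}\RP370\A0050362.dll
00958927 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\mozilla.org\Mozilla\plugins\npwthost.dll
02918068 Adware/Look2Me Adware No 0 Yes No C:\Program Files\INITIO\Button Manager v1.874\inihid.exe
03738686 Generic Malware Virus/Trojan No 0 No No C:\Documents and Settings\admin\Desktop\SDFix.exe[C:\Documents and Settings\admin\Desktop\SDFix.exe][SDFix\catchme.exe]
03738686 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\admin\Desktop\SDFix\catchme.exe
"""

RECORD_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<desc_type>.+?)\s+"
    r"(?P<active>Yes|No)\s+(?P<severity>\d+)\s+"
    r"(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+"
    r"(?P<location>\S.*)$"
)
# Restore-point copies are inert until restored; they go away with the restore points.
RESTORE_POINT_RE = re.compile(r"\\System Volume Information\\_restore", re.I)
# Removal tools used earlier in the thread; scanners routinely flag their components.
CLEANUP_TOOLS = ("sdfix", "combofix", "catchme")


@dataclass
class Detection:
    id: str
    description: str
    kind: str
    active: bool
    severity: int
    disinfectable: bool
    location: str


def parse_records(text):
    """Return the Detection records in a Panda export; non-record lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        # Type is the last word of the Description/Type span; the rest is Description.
        desc, _, kind = m["desc_type"].rpartition(" ")
        records.append(Detection(
            id=m["id"], description=desc or kind, kind=kind,
            active=m["active"] == "Yes", severity=int(m["severity"]),
            disinfectable=m["disinfectable"] == "Yes", location=m["location"],
        ))
    return records


def classify(d):
    """Bucket a detection by where it lives; order matters (cookie names contain '[')."""
    loc = d.location.lower()
    if RESTORE_POINT_RE.search(d.location):
        return "restore_point"
    if any(tool in loc for tool in CLEANUP_TOOLS):
        return "cleanup_tool"   # expected hit on a removal tool, not an infection
    if d.kind == "TrackingCookie":
        return "cookie"
    if "[" in d.location:
        return "archived"       # Panda writes archive[member] for files inside archives
    return "on_disk"            # live file that still needs a decision


def triage(text):
    """Group every record in the export by bucket."""
    buckets = defaultdict(list)
    for d in parse_records(text):
        buckets[classify(d)].append(d)
    return buckets


def actionable_paths(text):
    """Locations still live on disk and not attributable to a cleanup tool."""
    return [d.location for d in triage(text)["on_disk"]]


if __name__ == "__main__":
    for bucket, items in sorted(triage(SAMPLE_LOG).items()):
        print(f"{bucket}: {len(items)}")
        for d in items:
            print(f"    {d.kind:<14} {d.description:<28} {d.location}")
```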

#11
CarolinaPoorboy

    Member

  • Topic Starter
  • Member
  • 11 posts
I deleted INITIO and cleared recycle bin...

Sorry...This was the log...I rechecked it-

Malwarebytes' Anti-Malware 1.30
Database version: 1340
Windows 5.1.2600 Service Pack 2

10/30/2008 10:23:37 AM
mbam-log-2008-10-30 (10-23-37).txt

Scan type: Quick Scan
Objects scanned: 50692
Time elapsed: 4 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by CarolinaPoorboy, 30 October 2008 - 01:30 PM.


#12
IndiGenus

    Anti-Malware Buddha

  • Member
  • 1,617 posts
Did you download or know what these tools are for? If you are not aware of them, I would recommend deleting them.

C:\Documents and Settings\admin\My Documents\FTA\brutus-aet2.zip
C:\Documents and Settings\admin\My Documents\mike\hash\CryptLoad_1[1].0.4.rar
C:\Documents and Settings\admin\My Documents\mike\hash\CytLd\CryptLoad_1.0.3\router\FRITZ!Box\nc.exe
C:\Documents and Settings\admin\My Documents\mike\hash\CytLd.rar[CryptLoad_1.0.3\router\FRITZ!Box\nc.exe]
C:\Documents and Settings\admin\My Documents\mike\hash\CryptLoad_1[1].0.4\CryptLoad_1.0.4\router\FRITZ!Box\nc.exe
C:\Documents and Settings\admin\My Documents\VIEWSAT\Permenant Crack\keyfinder.exe


You should also delete the SDFix tool and folder:

C:\Documents and Settings\admin\Desktop\SDFix.exe
C:\Documents and Settings\admin\Desktop\SDFix


We can also clean up from combofix:

  • Click START then RUN
  • Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.


The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.


Let me know how it's running otherwise.

#13
CarolinaPoorboy

    Member

  • Topic Starter
  • Member
  • 11 posts
I hopefully deleted all of the files that you noted...Not sure what they were; some were in my son's folder of old files he had before he moved out...I also emptied the recycle bin afterwards.

Also did ComboFix /u as requested.

Note- Button Manager v1.874 still unable to delete.

Anyhow, here is a new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:48 PM, on 10/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\admin\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1207282089937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1207282072750
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 7011 bytes

Edited by CarolinaPoorboy, 30 October 2008 - 06:51 PM.


#14
IndiGenus

IndiGenus

    Anti-Malware Buddha

  • Member
  • 1,617 posts
Looks ok....how's it running now? Any problems?

#15
CarolinaPoorboy

CarolinaPoorboy

    Member

  • Topic Starter
  • Member
  • 11 posts
Runs fast, but still get error messages on start-up...

1- is from an HP printer I tried to uninstall and reinstall...I was unable to use 'add/remove programs' as I kept getting error messages.

The other is an error in loading Avira Antivirus...I tried to uninstall from 'add/remove programs' and was not able to...

Is there another way to uninstall the programs and reinstall them?