TeamFortress

Constant Pop-ups. Can't install/update virus/scanner programs

10 posts in this topic

My original problem was that my computer started acting up recently with constant pop-ups from IE even though I use Firefox. Also a pop-up to install some program called VirusRemover2008 kept popping up earlier too.

After running an AVG scan (luckily i had it installed), it found the following which it moved to the Virus Vault:

Trojan Horse SHeur 2 .FJD

Trojan Horse BHO.GQR (x2)

Trojan Horse Vundo.BX

Trojan Horse Generic12.BET

Trojan Horse Downloader.Generic8.GWR

Trojan Horse SHeur 2.GAS (x2)

I managed to install MBAM by changing the .exe. And now I can install antivirus software, open regedit, visit tech websites and such. But I just wanted to be sure that it's 100%, especially since I found this Avenger folder after running MBAM and it contains files such as csrssc.exe. Also, I'm running AVG right now and it's found Trojan Horse SHeur 2.GAS four times already. So I'm not sure if I'm completely in the clear yet.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:20:05 PM, on 12/20/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Pidgin\pidgin.exe

C:\Program Files\AVG\AVG8\avgui.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\AVG\AVG8\avgscanx.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\cmd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/MemberHome

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {3D3BF1F8-9696-4A5E-B4F1-49101C997B70} - http://www.earthcaller.com/VaxSIPUserAgentCAB.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dHRrIGJiYw\command.exe (file missing)

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O24 - Desktop Component 0: (no name) - http://fc07.deviantart.com/fs37/i/2008/244...y_aliveruka.jpg

--

End of file - 5217 bytes

Thanks!

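As an added example (not code from the thread or from the Malwarebytes team), a small Python triage script for the HijackThis log format quoted above: it parses the section-coded lines (R0, O4, O23, ...) and lists the entries a reviewer would look at first, such as services whose binary is missing or has no vendor string, and programs loading from a non-standard directory under C:\WINDOWS. The sample lines are constructed for the example and modelled on the thread's log; the allowlist of standard Windows subdirectories is an assumption kept deliberately short.

```python
import re
from typing import List, Tuple

# Constructed sample: a few lines in the HijackThis v2 log format, modelled on
# the entries quoted in the thread (not the full log). Raw string, so the
# backslashes are literal.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dHRrIGJiYw\command.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# Every HijackThis finding starts with a section code followed by " - ".
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Directory component immediately under the Windows directory, e.g. the
# "dHRrIGJiYw" in C:\WINDOWS\dHRrIGJiYw\command.exe.
WINDIR_RE = re.compile(r"[A-Za-z]:\\WINDOWS\\([^\\]+)\\", re.IGNORECASE)

# Assumed, intentionally short allowlist of subdirectories that legitimately
# hold executables under %WINDIR%; extend it for your own environment.
KNOWN_WINDIR_SUBDIRS = {"system32", "system", "network diagnostic", "microsoft.net"}


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Split a HijackThis log into (section code, body) pairs, skipping the
    header, the running-process list and blank lines."""
    items = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            items.append((m.group("code"), m.group("body")))
    return items


def triage(items: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (code, reason, body) findings. These are review heuristics that
    point an analyst at lines worth checking, not malware verdicts: the O20
    entry in the sample is AVG's own DLL and is flagged only for confirmation."""
    findings = []
    for code, body in items:
        reasons = []
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("references a file that no longer exists")
        if "Unknown owner" in body:
            reasons.append("service binary carries no vendor string")
        if code in ("O3", "O9") and "(no name)" in body:
            reasons.append("UI element registered without a display name")
        if code == "O20":
            reasons.append("AppInit_DLLs is loaded into every GUI process; confirm the DLL's vendor")
        m = WINDIR_RE.search(body)
        if m and m.group(1).lower() not in KNOWN_WINDIR_SUBDIRS:
            reasons.append("runs from a non-standard directory under C:\\WINDOWS")
        for reason in reasons:
            findings.append((code, reason, body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{code}] {reason}\n      {body}")
```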

Hi and welcome to Malwarebytes forums, my name is Tom and I'll be assisting you today with malware removal.

At any point if you're unsure of the directions presented to you below, don't hesitate to come back for clarification. It may help if you print them out. Also please remember to subscribe or track this topic for replies so you'll be alerted when I post back continuing instructions.

Below you will find the results from my analysis of your HijackThis! log file. Please read all instructions carefully before performing any steps.

To eliminate any potential conflicts with our removal methods please do not install any software of any type which you think may be helpful. In all likelihood they will not be of much use if any at all and may complicate things further.

Also please be sure to perform only the instructions I have posted and nothing more. Instructions are given in a specific order in many cases, and attempts at steps which you may think are helpful may not be. And please refrain from using any other tools unless instructed to do so, thanks.

Be sure to add all replies to this thread and this thread only, do not start a new thread. If you see another thread with a similar problem do not go ahead with any of those steps regardless of what you see. Do not jump into any ongoing threads, focus on yours.

Please do as instructed below in the order presented.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the 'Windows Advanced Options Menu' screen should appear;
  • Use the up/down arrow keys to select the first option 'Safe Mode' to run Windows, then press Enter.
  • If it applies, select the operating system we're currently trying to remove malware from, then choose your usual account.
  • When prompted by Windows to accept working in safe mode, click 'Yes'
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum.


SDFix: Version 1.240

Run by Owner on Sun 12/21/2008 at 06:39 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Checking Services :

Name :

TDSSserv.sys

Path :

\systemroot\system32\drivers\TDSSpqlt.sys

TDSSserv.sys - Deleted

Restoring Default Security Values

Restoring Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\drivers\TDSSpqlt.sys - Deleted

C:\WINDOWS\system32\TDSSmtvd.dat - Deleted

C:\WINDOWS\SYSTEM32\TDSSMTVD.dat - Deleted

Folder C:\Temp\tn3 - Removed

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-21 20:57:03

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00027207f20d]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]

"s1"=dword:2df9c43f

"s2"=dword:110480d0

"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"p0"="C:\Program Files\DAEMON Tools Lite\"

"h0"=dword:00000000

"khjeh"=hex:5d,fb,04,58,b6,30,74,0a,92,95,93,08,ef,cf,e8,a6,32,13,5a,62,84,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,df,54,68,55,a5,a2,ce,f0,fb,3e,74,41,61,b9,cb,d6,01,..

"khjeh"=hex:8d,c5,9d,98,e8,83,94,86,71,98,ee,d2,bc,17,af,5d,68,a7,f4,78,1e,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:d7,79,8e,fc,82,65,8c,6e,fb,88,71,84,90,a3,d3,63,23,a6,05,63,24,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00027207f20d]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"p0"="C:\Program Files\DAEMON Tools Lite\"

"h0"=dword:00000000

"khjeh"=hex:5d,fb,04,58,b6,30,74,0a,92,95,93,08,ef,cf,e8,a6,32,13,5a,62,84,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,df,54,68,55,a5,a2,ce,f0,fb,3e,74,41,61,b9,cb,d6,01,..

"khjeh"=hex:8d,c5,9d,98,e8,83,94,86,71,98,ee,d2,bc,17,af,5d,68,a7,f4,78,1e,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:d7,79,8e,fc,82,65,8c,6e,fb,88,71,84,90,a3,d3,63,23,a6,05,63,24,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4EBB1FB8-5FD5-403E-46E0-E7046CDA3017}]

"iajicbegojacebpgkd"=hex:6a,61,63,66,62,6c,63,70,68,6e,61,63,63,68,6f,6f,64,6a,6f,65,00,..

"hapgigoddgefdabd"=hex:6a,61,63,66,6b,6b,62,6b,68,65,65,6f,6f,6e,69,67,65,6a,6a,6b,00,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DF4E0B65-5B1A-5027-5FC6-BD815F967F06}]

"eanagmopjl"=hex:66,61,6c,63,67,68,6c,69,67,61,69,6e,00,31

"dakakdpn"=hex:64,62,6a,63,68,6b,70,6b,64,6d,6e,6d,6d,6b,61,6c,62,6d,64,67,69,..

"iafdfjkccgofopbigj"=hex:6b,61,62,67,69,67,66,62,67,61,63,66,64,6e,70,62,67,61,65,6a,70,..

"haddllaiafgimoeo"=hex:6b,61,62,67,69,67,66,62,67,61,63,66,64,6e,70,62,67,61,65,6a,70,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\h


Next up:

Download ComboFix from one of these locations:

Link 1

Link 2

Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


ComboFix 08-12-21.04 - Owner 2008-12-22 11:40:05.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.636 [GMT -8:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\components

c:\windows\system32\dumphive.exe

c:\windows\system32\IEDFix.exe

c:\windows\system32\Process.exe

c:\windows\system32\SrchSTS.exe

c:\windows\system32\tmp.reg

c:\windows\system32\VCCLSID.exe

c:\windows\system32\WS2Fix.exe

D:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2008-11-22 to 2008-12-22 )))))))))))))))))))))))))))))))

.

2008-12-22 11:18 . 2008-12-22 11:19 <DIR> d-------- C:\32788R22FWJFW

2008-12-21 18:38 . 2008-12-21 18:38 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll

2008-12-21 18:35 . 2008-12-21 18:35 <DIR> d-------- c:\windows\ERUNT

2008-12-21 13:35 . 2008-12-21 21:01 <DIR> d-------- C:\SDFix

2008-12-21 01:44 . 2008-12-21 01:44 0 --a------ c:\windows\dir

2008-12-20 23:56 . 2008-12-21 18:23 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2008-12-20 21:52 . 2008-03-05 15:56 3,786,760 --a------ c:\windows\system32\D3DX9_37.dll

2008-12-20 21:51 . 2007-03-12 16:42 3,495,784 --a------ c:\windows\system32\d3dx9_33.dll

2008-12-20 18:41 . 2008-12-20 18:41 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes

2008-12-20 18:39 . 2008-12-20 21:25 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-12-20 18:39 . 2008-12-20 18:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-20 18:39 . 2008-12-03 19:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-20 18:39 . 2008-12-03 19:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-20 16:00 . 2008-12-20 21:00 <DIR> d--hs---- c:\windows\dHRrIGJiYw

2008-12-19 23:00 . 2008-12-19 23:00 <DIR> d-------- c:\documents and settings\Owner\Application Data\Deusty

2008-12-19 22:59 . 2008-12-19 22:59 <DIR> d-------- c:\program files\Deusty

2008-12-19 19:04 . 2008-12-19 20:55 <DIR> d-------- c:\windows\system32\cap2

2008-12-19 19:04 . 2008-12-19 19:05 <DIR> d-------- c:\windows\system32\ain

2008-12-19 19:04 . 2008-12-19 19:04 <DIR> d-------- c:\temp\REX81

2008-12-19 19:04 . 2008-12-21 20:56 <DIR> d-------- C:\Temp

2008-11-30 23:40 . 2008-11-30 23:40 <DIR> d-------- c:\documents and settings\Owner\Application Data\dvdcss

2008-11-30 23:38 . 2008-11-30 23:38 <DIR> d-------- c:\documents and settings\Owner\Application Data\vlc

2008-11-30 22:51 . 2008-04-13 16:12 218,624 --a------ c:\windows\system32\uxtheme.uxtender

2008-11-28 19:14 . 2008-11-28 19:15 <DIR> d-------- c:\program files\iTunes

2008-11-28 19:14 . 2008-11-28 19:14 <DIR> d-------- c:\program files\iPod

2008-11-28 19:14 . 2008-11-28 19:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2008-11-28 19:11 . 2008-11-28 19:12 <DIR> d-------- c:\program files\QuickTime

2008-11-27 23:49 . 2008-11-27 23:49 <DIR> d-------- c:\documents and settings\Owner\Application Data\Red Alert 3

2008-11-27 23:19 . 2008-11-27 23:19 <DIR> dr-h----- c:\documents and settings\Owner\Application Data\SecuROM

2008-11-27 23:19 . 2008-11-27 23:19 107,888 --a------ c:\windows\system32\CmdLineExt.dll

2008-11-27 22:53 . 2008-11-27 22:53 <DIR> d-------- c:\program files\Electronic Arts

2008-11-27 22:53 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll

2008-11-27 22:53 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll

2008-11-27 22:52 . 2008-11-27 22:52 <DIR> d-------- c:\windows\Logs

2008-11-27 22:52 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll

2008-11-27 22:52 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll

2008-11-27 22:52 . 2007-07-19 18:14 1,358,192 --a------ c:\windows\system32\D3DCompiler_35.dll

2008-11-27 22:52 . 2007-07-19 18:14 444,776 --a------ c:\windows\system32\d3dx10_35.dll

2008-11-27 22:48 . 2008-11-27 22:48 <DIR> d-------- c:\program files\DAEMON Tools Lite

2008-11-27 22:44 . 2008-11-27 22:44 717,296 --a------ c:\windows\system32\drivers\sptd.sys

2008-11-27 22:43 . 2008-11-27 22:43 <DIR> d-------- c:\documents and settings\Owner\Application Data\DAEMON Tools

2008-11-25 16:19 . 2008-11-25 16:20 <DIR> d-------- c:\program files\Pidgin

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-22 05:59 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-12-21 21:46 --------- d-----w c:\documents and settings\Owner\Application Data\.purple

2008-12-20 03:17 --------- d-----w c:\documents and settings\All Users\Application Data\avg8

2008-12-19 23:55 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-19 23:55 --------- d-----w c:\program files\HP

2008-12-11 05:43 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2008-12-02 00:00 --------- d-----w c:\program files\DivX

2008-12-01 06:54 --------- d-----w c:\program files\Steam

2008-12-01 06:51 218,624 ----a-w c:\windows\system32\uxtheme.dll

2008-12-01 06:23 --------- d-----w c:\program files\Microsoft Money 2006

2008-12-01 06:08 --------- d-----w c:\program files\FirstClass

2008-11-29 03:11 --------- d-----w c:\program files\Common Files\Apple

2008-11-28 08:19 --------- d-----w c:\program files\PeerGuardian2

2008-11-28 08:05 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint

2008-11-26 05:32 --------- d-----w c:\documents and settings\Owner\Application Data\gtk-2.0

2008-11-26 00:28 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip

2008-11-26 00:19 --------- d-----w c:\program files\Common Files\GTK

2008-11-18 02:14 9,019,392 ----a-w c:\windows\system32\wmploc.dll.tmp

2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll

2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll

2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll

2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll

2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll

2008-10-27 18:04 70,992 ----a-w c:\windows\system32\XAPOFX1_2.dll

2008-10-27 18:04 514,384 ----a-w c:\windows\system32\XAudio2_3.dll

2008-10-27 18:04 235,856 ----a-w c:\windows\system32\xactengine3_3.dll

2008-10-27 18:04 23,376 ----a-w c:\windows\system32\X3DAudio1_5.dll

2008-10-27 03:10 30 ----a-w c:\documents and settings\Owner\jagex_runescape_preferences.dat

2008-10-25 17:20 --------- d-----w c:\documents and settings\Mom\Application Data\Skype

2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll

2008-10-22 02:51 --------- d-----w c:\program files\Microsoft Silverlight

2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll

2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll

2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll

2008-10-10 12:52 452,440 ----a-w c:\windows\system32\d3dx10_40.dll

2008-10-10 12:52 4,379,984 ----a-w c:\windows\system32\D3DX9_40.dll

2008-10-10 12:52 2,036,576 ----a-w c:\windows\system32\D3DCompiler_40.dll

2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll

2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll

2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll

2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll

2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll

2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll

2008-09-25 08:03 524,288 ----a-w c:\windows\system32\DivXsm.exe

2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll

2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll

2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll

2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll

2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe

2005-07-30 00:24 472 --sha-r c:\windows\dHRrIGJiYw\xJlOK3L2sT.vbs

2008-07-12 21:37 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008071220080713\index.dat

2007-05-28 02:45 4,026,656 --sha-w c:\windows\system32\drivers\fidbox.dat

2007-05-28 02:45 141,856 --sha-w c:\windows\system32\drivers\fidbox2.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Power2GoExpress"="NA" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk

backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk

backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk

backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ymetray.lnk

backup=c:\windows\pss\ymetray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mom^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\documents and settings\Mom\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Dropbox.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Dropbox.lnk

backup=c:\windows\pss\Dropbox.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

--a------ 2005-06-06 23:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

--a------ 2008-08-08 04:11 490952 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]

--a------ 2004-08-22 16:05 81920 c:\program files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

--a------ 2007-08-24 07:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

--a------ 2004-11-03 13:03 125528 c:\program files\Common Files\AOL\1138786303\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]

--a------ 2007-02-05 14:52 849280 c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]

--a------ 2007-05-17 13:45 279912 c:\program files\Microsoft LifeCam\LifeExp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2007-03-01 14:57 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2007-12-05 01:41 8523776 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]

--a------ 2002-09-13 22:42 212992 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]

--a------ 2005-02-25 17:24 966656 c:\windows\creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

--a------ 2005-01-12 03:01 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]

--a------ 2008-01-21 11:17 61440 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

--a------ 2008-11-30 20:04 1410296 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

--a------ 2006-07-15 05:22 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX6000]

--a------ 2007-04-10 13:46 996712 c:\windows\vVX6000.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

--------- 2006-10-18 20:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]

--a------ 2008-04-13 16:12 110592 c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2007-12-05 01:41 1626112 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

--a------ 2005-09-26 15:07 90112 c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"gusvc"=3 (0x3)

"Adobe LM Service"=3 (0x3)

"aawservice"=2 (0x2)

"WMPNetworkSvc"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\1138786303\\EE\\AOLServiceHost.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Steam\\SteamApps\\a1engongst3r\\team fortress 2\\hl2.exe"=

"c:\\Program Files\\Pidgin\\pidgin.exe"=

"c:\\Program Files\\Steam\\SteamApps\\a1engongst3r\\counter-strike source\\hl2.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-07-08 97928]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-08 231704]

S1 ws2ifsll;ws2ifsll;c:\windows\system32\drivers\ws2ifsll.sys []

S3 usbvm328;HP Camera;c:\windows\system32\Drivers\usbvm326.sys []

S3 vmfilter323;VC0326 filter service for Serome;c:\windows\system32\drivers\vmfilter323.sys [2008-06-26 475264]

S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\DRIVERS\VX6000Xp.sys [2008-10-04 2385896]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]

\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53fc49bc-f385-11da-b04c-0040ca93db3a}]

\Shell\AutoRun\command - H:\9.cmd

\Shell\explore\Command - H:\9.cmd

\Shell\open\Command - H:\9.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cc3e7da9-9a4e-11da-831d-806d6172696f}]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

*Newly Created Service* - PROCEXP90

.

Contents of the 'Scheduled Tasks' folder

2008-12-20 c:\windows\Tasks\1-Click Maintenance.job

- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe []

2008-12-20 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2007-06-02 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job

- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-02-05 14:52]

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AIM - c:\program files\AIM\aim.exe

MSConfigStartUp-AOL Spyware Protection - c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

MSConfigStartUp-ASM - c:\program files\AOL\Active Security Monitor\ASMonitor.exe

MSConfigStartUp-Jnskdfmf9eldfd - c:\docume~1\Owner\LOCALS~1\Temp\csrssc.exe

MSConfigStartUp-MSKDetectorExe - c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe

MSConfigStartUp-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe

MSConfigStartUp-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe

MSConfigStartUp-PWRISOVM - c:\program files\PowerISO\PWRISOVM.EXE

MSConfigStartUp-QuickTime Plugin Install - c:\program files\QuickTime\Plugins\DeleteMe1.exe

MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

MSConfigStartUp-Uniblue SpyEraser - c:\program files\Uniblue\SpyEraser\SpyEraser.exe

MSConfigStartUp-VirusScan Online - c:\program files\McAfee.com\VSO\mcvsshld.exe

MSConfigStartUp-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe

MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\YahooMessenger.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.netflix.com/MemberHome

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm

c:\windows\system32\msvcrt.dll - c:\windows\system32\mfc42.dll

c:\windows\system32\olepro32.dll

c:\windows\Downloaded Program Files\VaxSIPUserAgentCAB.ocx

O16 -: {3D3BF1F8-9696-4A5E-B4F1-49101C997B70}

hxxp://www.earthcaller.com/VaxSIPUserAgentCAB.cab

c:\windows\Downloaded Program Files\VaxSIPUserAgentCAB.inf

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\oql3x384.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr_ymail&p=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr_ymail&p=

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\oql3x384.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll

FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll

FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint_03050024.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

ATTENTION: FIREFOX POLICES IS IN FORCE

FF - user.js: network.http.max-connections-per-server - 6

FF - user.js: network.http.max-persistent-connections-per-server - 3

FF - user.js: content.max.tokenizing.time - 1500000

FF - user.js: content.notify.interval - 750000

FF - user.js: nglayout.initialpaint.delay - 100

FF - user.js: content.switch.threshold - 750000

.

.

------- File Associations -------

.

JSEFile=NOTEPAD.EXE %1

VBEFile=NOTEPAD.EXE %1

VBSFile=NOTEPAD.EXE %1

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-22 11:41:49

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)

c:\windows\system32\avgrsstx.dll

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(764)

c:\windows\system32\avgrsstx.dll

.

Completion time: 2008-12-22 11:43:59

ComboFix-quarantined-files.txt 2008-12-22 19:42:42

Pre-Run: 43,456,421,888 bytes free

Post-Run: 43,574,185,984 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

376 --- E O F --- 2008-12-18 03:01:20


Ok, that removed some stuff and we've a few more to remove.

Please open Notepad then copy & paste all the following text located inside the code box.

File::
c:\windows\system32\drivers\ws2ifsll.sys
Driver::
ws2ifsll
Folder::
C:\32788R22FWJFW
c:\windows\dHRrIGJiYw
c:\windows\system32\cap2
c:\windows\system32\ain
C:\Temp
c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

Drag the .txt file into combofix.exe as displayed in this .gif image:

CFScriptB-4.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


ComboFix 08-12-21.04 - Owner 2008-12-22 12:51:03.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.428 [GMT -8:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

* Created a new restore point

FILE ::

c:\windows\system32\drivers\ws2ifsll.sys

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\DIFxAPI.dll

c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\DifXInstall32.exe

c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\GEARAspiWDM.inf

c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\gearaspiwdmx86.cat

c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86\GEARAspi.dll

c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86\GEARAspiWDM.sys

C:\Temp

c:\temp\REX81\BDF.log

c:\windows\dHRrIGJiYw

c:\windows\dHRrIGJiYw\xJlOK3L2sT.vbs

c:\windows\system32\ain

c:\windows\system32\cap2

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_WS2IFSLL

-------\Service_ws2ifsll

((((((((((((((((((((((((( Files Created from 2008-11-22 to 2008-12-22 )))))))))))))))))))))))))))))))

.

2008-12-21 18:38 . 2008-12-21 18:38 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll

2008-12-21 18:35 . 2008-12-21 18:35 <DIR> d-------- c:\windows\ERUNT

2008-12-21 13:35 . 2008-12-21 21:01 <DIR> d-------- C:\SDFix

2008-12-21 01:44 . 2008-12-21 01:44 0 --a------ c:\windows\dir

2008-12-20 23:56 . 2008-12-21 18:23 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2008-12-20 21:52 . 2008-03-05 15:56 3,786,760 --a------ c:\windows\system32\D3DX9_37.dll

2008-12-20 21:51 . 2007-03-12 16:42 3,495,784 --a------ c:\windows\system32\d3dx9_33.dll

2008-12-20 18:41 . 2008-12-20 18:41 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes

2008-12-20 18:39 . 2008-12-20 21:25 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-12-20 18:39 . 2008-12-20 18:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-20 18:39 . 2008-12-03 19:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-20 18:39 . 2008-12-03 19:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-19 23:00 . 2008-12-19 23:00 <DIR> d-------- c:\documents and settings\Owner\Application Data\Deusty

2008-12-19 22:59 . 2008-12-19 22:59 <DIR> d-------- c:\program files\Deusty

2008-11-30 23:40 . 2008-11-30 23:40 <DIR> d-------- c:\documents and settings\Owner\Application Data\dvdcss

2008-11-30 23:38 . 2008-11-30 23:38 <DIR> d-------- c:\documents and settings\Owner\Application Data\vlc

2008-11-30 22:51 . 2008-04-13 16:12 218,624 --a------ c:\windows\system32\uxtheme.uxtender

2008-11-28 19:14 . 2008-11-28 19:15 <DIR> d-------- c:\program files\iTunes

2008-11-28 19:14 . 2008-11-28 19:14 <DIR> d-------- c:\program files\iPod

2008-11-28 19:11 . 2008-11-28 19:12 <DIR> d-------- c:\program files\QuickTime

2008-11-27 23:49 . 2008-11-27 23:49 <DIR> d-------- c:\documents and settings\Owner\Application Data\Red Alert 3

2008-11-27 23:19 . 2008-11-27 23:19 <DIR> dr-h----- c:\documents and settings\Owner\Application Data\SecuROM

2008-11-27 23:19 . 2008-11-27 23:19 107,888 --a------ c:\windows\system32\CmdLineExt.dll

2008-11-27 22:53 . 2008-11-27 22:53 <DIR> d-------- c:\program files\Electronic Arts

2008-11-27 22:53 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll

2008-11-27 22:53 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll

2008-11-27 22:52 . 2008-11-27 22:52 <DIR> d-------- c:\windows\Logs

2008-11-27 22:52 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll

2008-11-27 22:52 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll

2008-11-27 22:52 . 2007-07-19 18:14 1,358,192 --a------ c:\windows\system32\D3DCompiler_35.dll

2008-11-27 22:52 . 2007-07-19 18:14 444,776 --a------ c:\windows\system32\d3dx10_35.dll

2008-11-27 22:48 . 2008-11-27 22:48 <DIR> d-------- c:\program files\DAEMON Tools Lite

2008-11-27 22:44 . 2008-11-27 22:44 717,296 --a------ c:\windows\system32\drivers\sptd.sys

2008-11-27 22:43 . 2008-11-27 22:43 <DIR> d-------- c:\documents and settings\Owner\Application Data\DAEMON Tools

2008-11-25 16:19 . 2008-11-25 16:20 <DIR> d-------- c:\program files\Pidgin

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-22 05:59 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-12-21 21:46 --------- d-----w c:\documents and settings\Owner\Application Data\.purple

2008-12-20 03:17 --------- d-----w c:\documents and settings\All Users\Application Data\avg8

2008-12-19 23:55 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-19 23:55 --------- d-----w c:\program files\HP

2008-12-11 05:43 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2008-12-02 00:00 --------- d-----w c:\program files\DivX

2008-12-01 06:54 --------- d-----w c:\program files\Steam

2008-12-01 06:23 --------- d-----w c:\program files\Microsoft Money 2006

2008-12-01 06:08 --------- d-----w c:\program files\FirstClass

2008-11-29 03:11 --------- d-----w c:\program files\Common Files\Apple

2008-11-28 08:19 --------- d-----w c:\program files\PeerGuardian2

2008-11-28 08:05 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint

2008-11-26 05:32 --------- d-----w c:\documents and settings\Owner\Application Data\gtk-2.0

2008-11-26 00:28 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip

2008-11-26 00:19 --------- d-----w c:\program files\Common Files\GTK

2008-10-27 03:10 30 ----a-w c:\documents and settings\Owner\jagex_runescape_preferences.dat

2008-10-25 17:20 --------- d-----w c:\documents and settings\Mom\Application Data\Skype

2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-10-22 02:51 --------- d-----w c:\program files\Microsoft Silverlight

2008-07-12 21:37 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008071220080713\index.dat

2007-05-28 02:45 4,026,656 --sha-w c:\windows\system32\drivers\fidbox.dat

2007-05-28 02:45 141,856 --sha-w c:\windows\system32\drivers\fidbox2.dat

.

((((((((((((((((((((((((((((( snapshot@2008-12-22_11.42.06.85 )))))))))))))))))))))))))))))))))))))))))

.

+ 2005-10-21 04:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Power2GoExpress"="NA" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk

backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk

backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk

backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ymetray.lnk

backup=c:\windows\pss\ymetray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mom^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\documents and settings\Mom\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Dropbox.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Dropbox.lnk

backup=c:\windows\pss\Dropbox.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

--a------ 2005-06-06 23:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

--a------ 2008-08-08 04:11 490952 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]

--a------ 2004-08-22 16:05 81920 c:\program files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

--a------ 2007-08-24 07:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

--a------ 2004-11-03 13:03 125528 c:\program files\Common Files\AOL\1138786303\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]

--a------ 2007-02-05 14:52 849280 c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]

--a------ 2007-05-17 13:45 279912 c:\program files\Microsoft LifeCam\LifeExp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2007-03-01 14:57 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2007-12-05 01:41 8523776 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]

--a------ 2002-09-13 22:42 212992 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]

--a------ 2005-02-25 17:24 966656 c:\windows\creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

--a------ 2005-01-12 03:01 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]

--a------ 2008-01-21 11:17 61440 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

--a------ 2008-11-30 20:04 1410296 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

--a------ 2006-07-15 05:22 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX6000]

--a------ 2007-04-10 13:46 996712 c:\windows\vVX6000.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

--------- 2006-10-18 20:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]

--a------ 2008-04-13 16:12 110592 c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2007-12-05 01:41 1626112 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

--a------ 2005-09-26 15:07 90112 c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"gusvc"=3 (0x3)

"Adobe LM Service"=3 (0x3)

"aawservice"=2 (0x2)

"WMPNetworkSvc"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\1138786303\\EE\\AOLServiceHost.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Steam\\SteamApps\\a1engongst3r\\team fortress 2\\hl2.exe"=

"c:\\Program Files\\Pidgin\\pidgin.exe"=

"c:\\Program Files\\Steam\\SteamApps\\a1engongst3r\\counter-strike source\\hl2.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-07-08 97928]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-08 231704]

S3 usbvm328;HP Camera;c:\windows\system32\Drivers\usbvm326.sys []

S3 vmfilter323;VC0326 filter service for Serome;c:\windows\system32\drivers\vmfilter323.sys [2008-06-26 475264]

S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\DRIVERS\VX6000Xp.sys [2008-10-04 2385896]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]

\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53fc49bc-f385-11da-b04c-0040ca93db3a}]

\Shell\AutoRun\command - H:\9.cmd

\Shell\explore\Command - H:\9.cmd

\Shell\open\Command - H:\9.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cc3e7da9-9a4e-11da-831d-806d6172696f}]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.

Contents of the 'Scheduled Tasks' folder

2008-12-20 c:\windows\Tasks\1-Click Maintenance.job

- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe []

2008-12-20 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2007-06-02 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job

- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-02-05 14:52]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.netflix.com/MemberHome

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm

c:\windows\system32\msvcrt.dll - c:\windows\system32\mfc42.dll

c:\windows\system32\olepro32.dll

c:\windows\Downloaded Program Files\VaxSIPUserAgentCAB.ocx

O16 -: {3D3BF1F8-9696-4A5E-B4F1-49101C997B70}

hxxp://www.earthcaller.com/VaxSIPUserAgentCAB.cab

c:\windows\Downloaded Program Files\VaxSIPUserAgentCAB.inf

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\oql3x384.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr_ymail&p=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr_ymail&p=

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\oql3x384.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll

FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll

FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint_03050024.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

ATTENTION: FIREFOX POLICES IS IN FORCE

FF - user.js: network.http.max-connections-per-server - 6

FF - user.js: network.http.max-persistent-connections-per-server - 3

FF - user.js: content.max.tokenizing.time - 1500000

FF - user.js: content.notify.interval - 750000

FF - user.js: nglayout.initialpaint.delay - 100

FF - user.js: content.switch.threshold - 750000

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-22 12:56:54

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)

c:\windows\system32\Ati2evxx.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\program files\AVG\AVG8\avgrsx.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2008-12-22 13:06:51 - machine was rebooted

ComboFix-quarantined-files.txt 2008-12-22 21:06:39

ComboFix2.txt 2008-12-22 19:44:00

Pre-Run: 43,605,037,056 bytes free

Post-Run: 43,478,458,368 bytes free

320 --- E O F --- 2008-12-18 03:01:20


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:44:54 PM, on 12/22/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Microsoft Office\Office12\WINWORD.EXE

C:\Program Files\AIM6\aim6.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/MemberHome

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {3D3BF1F8-9696-4A5E-B4F1-49101C997B70} - http://www.earthcaller.com/VaxSIPUserAgentCAB.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O24 - Desktop Component 0: (no name) - http://fc07.deviantart.com/fs37/i/2008/244...y_aliveruka.jpg

--

End of file - 4952 bytes


Apologies for the long wait for my reply. Been a hectic couple of days.

Both logs look good, just a few minor things to fix with HJT, no threats tho. How's the machine performing now?

Open HJT, run a scan with all windows and browsers closed, place a tick next to the following lines, if present, then hit the '[Fix checked]' button:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

Reboot, run another scan with HJT, and if the lines above are no longer displayed in the resultant scan, then there is no need to post another HJT log.

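To show why those four lines are fix candidates while the rest of the log is left alone, here is a small HJT log triage script. It is an added example, not part of this thread or of HijackThis itself; the sample input is constructed from the log lines above, and the "Microsoft default" test (a URL on go.microsoft.com) is my own assumption about why the helper picked the R1 entries.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: the four HJT lines the helper asked to fix, plus two
# entries from the same log that should be left alone.
HJT_SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/MemberHome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
# Assumption: hosts used by IE's stock start/search URLs (not from the thread).
MS_DEFAULT_HOSTS = {"go.microsoft.com"}

def classify(line):
    """Return (section, verdict) for one HijackThis entry, or None if not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    # A registration whose target file is gone is a leftover: nothing can run
    # from it, so removing the entry only cleans up the registry.
    if body.endswith("(no file)"):
        return section, "orphan"
    # R0/R1 lines carry 'key,value = URL'. A URL on Microsoft's own fwlink host is
    # IE's factory default; HJT lists it because the value is set, not hijacked.
    if section in ("R0", "R1") and " = " in body:
        url = body.split(" = ", 1)[1].strip()
        host = urlparse(url).hostname or ""
        if host in MS_DEFAULT_HOSTS:
            return section, "microsoft-default"
    return section, "keep"

def triage(log_text):
    """Pair every entry line with its verdict; anything not 'keep' is a fix candidate."""
    results = []
    for line in log_text.splitlines():
        c = classify(line)
        if c:
            results.append((line.strip(), c[1]))
    return results

def fix_candidates(log_text):
    return [line for line, verdict in triage(log_text) if verdict != "keep"]

if __name__ == "__main__":
    for line, verdict in triage(HJT_SAMPLE):
        print(f"{verdict:18} {line}")
```

Entries the script marks "keep" (the Netflix start page, the AVG tray autorun) are exactly the ones the helper did not list; a real triage would also check O4/O23 paths against known-good locations, which this example leaves out.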