[Resolved] smitfraud

Welcome to your place for tech questions! ( Log In or Join today ) Get answers from experts today. (it's 100% free) Virus removal forum

What the Tech > Spyware / Malware / Virus Removal > Virus, Spyware & Malware Removal

2 Pages

1 2 >

[Resolved] smitfraud, Need Help Removing Smitfraud

Options

Nancy1960 View Member Profile	Jan 21 2008, 05:49 PM Post #1
New Member Group: New Member Posts: 10 Joined: 21-January 08 Member No.: 76,183 Operating System: xp	Hello. I have been trying to get rid of smitfraud for days now. I have tried all the advice ive found on various sites , all to no avail. I added sygate firewall as an added precaution and it has stopped all the popups I was getting from the smitfraud, because I blocked explore.exe from getting out and also NT kernal and system . I have no clue as to how those two process are involved but it keeps the popups from coming up . Hijack log is below. Thanks for any help you can give me . Nancy Logfile of HijackThis v1.99.1 Scan saved at 17:41, on 2008-01-21 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sygate\SPF\smc.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\stsystra.exe C:\PROGRA~1\SYSTEM~1\WScheduler.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\dllhost.exe C:\Program Files\internet explorer\iexplore.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/?.src=fp R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O2 - BHO: (no name) - {0228FED3-6E02-488B-A8C6-ACDF372FAF66} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL O2 - BHO: (no name) - {DD801250-6AC3-4139-B11E-EC8D8E6336E1} - (no file) O2 - BHO: (no name) - {EEE9A1A3-20E6-4037-A7D5-19BC455DDA7D} - (no file) O2 - BHO: 0 - {F3884342-070E-4632-139C-C67967A8FCF7} - (no file) O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [WScheduler] C:\PROGRA~1\SYSTEM~1\WScheduler.exe /LOGON O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O11 - Options group: [INTERNATIONAL] International* O15 - Trusted Zone: www.select2perform.com O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2perform.com/cabs/QOLCheck.ocx O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab O20 - Winlogon Notify: pmnkhig - pmnkhig.dll (file missing) O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Rorschach112 View Member Profile	Jan 26 2008, 09:21 AM Post #2
Retired Staff-Malware Expert Group: Authentic Member Posts: 3,651 Joined: 29-September 07 Member No.: 73,164 Operating System: Windows XP	Hello Please download Deckard's System Scanner (DSS) and save it to your Desktop. Close all other windows before proceeding. Double-click on dss.exe and follow the prompts. If your anti-virus or firewall complains, please allow this script to run as it is not malicious. When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Nancy1960 View Member Profile	Jan 27 2008, 09:47 AM Post #3
New Member Group: New Member Posts: 10 Joined: 21-January 08 Member No.: 76,183 Operating System: xp	Thanks for answering Here are my logs. Deckard's System Scanner v20071014.68 Run by NancyJ on 2008-01-27 09:40:05 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- System Restore -------------------------------------------------------------- Successfully created a Deckard's System Scanner Restore Point. -- Last 3 Restore Point(s) -- 3: 2008-01-27 15:40:09 UTC - RP3 - Deckard's System Scanner Restore Point 2: 2008-01-27 09:00:30 UTC - RP2 - Software Distribution Service 3.0 1: 2008-01-21 22:31:55 UTC - RP1 - System Checkpoint Backed up registry hives. Performed disk cleanup. -- HijackThis (run as NancyJ.exe) ---------------------------------------------- Unable to find log (file not found); running clone. -- HijackThis Clone ------------------------------------------------------------ Emulating logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2008-01-27 09:42:30 Platform: Windows XP Service Pack 2 (5.01.2600) MSIE: Internet Explorer (7.00.6000.16574) Boot mode: Normal Running processes: C:\WINDOWS\system32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Sygate\SPF\Smc.exe C:\WINDOWS\system32\ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\explorer.exe C:\WINDOWS\stsystra.exe C:\Program Files\SystemScheduler\WScheduler.exe C:\Program Files\Grisoft\AVG7\avgcc.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Grisoft\AVG7\avgamsvr.exe C:\Program Files\Grisoft\AVG7\avgupsvc.exe C:\Program Files\Grisoft\AVG7\avgemc.exe C:\WINDOWS\ehome\ehrecvr.exe C:\WINDOWS\ehome\ehSched.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\dllhost.exe C:\Documents and Settings\NancyJ\Desktop\dss.exe C:\Program Files\Hijackthis\NancyJ.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/?.src=fp R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch O2 - BHO: (no name) - {0228FED3-6E02-488B-A8C6-ACDF372FAF66} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL O2 - BHO: (no name) - {DD801250-6AC3-4139-B11E-EC8D8E6336E1} - (no file) O2 - BHO: (no name) - {EEE9A1A3-20E6-4037-A7D5-19BC455DDA7D} - (no file) O2 - BHO: 0 - {F3884342-070E-4632-139C-C67967A8FCF7} - (no file) O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [WScheduler] C:\PROGRA~1\SYSTEM~1\WScheduler.exe /LOGON O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user') O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user') O15 - Trusted Zone: https://online.musicmatch.com (HKLM) O15 - Trusted Zone: .www.select2perform.com (HKCU) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/3/9...heckControl.cab O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2perform.com/cabs/QOLCheck.ocx O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} () - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab O20 - Winlogon Notify: pmnkhig - C:\WINDOWS\system32\pmnkhig.dll (file missing) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe -- End of file - 5619 bytes -- File Associations ----------------------------------------------------------- All associations okay. -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver> R1 ipfltdrvv - c:\windows\system32\drivers\ipfltdrvv.sys R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt> R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver> S3 catchme - c:\docume~1\nancyj\locals~1\temp\catchme.sys (file missing) S3 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus> S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing) -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- All services whitelisted. -- Device Manager: Disabled ---------------------------------------------------- No disabled devices found. -- Scheduled Tasks ------------------------------------------------------------- 2008-01-21 12:24:05 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job -- Files created between 2007-12-27 and 2008-01-27 ----------------------------- 2008-01-21 12:03:28 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus> 2008-01-20 22:10:56 0 d-------- C:\Program Files\Eusing Free Registry Cleaner 2008-01-20 22:01:16 0 d-------- C:\Documents and Settings\NancyJ\Application Data\Uniblue 2008-01-18 09:43:40 806 --a------ C:\WINDOWS\system32\tmp.reg 2008-01-18 09:27:49 0 d-------- C:\Program Files\JustZIPit 2008-01-18 09:02:26 1238674 --a------ C:\MGtools.exe 2008-01-18 09:00:17 0 dr-h----- C:\Documents and Settings\NancyJ\Recent 2008-01-17 21:07:58 0 d-------- C:\Program Files\Trend Micro 2008-01-17 21:00:17 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Macromedia 2008-01-17 20:59:52 0 dr------- C:\Documents and Settings\NetworkService\Favorites 2008-01-17 20:24:38 60496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver> 2008-01-17 20:24:37 21075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt> 2008-01-17 20:24:17 0 d-------- C:\Program Files\Sygate 2008-01-17 09:30:45 0 d-------- C:\Program Files\Alwil Software 2008-01-16 23:36:48 0 d-------- C:\VundoFix Backups 2008-01-16 23:07:24 0 d-------- C:\Program Files\CCleaner 2008-01-16 20:08:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-01-16 19:59:00 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2008-01-16 19:52:12 0 d-------- C:\Documents and Settings\NancyJ\Application Data\True Sword 2008-01-16 19:50:55 0 d-------- C:\Program Files\True Sword 4 2008-01-16 19:42:25 0 d-------- C:\Program Files\XoftSpySE 2008-01-16 18:33:59 0 dr------- C:\Documents and Settings\LocalService\Favorites 2008-01-16 18:13:50 0 d-------- C:\Program Files\Dot1XCfg 2008-01-16 18:10:24 0 d--hs---- C:\WINDOWS\TmFuY3lK 2008-01-16 18:10:16 86016 --a------ C:\WINDOWS\system32\drivers\ipfltdrvv.sys 2008-01-16 18:10:07 0 d-------- C:\WINDOWS\system32\edcA01 2007-12-30 18:02:23 0 d-------- C:\Documents and Settings\NancyJ\Application Data\wsInspector 2007-12-30 17:57:32 0 d-------- C:\Program Files\Startup Inspector for Windows 2007-12-29 13:00:45 0 d-------- C:\Program Files\Apple Software Update 2007-12-29 13:00:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple -- Find3M Report --------------------------------------------------------------- 2008-01-27 09:31:35 0 d-------- C:\Program Files\World of Warcraft 2008-01-27 00:00:01 0 d-------- C:\Program Files\SystemScheduler 2008-01-23 10:37:26 6686 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys 2008-01-23 10:37:26 104 -r-hs---- C:\WINDOWS\system32\7EE836C30B.sys 2008-01-20 11:04:30 0 d-------- C:\Documents and Settings\NancyJ\Application Data\AVG7 2008-01-18 09:09:56 0 d-------- C:\Program Files\Messenger 2008-01-17 11:31:53 0 d-------- C:\Program Files\Google 2008-01-16 23:03:57 0 d-------- C:\Program Files\Windows Plus 2008-01-16 23:03:56 0 d-------- C:\Program Files\QuickTime 2008-01-16 20:42:12 0 d-------- C:\Program Files\Common Files 2008-01-13 10:23:43 0 d-------- C:\Documents and Settings\NancyJ\Application Data\SecondLife 2007-12-19 19:09:16 0 d-------- C:\Documents and Settings\NancyJ\Application Data\Corel -- Registry Dump --------------------------------------------------------------- Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0228FED3-6E02-488B-A8C6-ACDF372FAF66}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DD801250-6AC3-4139-B11E-EC8D8E6336E1}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE9A1A3-20E6-4037-A7D5-19BC455DDA7D}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F3884342-070E-4632-139C-C67967A8FCF7}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 22:20 C:\WINDOWS\stsystra.exe] "WScheduler"="C:\PROGRA~1\SYSTEM~1\WScheduler.exe" [2007-06-25 20:19] "SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-17 08:11] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00] [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkhig] pmnkhig.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk] backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk] backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}] AutoRun\command- E:\setup.exe -- End of Deckard's System Scanner: finished at 2008-01-27 09:43:06 ------------ Deckard's System Scanner v20071014.68 Extra logfile - please post this as an attachment with your post. -------------------------------------------------------------------------------- -- System Information ---------------------------------------------------------- Microsoft Windows XP Professional (build 2600) SP 2.0 Architecture: X86; Language: English CPU 0: Intel® Pentium® D CPU 2.80GHz CPU 1: Intel® Pentium® D CPU 2.80GHz Percentage of Memory in Use: 40% Physical Memory (total/avail): 1022.07 MiB / 605.77 MiB Pagefile Memory (total/avail): 2459.16 MiB / 2129.88 MiB Virtual Memory (total/avail): 2047.88 MiB / 1917.75 MiB A: is Removable (No Media) C: is Fixed (NTFS) - 69.79 GiB total, 39.25 GiB free. D: is CDROM (No Media) \\.\PHYSICALDRIVE0 - ST380819AS - 74.5 GiB - 3 partitions \PARTITION0 - Unknown - 54.88 MiB \PARTITION1 (bootable) - Installable File System - 69.79 GiB - C: \PARTITION2 - Unknown - 4.64 GiB -- Security Center ------------------------------------------------------------- AUOptions is scheduled to auto-install. Windows Internal Firewall is enabled. FirstRunDisabled is set. FW: Sygate Personal Firewall v4.6 (Sygate Technologies, Inc.) AV: AVG 7.5.516 v7.5.516 (Grisoft) [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] -- Environment Variables ------------------------------------------------------- ALLUSERSPROFILE=C:\Documents and Settings\All Users APPDATA=C:\Documents and Settings\NancyJ\Application Data CLIENTNAME=Console CommonProgramFiles=C:\Program Files\Common Files COMPUTERNAME=NANCY ComSpec=C:\WINDOWS\system32\cmd.exe FP_NO_HOST_CHECK=NO HOMEDRIVE=C: HOMEPATH=\Documents and Settings\NancyJ LOGONSERVER=\\NANCY NUMBER_OF_PROCESSORS=2 OS=Windows_NT Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\ATI Technologies\ATI.ACE PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH PROCESSOR_ARCHITECTURE=x86 PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 4, GenuineIntel PROCESSOR_LEVEL=15 PROCESSOR_REVISION=0404 ProgramFiles=C:\Program Files PROMPT=$P$G SESSIONNAME=Console SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\ SystemDrive=C: SystemRoot=C:\WINDOWS TEMP=C:\DOCUME~1\NancyJ\LOCALS~1\Temp TMP=C:\DOCUME~1\NancyJ\LOCALS~1\Temp USERDOMAIN=NANCY USERNAME=NancyJ USERPROFILE=C:\Documents and Settings\NancyJ windir=C:\WINDOWS -- User Profiles --------------------------------------------------------------- NancyJ (admin) Administrator (admin) -- Add/Remove Programs --------------------------------------------------------- --> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205} --> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6} --> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382} --> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629} --> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095} --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747} Adobe Acrobat - Reader 6.0.2 Update --> MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01} Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001} Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log AOLIcon --> MsiExec.exe /I{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C} Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4} ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe ATI Catalyst Control Center --> MsiExec.exe /I{22C97984-6A68-4140-872E-B2F5123A7387} ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe" ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe" Conexant D850 56K V.9x DFVc Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf Dell CinePlayer --> MsiExec.exe /I{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54} Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76} Dell Support 3.1 --> MsiExec.exe /X{548EEA8E-8299-497F-8057-811D2D7097DC} Digital Content Portal --> MsiExec.exe /I{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33} Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText Documentation & Support Launcher --> MsiExec.exe /X{B0DF58A2-40DF-4465-AA56-38623EC9938C} EducateU --> MsiExec.exe /I{A683A2C0-821C-486F-858C-FA634DB5E864} ELIcon --> MsiExec.exe /I{4667B940-BB01-428B-986E-A0CC46497BF7} Eusing Free Registry Cleaner --> C:\PROGRA~1\EUSING~1\UNWISE.EXE C:\PROGRA~1\EUSING~1\INSTALL.LOG Games, Music, & Photos Launcher --> MsiExec.exe /X{B6884A07-0305-47AE-9969-8F26FADC17DE} GemMaster Mystic --> "C:\Program Files\GemMaster\uninstallgemmaster.exe" High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe" HijackThis 1.99.1 --> C:\Program Files\Hijackthis\HijackThis.exe /uninstall HP PSC & OfficeJet 5.3.B --> "C:\Program Files\HP\Digital Imaging\{49FB31C1-26EC-44c6-AB47-73C66E2BC41E}\setup\hpzscr01.exe" -datfile hposcr07.dat IGN Download Manager 2.3.2 --> C:\Program Files\IGN\Download Manager\uninst.exe iLive Seminar 4.0.2 Build 6 --> C:\WINDOWS\UNWISE.EXE C:\WINDOWS\INSTALL.LOG Intel® PRO Network Connections Drivers --> Prounstl.exe Intel® PROSet for Wired Connections --> MsiExec.exe /I{83F793B5-8BBF-42FD-A8A6-868CB3E2AAEA} Jasc Paint Shop Pro 9 --> MsiExec.exe /I{F843C6A3-224D-4615-94F8-3C461BD9AEA0} Jasc Paint Shop Pro 9.01 - (9.0.1.1) --> C:\Program Files\Jasc Software Inc\Paint Shop Pro 9\Unwise.exe /R /U C:\PROGRA~1\JASCSO~1\PAINTS~1\INSTALL.LOG Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030} Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe Logitech Desktop Messenger --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\Setup.exe" -l0x9 UNINSTALL Logitech QuickCam --> MsiExec.exe /I{0496D9E9-224B-4AFA-8F37-23B98D52F1EB} Logitech® Camera Driver --> "C:\Program Files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT MCU --> MsiExec.exe /I{D2988E9B-C73F-422C-AD4B-A66EBE257120} Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7} Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B} Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d} Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel Move Networks Player for Internet Explorer --> "C:\Documents and Settings\NancyJ\Application Data\Move Networks\ie_bin\unins000.exe" Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85D3CC30-8859-481A-9654-FD9B74310BEF}\setup.exe" -l0x9 -uninst MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exe NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText NetZeroInstallers --> MsiExec.exe /X{352310C3-E46B-42D3-8F32-54721FDD72D9} QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks\|RealPlayer\|6.0 Roxio DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6} Roxio RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382} Roxio RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629} Roxio RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205} SecondLife (remove only) --> "C:\Program Files\SecondLife\uninst.exe" /P="SecondLife" Sonic Activation Module --> MsiExec.exe /I{5B6BE547-21E2-49CA-B2E2-6A5F470593B1} Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011} Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E} Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe" Sygate Personal Firewall --> MsiExec.exe /I{F34D9A5F-484A-4E31-A9D3-908CB265B289} System Scheduler 3.73 --> "C:\Program Files\SystemScheduler\unins000.exe" Uninstall Startup Inspector --> "C:\Program Files\Startup Inspector for Windows\unins000.exe" Update Rollup 2 for Windows XP Media Center Edition 2005 --> C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u WebCyberCoach 3.2 Dell --> "C:\Program Files\WebCyberCoach\b_Dell\WCC_Wipe.exe" "WebCyberCoach ext\wtrb" /inf "engine.inf,RealUninstallSection,,4" /infcfg "enginecf.inf,RealUninstallSection,,4" Windows XP Media Center Edition 2005 KB908246 --> "C:\WINDOWS\$NtUninstallKB908246$\spuninst\spuninst.exe" Windows XP Media Center Edition 2005 KB912067 --> WordPerfect Office 12 --> MsiExec.exe /I{AF19F291-F22F-4798-9662-525305AE9E48} World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG -- Application Event Log ------------------------------------------------------- Event Record #/Type3976 / Error Event Submitted/Written: 01/21/2008 07:31:08 PM Event ID/Source: 1002 / Application Hang Event Description: Hanging application iexplore.exe, version 7.0.6000.16574, hang module hungapp, version 0.0.0.0, hang address 0x00000000. Event Record #/Type3951 / Warning Event Submitted/Written: 01/21/2008 10:00:08 AM Event ID/Source: 1001 / MsiInstaller Event Description: Detection of product '{30465B6C-B53F-49A1-9EBA-A3F187AD502E}', feature 'SoleFeature' failed during request for component '{D2D7B4BF-6CCA-11D5-8B3F-00105A9846E9}' Event Record #/Type3950 / Warning Event Submitted/Written: 01/21/2008 10:00:08 AM Event ID/Source: 1004 / MsiInstaller Event Description: Detection of product '{30465B6C-B53F-49A1-9EBA-A3F187AD502E}', feature 'SoleFeature', component '{5CC2D105-A760-4EC4-8B74-750194E57B99}' failed. The resource 'C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe' does not exist. Event Record #/Type3948 / Error Event Submitted/Written: 01/21/2008 10:00:07 AM Event ID/Source: 11706 / MsiInstaller Event Description: Product: Sonic Update Manager -- Error 1706. An installation package for the product Sonic Update Manager cannot be found. Try the installation again using a valid copy of the installation package 'UM.MSI'. Event Record #/Type3947 / Warning Event Submitted/Written: 01/21/2008 10:00:02 AM Event ID/Source: 1001 / MsiInstaller Event Description: Detection of product '{30465B6C-B53F-49A1-9EBA-A3F187AD502E}', feature 'SoleFeature' failed during request for component '{D2D7B4BF-6CCA-11D5-8B3F-00105A9846E9}' -- Security Event Log ---------------------------------------------------------- No Errors/Warnings found. -- System Event Log ------------------------------------------------------------ Event Record #/Type10549 / Warning Event Submitted/Written: 01/27/2008 09:07:43 AM Event ID/Source: 36 / W32Time Event Description: The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized. Event Record #/Type10543 / Warning Event Submitted/Written: 01/26/2008 00:06:03 PM Event ID/Source: 4226 / Tcpip Event Description: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts. Event Record #/Type10542 / Warning Event Submitted/Written: 01/26/2008 11:48:14 AM Event ID/Source: 4226 / Tcpip Event Description: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts. Event Record #/Type10541 / Warning Event Submitted/Written: 01/26/2008 09:08:41 AM Event ID/Source: 36 / W32Time Event Description: The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized. Event Record #/Type10540 / Warning Event Submitted/Written: 01/25/2008 09:07:39 AM Event ID/Source: 36 / W32Time Event Description: The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized. -- End of Deckard's System Scanner: finished at 2008-01-27 09:43:06 ------------

Rorschach112 View Member Profile	Jan 27 2008, 11:33 AM Post #4
Retired Staff-Malware Expert Group: Authentic Member Posts: 3,651 Joined: 29-September 07 Member No.: 73,164 Operating System: Windows XP	Hello You have two firewalls running, this causes a lot of problems so you need to disable Windows Firewall 1. Click Start, click Run, type Firewall.cpl, and then click OK. 2. On the General tab, click Off (not recommended), and then click OK. Download ComboFix from one of the locations below, and save it to your Desktop. Link 1 Link 2 Link 3 Double click combofix.exe and follow the prompts. When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Nancy1960 View Member Profile	Jan 27 2008, 01:44 PM Post #5
New Member Group: New Member Posts: 10 Joined: 21-January 08 Member No.: 76,183 Operating System: xp	Here are the logs : ComboFix 08-01-23.1C - NancyJ 2008-01-27 13:30:10.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.701 [GMT -6:00] Running from: C:\Documents and Settings\NancyJ\Desktop\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\temp\tn3 C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete . ---- Previous Run ------- . C:\Program Files\Helper C:\Program Files\Messenger\certemo.html C:\Program Files\Temporary C:\Temp\1cb C:\Temp\1cb\syscheck.log C:\temp\tn3 C:\WINDOWS\system32\aycdd.ini C:\WINDOWS\system32\aycdd.ini2 C:\WINDOWS\system32\e9 C:\WINDOWS\system32\e9\farstadcom2.exe C:\WINDOWS\system32\icroso~1 C:\WINDOWS\system32\icroso~1\?icrosoft\ C:\WINDOWS\system32\p2 C:\WINDOWS\system32\pac.txt C:\WINDOWS\system32\t8 C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\LEGACY_CMDSERVICE -------\LEGACY_NETWORK_MONITOR ((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 ))))))))))))))))))))))))))))))) . 2008-01-27 13:36 . 2008-01-27 13:36 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk 2008-01-27 13:34 . 2008-01-27 13:34 <DIR> d-------- C:\Temp\tn3 2008-01-27 09:39 . 2008-01-27 09:39 <DIR> d-------- C:\Deckard 2008-01-26 12:34 . 2004-08-10 04:00 811,064 --a------ C:\WINDOWS\system32\imjp81k.dll 2008-01-21 17:55 . 2008-01-21 17:55 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-01-21 17:55 . 2008-01-21 17:55 1,409 --a------ C:\WINDOWS\QTFont.for 2008-01-21 12:03 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS 2008-01-21 11:46 . 2008-01-21 11:46 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico 2008-01-21 11:46 . 2008-01-21 11:46 1,406 --a------ C:\WINDOWS\system32\Help.ico 2008-01-20 22:10 . 2008-01-20 22:21 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner 2008-01-18 09:43 . 2008-01-21 13:02 806 --a------ C:\WINDOWS\system32\tmp.reg 2008-01-18 09:27 . 2008-01-19 22:35 <DIR> d-------- C:\Program Files\JustZIPit 2008-01-18 09:02 . 2008-01-18 09:02 1,238,674 --a------ C:\MGtools.exe 2008-01-18 08:59 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe 2008-01-17 21:07 . 2008-01-17 21:07 <DIR> d-------- C:\Program Files\Trend Micro 2008-01-17 20:24 . 2008-01-17 20:24 <DIR> d-------- C:\Program Files\Sygate 2008-01-17 20:24 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll 2008-01-17 20:24 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys 2008-01-17 20:24 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys 2008-01-17 20:24 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys 2008-01-17 20:24 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys 2008-01-17 20:24 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys 2008-01-17 20:24 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys 2008-01-17 09:30 . 2008-01-17 09:30 <DIR> d-------- C:\Program Files\Alwil Software 2008-01-16 23:36 . 2008-01-16 23:36 <DIR> d-------- C:\VundoFix Backups 2008-01-16 23:07 . 2008-01-16 23:07 <DIR> d-------- C:\Program Files\CCleaner 2008-01-16 19:50 . 2008-01-17 00:15 <DIR> d-------- C:\Program Files\True Sword 4 2008-01-16 19:42 . 2008-01-17 00:14 <DIR> d-------- C:\Program Files\XoftSpySE 2008-01-16 18:13 . 2008-01-16 23:03 <DIR> d-------- C:\Program Files\Dot1XCfg 2008-01-16 18:10 . 2008-01-16 20:02 <DIR> d--hs---- C:\WINDOWS\TmFuY3lK 2008-01-16 18:10 . 2008-01-16 19:09 <DIR> d-------- C:\WINDOWS\system32\edcA01 2008-01-16 18:10 . 2008-01-16 18:10 <DIR> d-------- C:\Temp\Ryuan1 2008-01-16 18:10 . 2008-01-16 18:10 86,016 --a------ C:\WINDOWS\system32\drivers\ipfltdrvv.sys 2007-12-30 17:57 . 2007-12-30 17:58 <DIR> d-------- C:\Program Files\Startup Inspector for Windows 2007-12-29 13:00 . 2007-12-29 13:00 <DIR> d-------- C:\Program Files\Apple Software Update . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-27 15:57 --------- d-----w C:\Program Files\World of Warcraft 2008-01-27 06:00 --------- d-----w C:\Program Files\SystemScheduler 2008-01-17 17:31 --------- d-----w C:\Program Files\Google 2008-01-17 05:03 --------- d-----w C:\Program Files\Windows Plus 2008-01-17 05:03 --------- d-----w C:\Program Files\QuickTime 2006-06-04 02:00 88 --sh--r C:\WINDOWS\system32\0BC336E87E.sys 2005-07-29 22:24 472 --sha-r C:\WINDOWS\TmFuY3lK\nAIRsa54.vbs . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0228FED3-6E02-488B-A8C6-ACDF372FAF66}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DD801250-6AC3-4139-B11E-EC8D8E6336E1}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE9A1A3-20E6-4037-A7D5-19BC455DDA7D}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F3884342-070E-4632-139C-C67967A8FCF7}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 22:20 339968 C:\WINDOWS\stsystra.exe] "WScheduler"="C:\PROGRA~1\SYSTEM~1\WScheduler.exe" [2007-06-25 20:19 75264] "SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-17 08:11 579072] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 07:12 219136] "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-03-06 23:06 5181440] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkhig] pmnkhig.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk] backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk] backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM] --a------ 2006-04-27 18:38 20480 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe R1 ipfltdrvv;ipfltdrvv;C:\WINDOWS\system32\drivers\ipfltdrvv.sys [2008-01-16 18:10] R3 PhilCam8116_XP;Logitech QuickCam Pro 3000(PID_08B1);C:\WINDOWS\system32\DRIVERS\CamDrL20.sys [2004-05-21 13:16] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}] \Shell\AutoRun\command - E:\setup.exe . Contents of the 'Scheduled Tasks' folder "2008-01-21 18:24:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe . ************************************************************************ catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-27 13:36:47 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . Completion time: 2008-01-27 13:39:33 - machine was rebooted [NancyJ] ComboFix-quarantined-files.txt 2008-01-27 19:39:31 . 2008-01-27 09:01:01 --- E O F --- Logfile of HijackThis v1.99.1 Scan saved at 1:41:02 PM, on 1/27/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sygate\SPF\smc.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\stsystra.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/?.src=fp R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O2 - BHO: (no name) - {0228FED3-6E02-488B-A8C6-ACDF372FAF66} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL O2 - BHO: (no name) - {DD801250-6AC3-4139-B11E-EC8D8E6336E1} - (no file) O2 - BHO: (no name) - {EEE9A1A3-20E6-4037-A7D5-19BC455DDA7D} - (no file) O2 - BHO: 0 - {F3884342-070E-4632-139C-C67967A8FCF7} - (no file) O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [WScheduler] C:\PROGRA~1\SYSTEM~1\WScheduler.exe /LOGON O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O11 - Options group: [INTERNATIONAL] International* O15 - Trusted Zone: www.select2perform.com O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2perform.com/cabs/QOLCheck.ocx O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab O20 - Winlogon Notify: pmnkhig - pmnkhig.dll (file missing) O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Rorschach112 View Member Profile	Jan 27 2008, 04:45 PM Post #6
Retired Staff-Malware Expert Group: Authentic Member Posts: 3,651 Joined: 29-September 07 Member No.: 73,164 Operating System: Windows XP	Hello 1. Close any open browsers. 2. Open notepad and copy/paste the text in the quotebox below into it: QUOTE File:: C:\WINDOWS\system32\drivers\core.cache.dsk C:\WINDOWS\system32\drivers\ipfltdrvv.sys Folder:: C:\Temp\tn3 C:\Program Files\Dot1XCfg C:\WINDOWS\TmFuY3lK C:\WINDOWS\system32\edcA01 C:\Temp\Ryuan1 Registry:: [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}] Driver:: ipfltdrvv Save this as CFScript.txt, in the same location as ComboFix.exe Refering to the picture above, drag CFScript into ComboFix.exe When finished, it shall produce a log for you at "C:\ComboFix.txt" Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall 1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present): O2 - BHO: (no name) - {0228FED3-6E02-488B-A8C6-ACDF372FAF66} - (no file) O2 - BHO: (no name) - {DD801250-6AC3-4139-B11E-EC8D8E6336E1} - (no file) O2 - BHO: (no name) - {EEE9A1A3-20E6-4037-A7D5-19BC455DDA7D} - (no file) O2 - BHO: 0 - {F3884342-070E-4632-139C-C67967A8FCF7} - (no file) O20 - Winlogon Notify: pmnkhig - pmnkhig.dll (file missing) 2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis. Reboot and post a new HijackThis log

Nancy1960 View Member Profile	Jan 27 2008, 05:13 PM Post #7
New Member Group: New Member Posts: 10 Joined: 21-January 08 Member No.: 76,183 Operating System: xp	Okay, Heres the new Hijack log : Logfile of HijackThis v1.99.1 Scan saved at 5:11:52 PM, on 1/27/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sygate\SPF\smc.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\stsystra.exe C:\PROGRA~1\SYSTEM~1\WScheduler.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/?.src=fp R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [WScheduler] C:\PROGRA~1\SYSTEM~1\WScheduler.exe /LOGON O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O11 - Options group: [INTERNATIONAL] International* O15 - Trusted Zone: www.select2perform.com O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2perform.com/cabs/QOLCheck.ocx O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Rorschach112 View Member Profile	Jan 27 2008, 05:19 PM Post #8
Retired Staff-Malware Expert Group: Authentic Member Posts: 3,651 Joined: 29-September 07 Member No.: 73,164 Operating System: Windows XP	Can you post the ComboFix log as well

Nancy1960 View Member Profile	Jan 27 2008, 07:27 PM Post #9
New Member Group: New Member Posts: 10 Joined: 21-January 08 Member No.: 76,183 Operating System: xp	Yes, sorry. I believe this is it : ComboFix 08-01-23.1C - NancyJ 2008-01-27 16:55:42.3 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.624 [GMT -6:00] Running from: C:\Documents and Settings\NancyJ\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\NancyJ\Desktop\cfscript.txt * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\temp\tn3 C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete . ((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 ))))))))))))))))))))))))))))))) . 2008-01-27 16:59 . 2008-01-27 16:59 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk 2008-01-27 16:58 . 2008-01-27 16:58 <DIR> d-------- C:\Temp\tn3 2008-01-27 09:39 . 2008-01-27 09:39 <DIR> d-------- C:\Deckard 2008-01-26 12:34 . 2004-08-10 04:00 811,064 --a------ C:\WINDOWS\system32\imjp81k.dll 2008-01-21 12:03 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS 2008-01-21 11:46 . 2008-01-21 11:46 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico 2008-01-21 11:46 . 2008-01-21 11:46 1,406 --a------ C:\WINDOWS\system32\Help.ico 2008-01-20 22:10 . 2008-01-20 22:21 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner 2008-01-18 09:43 . 2008-01-21 13:02 806 --a------ C:\WINDOWS\system32\tmp.reg 2008-01-18 09:27 . 2008-01-19 22:35 <DIR> d-------- C:\Program Files\JustZIPit 2008-01-18 09:02 . 2008-01-18 09:02 1,238,674 --a------ C:\MGtools.exe 2008-01-18 08:59 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe 2008-01-17 21:07 . 2008-01-17 21:07 <DIR> d-------- C:\Program Files\Trend Micro 2008-01-17 20:24 . 2008-01-17 20:24 <DIR> d-------- C:\Program Files\Sygate 2008-01-17 20:24 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll 2008-01-17 20:24 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys 2008-01-17 20:24 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys 2008-01-17 20:24 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys 2008-01-17 20:24 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys 2008-01-17 20:24 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys 2008-01-17 20:24 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys 2008-01-17 09:30 . 2008-01-17 09:30 <DIR> d-------- C:\Program Files\Alwil Software 2008-01-16 23:36 . 2008-01-16 23:36 <DIR> d-------- C:\VundoFix Backups 2008-01-16 23:07 . 2008-01-16 23:07 <DIR> d-------- C:\Program Files\CCleaner 2008-01-16 19:50 . 2008-01-17 00:15 <DIR> d-------- C:\Program Files\True Sword 4 2008-01-16 19:42 . 2008-01-17 00:14 <DIR> d-------- C:\Program Files\XoftSpySE 2008-01-16 18:13 . 2008-01-16 23:03 <DIR> d-------- C:\Program Files\Dot1XCfg 2008-01-16 18:10 . 2008-01-16 20:02 <DIR> d--hs---- C:\WINDOWS\TmFuY3lK 2008-01-16 18:10 . 2008-01-16 19:09 <DIR> d-------- C:\WINDOWS\system32\edcA01 2008-01-16 18:10 . 2008-01-16 18:10 <DIR> d-------- C:\Temp\Ryuan1 2008-01-16 18:10 . 2008-01-16 18:10 86,016 --a------ C:\WINDOWS\system32\drivers\ipfltdrvv.sys 2007-12-30 17:57 . 2007-12-30 17:58 <DIR> d-------- C:\Program Files\Startup Inspector for Windows 2007-12-29 13:00 . 2007-12-29 13:00 <DIR> d-------- C:\Program Files\Apple Software Update . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-27 15:57 --------- d-----w C:\Program Files\World of Warcraft 2008-01-27 06:00 --------- d-----w C:\Program Files\SystemScheduler 2008-01-17 17:31 --------- d-----w C:\Program Files\Google 2008-01-17 05:03 --------- d-----w C:\Program Files\Windows Plus 2008-01-17 05:03 --------- d-----w C:\Program Files\QuickTime 2006-06-04 02:00 88 --sh--r C:\WINDOWS\system32\0BC336E87E.sys 2005-07-29 22:24 472 --sha-r C:\WINDOWS\TmFuY3lK\nAIRsa54.vbs . ((((((((((((((((((((((((((((( snapshot@2008-01-27_13.39.20.07 ))))))))))))))))))))))))))))))))))))))))) . - 2008-01-27 19:29:50 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT + 2008-01-27 22:55:35 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT - 2008-01-27 19:29:50 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat + 2008-01-27 22:55:35 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat - 2008-01-27 19:29:50 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT + 2008-01-27 22:55:35 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT - 2008-01-27 19:29:50 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat + 2008-01-27 22:55:36 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat - 2008-01-27 19:29:50 5,087,232 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT + 2008-01-27 22:55:36 5,095,424 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT - 2008-01-27 19:29:50 24,576 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat + 2008-01-27 22:55:36 24,576 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0228FED3-6E02-488B-A8C6-ACDF372FAF66}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DD801250-6AC3-4139-B11E-EC8D8E6336E1}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE9A1A3-20E6-4037-A7D5-19BC455DDA7D}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F3884342-070E-4632-139C-C67967A8FCF7}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 22:20 339968 C:\WINDOWS\stsystra.exe] "WScheduler"="C:\PROGRA~1\SYSTEM~1\WScheduler.exe" [2007-06-25 20:19 75264] "SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-17 08:11 579072] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 07:12 219136] "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-03-06 23:06 5181440] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkhig] pmnkhig.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk] backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk] backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM] --a------ 2006-04-27 18:38 20480 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe R1 ipfltdrvv;ipfltdrvv;C:\WINDOWS\system32\drivers\ipfltdrvv.sys [2008-01-16 18:10] R3 PhilCam8116_XP;Logitech QuickCam Pro 3000(PID_08B1);C:\WINDOWS\system32\DRIVERS\CamDrL20.sys [2004-05-21 13:16] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}] \Shell\AutoRun\command - E:\setup.exe . Contents of the 'Scheduled Tasks' folder "2008-01-21 18:24:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe . ************************************************************************ catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-27 17:00:19 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . Completion time: 2008-01-27 17:03:11 - machine was rebooted ComboFix-quarantined-files.txt 2008-01-27 23:03:09 ComboFix2.txt 2008-01-27 19:39:33 . 2008-01-27 09:01:01 --- E O F ---

Rorschach112 View Member Profile	Jan 27 2008, 07:29 PM Post #10
Retired Staff-Malware Expert Group: Authentic Member Posts: 3,651 Joined: 29-September 07 Member No.: 73,164 Operating System: Windows XP	Hello Please download Deckard's System Scanner (DSS) and save it to your Desktop. Close all other windows before proceeding. Double-click on dss.exe and follow the prompts. If your anti-virus or firewall complains, please allow this script to run as it is not malicious. When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Nancy1960 View Member Profile	Jan 27 2008, 07:33 PM Post #11
New Member Group: New Member Posts: 10 Joined: 21-January 08 Member No.: 76,183 Operating System: xp	Ok i did do that, I will try it again ...

Nancy1960 View Member Profile	Jan 27 2008, 07:42 PM Post #12
New Member Group: New Member Posts: 10 Joined: 21-January 08 Member No.: 76,183 Operating System: xp	The DSS.exe scan only opened one log window this time. Here it is : Deckard's System Scanner v20071014.68 Run by NancyJ on 2008-01-27 19:37:33 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- HijackThis (run as NancyJ.exe) ---------------------------------------------- Unable to find log (file not found); running clone. -- HijackThis Clone ------------------------------------------------------------ Emulating logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2008-01-27 19:38:17 Platform: Windows XP Service Pack 2 (5.01.2600) MSIE: Internet Explorer (7.00.6000.16574) Boot mode: Normal Running processes: C:\WINDOWS\system32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Sygate\SPF\Smc.exe C:\WINDOWS\system32\ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\explorer.exe C:\WINDOWS\stsystra.exe C:\Program Files\Grisoft\AVG7\avgcc.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Grisoft\AVG7\avgamsvr.exe C:\Program Files\Grisoft\AVG7\avgupsvc.exe C:\Program Files\Grisoft\AVG7\avgemc.exe C:\WINDOWS\ehome\ehrecvr.exe C:\WINDOWS\ehome\ehSched.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\LVCOMSX.EXE C:\Documents and Settings\NancyJ\Desktop\dss.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/?.src=fp R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [WScheduler] C:\PROGRA~1\SYSTEM~1\WScheduler.exe /LOGON O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user') O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user') O15 - Trusted Zone: https://online.musicmatch.com (HKLM) O15 - Trusted Zone: .www.select2perform.com (HKCU) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/3/9...heckControl.cab O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2perform.com/cabs/QOLCheck.ocx O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} () - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe -- End of file - 5194 bytes -- Files created between 2007-12-27 and 2008-01-27 ----------------------------- 2008-01-21 12:03:28 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus> 2008-01-20 22:10:56 0 d-------- C:\Program Files\Eusing Free Registry Cleaner 2008-01-20 22:01:16 0 d-------- C:\Documents and Settings\NancyJ\Application Data\Uniblue 2008-01-18 09:43:40 806 --a------ C:\WINDOWS\system32\tmp.reg 2008-01-18 09:27:49 0 d-------- C:\Program Files\JustZIPit 2008-01-18 09:02:26 1238674 --a------ C:\MGtools.exe 2008-01-18 09:00:17 0 dr-h----- C:\Documents and Settings\NancyJ\Recent 2008-01-17 21:07:58 0 d-------- C:\Program Files\Trend Micro 2008-01-17 21:00:17 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Macromedia 2008-01-17 20:59:52 0 dr------- C:\Documents and Settings\NetworkService\Favorites 2008-01-17 20:24:38 60496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver> 2008-01-17 20:24:37 21075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt> 2008-01-17 20:24:17 0 d-------- C:\Program Files\Sygate 2008-01-17 09:30:45 0 d-------- C:\Program Files\Alwil Software 2008-01-16 23:36:48 0 d-------- C:\VundoFix Backups 2008-01-16 23:07:24 0 d-------- C:\Program Files\CCleaner 2008-01-16 20:08:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-01-16 19:59:00 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2008-01-16 19:52:12 0 d-------- C:\Documents and Settings\NancyJ\Application Data\True Sword 2008-01-16 19:50:55 0 d-------- C:\Program Files\True Sword 4 2008-01-16 19:42:25 0 d-------- C:\Program Files\XoftSpySE 2008-01-16 18:33:59 0 dr------- C:\Documents and Settings\LocalService\Favorites 2008-01-16 18:13:50 0 d-------- C:\Program Files\Dot1XCfg 2008-01-16 18:10:24 0 d--hs---- C:\WINDOWS\TmFuY3lK 2008-01-16 18:10:16 86016 --a------ C:\WINDOWS\system32\drivers\ipfltdrvv.sys 2008-01-16 18:10:07 0 d-------- C:\WINDOWS\system32\edcA01 2007-12-30 18:02:23 0 d-------- C:\Documents and Settings\NancyJ\Application Data\wsInspector 2007-12-30 17:57:32 0 d-------- C:\Program Files\Startup Inspector for Windows 2007-12-29 13:00:45 0 d-------- C:\Program Files\Apple Software Update 2007-12-29 13:00:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple -- Find3M Report --------------------------------------------------------------- 2008-01-27 17:15:08 0 d-------- C:\Program Files\World of Warcraft 2008-01-27 00:00:01 0 d-------- C:\Program Files\SystemScheduler 2008-01-23 10:37:26 6686 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys 2008-01-23 10:37:26 104 -r-hs---- C:\WINDOWS\system32\7EE836C30B.sys 2008-01-20 11:04:30 0 d-------- C:\Documents and Settings\NancyJ\Application Data\AVG7 2008-01-18 09:09:56 0 d-------- C:\Program Files\Messenger 2008-01-17 11:31:53 0 d-------- C:\Program Files\Google 2008-01-16 23:03:57 0 d-------- C:\Program Files\Windows Plus 2008-01-16 23:03:56 0 d-------- C:\Program Files\QuickTime 2008-01-16 20:42:12 0 d-------- C:\Program Files\Common Files 2008-01-13 10:23:43 0 d-------- C:\Documents and Settings\NancyJ\Application Data\SecondLife 2007-12-19 19:09:16 0 d-------- C:\Documents and Settings\NancyJ\Application Data\Corel -- Registry Dump --------------------------------------------------------------- Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SigmatelSysTrayApp"="stsystra.exe" [03/22/2005 10:20 PM C:\WINDOWS\stsystra.exe] "WScheduler"="C:\PROGRA~1\SYSTEM~1\WScheduler.exe" [06/25/2007 08:19 PM] "SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [10/15/2004 07:40 PM] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [01/17/2008 08:11 AM] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 04:00 AM] [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk] backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk] backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}] AutoRun\command- E:\setup.exe -- End of Deckard's System Scanner: finished at 2008-01-27 19:38:38 ------------

Rorschach112 View Member Profile	Jan 27 2008, 07:46 PM Post #13
Retired Staff-Malware Expert Group: Authentic Member Posts: 3,651 Joined: 29-September 07 Member No.: 73,164 Operating System: Windows XP	Hello 1. Close any open browsers. 2. Open notepad and copy/paste the text in the quotebox below into it: QUOTE File:: C:\WINDOWS\system32\drivers\ipfltdrvv.sys E:\setup.exe Folder:: C:\Program Files\Dot1XCfg C:\WINDOWS\TmFuY3lK C:\WINDOWS\system32\edcA01 Registry:: [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}] Driver:: ipfltdrvv Save this as CFScript.txt, in the same location as ComboFix.exe Refering to the picture above, drag CFScript into ComboFix.exe When finished, it shall produce a log for you at "C:\ComboFix.txt" Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall Also post a new HijackThis log

Nancy1960 View Member Profile	Jan 27 2008, 08:02 PM Post #14
New Member Group: New Member Posts: 10 Joined: 21-January 08 Member No.: 76,183 Operating System: xp	Here are the logs : ComboFix 08-01-23.1C - NancyJ 2008-01-27 19:51:55.4 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.687 [GMT -6:00] Running from: C:\Documents and Settings\NancyJ\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\NancyJ\Desktop\cfscript.txt * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! FILE C:\WINDOWS\system32\drivers\ipfltdrvv.sys E:\setup.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Program Files\Dot1XCfg C:\temp\tn3 C:\WINDOWS\system32\drivers\core.cache.dsk C:\WINDOWS\system32\drivers\ipfltdrvv.sys C:\WINDOWS\system32\edcA01 C:\WINDOWS\TmFuY3lK C:\WINDOWS\TmFuY3lK\nAIRsa54.vbs . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\LEGACY_IPFLTDRVV -------\ipfltdrvv ((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-28 ))))))))))))))))))))))))))))))) . 2008-01-27 09:39 . 2008-01-27 09:39 <DIR> d-------- C:\Deckard 2008-01-26 12:34 . 2004-08-10 04:00 811,064 --a------ C:\WINDOWS\system32\imjp81k.dll 2008-01-21 12:03 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS 2008-01-21 11:46 . 2008-01-21 11:46 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico 2008-01-21 11:46 . 2008-01-21 11:46 1,406 --a------ C:\WINDOWS\system32\Help.ico 2008-01-20 22:10 . 2008-01-20 22:21 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner 2008-01-18 09:43 . 2008-01-21 13:02 806 --a------ C:\WINDOWS\system32\tmp.reg 2008-01-18 09:27 . 2008-01-19 22:35 <DIR> d-------- C:\Program Files\JustZIPit 2008-01-18 09:02 . 2008-01-18 09:02 1,238,674 --a------ C:\MGtools.exe 2008-01-18 08:59 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe 2008-01-17 21:07 . 2008-01-17 21:07 <DIR> d-------- C:\Program Files\Trend Micro 2008-01-17 20:24 . 2008-01-17 20:24 <DIR> d-------- C:\Program Files\Sygate 2008-01-17 20:24 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll 2008-01-17 20:24 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys 2008-01-17 20:24 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys 2008-01-17 20:24 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys 2008-01-17 20:24 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys 2008-01-17 20:24 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys 2008-01-17 20:24 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys 2008-01-17 09:30 . 2008-01-17 09:30 <DIR> d-------- C:\Program Files\Alwil Software 2008-01-16 23:36 . 2008-01-16 23:36 <DIR> d-------- C:\VundoFix Backups 2008-01-16 23:07 . 2008-01-16 23:07 <DIR> d-------- C:\Program Files\CCleaner 2008-01-16 19:50 . 2008-01-17 00:15 <DIR> d-------- C:\Program Files\True Sword 4 2008-01-16 19:42 . 2008-01-17 00:14 <DIR> d-------- C:\Program Files\XoftSpySE 2008-01-16 18:10 . 2008-01-16 18:10 <DIR> d-------- C:\Temp\Ryuan1 2007-12-30 17:57 . 2007-12-30 17:58 <DIR> d-------- C:\Program Files\Startup Inspector for Windows 2007-12-29 13:00 . 2007-12-29 13:00 <DIR> d-------- C:\Program Files\Apple Software Update . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-27 23:15 --------- d-----w C:\Program Files\World of Warcraft 2008-01-27 06:00 --------- d-----w C:\Program Files\SystemScheduler 2008-01-17 17:31 --------- d-----w C:\Program Files\Google 2008-01-17 05:03 --------- d-----w C:\Program Files\Windows Plus 2008-01-17 05:03 --------- d-----w C:\Program Files\QuickTime 2006-06-04 02:00 88 --sh--r C:\WINDOWS\system32\0BC336E87E.sys . ((((((((((((((((((((((((((((( snapshot@2008-01-27_13.39.20.07 ))))))))))))))))))))))))))))))))))))))))) . - 2008-01-27 19:29:50 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT + 2008-01-28 01:51:36 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT - 2008-01-27 19:29:50 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat + 2008-01-28 01:51:37 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat - 2008-01-27 19:29:50 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT + 2008-01-28 01:51:37 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT - 2008-01-27 19:29:50 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat + 2008-01-28 01:51:37 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat - 2008-01-27 19:29:50 5,087,232 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT + 2008-01-28 01:51:37 5,095,424 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT - 2008-01-27 19:29:50 24,576 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat + 2008-01-28 01:51:37 24,576 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 22:20 339968 C:\WINDOWS\stsystra.exe] "WScheduler"="C:\PROGRA~1\SYSTEM~1\WScheduler.exe" [2007-06-25 20:19 75264] "SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-17 08:11 579072] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 07:12 219136] "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-03-06 23:06 5181440] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk] backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk] backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM] --a------ 2006-04-27 18:38 20480 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe R3 PhilCam8116_XP;Logitech QuickCam Pro 3000(PID_08B1);C:\WINDOWS\system32\DRIVERS\CamDrL20.sys [2004-05-21 13:16] . Contents of the 'Scheduled Tasks' folder "2008-01-21 18:24:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe . ************************************************************************ catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-27 19:56:39 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . Completion time: 2008-01-27 19:59:11 - machine was rebooted ComboFix-quarantined-files.txt 2008-01-28 01:59:09 ComboFix2.txt 2008-01-27 23:03:11 ComboFix3.txt 2008-01-27 19:39:33 . 2008-01-27 09:01:01 --- E O F --- Logfile of HijackThis v1.99.1 Scan saved at 8:00:29 PM, on 1/27/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sygate\SPF\smc.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\stsystra.exe C:\PROGRA~1\SYSTEM~1\WScheduler.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/?.src=fp R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [WScheduler] C:\PROGRA~1\SYSTEM~1\WScheduler.exe /LOGON O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O11 - Options group: [INTERNATIONAL] International* O15 - Trusted Zone: www.select2perform.com O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2perform.com/cabs/QOLCheck.ocx O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Rorschach112 View Member Profile	Jan 27 2008, 10:21 PM Post #15
Retired Staff-Malware Expert Group: Authentic Member Posts: 3,651 Joined: 29-September 07 Member No.: 73,164 Operating System: Windows XP	Hello Download and scan with SUPERAntiSpyware Free for Home Users Double-click SUPERAntiSpyware.exe and use the default settings for installation. An icon will be created on your desktop. Double-click that icon to launch the program. If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.) Under "*Configuration and Preferences", click the Preferences* button. Click the Scanning Control tab. Under Scanner Options make sure the following are checked (leave all others unchecked): Close browsers before scanning. Scan for tracking cookies. Terminate memory threats before quarantining. Click the "Close" button to leave the control center screen. Back on the main screen, under "*Scan for Harmful Software" click Scan your computer. On the left, make sure you check C:\Fixed Drive. On the right, under "Complete Scan", choose Perform Complete Scan. Click "Next" to start the scan. Please be patient while it scans your computer. After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK". Make sure everything has a checkmark next to it and click "Next". A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu. If asked if you want to reboot, click "Yes". To retrieve the removal information after reboot, launch SUPERAntispyware again. Click Preferences, then click the Statistics/Logs tab.* Under Scanner Logs, double-click SUPERAntiSpyware Scan Log. If there are several logs, click the current dated log and press View log. A text file will open in your default text editor. Please copy and paste the Scan Log results in your next reply. Click Close to exit the program. Also tell me how your PC is running

« Next Oldest · Virus, Spyware & Malware Removal · Next Newest »

2 Pages

1 2 >

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Topic Title	Replies	Topic Starter	Views	Last Action
Virus, Spyware & Malware Removal [Resolved] Audio Advertisements Play in the Background of my Computer	8	Andy B	4,810	5th April 2010 - 01:47 PM Last post by: gringo_pr
Virus, Spyware & Malware Removal [Resolved] My Browser Keeps Being Hijacked	10	skid360	2,038	14th September 2007 - 09:20 PM Last post by: Trevuren
Virus, Spyware & Malware Removal [Resolved] Help Needed Pop Ups, Winantivirus, & Software In S 123	39	catcher33	4,364	16th September 2007 - 12:42 AM Last post by: Gary R
Virus, Spyware & Malware Removal Smitfraud.c removal	10	westernmac	2,185	6th July 2005 - 08:36 AM Last post by: pskelley
Virus, Spyware & Malware Removal Smitfraud Error Warning Wont Go Away !	3	Ranmier	1,214	28th April 2005 - 12:52 PM Last post by: Daemon