[Resolved] VUNDO / mljji.dll infection


15 replies to this topic

#1 timos

Posted 09 January 2008 - 12:46 AM

Any help on this would be greatly appreciated!
I was running McAfee when the infection occurred, now almost a week ago, bringing the computer and me to our knees. The McAfee warning ("Vundo") message 'shimmered', stating it could not isolate, kept coming up over and over again, then froze. Thereafter, boot and overall performance were exceedingly slow, Windows Explorer screens disappearing, etc. Attempts at manual registry deletion of "mljji" entries necessitated a Windows reload. McAfee was replaced with Avast. Others were tried as well. Avast gives a "Win32:TratBHO [trj]" warning on boot, with inconsistent responses to isolate/chest, delete, and move/rename attempts, i.e. sometimes mljji.dll seemingly disappears from system32, sometimes it does not. mljji.dll seems to sneak out of the Avast chest/isolation, reflected as follows:

********************************************************************************
***************************************
Scanning of selected files
------------------------------------------------------------------------------------------
Program will try to scan 1 selected file(s) in the Chest

Move files to temporary folder: C:\DOCUME~1\Timothy\LOCALS~1\Temp\_avast4_\unp46977517.tmp
FileID: 0000000040 Original file name: C:\WINDOWS\system32\mljji.dll New folder: C:\DOCUME~1\Timothy\LOCALS~1\Temp\_avast4_\unp46977517.tmp\40.dll

Scan files in the temporary folder: C:\DOCUME~1\Timothy\LOCALS~1\Temp\_avast4_\unp46977517.tmp
C:\DOCUME~1\Timothy\LOCALS~1\Temp\_avast4_\unp46977517.tmp\40.dll Win32:TratBHO [Trj]
------------------------------------------------------------------------------------------
Action was completed successfully!
********************************************************************************
*************************************

BUT no file is seen there. However, Avast did appear to move/rename the file successfully, without the file absconding. There it sits, renamed, in the Avast-created 'moved mljji.dll' subdirectory of the program directory, taunting me. The size reflected there is 336 KB (344,576 bytes).

mljji.dll is always back upon reboot. I have tried VundoFix repeatedly, to no avail, as well as VirtumundoBeGone.

Here is the latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:56 AM, on 1/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\SERA 3.0\VPN Client\cvpnd.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Adelphia HSAgent\bin\tgcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Adelphia HSAgent\bin\tgcmd .exe
C:\Program Files\Common Files\AOL\1115497508\ee\aolsoftware.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\AOL\1115497508\ee\aolsoftware .exe
c:\program files\common files\aol\1115497508\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1115497508\ee\aolsoftware.exe
c:\program files\common files\aol\1115497508\ee\aolsoftware .exe
C:\Program Files\Nero\Nero 7\Nero StartSmart\NeroStartSmart.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\My Downloads\programs\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: {5ac29a0c-74e3-a6aa-5b34-1fce8e1804ce} - {ec4081e8-ecf1-43b5-aa6a-3e47c0a92ca5} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1115497508\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [tgcmd] "c:\Program Files\Adelphia HSAgent\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PODF97~3.EXE" -Run
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Memorex Autorun.lnk = E:\autorun.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
O9 - Extra button: Microsoft® JavaScript® Console - {8B65C874-0B5A-409A-A481-17D7A1CEED27} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {E9173ECA-1F4F-41ed-AF1F-8F723DFE3458} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
O9 - Extra button: (no name) - {E9173ECA-1F4F-41ed-AF1F-8F723DFE3458} - (no file) (HKCU)
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.co...g-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.po...l-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.co...s-ob-assets.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst3_x.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.a...ad/tgctlins.cab
O16 - DPF: {10B80396-96A7-11D3-B7A6-00A0C94C6AE0} (ParallelGraphics Cortona VRML 1.0 to VRML 2.0 convertor) - http://www.parallelg.../cortvrml10.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol....ed/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1199481226109
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.cortona3d...in/cortvrml.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.qatrainin...t/lab/msrdp.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol....red/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...iss-loc/vso/en-us/tools/mcfscan/1,5,0,4298/mcfscan.cab
O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O20 - Winlogon Notify: vtuvvsr - vtuvvsr.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\SERA 3.0\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: VPN 5000 Service 1.00.00 (VPN5000Service) - Unknown owner - C:\Program Files\IntraPort Client\vpn5000service.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11083 bytes


THANKS IN ADVANCE FOR ANY HELP!!


#2 timos

Posted 12 January 2008 - 05:05 PM

Still awaiting help here, please. Updated Hijack log attached. Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:41 AM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\SERA 3.0\VPN Client\cvpnd.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adelphia HSAgent\bin\tgcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
C:\Program Files\Common Files\AOL\1115497508\ee\aolsoftware.exe
C:\Program Files\Adelphia HSAgent\bin\tgcmd .exe
C:\Program Files\Common Files\AOL\1115497508\ee\aolsoftware .exe
c:\program files\common files\aol\1115497508\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1115497508\ee\aolsoftware.exe
c:\program files\common files\aol\1115497508\ee\aolsoftware .exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\notepad.exe
C:\Documents and Settings\Timothy\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: {5ac29a0c-74e3-a6aa-5b34-1fce8e1804ce} - {ec4081e8-ecf1-43b5-aa6a-3e47c0a92ca5} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1115497508\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [tgcmd] "c:\Program Files\Adelphia HSAgent\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PODF97~3.EXE" -Run
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
O9 - Extra button: Microsoft® JavaScript® Console - {8B65C874-0B5A-409A-A481-17D7A1CEED27} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {E9173ECA-1F4F-41ed-AF1F-8F723DFE3458} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
O9 - Extra button: (no name) - {E9173ECA-1F4F-41ed-AF1F-8F723DFE3458} - (no file) (HKCU)
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.co...g-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.po...l-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.co...s-ob-assets.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst3_x.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.a...ad/tgctlins.cab
O16 - DPF: {10B80396-96A7-11D3-B7A6-00A0C94C6AE0} (ParallelGraphics Cortona VRML 1.0 to VRML 2.0 convertor) - http://www.parallelg.../cortvrml10.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol....83/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1199481226109
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.cortona3d...in/cortvrml.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.qatrainin...t/lab/msrdp.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-cent...bin/actxcab.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol....,20/McGDMgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...298/mcfscan.cab
O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O20 - Winlogon Notify: vtuvvsr - vtuvvsr.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\SERA 3.0\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: VPN 5000 Service 1.00.00 (VPN5000Service) - Unknown owner - C:\Program Files\IntraPort Client\vpn5000service.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10853 bytes
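
The things a helper looks for by eye in the two logs above (a Winlogon Notify DLL that is missing from disk, a BHO named only by a CLSID and pointing at no file, and the `jusched .exe` / `tgcmd .exe` entries with a space before the extension sitting next to the real files) can be pulled out mechanically. The following is an added Python example for this thread, not code from HijackThis, Avast, ComboFix or the forum; the sample lines are copied from the logs posted above, and the check names and reason labels are my own.

```python
import re
from dataclasses import dataclass

# A CLSID in braces, exactly as HijackThis prints it.
CLSID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# A HijackThis entry: "O2 - ...", "O20 - ...", "R1 - ..." and so on.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
# A file name ending in whitespace followed by a program extension,
# e.g. "jusched .exe" listed beside the real "jusched.exe".
SPACE_EXT_RE = re.compile(r"[A-Za-z0-9_~)][ \t]+\.(?:exe|dll|scr|com|sys)\b", re.I)
MISSING_TAGS = ("(no file)", "(file missing)")

# Reason labels (my own wording, not HijackThis output).
SPACE_EXT = "space before the file extension (companion file)"
BARE_CLSID = "BHO has no friendly name, only a CLSID"
ORPHAN_HOOK = "browser hook whose DLL is absent (orphan or hidden)"
WINLOGON_MISSING = "Winlogon Notify DLL listed but not found on disk"
ORPHAN_BUTTON = "orphaned IE extra button or menu item"


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def _missing(body: str) -> bool:
    return any(tag in body for tag in MISSING_TAGS)


def check_line(line: str) -> list[Finding]:
    """Apply every check to one log line and return the findings (maybe none)."""
    line = line.strip()
    findings: list[Finding] = []
    # Applies to process-list paths and O4 autostart entries alike.
    if SPACE_EXT_RE.search(line):
        findings.append(Finding(line, SPACE_EXT))
    m = ENTRY_RE.match(line)
    if not m:
        return findings
    kind, body = m.group("kind"), m.group("body")
    if kind == "O2":
        # O2 - BHO: <name> - {CLSID} - <path or (no file)>
        name = body.removeprefix("BHO:").split(" - ", 1)[0].strip()
        if CLSID_RE.match(name):
            findings.append(Finding(line, BARE_CLSID))
    if kind in ("O2", "O3") and _missing(body):
        findings.append(Finding(line, ORPHAN_HOOK))
    elif kind == "O20" and _missing(body):
        findings.append(Finding(line, WINLOGON_MISSING))
    elif kind == "O9" and _missing(body):
        findings.append(Finding(line, ORPHAN_BUTTON))
    return findings


def triage(log_text: str) -> list[Finding]:
    """Run check_line over every line of a log and collect the findings."""
    return [f for raw in log_text.splitlines() for f in check_line(raw)]


def by_reason(findings: list[Finding]) -> dict[str, int]:
    """Count findings per reason label."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


# Sample lines copied from the HijackThis logs posted in this thread,
# with a few clean lines mixed in so the checks have something to pass.
SAMPLE_LOG = r"""
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
C:\Program Files\Adelphia HSAgent\bin\tgcmd .exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: {5ac29a0c-74e3-a6aa-5b34-1fce8e1804ce} - {ec4081e8-ecf1-43b5-aa6a-3e47c0a92ca5} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O20 - Winlogon Notify: vtuvvsr - vtuvvsr.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:55} <- {f.line}")
```

Every hit is a lead for the helper to confirm by hand (a stale (no file) entry from an uninstalled toolbar is common and harmless), which is why the script labels and counts rather than deciding.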

#3 LDTate

Posted 13 January 2008 - 09:11 AM

Hello and Welcome to the forum.

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.

Next:

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.


(If you use Firefox or the Opera browser, to keep saved passwords click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Next:

Download ComboFix from Here to your Desktop.

**Note: In the event you already have ComboFix, please delete it from your desktop and download this new version. It is important that it is saved directly to your desktop.**
--------------------------------------------------------------------
  • Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
  • WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts
  • Please do not re-connect your machine back to the Internet until Combofix has completely finished.
--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.


#4 timos

Posted 13 January 2008 - 11:06 AM

LDTate:

Hi, and thanks so much for your help.

Of note (or perhaps not), my system performance had dramatically improved since my original post here and the original detected onset (about 10 days ago). Speed has become seemingly normal. However, Avast was still showing the mljji.dll infection on boot (and otherwise). Further, Avast, Super Ad Blocker and other program (full) scans were showing various VUNDO infections. Just last night, using File Research Center ("find out what's running on your computer"), I was directed to and deleted several different variations of VUNDO.

Also of note, after the original detected onset and manual registry tinkering, I had to reinstall or overinstall Windows XP from the OEM disc, and I subsequently reinstalled SERVICE PACK 2 (while infected!).

Third, just now (after running ComboFix), AOL Spyware showed a BIFROST backdoor, which I blocked. This is the very first inkling of that.

Below are the ComboFix and updated HijackThis logs:

ComboFix 08-01-13.1 - Timothy 2008-01-13 11:09:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.265 [GMT -5:00]
Running from: C:\Documents and Settings\Timothy\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Alwil Software\Avast4\ashDisp .exe
C:\Program Files\Common Files\AOL\1115497508\ee\AOLSoftware.exe
C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\Pure Networks\Port Magic\PO4A1A~1 .EXE
C:\Program Files\Pure Networks\Port Magic\PO4A1A~2 .EXE
C:\Program Files\Pure Networks\Port Magic\PO4A1A~3 .EXE
C:\Program Files\Pure Networks\Port Magic\PO4A1A~4 .EXE
C:\Program Files\Pure Networks\Port Magic\PO579B~1 .EXE
C:\Program Files\Pure Networks\Port Magic\PO579B~2 .EXE
C:\Program Files\Pure Networks\Port Magic\PO579B~3 .EXE
C:\Program Files\Pure Networks\Port Magic\PO579B~4 .EXE
C:\Program Files\Pure Networks\Port Magic\PO6634~1 .EXE
C:\Program Files\Pure Networks\Port Magic\PO6634~2 .EXE
C:\Program Files\Pure Networks\Port Magic\PO6634~3 .EXE
C:\Program Files\Pure Networks\Port Magic\PO6634~4 .EXE
C:\Program Files\Pure Networks\Port Magic\PODF97~1 .EXE
C:\Program Files\Pure Networks\Port Magic\PODF97~2 .EXE
C:\Program Files\Pure Networks\Port Magic\PORTAO~1 .EXE
C:\Program Files\Pure Networks\Port Magic\PORTAO~2 .EXE
C:\Program Files\Pure Networks\Port Magic\PORTAO~3 .EXE
C:\Program Files\Pure Networks\Port Magic\PORTAO~4 .EXE
C:\Program Files\Pure Networks\Port Magic\PortAOL .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\REGSHAVE\REGSHAVE.EXE
C:\WINDOWS\cookies.ini
C:\WINDOWS\IME\IMJP8_1\IMJPMIG .EXE
C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
C:\WINDOWS\system32\mljji.dll
C:\WINDOWS\system32\uninstall.exe

<pre>
C:\Program Files\Alwil Software\Avast4\ashDisp .exe ---> QooBox
C:\Program Files\Common Files\aol\1115497508\EE\AOLSoftware .exe ---> AOLSoftware.exe
C:\Program Files\Common Files\Roxio Shared\System\EngUtil .exe ---> EngUtil.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent .exe ---> diagent.exe
C:\Program Files\Messenger\msmsgs .exe ---> QooBox
C:\Program Files\Pure Networks\Port Magic\PODF97~2 .EXE ---> QooBox
C:\Program Files\QuickTime\qttask				   .exe ---> qttask.exe
C:\Program Files\REGSHAVE\REGSHAVE .EXE ---> REGSHAVE.EXE
C:\WINDOWS\IME\IMJP8_1\IMJPMIG .EXE ---> QooBox
C:\WINDOWS\IME\IMKR6_1\IMEKRMIG .EXE ---> IMEKRMIG.EXE
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe ---> QooBox
</pre>
.
.
((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-13 11:08 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-12 11:17 . 2008-01-12 11:17 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-01-12 11:17 . 2008-01-12 11:17 <DIR> d-------- C:\Documents and Settings\Timothy\Application Data\Malwarebytes
2008-01-10 01:25 . 1999-08-26 04:02 216,304 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\udfreadr.BAK
2008-01-09 14:39 . 2008-01-11 09:32 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-09 11:19 . 2008-01-10 17:28 <DIR> d-------- C:\Program Files\moved mljji dll bug 2
2008-01-09 01:58 . 2008-01-09 01:58 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-09 01:17 . 2007-07-09 08:09 584,192 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2008-01-08 23:06 . 2008-01-08 23:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LightScribe
2008-01-08 20:08 . 2008-01-08 20:08 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2008-01-08 19:57 . 2008-01-08 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-01-08 13:44 . 2008-01-09 14:40 <DIR> d-------- C:\Documents and Settings\Timothy\Application Data\Ahead
2008-01-08 13:40 . 2008-01-08 13:40 <DIR> d-------- C:\Program Files\Nero
2008-01-08 13:40 . 2008-01-08 20:00 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-01-07 00:41 . 2008-01-07 09:02 <DIR> d-------- C:\Documents and Settings\Timothy\Application Data\PrevxCSI
2008-01-07 00:41 . 2008-01-07 00:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-06 23:53 . 2008-01-12 11:11 <DIR> d-------- C:\Program Files\SuperAdBlocker.com
2008-01-06 23:53 . 2008-01-06 23:53 <DIR> d-------- C:\Documents and Settings\Timothy\Application Data\SuperAdBlocker.com
2008-01-06 22:23 . 2008-01-06 22:23 164 --a------ C:\install.dat
2008-01-06 21:00 . 2008-01-06 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-06 20:59 . 2008-01-06 22:51 <DIR> d-------- C:\Program Files\Security Task Manager
2008-01-06 19:52 . 2008-01-13 11:18 2,206 --a------ C:\WINDOWS\SYSTEM32\wpa.dbl
2008-01-06 15:07 . 2008-01-13 00:51 <DIR> d-------- C:\Program Files\moved mljji dll bug
2008-01-05 11:37 . 2008-01-06 23:45 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-05 11:37 . 2008-01-06 23:45 <DIR> d-------- C:\Documents and Settings\Timothy\Application Data\SUPERAntiSpyware.com
2008-01-05 11:37 . 2008-01-05 11:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-05 10:16 . 2008-01-05 10:17 <DIR> d-------- C:\Program Files\XoftSpySE
2008-01-04 21:50 . 2008-01-04 21:50 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-04 21:50 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2008-01-04 21:50 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2008-01-04 21:50 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2008-01-04 21:50 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2008-01-04 21:50 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2008-01-04 21:50 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2008-01-04 21:50 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2008-01-04 19:46 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\SYSTEM32\secupd.sig
2008-01-04 19:46 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\SYSTEM32\secupd.dat
2008-01-04 19:45 . 2004-08-04 02:56 380,416 --------- C:\WINDOWS\SYSTEM32\irprops.cpl
2008-01-04 19:44 . 2004-08-04 00:22 23,024 --a------ C:\WINDOWS\SYSTEM32\ieuinit.inf
2008-01-04 19:44 . 2004-07-17 13:40 19,528 --a------ C:\WINDOWS\002689_.tmp
2008-01-04 18:07 . 2004-08-04 02:56 614,912 --a------ C:\WINDOWS\SYSTEM32\h323msp.dll
2008-01-04 18:07 . 2004-08-04 02:56 331,264 --a------ C:\WINDOWS\SYSTEM32\ipnathlp.dll
2008-01-04 18:07 . 2004-08-04 02:56 265,728 --a------ C:\WINDOWS\SYSTEM32\h323.tsp
2008-01-04 17:36 . 2007-07-12 02:22 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-01-04 16:48 . 2005-10-20 17:20 1,082,368 --a------ C:\WINDOWS\SYSTEM32\esent.dll
2008-01-04 16:18 . 2004-08-04 02:56 351,232 --a------ C:\WINDOWS\SYSTEM32\winhttp.dll
2008-01-04 16:18 . 2004-08-04 02:56 18,944 --a------ C:\WINDOWS\SYSTEM32\qmgrprxy.dll
2008-01-04 16:17 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2008-01-04 16:17 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2008-01-04 16:10 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl
2008-01-04 15:55 . 2002-09-03 14:31 10,096,640 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxcht.dll
2008-01-04 15:54 . 2001-08-17 22:36 312,832 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_aqueue.dll
2008-01-04 15:53 . 2001-07-21 18:52 25,645 --a------ C:\WINDOWS\SYSTEM32\CNBJHLP.HLP
2008-01-04 15:53 . 2001-07-21 18:52 787 --a------ C:\WINDOWS\SYSTEM32\CNBJHLP.CNT
2008-01-04 15:53 . 2008-01-04 15:53 0 --a------ C:\WINDOWS\control.ini
2008-01-04 15:52 . 2008-01-04 15:52 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-01-04 15:52 . 2008-01-04 15:52 749 -rah----- C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest
2008-01-04 15:52 . 2008-01-04 15:52 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
2008-01-04 15:52 . 2008-01-04 15:52 749 -rah----- C:\WINDOWS\SYSTEM32\nwc.cpl.manifest
2008-01-04 15:52 . 2008-01-04 15:52 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
2008-01-04 15:52 . 2008-01-04 15:52 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest
2008-01-04 15:49 . 2007-07-30 19:19 1,712,984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2008-01-04 15:47 . 2004-08-04 00:59 57,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\redbook.sys
2008-01-04 15:47 . 2004-08-04 01:07 52,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\dmusic.sys
2008-01-04 15:47 . 2006-06-14 03:47 6,400 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\splitter.sys
2008-01-04 15:45 . 2004-08-04 02:56 130,048 --a------ C:\WINDOWS\SYSTEM32\ksproxy.ax
2008-01-04 15:45 . 2004-08-04 02:56 4,096 --a------ C:\WINDOWS\SYSTEM32\ksuser.dll
2008-01-04 15:44 . 2004-08-04 03:01 40,840 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\termdd.sys
2008-01-04 15:43 . 2004-08-04 01:01 196,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\rdpdr.sys
2008-01-04 15:41 . 2002-09-03 14:50 1,086,182 -ra------ C:\WINDOWS\SET116.tmp
2008-01-04 15:41 . 2002-09-03 14:40 13,608 -ra------ C:\WINDOWS\SET12B.tmp
2008-01-04 15:41 . 2002-09-03 15:06 7,046 -ra------ C:\WINDOWS\SET149.tmp
2008-01-03 22:50 . 2008-01-03 22:50 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-03 22:50 . 2008-01-03 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-03 01:40 . 2008-01-03 01:36 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-01-03 01:36 . 2008-01-03 01:40 <DIR> d-------- C:\Documents and Settings\Timothy\.housecall6.6
2007-12-31 22:03 . 2008-01-02 07:15 1,031,518 --ahs---- C:\WINDOWS\SYSTEM32\xbaxqgdu.ini
2007-12-29 10:19 . 2008-01-03 11:18 <DIR> d-------- C:\Program Files\Doblon
2007-12-29 10:09 . 2008-01-03 00:41 28,672 --a------ C:\WINDOWS\SYSTEM32\DSentry .exe
2007-12-29 09:32 . 2007-12-29 10:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\YoGen
2007-12-28 15:51 . 2007-12-28 15:57 24 ---hs---- C:\WINDOWS\SFA964AF7.tmp
2007-12-28 15:49 . 2007-12-28 15:49 <DIR> d-------- C:\Program Files\SlySoft
2007-12-21 09:01 . 2008-01-05 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-14 02:58 . 2007-12-14 02:58 <DIR> d-------- C:\Documents and Settings\Linda\Application Data\NCH Swift Sound

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 16:17 --------- d-----w C:\Program Files\REGSHAVE
2008-01-13 16:17 --------- d-----w C:\Program Files\QuickTime
2008-01-12 04:08 --------- d-----w C:\Program Files\RegScrubXP
2008-01-11 16:32 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-01-11 14:50 28,164 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2008-01-10 03:29 --------- d-----w C:\Program Files\Roxio
2008-01-08 16:47 --------- d-----w C:\Program Files\Common Files\Adaptec Shared
2008-01-07 04:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-07 04:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-07 04:38 --------- d-----w C:\Program Files\Google
2008-01-07 04:38 --------- d-----w C:\Documents and Settings\Timothy\Application Data\Roxio
2008-01-05 23:40 --------- d-----w C:\Program Files\ItsDeductible2005
2008-01-05 23:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-05 23:23 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-05 21:32 --------- d-----w C:\Program Files\McAfee.com
2008-01-05 21:16 --------- d-----w C:\Program Files\NCH Swift Sound
2008-01-05 21:14 --------- d-----w C:\Program Files\QUICKENW
2008-01-05 14:03 --------- d-----w C:\Program Files\Java
2008-01-03 13:56 --------- d-----w C:\Documents and Settings\Timothy\Application Data\LimeWire
2007-12-22 13:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-12-22 05:13 82,664 ----a-w C:\Documents and Settings\Timothy\Application Data\GDIPFONTCACHEV1.DAT
2007-12-18 14:46 --------- d-----w C:\Program Files\ItsDeductibleEX
2007-12-04 14:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-12-02 16:24 --------- d-----w C:\Program Files\Rintox Virtual Piano
2007-12-02 16:23 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-12-02 16:23 286,720 ------w C:\WINDOWS\Setup1.exe
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2006-02-06 05:35 315 ----a-w C:\Program Files\bible.win
.
----a-w    1,855,488 2008-01-12 16:08:26  C:\Program Files\adelphia hsagent\bin\tgcmd .exe
----a-w      132,496 2008-01-12 16:08:24  C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
----a-w      319,488 2008-01-07 04:27:52  C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon .exe
----a-w      868,352 2008-01-07 04:27:52  C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc .exe
----a-w       57,344 2008-01-05 20:24:36  C:\Program Files\SlySoft\CloneCD\CloneCDTray .exe
----a-w    1,318,912 2008-01-07 04:28:10  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w       20,992 2008-01-05 00:04:36  C:\Program Files\Ulead Systems\Ulead PhotoImpact\SSaver\Ussshreg .exe
----a-w       28,672 2008-01-03 05:41:01  C:\WINDOWS\SYSTEM32\DSentry .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SuperAdBlocker"="C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe" [2007-08-01 09:28 1564672]
"AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.exe" [2005-07-12 00:17 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 33280 C:\WINDOWS\SYSTEM32\rundll32.exe]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2008-01-13 09:01 135264]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2008-01-13 09:01 65536]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2008-01-13 09:01 53248]
"HostManager"="C:\Program Files\Common Files\AOL\1115497508\ee\AOLSoftware.exe" [2008-01-13 09:01 50736]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PODF97~3.exe" [ ]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 00:31 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2002-08-29 05:00 44032]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 02:56 53760 C:\WINDOWS\SYSTEM32\narrator.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 00:59 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000D7}"= C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSEHB.DLL [2006-11-07 12:58 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SABWinLogon]
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL 2007-08-01 09:28 176128 C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvvsr]
vtuvvsr.dll

R1 SABDIFSV;SABDIFSV;C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABDIFSV.SYS [2005-09-21 11:17]
R1 SABKUTIL;SABKUTIL;C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [2007-02-20 16:02]
S2 StudioPro;StudioPro webcam;C:\WINDOWS\system32\DRIVERS\StudioPro.sys [2007-01-05 21:18]
S3 EuMusDesignVirtualAudioCableWdm;StudioPro audio (WDM);C:\WINDOWS\system32\DRIVERS\vrtaucbl.sys [2007-04-22 19:27]

.
**************************************************************************

disk not found C:\

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk not found C:\

**************************************************************************
.
Completion time: 2008-01-13 11:25:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-13 16:24:28
.
2008-01-09 22:35:21 --- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:37:58 AM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\SERA 3.0\VPN Client\cvpnd.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\AOL\1115497508\ee\AOLSoftware.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
c:\program files\common files\aol\1115497508\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1115497508\ee\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Documents and Settings\Timothy\Desktop\HijackThis.exe

O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1115497508\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PODF97~3.EXE" -Run
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
O9 - Extra button: Microsoft® JavaScript® Console - {8B65C874-0B5A-409A-A481-17D7A1CEED27} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {E9173ECA-1F4F-41ed-AF1F-8F723DFE3458} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
O9 - Extra button: (no name) - {E9173ECA-1F4F-41ed-AF1F-8F723DFE3458} - (no file) (HKCU)
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.co...g-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.po...l-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.co...s-ob-assets.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst3_x.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.a...ad/tgctlins.cab
O16 - DPF: {10B80396-96A7-11D3-B7A6-00A0C94C6AE0} (ParallelGraphics Cortona VRML 1.0 to VRML 2.0 convertor) - http://www.parallelg.../cortvrml10.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol....83/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1199481226109
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.cortona3d...in/cortvrml.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.qatrainin...t/lab/msrdp.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-cent...bin/actxcab.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol....,20/McGDMgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...298/mcfscan.cab
O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O20 - Winlogon Notify: vtuvvsr - vtuvvsr.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\SERA 3.0\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: VPN 5000 Service 1.00.00 (VPN5000Service) - Unknown owner - C:\Program Files\IntraPort Client\vpn5000service.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9970 bytes

#5 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 13 January 2008 - 11:22 AM

Open notepad and copy/paste the text in the codebox below into it:

[b]File::[/b]
C:\WINDOWS\SET116.tmp
C:\WINDOWS\SET12B.tmp
C:\WINDOWS\SET149.tmp
C:\WINDOWS\SYSTEM32\xbaxqgdu.ini
C:\WINDOWS\SFA964AF7.tmp

[b]Folder::[/b]
C:\Program Files\moved mljji dll bug 2
C:\Program Files\moved mljji dll bug

[b]RenV::[/b]
C:\Program Files\adelphia hsagent\bin\tgcmd .exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon .exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc .exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray .exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\Program Files\Ulead Systems\Ulead PhotoImpact\SSaver\Ussshreg .exe
C:\WINDOWS\SYSTEM32\DSentry .exe

[b]Registry::[/b]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvvsr]



Save this as "CFScript"


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.


Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 


Proud graduate of TC/WTT Classroom
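Below, as an added example that is not part of LDTate's post and not ComboFix's own code, is a small Python reader for the script format above. It splits a CFScript into its File::, Folder::, RenV:: and Registry:: sections, works out which name each RenV:: entry gets back, and scans ComboFix listing lines for any other "name .exe" twins of the kind this thread is dealing with. That RenV:: restores a file by dropping the whitespace before its extension is an assumption taken from the `qttask .exe ---> qttask.exe` lines in the ComboFix log earlier in the thread; the function names are this example's own, and the shortened script and listing lines are constructed from entries on this page.

```python
"""Parse a ComboFix CFScript and flag 'name .exe' twins in a ComboFix listing.

Added example for this thread, not ComboFix's own code.  The section names
(File::, Folder::, RenV::, Registry::) are taken from the script posted above;
that RenV:: restores a name by dropping the whitespace before the extension is
inferred from the "qttask .exe ---> qttask.exe" lines in the log, and the
sample inputs below are constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a shortened copy of the CFScript above, pasted with its BBCode.
SAMPLE_CFSCRIPT = r"""[b]File::[/b]
C:\WINDOWS\SET116.tmp
C:\WINDOWS\SYSTEM32\xbaxqgdu.ini

[b]Folder::[/b]
C:\Program Files\moved mljji dll bug 2

[b]RenV::[/b]
C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
C:\WINDOWS\SYSTEM32\DSentry .exe

[b]Registry::[/b]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvvsr]
"""

# Constructed sample: listing lines in the two ComboFix layouts seen in the log above.
SAMPLE_LISTING = [
    r"2007-12-29 10:09 . 2008-01-03 00:41 28,672 --a------ C:\WINDOWS\SYSTEM32\DSentry .exe",
    r"2008-01-04 21:50 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe",
    r"2008-01-09 01:58 . 2008-01-09 01:58 <DIR> d-------- C:\Program Files\MSXML 4.0",
    r"----a-w   1,855,488 2008-01-12 16:08:26  C:\Program Files\adelphia hsagent\bin\tgcmd .exe",
]

# "[b]RenV::[/b]" or plain "RenV::" on a line of its own starts a section.
_SECTION = re.compile(r"^\s*(?:\[b\])?(\w+)::(?:\[/b\])?\s*$")
# A drive-letter path running to the last non-blank character of the line.
_WINPATH = re.compile(r"[A-Za-z]:\\.*\S")
# "<name><whitespace><.ext>" at the end of a path, e.g. "qttask .exe".
_SPACED_EXT = re.compile(r"^(.*\S)\s+(\.[A-Za-z0-9]{1,4})$")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into {section: [entries]}; blank lines are ignored."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        m = _SECTION.match(raw)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        entry = raw.strip()
        if entry and current is not None:
            sections[current].append(entry)
    return sections


def renv_target(path: str) -> str:
    """Name a RenV:: entry gets once the whitespace before its extension is removed."""
    m = _SPACED_EXT.match(path)
    return m.group(1) + m.group(2) if m else path


def renv_plan(script: str) -> List[Tuple[str, str]]:
    """(as listed, restored name) for every RenV:: entry; unchanged names are skipped."""
    plan = []
    for entry in parse_cfscript(script).get("RenV", []):
        target = renv_target(entry)
        if target != entry:
            plan.append((entry, target))
    return plan


def find_spaced_extensions(listing: List[str]) -> List[Tuple[str, str]]:
    """Scan ComboFix listing lines for paths with whitespace before the extension."""
    hits = []
    for line in listing:
        pm = _WINPATH.search(line)
        if not pm:
            continue
        path = pm.group(0)
        target = renv_target(path)
        if target != path:
            hits.append((path, target))
    return hits


if __name__ == "__main__":
    for listed, restored in renv_plan(SAMPLE_CFSCRIPT):
        print(f"RenV: {listed} ---> {restored}")
    for listed, restored in find_spaced_extensions(SAMPLE_LISTING):
        print(f"listing twin: {listed}  (normal name {restored})")
```

The last check is the triage step: a "name .exe" entry in the listing means the genuine program was pushed aside under a near-identical name, so the file now carrying the plain name, and whichever Run entry still points at the spaced name, are the things to examine before the rename is applied. Feed it the whole "Files Created" and Find3M sections of a ComboFix log rather than the constructed lines here; a pasted log with tabs (as in the QuickTime entry above) is handled, since the match allows any run of whitespace before the extension.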

 


#6 timos

timos

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 13 January 2008 - 01:02 PM

LDTate:

I note nothing remarkable about the computer's behavior. Speed is ok/good, as it has been for several days now (prior to ComboFix today).

I am getting an AOL spyware protection notice regarding a BIFROST backdoor around the time COMBOFIX is completing its scan/generating its log. I can't readily turn off this apparently active monitor.

I note that two of the files that are the subject of the CFScript:

C:\Program Files\adelphia hsagent\bin\tgcmd .exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe

are related to files I discussed earlier (just last night, using File Research Center's "find out what's running on your computer", I was directed to and deleted several different variations of VUNDO that were moved/renamed). In both cases there were similar files (exactly the same but for the space before .exe). The files without spaces scanned as VUNDO by Avast, and were deleted/moved to the chest.

Below are updated COMBOFIX and HIJACK logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:43:35 PM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\SERA 3.0\VPN Client\cvpnd.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\AOL\1115497508\ee\AOLSoftware.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
c:\program files\common files\aol\1115497508\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1115497508\ee\aolsoftware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Documents and Settings\Timothy\Desktop\HijackThis.exe

O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1115497508\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PODF97~3.EXE" -Run
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
O9 - Extra button: Microsoft® JavaScript® Console - {8B65C874-0B5A-409A-A481-17D7A1CEED27} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {E9173ECA-1F4F-41ed-AF1F-8F723DFE3458} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
O9 - Extra button: (no name) - {E9173ECA-1F4F-41ed-AF1F-8F723DFE3458} - (no file) (HKCU)
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.co...g-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.po...l-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.co...s-ob-assets.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst3_x.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.a...ad/tgctlins.cab
O16 - DPF: {10B80396-96A7-11D3-B7A6-00A0C94C6AE0} (ParallelGraphics Cortona VRML 1.0 to VRML 2.0 convertor) - http://www.parallelg.../cortvrml10.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol....83/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1199481226109
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.cortona3d...in/cortvrml.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.qatrainin...t/lab/msrdp.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-cent...bin/actxcab.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol....,20/McGDMgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...298/mcfscan.cab
O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O20 - Winlogon Notify: vtuvvsr - vtuvvsr.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\SERA 3.0\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: VPN 5000 Service 1.00.00 (VPN5000Service) - Unknown owner - C:\Program Files\IntraPort Client\vpn5000service.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9681 bytes
ComboFix 08-01-13.1 - Timothy 2008-01-13 13:28:24.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.201 [GMT -5:00]
Running from: C:\Documents and Settings\Timothy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Timothy\Desktop\CFScript
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\xbaxqgdu.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-13 11:08 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-12 11:17 . 2008-01-12 11:17 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-01-12 11:17 . 2008-01-12 11:17 <DIR> d-------- C:\Documents and Settings\Timothy\Application Data\Malwarebytes
2008-01-10 01:25 . 1999-08-26 04:02 216,304 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\udfreadr.BAK
2008-01-09 14:39 . 2008-01-11 09:32 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-09 11:19 . 2008-01-10 17:28 <DIR> d-------- C:\Program Files\moved mljji dll bug 2
2008-01-09 01:58 . 2008-01-09 01:58 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-09 01:17 . 2007-07-09 08:09 584,192 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2008-01-08 23:06 . 2008-01-08 23:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LightScribe
2008-01-08 20:08 . 2008-01-08 20:08 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2008-01-08 19:57 . 2008-01-08 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-01-08 13:44 . 2008-01-09 14:40 <DIR> d-------- C:\Documents and Settings\Timothy\Application Data\Ahead
2008-01-08 13:40 . 2008-01-08 13:40 <DIR> d-------- C:\Program Files\Nero
2008-01-08 13:40 . 2008-01-08 20:00 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-01-07 00:41 . 2008-01-07 09:02 <DIR> d-------- C:\Documents and Settings\Timothy\Application Data\PrevxCSI
2008-01-07 00:41 . 2008-01-07 00:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-06 23:53 . 2008-01-12 11:11 <DIR> d-------- C:\Program Files\SuperAdBlocker.com
2008-01-06 23:53 . 2008-01-06 23:53 <DIR> d-------- C:\Documents and Settings\Timothy\Application Data\SuperAdBlocker.com
2008-01-06 22:23 . 2008-01-06 22:23 164 --a------ C:\install.dat
2008-01-06 21:00 . 2008-01-06 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-06 20:59 . 2008-01-06 22:51 <DIR> d-------- C:\Program Files\Security Task Manager
2008-01-06 19:52 . 2008-01-13 11:34 2,206 --a------ C:\WINDOWS\SYSTEM32\wpa.dbl
2008-01-06 15:07 . 2008-01-13 00:51 <DIR> d-------- C:\Program Files\moved mljji dll bug
2008-01-05 11:37 . 2008-01-06 23:45 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-05 11:37 . 2008-01-06 23:45 <DIR> d-------- C:\Documents and Settings\Timothy\Application Data\SUPERAntiSpyware.com
2008-01-05 11:37 . 2008-01-05 11:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-05 10:16 . 2008-01-05 10:17 <DIR> d-------- C:\Program Files\XoftSpySE
2008-01-04 21:50 . 2008-01-04 21:50 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-04 21:50 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2008-01-04 21:50 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2008-01-04 21:50 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2008-01-04 21:50 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2008-01-04 21:50 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2008-01-04 21:50 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2008-01-04 21:50 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2008-01-04 19:46 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\SYSTEM32\secupd.sig
2008-01-04 19:46 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\SYSTEM32\secupd.dat
2008-01-04 19:45 . 2004-08-04 02:56 380,416 --------- C:\WINDOWS\SYSTEM32\irprops.cpl
2008-01-04 19:44 . 2004-08-04 00:22 23,024 --a------ C:\WINDOWS\SYSTEM32\ieuinit.inf
2008-01-04 19:44 . 2004-07-17 13:40 19,528 --a------ C:\WINDOWS\002689_.tmp
2008-01-04 18:07 . 2004-08-04 02:56 614,912 --a------ C:\WINDOWS\SYSTEM32\h323msp.dll
2008-01-04 18:07 . 2004-08-04 02:56 331,264 --a------ C:\WINDOWS\SYSTEM32\ipnathlp.dll
2008-01-04 18:07 . 2004-08-04 02:56 265,728 --a------ C:\WINDOWS\SYSTEM32\h323.tsp
2008-01-04 17:36 . 2007-07-12 02:22 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-01-04 16:48 . 2005-10-20 17:20 1,082,368 --a------ C:\WINDOWS\SYSTEM32\esent.dll
2008-01-04 16:18 . 2004-08-04 02:56 351,232 --a------ C:\WINDOWS\SYSTEM32\winhttp.dll
2008-01-04 16:18 . 2004-08-04 02:56 18,944 --a------ C:\WINDOWS\SYSTEM32\qmgrprxy.dll
2008-01-04 16:17 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2008-01-04 16:17 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2008-01-04 16:10 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl
2008-01-04 15:55 . 2002-09-03 14:31 10,096,640 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxcht.dll
2008-01-04 15:54 . 2001-08-17 22:36 312,832 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_aqueue.dll
2008-01-04 15:53 . 2001-07-21 18:52 25,645 --a------ C:\WINDOWS\SYSTEM32\CNBJHLP.HLP
2008-01-04 15:53 . 2001-07-21 18:52 787 --a------ C:\WINDOWS\SYSTEM32\CNBJHLP.CNT
2008-01-04 15:53 . 2008-01-04 15:53 0 --a------ C:\WINDOWS\control.ini
2008-01-04 15:52 . 2008-01-04 15:52 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-01-04 15:52 . 2008-01-04 15:52 749 -rah----- C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest
2008-01-04 15:52 . 2008-01-04 15:52 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
2008-01-04 15:52 . 2008-01-04 15:52 749 -rah----- C:\WINDOWS\SYSTEM32\nwc.cpl.manifest
2008-01-04 15:52 . 2008-01-04 15:52 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
2008-01-04 15:52 . 2008-01-04 15:52 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest
2008-01-04 15:49 . 2007-07-30 19:19 1,712,984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2008-01-04 15:47 . 2004-08-04 00:59 57,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\redbook.sys
2008-01-04 15:47 . 2004-08-04 01:07 52,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\dmusic.sys
2008-01-04 15:47 . 2006-06-14 03:47 6,400 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\splitter.sys
2008-01-04 15:45 . 2004-08-04 02:56 130,048 --a------ C:\WINDOWS\SYSTEM32\ksproxy.ax
2008-01-04 15:45 . 2004-08-04 02:56 4,096 --a------ C:\WINDOWS\SYSTEM32\ksuser.dll
2008-01-04 15:44 . 2004-08-04 03:01 40,840 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\termdd.sys
2008-01-04 15:43 . 2004-08-04 01:01 196,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\rdpdr.sys
2008-01-04 15:41 . 2002-09-03 14:50 1,086,182 -ra------ C:\WINDOWS\SET116.tmp
2008-01-04 15:41 . 2002-09-03 14:40 13,608 -ra------ C:\WINDOWS\SET12B.tmp
2008-01-04 15:41 . 2002-09-03 15:06 7,046 -ra------ C:\WINDOWS\SET149.tmp
2008-01-03 22:50 . 2008-01-03 22:50 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-03 22:50 . 2008-01-03 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-03 01:40 . 2008-01-03 01:36 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-01-03 01:36 . 2008-01-03 01:40 <DIR> d-------- C:\Documents and Settings\Timothy\.housecall6.6
2007-12-29 10:19 . 2008-01-03 11:18 <DIR> d-------- C:\Program Files\Doblon
2007-12-29 10:09 . 2008-01-03 00:41 28,672 --a------ C:\WINDOWS\SYSTEM32\DSentry .exe
2007-12-29 09:32 . 2007-12-29 10:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\YoGen
2007-12-28 15:51 . 2007-12-28 15:57 24 ---hs---- C:\WINDOWS\SFA964AF7.tmp
2007-12-28 15:49 . 2007-12-28 15:49 <DIR> d-------- C:\Program Files\SlySoft
2007-12-21 09:01 . 2008-01-05 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-14 02:58 . 2007-12-14 02:58 <DIR> d-------- C:\Documents and Settings\Linda\Application Data\NCH Swift Sound

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 16:17 --------- d-----w C:\Program Files\REGSHAVE
2008-01-13 16:17 --------- d-----w C:\Program Files\QuickTime
2008-01-12 04:08 --------- d-----w C:\Program Files\RegScrubXP
2008-01-11 16:32 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-01-11 14:50 28,164 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2008-01-10 03:29 --------- d-----w C:\Program Files\Roxio
2008-01-08 16:47 --------- d-----w C:\Program Files\Common Files\Adaptec Shared
2008-01-07 04:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-07 04:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-07 04:38 --------- d-----w C:\Program Files\Google
2008-01-07 04:38 --------- d-----w C:\Documents and Settings\Timothy\Application Data\Roxio
2008-01-05 23:40 --------- d-----w C:\Program Files\ItsDeductible2005
2008-01-05 23:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-05 23:23 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-05 21:32 --------- d-----w C:\Program Files\McAfee.com
2008-01-05 21:16 --------- d-----w C:\Program Files\NCH Swift Sound
2008-01-05 21:14 --------- d-----w C:\Program Files\QUICKENW
2008-01-05 14:03 --------- d-----w C:\Program Files\Java
2008-01-03 13:56 --------- d-----w C:\Documents and Settings\Timothy\Application Data\LimeWire
2007-12-22 13:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-12-22 05:13 82,664 ----a-w C:\Documents and Settings\Timothy\Application Data\GDIPFONTCACHEV1.DAT
2007-12-18 14:46 --------- d-----w C:\Program Files\ItsDeductibleEX
2007-12-04 14:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-12-02 16:24 --------- d-----w C:\Program Files\Rintox Virtual Piano
2007-12-02 16:23 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-12-02 16:23 286,720 ------w C:\WINDOWS\Setup1.exe
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2006-02-06 05:35 315 ----a-w C:\Program Files\bible.win
.
<pre>
----a-w		 1,855,488 2008-01-12 16:08:26  C:\Program Files\adelphia hsagent\bin\tgcmd .exe
----a-w		   132,496 2008-01-12 16:08:24  C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
----a-w		   319,488 2008-01-07 04:27:52  C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon .exe
----a-w		   868,352 2008-01-07 04:27:52  C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc .exe
----a-w			57,344 2008-01-05 20:24:36  C:\Program Files\SlySoft\CloneCD\CloneCDTray .exe
----a-w		 1,318,912 2008-01-07 04:28:10  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w			20,992 2008-01-05 00:04:36  C:\Program Files\Ulead Systems\Ulead PhotoImpact\SSaver\Ussshreg .exe
----a-w			28,672 2008-01-03 05:41:01  C:\WINDOWS\SYSTEM32\DSentry .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-01-13_11.24.14.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-13 16:09:37 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-13 18:28:18 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-13 16:09:37 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-13 18:28:18 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-13 16:09:37 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-13 18:28:18 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-13 16:09:37 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-13 18:28:18 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-13 16:09:38 12,107,776 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-13 18:28:19 12,115,968 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-13 16:09:38 598,016 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-13 18:28:19 598,016 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-13 16:34:34 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_55c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SuperAdBlocker"="C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe" [2007-08-01 09:28 1564672]
"AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.exe" [2005-07-12 00:17 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 33280 C:\WINDOWS\SYSTEM32\rundll32.exe]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2008-01-13 09:01 135264]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2008-01-13 09:01 65536]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2008-01-13 09:01 53248]
"HostManager"="C:\Program Files\Common Files\AOL\1115497508\ee\AOLSoftware.exe" [2008-01-13 09:01 50736]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PODF97~3.exe" [ ]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 00:31 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2002-08-29 05:00 44032]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 02:56 53760 C:\WINDOWS\SYSTEM32\narrator.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 00:59 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000D7}"= C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSEHB.DLL [2006-11-07 12:58 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SABWinLogon]
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL 2007-08-01 09:28 176128 C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvvsr]
vtuvvsr.dll

R1 SABDIFSV;SABDIFSV;C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABDIFSV.SYS [2005-09-21 11:17]
R1 SABKUTIL;SABKUTIL;C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [2007-02-20 16:02]
S2 StudioPro;StudioPro webcam;C:\WINDOWS\system32\DRIVERS\StudioPro.sys [2007-01-05 21:18]
S3 EuMusDesignVirtualAudioCableWdm;StudioPro audio (WDM);C:\WINDOWS\system32\DRIVERS\vrtaucbl.sys [2007-04-22 19:27]

.
**************************************************************************

disk not found C:\

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk not found C:\

**************************************************************************
.
Completion time: 2008-01-13 13:35:07
ComboFix-quarantined-files.txt 2008-01-13 18:34:15
ComboFix2.txt 2008-01-13 16:25:20
.
2008-01-09 22:35:21 --- E O F ---

#7 LDTate
    Grand Poobah
  • Root Admin
  • 57,211 posts

Posted 13 January 2008 - 01:20 PM

Looking at your ComboFix scan, you'll notice the ones listed in the Codebox.
Those are legit files that are infected. We will try to fix them. If they can't be fixed you'll need to re-install them.

Open notepad and copy/paste the text in the Code box below into it:

File::
C:\WINDOWS\002689_.tmp
C:\WINDOWS\SET116.tmp
C:\WINDOWS\SET12B.tmp
C:\WINDOWS\SET149.tmp
C:\WINDOWS\SFA964AF7.tmp

Folder::
C:\Program Files\moved mljji dll bug 2
C:\Documents and Settings\All Users\Application Data\SecTaskMan
C:\Program Files\moved mljji dll bug
C:\Documents and Settings\All Users\Application Data\Viewpoint

RenV::
C:\Program Files\adelphia hsagent\bin\tgcmd .exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon .exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc .exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray .exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\Program Files\Ulead Systems\Ulead PhotoImpact\SSaver\Ussshreg .exe
C:\WINDOWS\SYSTEM32\DSentry .exe


Save this as "CFScript"


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.


Also please describe how your computer behaves at the moment.

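
The indicators the helper reads off these logs (a Winlogon Notify DLL that is reported missing or is not an absolute path, autorun targets such as "qttask .exe" with a space before the extension, which ComboFix listed in its Codebox and the RenV:: section renames back, and services or browser entries whose file is gone) can be picked out of a HijackThis log mechanically. The Python script below is an added example, not code from this thread, from HijackThis or from ComboFix. The sample log lines are constructed to mirror entries in the posts above; the file name hjt_triage.py, the high/medium/low severity labels and the RenV:: builder are this example's own conventions, not a ComboFix feature.

```python
"""Triage a HijackThis v2 log for the indicators discussed in this thread.

Added example: not code from the thread, HijackThis or ComboFix. The severity
labels and the RenV:: builder are this script's own conventions.
"""
import re
import sys

# Constructed sample lines in HijackThis format, mirroring entries in the posts.
SAMPLE_LOG = [
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll",
    r"O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime',
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)",
    r"O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL",
    r"O20 - Winlogon Notify: vtuvvsr - vtuvvsr.dll (file missing)",
    r"O23 - Service: VPN 5000 Service 1.00.00 (VPN5000Service) - Unknown owner - C:\Program Files\IntraPort Client\vpn5000service.exe (file missing)",
]

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
# A file name with a space right before its extension, e.g. "qttask .exe".
SPACE_BEFORE_EXT = re.compile(r"[^\s\\]+ \.(?:exe|dll|scr|com)\b", re.IGNORECASE)
# Full path (optionally quoted) ending in such a name, for the RenV:: builder.
SPACED_PATH = re.compile(r'"?([A-Za-z]:\\[^"\r\n]*? \.(?:exe|dll|scr|com))\b', re.IGNORECASE)
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def classify(line):
    """Return (severity, section, note) for a suspicious line, or None."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()

    if section == "O20" and body.startswith("Winlogon Notify:"):
        # Format: "Winlogon Notify: <key name> - <dll>". Vundo registers a
        # random-named DLL here, loaded by winlogon.exe at boot; a legitimate
        # handler is normally an absolute path to a file that exists.
        name, _, target = body[len("Winlogon Notify:"):].strip().partition(" - ")
        if "(file missing)" in target or "\\" not in target:
            return ("high", section,
                    f"Winlogon Notify '{name}' -> '{target}': no absolute path or file missing")
        return None

    if section == "O4":
        hit = SPACE_BEFORE_EXT.search(body)
        if hit:
            # The autorun points at "name .exe": the pattern ComboFix listed in
            # its Codebox and that the helper's RenV:: section renames back.
            return ("high", section, f"autorun target has a space before its extension: {hit.group(0)}")
        return None

    if section == "O23" and "(file missing)" in body:
        return ("medium", section, f"service binary is missing: {body}")

    if section in ("O2", "O3", "O9") and ("(no file)" in body or "(file missing)" in body):
        # Orphaned CLSID entries: usually leftovers, but worth a look during cleanup.
        return ("low", section, f"orphaned browser entry: {body}")

    return None


def triage(lines):
    """Classify every line and return the findings, highest severity first."""
    findings = [f for f in (classify(line) for line in lines) if f]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


def renv_script(lines):
    """Build a RenV:: section (the directive used in the helper's CFScript)
    from every 'name .exe' path found in O4 autorun lines; '' if none."""
    paths = []
    for line in lines:
        m = HJT_LINE.match(line.strip())
        if not m or m.group(1) != "O4":
            continue
        for path in SPACED_PATH.findall(m.group(2)):
            if path not in paths:
                paths.append(path)
    return ("RenV::\n" + "\n".join(paths)) if paths else ""


if __name__ == "__main__":
    # Usage: python hjt_triage.py [hijackthis.log]; without a file the sample lines are used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log = fh.read().splitlines()
    else:
        log = SAMPLE_LOG
    for severity, section, note in triage(log):
        print(f"[{severity:6}] {section}: {note}")
    script = renv_script(log)
    if script:
        print("\nCFScript fragment to review before use:\n" + script)
```

This is a triage aid, not a cleaner: HijackThis only lists the autorun entries, so the " .exe" names it flags still need to be matched against the ComboFix Codebox before they go into a RenV:: section, and a Winlogon Notify entry marked "(file missing)" has already lost its DLL and mainly needs its registry key removed.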

#8 timos
    New Member
  • New Member
  • 8 posts

Posted 13 January 2008 - 02:02 PM

LDTate:

I note nothing remarkable regarding the computer's performance.

Updated ComboFix and HijackThis logs below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:59:50 PM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\SERA 3.0\VPN Client\cvpnd.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\AOL\1115497508\ee\AOLSoftware.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
c:\program files\common files\aol\1115497508\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1115497508\ee\aolsoftware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Timothy\Desktop\HijackThis.exe

O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1115497508\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PODF97~3.EXE" -Run
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
O9 - Extra button: Microsoft® JavaScript® Console - {8B65C874-0B5A-409A-A481-17D7A1CEED27} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {E9173ECA-1F4F-41ed-AF1F-8F723DFE3458} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
O9 - Extra button: (no name) - {E9173ECA-1F4F-41ed-AF1F-8F723DFE3458} - (no file) (HKCU)
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.co...g-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.po...l-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.co...s-ob-assets.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst3_x.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.a...ad/tgctlins.cab
O16 - DPF: {10B80396-96A7-11D3-B7A6-00A0C94C6AE0} (ParallelGraphics Cortona VRML 1.0 to VRML 2.0 convertor) - http://www.parallelg.../cortvrml10.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol....83/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1199481226109
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.cortona3d...in/cortvrml.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.qatrainin...t/lab/msrdp.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-cent...bin/actxcab.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol....,20/McGDMgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...298/mcfscan.cab
O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O20 - Winlogon Notify: vtuvvsr - vtuvvsr.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\SERA 3.0\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: VPN 5000 Service 1.00.00 (VPN5000Service) - Unknown owner - C:\Program Files\IntraPort Client\vpn5000service.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9681 bytes
ComboFix 08-01-13.1 - Timothy 2008-01-13 14:45:09.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.252 [GMT -5:00]
Running from: C:\Documents and Settings\Timothy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Timothy\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-13 11:08 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-12 11:17 . 2008-01-12 11:17 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-01-12 11:17 . 2008-01-12 11:17 <DIR> d-------- C:\Documents and Settings\Timothy\Application Data\Malwarebytes
2008-01-10 01:25 . 1999-08-26 04:02 216,304 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\udfreadr.BAK
2008-01-09 14:39 . 2008-01-11 09:32 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-09 11:19 . 2008-01-10 17:28 <DIR> d-------- C:\Program Files\moved mljji dll bug 2
2008-01-09 01:58 . 2008-01-09 01:58 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-09 01:17 . 2007-07-09 08:09 584,192 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2008-01-08 23:06 . 2008-01-08 23:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LightScribe
2008-01-08 20:08 . 2008-01-08 20:08 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2008-01-08 19:57 . 2008-01-08 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-01-08 13:44 . 2008-01-09 14:40 <DIR> d-------- C:\Documents and Settings\Timothy\Application Data\Ahead
2008-01-08 13:40 . 2008-01-08 13:40 <DIR> d-------- C:\Program Files\Nero
2008-01-08 13:40 . 2008-01-08 20:00 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-01-07 00:41 . 2008-01-07 09:02 <DIR> d-------- C:\Documents and Settings\Timothy\Application Data\PrevxCSI
2008-01-07 00:41 . 2008-01-07 00:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-06 23:53 . 2008-01-12 11:11 <DIR> d-------- C:\Program Files\SuperAdBlocker.com
2008-01-06 23:53 . 2008-01-06 23:53 <DIR> d-------- C:\Documents and Settings\Timothy\Application Data\SuperAdBlocker.com
2008-01-06 22:23 . 2008-01-06 22:23 164 --a------ C:\install.dat
2008-01-06 21:00 . 2008-01-06 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-06 20:59 . 2008-01-06 22:51 <DIR> d-------- C:\Program Files\Security Task Manager
2008-01-06 19:52 . 2008-01-13 11:34 2,206 --a------ C:\WINDOWS\SYSTEM32\wpa.dbl
2008-01-06 15:07 . 2008-01-13 00:51 <DIR> d-------- C:\Program Files\moved mljji dll bug
2008-01-05 11:37 . 2008-01-06 23:45 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-05 11:37 . 2008-01-06 23:45 <DIR> d-------- C:\Documents and Settings\Timothy\Application Data\SUPERAntiSpyware.com
2008-01-05 11:37 . 2008-01-05 11:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-05 10:16 . 2008-01-05 10:17 <DIR> d-------- C:\Program Files\XoftSpySE
2008-01-04 21:50 . 2008-01-04 21:50 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-04 21:50 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2008-01-04 21:50 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2008-01-04 21:50 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2008-01-04 21:50 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2008-01-04 21:50 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2008-01-04 21:50 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2008-01-04 21:50 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2008-01-04 19:46 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\SYSTEM32\secupd.sig
2008-01-04 19:46 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\SYSTEM32\secupd.dat
2008-01-04 19:45 . 2004-08-04 02:56 380,416 --------- C:\WINDOWS\SYSTEM32\irprops.cpl
2008-01-04 19:44 . 2004-08-04 00:22 23,024 --a------ C:\WINDOWS\SYSTEM32\ieuinit.inf
2008-01-04 19:44 . 2004-07-17 13:40 19,528 --a------ C:\WINDOWS\002689_.tmp
2008-01-04 18:07 . 2004-08-04 02:56 614,912 --a------ C:\WINDOWS\SYSTEM32\h323msp.dll
2008-01-04 18:07 . 2004-08-04 02:56 331,264 --a------ C:\WINDOWS\SYSTEM32\ipnathlp.dll
2008-01-04 18:07 . 2004-08-04 02:56 265,728 --a------ C:\WINDOWS\SYSTEM32\h323.tsp
2008-01-04 17:36 . 2007-07-12 02:22 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-01-04 16:48 . 2005-10-20 17:20 1,082,368 --a------ C:\WINDOWS\SYSTEM32\esent.dll
2008-01-04 16:18 . 2004-08-04 02:56 351,232 --a------ C:\WINDOWS\SYSTEM32\winhttp.dll
2008-01-04 16:18 . 2004-08-04 02:56 18,944 --a------ C:\WINDOWS\SYSTEM32\qmgrprxy.dll
2008-01-04 16:17 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2008-01-04 16:17 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2008-01-04 16:10 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl
2008-01-04 15:55 . 2002-09-03 14:31 10,096,640 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxcht.dll
2008-01-04 15:54 . 2001-08-17 22:36 312,832 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_aqueue.dll
2008-01-04 15:53 . 2001-07-21 18:52 25,645 --a------ C:\WINDOWS\SYSTEM32\CNBJHLP.HLP
2008-01-04 15:53 . 2001-07-21 18:52 787 --a------ C:\WINDOWS\SYSTEM32\CNBJHLP.CNT
2008-01-04 15:53 . 2008-01-04 15:53 0 --a------ C:\WINDOWS\control.ini
2008-01-04 15:52 . 2008-01-04 15:52 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-01-04 15:52 . 2008-01-04 15:52 749 -rah----- C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest
2008-01-04 15:52 . 2008-01-04 15:52 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
2008-01-04 15:52 . 2008-01-04 15:52 749 -rah----- C:\WINDOWS\SYSTEM32\nwc.cpl.manifest
2008-01-04 15:52 . 2008-01-04 15:52 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
2008-01-04 15:52 . 2008-01-04 15:52 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest
2008-01-04 15:49 . 2007-07-30 19:19 1,712,984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2008-01-04 15:47 . 2004-08-04 00:59 57,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\redbook.sys
2008-01-04 15:47 . 2004-08-04 01:07 52,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\dmusic.sys
2008-01-04 15:47 . 2006-06-14 03:47 6,400 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\splitter.sys
2008-01-04 15:45 . 2004-08-04 02:56 130,048 --a------ C:\WINDOWS\SYSTEM32\ksproxy.ax
2008-01-04 15:45 . 2004-08-04 02:56 4,096 --a------ C:\WINDOWS\SYSTEM32\ksuser.dll
2008-01-04 15:44 . 2004-08-04 03:01 40,840 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\termdd.sys
2008-01-04 15:43 . 2004-08-04 01:01 196,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\rdpdr.sys
2008-01-04 15:41 . 2002-09-03 14:50 1,086,182 -ra------ C:\WINDOWS\SET116.tmp
2008-01-04 15:41 . 2002-09-03 14:40 13,608 -ra------ C:\WINDOWS\SET12B.tmp
2008-01-04 15:41 . 2002-09-03 15:06 7,046 -ra------ C:\WINDOWS\SET149.tmp
2008-01-03 22:50 . 2008-01-03 22:50 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-03 22:50 . 2008-01-03 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-03 01:40 . 2008-01-03 01:36 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-01-03 01:36 . 2008-01-03 01:40 <DIR> d-------- C:\Documents and Settings\Timothy\.housecall6.6
2007-12-29 10:19 . 2008-01-03 11:18 <DIR> d-------- C:\Program Files\Doblon
2007-12-29 10:09 . 2008-01-03 00:41 28,672 --a------ C:\WINDOWS\SYSTEM32\DSentry .exe
2007-12-29 09:32 . 2007-12-29 10:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\YoGen
2007-12-28 15:51 . 2007-12-28 15:57 24 ---hs---- C:\WINDOWS\SFA964AF7.tmp
2007-12-28 15:49 . 2007-12-28 15:49 <DIR> d-------- C:\Program Files\SlySoft
2007-12-21 09:01 . 2008-01-05 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-14 02:58 . 2007-12-14 02:58 <DIR> d-------- C:\Documents and Settings\Linda\Application Data\NCH Swift Sound

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 18:38 --------- d-----w C:\Program Files\America Online 9.0
2008-01-13 16:17 --------- d-----w C:\Program Files\REGSHAVE
2008-01-13 16:17 --------- d-----w C:\Program Files\QuickTime
2008-01-12 04:08 --------- d-----w C:\Program Files\RegScrubXP
2008-01-11 16:32 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-01-11 14:50 28,164 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2008-01-10 03:29 --------- d-----w C:\Program Files\Roxio
2008-01-08 16:47 --------- d-----w C:\Program Files\Common Files\Adaptec Shared
2008-01-07 04:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-07 04:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-07 04:38 --------- d-----w C:\Program Files\Google
2008-01-07 04:38 --------- d-----w C:\Documents and Settings\Timothy\Application Data\Roxio
2008-01-05 23:40 --------- d-----w C:\Program Files\ItsDeductible2005
2008-01-05 23:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-05 23:23 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-05 21:32 --------- d-----w C:\Program Files\McAfee.com
2008-01-05 21:16 --------- d-----w C:\Program Files\NCH Swift Sound
2008-01-05 21:14 --------- d-----w C:\Program Files\QUICKENW
2008-01-05 14:03 --------- d-----w C:\Program Files\Java
2008-01-03 13:56 --------- d-----w C:\Documents and Settings\Timothy\Application Data\LimeWire
2007-12-22 13:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-12-22 05:13 82,664 ----a-w C:\Documents and Settings\Timothy\Application Data\GDIPFONTCACHEV1.DAT
2007-12-18 14:46 --------- d-----w C:\Program Files\ItsDeductibleEX
2007-12-04 14:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-12-02 16:24 --------- d-----w C:\Program Files\Rintox Virtual Piano
2007-12-02 16:23 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-12-02 16:23 286,720 ------w C:\WINDOWS\Setup1.exe
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2006-02-06 05:35 315 ----a-w C:\Program Files\bible.win
.
<pre>
----a-w		 1,855,488 2008-01-12 16:08:26  C:\Program Files\adelphia hsagent\bin\tgcmd .exe
----a-w		   132,496 2008-01-12 16:08:24  C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
----a-w		   319,488 2008-01-07 04:27:52  C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon .exe
----a-w		   868,352 2008-01-07 04:27:52  C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc .exe
----a-w			57,344 2008-01-05 20:24:36  C:\Program Files\SlySoft\CloneCD\CloneCDTray .exe
----a-w		 1,318,912 2008-01-07 04:28:10  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w			20,992 2008-01-05 00:04:36  C:\Program Files\Ulead Systems\Ulead PhotoImpact\SSaver\Ussshreg .exe
----a-w			28,672 2008-01-03 05:41:01  C:\WINDOWS\SYSTEM32\DSentry .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-01-13_11.24.14.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-13 16:09:37 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-13 19:45:04 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-13 16:09:37 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-13 19:45:04 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-13 16:09:37 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-13 19:45:04 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-13 16:09:37 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-13 19:45:04 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-13 16:09:38 12,107,776 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-13 19:45:05 12,115,968 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-13 16:09:38 598,016 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-13 19:45:05 598,016 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-13 16:34:34 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_55c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SuperAdBlocker"="C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe" [2007-08-01 09:28 1564672]
"AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.exe" [2005-07-12 00:17 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 33280 C:\WINDOWS\SYSTEM32\rundll32.exe]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2008-01-13 09:01 135264]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2008-01-13 09:01 65536]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2008-01-13 09:01 53248]
"HostManager"="C:\Program Files\Common Files\AOL\1115497508\ee\AOLSoftware.exe" [2008-01-13 09:01 50736]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PODF97~3.exe" [ ]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 00:31 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2002-08-29 05:00 44032]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 02:56 53760 C:\WINDOWS\SYSTEM32\narrator.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 00:59 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000D7}"= C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSEHB.DLL [2006-11-07 12:58 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SABWinLogon]
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL 2007-08-01 09:28 176128 C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvvsr]
vtuvvsr.dll

R1 SABDIFSV;SABDIFSV;C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABDIFSV.SYS [2005-09-21 11:17]
R1 SABKUTIL;SABKUTIL;C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [2007-02-20 16:02]
S2 StudioPro;StudioPro webcam;C:\WINDOWS\system32\DRIVERS\StudioPro.sys [2007-01-05 21:18]
S3 EuMusDesignVirtualAudioCableWdm;StudioPro audio (WDM);C:\WINDOWS\system32\DRIVERS\vrtaucbl.sys [2007-04-22 19:27]

.
**************************************************************************

disk not found C:\

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk not found C:\

**************************************************************************
.
Completion time: 2008-01-13 14:50:44
ComboFix-quarantined-files.txt 2008-01-13 19:49:52
ComboFix2.txt 2008-01-13 18:35:08
ComboFix3.txt 2008-01-13 16:25:20
.
2008-01-09 22:35:21 --- E O F ---

#9 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 13 January 2008 - 02:11 PM

That's not showing any files / folders being removed. Delete any CFScript.txt files on your desktop and try it again please.


#10 timos

timos

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 13 January 2008 - 03:15 PM

LDTate:


Combo still showing no file deletions although I have run and rerun and rerun with your most recent CFScript.txt. Please see below:

ComboFix 08-01-13.1 - Timothy 2008-01-13 16:08:39.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.230 [GMT -5:00]
Running from: C:\Documents and Settings\Timothy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Timothy\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-13 15:56 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-12 11:17 . 2008-01-12 11:17 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-01-12 11:17 . 2008-01-12 11:17 <DIR> d-------- C:\Documents and Settings\Timothy\Application Data\Malwarebytes
2008-01-10 01:25 . 1999-08-26 04:02 216,304 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\udfreadr.BAK
2008-01-09 14:39 . 2008-01-11 09:32 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-09 11:19 . 2008-01-10 17:28 <DIR> d-------- C:\Program Files\moved mljji dll bug 2
2008-01-09 01:58 . 2008-01-09 01:58 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-09 01:17 . 2007-07-09 08:09 584,192 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2008-01-08 23:06 . 2008-01-08 23:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LightScribe
2008-01-08 20:08 . 2008-01-08 20:08 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2008-01-08 19:57 . 2008-01-08 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-01-08 13:44 . 2008-01-09 14:40 <DIR> d-------- C:\Documents and Settings\Timothy\Application Data\Ahead
2008-01-08 13:40 . 2008-01-08 13:40 <DIR> d-------- C:\Program Files\Nero
2008-01-08 13:40 . 2008-01-08 20:00 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-01-07 00:41 . 2008-01-07 09:02 <DIR> d-------- C:\Documents and Settings\Timothy\Application Data\PrevxCSI
2008-01-07 00:41 . 2008-01-07 00:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-06 23:53 . 2008-01-12 11:11 <DIR> d-------- C:\Program Files\SuperAdBlocker.com
2008-01-06 23:53 . 2008-01-06 23:53 <DIR> d-------- C:\Documents and Settings\Timothy\Application Data\SuperAdBlocker.com
2008-01-06 22:23 . 2008-01-06 22:23 164 --a------ C:\install.dat
2008-01-06 21:00 . 2008-01-06 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-06 20:59 . 2008-01-06 22:51 <DIR> d-------- C:\Program Files\Security Task Manager
2008-01-06 19:52 . 2008-01-13 15:35 2,206 --a------ C:\WINDOWS\SYSTEM32\wpa.dbl
2008-01-06 15:07 . 2008-01-13 00:51 <DIR> d-------- C:\Program Files\moved mljji dll bug
2008-01-05 11:37 . 2008-01-06 23:45 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-05 11:37 . 2008-01-06 23:45 <DIR> d-------- C:\Documents and Settings\Timothy\Application Data\SUPERAntiSpyware.com
2008-01-05 11:37 . 2008-01-05 11:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-05 10:16 . 2008-01-05 10:17 <DIR> d-------- C:\Program Files\XoftSpySE
2008-01-04 21:50 . 2008-01-04 21:50 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-04 21:50 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2008-01-04 21:50 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2008-01-04 21:50 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2008-01-04 21:50 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2008-01-04 21:50 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2008-01-04 21:50 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2008-01-04 21:50 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2008-01-04 19:46 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\SYSTEM32\secupd.sig
2008-01-04 19:46 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\SYSTEM32\secupd.dat
2008-01-04 19:45 . 2004-08-04 02:56 380,416 --------- C:\WINDOWS\SYSTEM32\irprops.cpl
2008-01-04 19:44 . 2004-08-04 00:22 23,024 --a------ C:\WINDOWS\SYSTEM32\ieuinit.inf
2008-01-04 19:44 . 2004-07-17 13:40 19,528 --a------ C:\WINDOWS\002689_.tmp
2008-01-04 18:07 . 2004-08-04 02:56 614,912 --a------ C:\WINDOWS\SYSTEM32\h323msp.dll
2008-01-04 18:07 . 2004-08-04 02:56 331,264 --a------ C:\WINDOWS\SYSTEM32\ipnathlp.dll
2008-01-04 18:07 . 2004-08-04 02:56 265,728 --a------ C:\WINDOWS\SYSTEM32\h323.tsp
2008-01-04 17:36 . 2007-07-12 02:22 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-01-04 16:48 . 2005-10-20 17:20 1,082,368 --a------ C:\WINDOWS\SYSTEM32\esent.dll
2008-01-04 16:18 . 2004-08-04 02:56 351,232 --a------ C:\WINDOWS\SYSTEM32\winhttp.dll
2008-01-04 16:18 . 2004-08-04 02:56 18,944 --a------ C:\WINDOWS\SYSTEM32\qmgrprxy.dll
2008-01-04 16:17 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2008-01-04 16:17 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2008-01-04 16:10 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl
2008-01-04 15:55 . 2002-09-03 14:31 10,096,640 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxcht.dll
2008-01-04 15:54 . 2001-08-17 22:36 312,832 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_aqueue.dll
2008-01-04 15:53 . 2001-07-21 18:52 25,645 --a------ C:\WINDOWS\SYSTEM32\CNBJHLP.HLP
2008-01-04 15:53 . 2001-07-21 18:52 787 --a------ C:\WINDOWS\SYSTEM32\CNBJHLP.CNT
2008-01-04 15:53 . 2008-01-04 15:53 0 --a------ C:\WINDOWS\control.ini
2008-01-04 15:52 . 2008-01-04 15:52 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-01-04 15:52 . 2008-01-04 15:52 749 -rah----- C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest
2008-01-04 15:52 . 2008-01-04 15:52 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
2008-01-04 15:52 . 2008-01-04 15:52 749 -rah----- C:\WINDOWS\SYSTEM32\nwc.cpl.manifest
2008-01-04 15:52 . 2008-01-04 15:52 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
2008-01-04 15:52 . 2008-01-04 15:52 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest
2008-01-04 15:49 . 2007-07-30 19:19 1,712,984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2008-01-04 15:47 . 2004-08-04 00:59 57,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\redbook.sys
2008-01-04 15:47 . 2004-08-04 01:07 52,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\dmusic.sys
2008-01-04 15:47 . 2006-06-14 03:47 6,400 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\splitter.sys
2008-01-04 15:45 . 2004-08-04 02:56 130,048 --a------ C:\WINDOWS\SYSTEM32\ksproxy.ax
2008-01-04 15:45 . 2004-08-04 02:56 4,096 --a------ C:\WINDOWS\SYSTEM32\ksuser.dll
2008-01-04 15:44 . 2004-08-04 03:01 40,840 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\termdd.sys
2008-01-04 15:43 . 2004-08-04 01:01 196,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\rdpdr.sys
2008-01-04 15:41 . 2002-09-03 14:50 1,086,182 -ra------ C:\WINDOWS\SET116.tmp
2008-01-04 15:41 . 2002-09-03 14:40 13,608 -ra------ C:\WINDOWS\SET12B.tmp
2008-01-04 15:41 . 2002-09-03 15:06 7,046 -ra------ C:\WINDOWS\SET149.tmp
2008-01-03 22:50 . 2008-01-03 22:50 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-03 22:50 . 2008-01-03 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-03 01:40 . 2008-01-03 01:36 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-01-03 01:36 . 2008-01-03 01:40 <DIR> d-------- C:\Documents and Settings\Timothy\.housecall6.6
2007-12-29 10:19 . 2008-01-03 11:18 <DIR> d-------- C:\Program Files\Doblon
2007-12-29 10:09 . 2008-01-03 00:41 28,672 --a------ C:\WINDOWS\SYSTEM32\DSentry .exe
2007-12-29 09:32 . 2007-12-29 10:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\YoGen
2007-12-28 15:51 . 2007-12-28 15:57 24 ---hs---- C:\WINDOWS\SFA964AF7.tmp
2007-12-28 15:49 . 2007-12-28 15:49 <DIR> d-------- C:\Program Files\SlySoft
2007-12-21 09:01 . 2008-01-05 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-14 02:58 . 2007-12-14 02:58 <DIR> d-------- C:\Documents and Settings\Linda\Application Data\NCH Swift Sound

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 18:38 --------- d-----w C:\Program Files\America Online 9.0
2008-01-13 16:17 --------- d-----w C:\Program Files\REGSHAVE
2008-01-13 16:17 --------- d-----w C:\Program Files\QuickTime
2008-01-12 04:08 --------- d-----w C:\Program Files\RegScrubXP
2008-01-11 16:32 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-01-11 14:50 28,164 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2008-01-10 03:29 --------- d-----w C:\Program Files\Roxio
2008-01-08 16:47 --------- d-----w C:\Program Files\Common Files\Adaptec Shared
2008-01-07 04:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-07 04:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-07 04:38 --------- d-----w C:\Program Files\Google
2008-01-07 04:38 --------- d-----w C:\Documents and Settings\Timothy\Application Data\Roxio
2008-01-05 23:40 --------- d-----w C:\Program Files\ItsDeductible2005
2008-01-05 23:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-05 23:23 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-05 21:32 --------- d-----w C:\Program Files\McAfee.com
2008-01-05 21:16 --------- d-----w C:\Program Files\NCH Swift Sound
2008-01-05 21:14 --------- d-----w C:\Program Files\QUICKENW
2008-01-05 14:03 --------- d-----w C:\Program Files\Java
2008-01-03 13:56 --------- d-----w C:\Documents and Settings\Timothy\Application Data\LimeWire
2007-12-22 13:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-12-22 05:13 82,664 ----a-w C:\Documents and Settings\Timothy\Application Data\GDIPFONTCACHEV1.DAT
2007-12-18 14:46 --------- d-----w C:\Program Files\ItsDeductibleEX
2007-12-04 14:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-12-02 16:24 --------- d-----w C:\Program Files\Rintox Virtual Piano
2007-12-02 16:23 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-12-02 16:23 286,720 ------w C:\WINDOWS\Setup1.exe
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2006-02-06 05:35 315 ----a-w C:\Program Files\bible.win
.
<pre>
----a-w		 1,855,488 2008-01-12 16:08:26  C:\Program Files\adelphia hsagent\bin\tgcmd .exe
----a-w		   132,496 2008-01-12 16:08:24  C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
----a-w		   319,488 2008-01-07 04:27:52  C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon .exe
----a-w		   868,352 2008-01-07 04:27:52  C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc .exe
----a-w			57,344 2008-01-05 20:24:36  C:\Program Files\SlySoft\CloneCD\CloneCDTray .exe
----a-w		 1,318,912 2008-01-07 04:28:10  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w			20,992 2008-01-05 00:04:36  C:\Program Files\Ulead Systems\Ulead PhotoImpact\SSaver\Ussshreg .exe
----a-w			28,672 2008-01-03 05:41:01  C:\WINDOWS\SYSTEM32\DSentry .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-01-13_11.24.14.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-13 16:09:37 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-13 21:08:35 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-13 16:09:37 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-13 21:08:35 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-13 16:09:37 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-13 21:08:35 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-13 16:09:37 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-13 21:08:35 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-13 16:09:38 12,107,776 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-13 21:08:35 12,124,160 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-13 16:09:38 598,016 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-13 21:08:35 598,016 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-13 20:34:45 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_560.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SuperAdBlocker"="C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe" [2007-08-01 09:28 1564672]
"AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.exe" [2005-07-12 00:17 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 33280 C:\WINDOWS\SYSTEM32\rundll32.exe]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2008-01-13 09:01 135264]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2008-01-13 09:01 65536]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2008-01-13 09:01 53248]
"HostManager"="C:\Program Files\Common Files\AOL\1115497508\ee\AOLSoftware.exe" [2008-01-13 09:01 50736]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PODF97~3.exe" [ ]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 00:31 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2002-08-29 05:00 44032]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 02:56 53760 C:\WINDOWS\SYSTEM32\narrator.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 00:59 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000D7}"= C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSEHB.DLL [2006-11-07 12:58 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SABWinLogon]
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL 2007-08-01 09:28 176128 C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvvsr]
vtuvvsr.dll

R1 SABDIFSV;SABDIFSV;C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABDIFSV.SYS [2005-09-21 11:17]
R1 SABKUTIL;SABKUTIL;C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [2007-02-20 16:02]
S2 StudioPro;StudioPro webcam;C:\WINDOWS\system32\DRIVERS\StudioPro.sys [2007-01-05 21:18]
S3 EuMusDesignVirtualAudioCableWdm;StudioPro audio (WDM);C:\WINDOWS\system32\DRIVERS\vrtaucbl.sys [2007-04-22 19:27]

.
**************************************************************************

disk not found C:\

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk not found C:\

**************************************************************************
.
Completion time: 2008-01-13 16:11:29
ComboFix-quarantined-files.txt 2008-01-13 21:10:36
ComboFix2.txt 2008-01-13 18:35:08
ComboFix3.txt 2008-01-13 16:25:20
.
2008-01-09 22:35:21 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:13:26 PM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\SERA 3.0\VPN Client\cvpnd.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
c:\program files\common files\aol\1115497508\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Timothy\Desktop\HijackThis.exe

O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1115497508\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PODF97~3.EXE" -Run
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
O9 - Extra button: Microsoft® JavaScript® Console - {8B65C874-0B5A-409A-A481-17D7A1CEED27} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {E9173ECA-1F4F-41ed-AF1F-8F723DFE3458} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
O9 - Extra button: (no name) - {E9173ECA-1F4F-41ed-AF1F-8F723DFE3458} - (no file) (HKCU)
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.co...g-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.po...l-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.co...s-ob-assets.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst3_x.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.a...ad/tgctlins.cab
O16 - DPF: {10B80396-96A7-11D3-B7A6-00A0C94C6AE0} (ParallelGraphics Cortona VRML 1.0 to VRML 2.0 convertor) - http://www.parallelg.../cortvrml10.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol....83/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1199481226109
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.cortona3d...in/cortvrml.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.qatrainin...t/lab/msrdp.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-cent...bin/actxcab.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol....,20/McGDMgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...298/mcfscan.cab
O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O20 - Winlogon Notify: vtuvvsr - vtuvvsr.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\SERA 3.0\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: VPN 5000 Service 1.00.00 (VPN5000Service) - Unknown owner - C:\Program Files\IntraPort Client\vpn5000service.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9455 bytes



#11 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 13 January 2008 - 03:22 PM

Download Avenger by Swandog, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).
http://swandog46.gee...com/avenger.zip

Note: The Avenger must be run from a user account with administrator privileges, and ONLY works on Windows 2000 and XP, and only on 32-bit versions!
If yours is a 64 bit version, do not use it, let me know.


Open a Notepad file by clicking Start > Run and typing Notepad.exe in the box, click OK.

Click Format, and ensure Word Wrap is unchecked.

Copy and Paste all the text inside the box below into Notepad.

Now save the file as RemoveFiles.txt in a location where you can find it.


Files to delete: 
C:\WINDOWS\002689_.tmp
C:\WINDOWS\SET116.tmp
C:\WINDOWS\SET12B.tmp
C:\WINDOWS\SET149.tmp
C:\WINDOWS\SFA964AF7.tmp 
C:\Program Files\adelphia hsagent\bin\tgcmd .exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon .exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc .exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray .exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\Program Files\Ulead Systems\Ulead PhotoImpact\SSaver\Ussshreg .exe
C:\WINDOWS\SYSTEM32\DSentry .exe

Folders to delete: 
C:\Program Files\moved mljji dll bug 2
C:\Documents and Settings\All Users\Application Data\SecTaskMan
C:\Program Files\moved mljji dll bug
C:\Documents and Settings\All Users\Application Data\Viewpoint


Start Avenger by double clicking on Avenger.exe.

Check Load script from file:

Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.

Double click it to enter it into Avenger.

Click the green traffic light symbol.

You will be asked if you want to execute the script, answer Yes.

At this point you may get prompts from your protection systems, allow them please.

Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.

Answer Yes, and allow your computer to re-boot.

Upon re-boot a command window will briefly appear on screen (this is normal).

A Notepad text file will be created C:\avenger.txt.

Copy and Paste it into your next post please, along with a new HJT log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#12 timos

timos

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 13 January 2008 - 03:50 PM

LDTate:

Avenger.txt, updated HIJACK, attached:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\slfmlyae

*******************

Script file located at: \??\C:\Documents and Settings\ptdaejyj.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\002689_.tmp deleted successfully.
File C:\WINDOWS\SET116.tmp deleted successfully.
File C:\WINDOWS\SET12B.tmp deleted successfully.
File C:\WINDOWS\SET149.tmp deleted successfully.
File C:\WINDOWS\SFA964AF7.tmp deleted successfully.
File C:\Program Files\adelphia hsagent\bin\tgcmd .exe deleted successfully.
File C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe deleted successfully.
File C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon .exe deleted successfully.
File C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc .exe deleted successfully.
File C:\Program Files\SlySoft\CloneCD\CloneCDTray .exe deleted successfully.
File C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe deleted successfully.
File C:\Program Files\Ulead Systems\Ulead PhotoImpact\SSaver\Ussshreg .exe deleted successfully.
File C:\WINDOWS\SYSTEM32\DSentry .exe deleted successfully.
Folder C:\Program Files\moved mljji dll bug 2 deleted successfully.
Folder C:\Documents and Settings\All Users\Application Data\SecTaskMan deleted successfully.
Folder C:\Program Files\moved mljji dll bug deleted successfully.
Folder C:\Documents and Settings\All Users\Application Data\Viewpoint deleted successfully.

Completed script processing.

*******************

Finished! Terminate.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:47:49 PM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\SERA 3.0\VPN Client\cvpnd.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Common Files\AOL\1115497508\ee\AOLSoftware.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
c:\program files\common files\aol\1115497508\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1115497508\ee\aolsoftware.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Documents and Settings\Timothy\Desktop\HijackThis.exe

O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1115497508\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PODF97~3.EXE" -Run
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
O9 - Extra button: Microsoft® JavaScript® Console - {8B65C874-0B5A-409A-A481-17D7A1CEED27} - C:\WINDOWS\system32\comdlg32.ocx
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {E9173ECA-1F4F-41ed-AF1F-8F723DFE3458} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
O9 - Extra button: (no name) - {E9173ECA-1F4F-41ed-AF1F-8F723DFE3458} - (no file) (HKCU)
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.co...g-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.po...l-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.co...s-ob-assets.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst3_x.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.a...ad/tgctlins.cab
O16 - DPF: {10B80396-96A7-11D3-B7A6-00A0C94C6AE0} (ParallelGraphics Cortona VRML 1.0 to VRML 2.0 convertor) - http://www.parallelg.../cortvrml10.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol....83/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1199481226109
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.cortona3d...in/cortvrml.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.qatrainin...t/lab/msrdp.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-cent...bin/actxcab.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol....,20/McGDMgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...298/mcfscan.cab
O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O20 - Winlogon Notify: vtuvvsr - vtuvvsr.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\SERA 3.0\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: VPN 5000 Service 1.00.00 (VPN5000Service) - Unknown owner - C:\Program Files\IntraPort Client\vpn5000service.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9993 bytes
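
A small triage script for HijackThis logs like the ones posted in this thread, added here as an example; it is not part of the thread and is not HijackThis or Avenger code. It flags the things the cleanup above acted on: entries whose target file is gone ("(file missing)" / "(no file)"), executables whose name has a space inserted before the extension (the renamed programs listed in the Avenger script, e.g. "qttask .exe"), and an O20 Winlogon Notify DLL registered by bare file name rather than full path (the vtuvvsr.dll line in the log). The regexes, the finding categories and the one constructed process-list line are this example's own assumptions.

```python
"""Triage helper for HijackThis v2 log lines (added example, not from the thread)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted in this thread,
# plus one made-up running-process line (qttask .exe) so every check fires offline.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\QuickTime\qttask .exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O20 - Winlogon Notify: vtuvvsr - vtuvvsr.dll (file missing)
O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O23 - Service: VPN 5000 Service 1.00.00 (VPN5000Service) - Unknown owner - C:\Program Files\IntraPort Client\vpn5000service.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# "O4 - ...", "O20 - ..." entry lines; the section code is what HJT helpers review by.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# A space immediately before a program extension, e.g. "qttask .exe" (assumed heuristic).
SPACED_EXT_RE = re.compile(r"\S \.(exe|dll|com|scr)\b", re.IGNORECASE)
MISSING_MARKERS = ("(file missing)", "(no file)")

REASON_MISSING = "target file is missing; orphaned entry"
REASON_SPACED = "space before file extension; renamed-program artifact"
REASON_BARE_DLL = "Winlogon Notify DLL registered by bare name, not full path"


@dataclass(frozen=True)
class Finding:
    section: str   # "O4", "O20", ... or "proc" for the running-process list
    reason: str
    line: str


def _is_process_path(line: str) -> bool:
    # Running-process lines are bare drive paths such as C:\WINDOWS\...
    return len(line) > 2 and line[1:3] == ":\\"


def triage(log_text: str) -> list:
    """Return one Finding per suspicious property of each log line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            section = m.group(1)
        elif _is_process_path(line):
            section = "proc"
        else:
            continue  # header, blank, or footer line
        if any(marker in line for marker in MISSING_MARKERS):
            findings.append(Finding(section, REASON_MISSING, line))
        if SPACED_EXT_RE.search(line):
            findings.append(Finding(section, REASON_SPACED, line))
        if section == "O20":
            # HJT prints the registered DLL after the last " - "; a full path has a backslash.
            target = line.split(" - ")[-1]
            if "\\" not in target:
                findings.append(Finding(section, REASON_BARE_DLL, line))
    return findings


def summarize(findings) -> dict:
    """Count findings per HJT section, e.g. {"O20": 2, "O23": 1, ...}."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it against a saved hijackthis.log by passing the file contents to `triage()`; the findings are a review list, not a deletion list, since a missing-file entry may simply be an uninstaller's leftover, as the VPN5000Service line here probably is.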

#13 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 13 January 2008 - 04:00 PM

You will need to re-install these:
Easy CD Creator 6
SlySoft\CloneCD
SUPERAntiSpyware
Ulead Systems\Ulead PhotoImpact



Good job :thumbup:

Remove the avenger program

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.



    Here's my usual all clean post

    Log looks good :D


    You need to create a new Clean restore point.

    Note: This will remove all previous Restore Points

    Click Start Menu > Run > copy and paste

    %SystemRoot%\System32\restore\rstrui.exe

    Press OK. Choose Create a Restore Point then click Next. Name it (something you'll remember) and click Create, when the confirmation screen shows the restore point has been created click Close.

    Double-click My Computer.
    Click the Tools menu, and then click Folder Options.
    Click the View tab.
    Check "Hide file extensions for known file types."
    Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
    Check "Hide protected operating system files."
    Click Apply, and then click OK.

    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      • From within Internet Explorer click on the Tools menu and then click on Options.
      • Click once on the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is susceptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:
    Note: I no longer suggest Zone Alarm

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer has always the latest security updates available installed on your computer.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer
    settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

    Using IE-SPYAD to help block unwanted sites and activities

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly.
    Without regular updates you WILL NOT be protected when new malicious programs are released.

Only run one Anti-Virus and Firewall program.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein



#14 timos

timos

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 14 January 2008 - 09:15 PM

LDTate: Everything is looking good on my computer. Thanks so much for the help.

#15 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 14 January 2008 - 09:21 PM

Great job :thumbup: You're more than welcome. Glad we were able to help. Peace be with you :wavey:

