[Resolved] Adware-Isearch, Vundo....Hijack This Log


This topic is locked
25 replies to this topic

#1 sms7204
    New Member (Authentic Member), 16 posts

Posted 31 March 2008 - 07:02 PM

Because, well, I'm an idiot, (for lack of a better reason or term :) I accidentally opened up a program that gave me ALL SORTS of Trojans and Adware. I have a current subscription to McAfee, and some of the names that it has found most frequently in the last two weeks (that it never had before) are "Vundo" (Trojan), "Downloader.gen.a" (Trojan), "Adware-Isearch", and "Spyware-JuanSearch". None of these had ever appeared before. It dramatically slows down any Internet Browser, but IE is practically unusable. I use Mozilla mostly, but it often has unwanted banner ads and occasionally the popup page "http://www.rebatepro...ssortools.com".

I've run "Hijack This" on my last reboot (which was a few hours ago today), and I'm posting it here, in hopes that maybe someone can help, because this is over my head! If you can help me from here, THANK YOU SOOOOO MUCH!!! Here is the log:

Sincerely,
Spencer


Logfile of HijackThis v1.99.1
Scan saved at 7:49:15 PM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svshost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svshost.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svshost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\schost.exe
C:\Documents and Settings\Spencer Somerville\lsass.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\RABCO\X_RABCOse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Documents and Settings\Spencer Somerville\Desktop\Fixes\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [D-Link RangeBooster G WDA-2320] C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Microsoft Manage Services] schost.exe
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Spencer Somerville\lsass.exe
O4 - HKLM\..\Run: [14369fd7] rundll32.exe "C:\WINDOWS\system32\icupfjvr.dll",b
O4 - HKLM\..\Run: [BM1705ac4b] Rundll32.exe "C:\WINDOWS\system32\lcetwlvl.dll",s
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: RABCO - Auto Update.lnk = C:\Program Files\RABCO\RABCOse.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - C:\WINDOWS\System32\crtv2_32.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - C:\WINDOWS\System32\crtv2_32.dll (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://www.imgag.com...all/Crusher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: aa0n58e3y7t3 - Unknown owner - C:\WINDOWS\system32\svshost.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U3BlbmNlciBTb21lcnZpbGxl\command.exe (file missing)
O23 - Service: g35b7z8f6 - Unknown owner - C:\WINDOWS\system32\svshost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: is6y22l7i4j2 - Unknown owner - C:\WINDOWS\system32\svshost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
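The log above contains most of the masquerades an analyst scans a HijackThis log for: svshost.exe and schost.exe are each one character away from svchost.exe; lsass.exe is running from the user's profile instead of system32; two Run entries load DLLs with generated names through rundll32; three services have generated names and point at the lookalike binary; and one service path contains a Base64 directory name (U3BlbmNlciBTb21lcnZpbGxl decodes to the user's own name, Spencer Somerville). The Python script below, added here as an example and not code from this thread or from HijackThis, automates that triage. The core-process list, the name heuristics and their thresholds, and the Finding record are this example's own assumptions; the sample input is a handful of lines excerpted from the log posted in #1, with benign lines kept as controls.

```python
"""Triage a HijackThis log for the masquerade patterns in the post above. Added example, not
code from the thread; the name heuristics and thresholds below are this example's own."""
import base64
import re
from collections import namedtuple
# XP core processes and the directory each should run from (lower-case, drive letter dropped).
CORE = dict.fromkeys(("smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                      "svchost.exe", "spoolsv.exe", "rundll32.exe", "ctfmon.exe"), r"\windows\system32")
Finding = namedtuple("Finding", "kind line detail")
RUN_RE = re.compile(r"^O4 - HK\S*\\\.\.\\Run\w*: \[(.+?)\] (.+)$")
SVC_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")

def edit_distance(a, b):
    """Levenshtein distance; a lookalike such as svshost.exe is one edit from svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_path(path):  # (directory, basename) lower-cased, quotes and drive letter removed
    d, _, base = re.sub(r"^[a-z]:", "", path.strip().strip('"').lower()).rpartition("\\")
    return d, base

def lookalike(base):  # one edit away from a core process name, but not that name itself
    return base not in CORE and any(edit_distance(base, c) == 1 for c in CORE)

def random_dll_stem(stem):
    """Generated DLL names (icupfjvr, lcetwlvl): 8+ letters with 5+ consonants in a row."""
    return bool(re.fullmatch(r"[a-z]{8,}", stem) and re.search(r"[bcdfghjklmnpqrstvwxyz]{5,}", stem))

def random_service_name(name):
    """Generated service names (aa0n58e3y7t3): letters and digits alternate 4+ times."""
    flips = sum(a.isdigit() != b.isdigit() for a, b in zip(name.lower(), name.lower()[1:]))
    return bool(re.fullmatch(r"[a-z0-9]{8,}", name.lower())) and flips >= 4

def base64_components(path):
    """Path parts that are valid Base64 for printable ASCII, e.g. U3BlbmNlciBTb21lcnZpbGxl."""
    for comp in path.split("\\"):
        if re.fullmatch(r"[A-Za-z0-9+/]{8,}={0,2}", comp):
            try:
                raw = base64.b64decode(comp, validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            if len(raw) >= 8 and all(32 <= b < 127 for b in raw):
                yield comp, raw.decode("ascii")

def check_process(line):
    d, base = split_path(line)
    if base in CORE and d != CORE[base]:
        return Finding("core-name-wrong-dir", line, f"{base} expected in {CORE[base]}")
    return Finding("lookalike-name", line, base) if lookalike(base) else None

def check_run(line):
    m = RUN_RE.match(line)
    if not m:
        return None
    cmd = m.group(2)
    if "\\" not in cmd:  # bare filename: resolved through the PATH search order
        return Finding("run-bare-filename", line, cmd)
    if "\\documents and settings\\" in cmd.lower():
        return Finding("run-from-profile", line, cmd)
    dll = re.search(r'rundll32\.exe\s+"?([^",]+\.dll)', cmd, re.I)
    if dll and random_dll_stem(split_path(dll.group(1))[1][:-4]):
        return Finding("run-random-dll", line, dll.group(1))
    return None

def check_service(line):
    display, _owner, path = SVC_RE.match(line).groups()
    path = path.replace("(file missing)", "").strip()
    short = re.search(r"\((.+?)\)$", display)
    name = short.group(1) if short else display
    details = [f"random service name {name}"] if random_service_name(name) else []
    if lookalike(split_path(path)[1]):
        details.append(f"lookalike binary {split_path(path)[1]}")
    details += [f"base64 path component {c} = {d!r}" for c, d in base64_components(path)]
    return Finding("service", line, "; ".join(details)) if details else None

def triage(log_text):
    """Run the matching check over each log line and return the findings in log order."""
    checks = ((r"[A-Za-z]:\\", check_process), (r"O4 - HK", check_run), (r"O23 - Service: ", check_service))
    return [f for line in map(str.strip, log_text.splitlines())
            for pat, fn in checks if re.match(pat, line) and (f := fn(line))]

# Lines excerpted from the log posted in #1; the benign ones are kept as controls.
SAMPLE_LOG = r"""C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svshost.exe
C:\WINDOWS\system32\schost.exe
C:\Documents and Settings\Spencer Somerville\lsass.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Microsoft Manage Services] schost.exe
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Spencer Somerville\lsass.exe
O4 - HKLM\..\Run: [14369fd7] rundll32.exe "C:\WINDOWS\system32\icupfjvr.dll",b
O23 - Service: aa0n58e3y7t3 - Unknown owner - C:\WINDOWS\system32\svshost.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U3BlbmNlciBTb21lcnZpbGxl\command.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe"""
```

triage(SAMPLE_LOG) returns eight Finding records, one per suspicious line, and nothing for the three controls. The two name rules are deliberately different: the DLL rule looks for a long consonant run, which would wrongly flag a real service name such as mcmscsvc (McAfee Services, all consonants), so the service rule instead counts letter/digit alternation, which the generated names in this log have and legitimate short names do not. The Base64 check only accepts components that decode to printable ASCII of 8 bytes or more; system32 happens to be valid Base64 but decodes to binary junk and is not reported.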



#2 gringo_pr
    Silver Member (Visiting Fellow), 423 posts

Posted 01 April 2008 - 06:44 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Please reply to this thread, do not start another.
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.

As I am still in training, everything that I post to you must be checked by one of the teachers. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long.

If you follow these instructions, everything should go smoothly.

We are currently looking at your log now and will be back as soon as possible with your instructions.
While you are waiting, one other thing that can be of good use is an uninstall list, so please do the following:

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in your next reply.


Gringo

#3 gringo_pr
    Silver Member (Visiting Fellow), 423 posts

Posted 01 April 2008 - 07:52 PM

Hello sms7204



: Download and Install SDFix :

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

: Run SDFix :
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

: Run ComboFix :

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: how-to-use-combofix

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

: Older version of HijackThis :

You are using an older version of HijackThis; please uninstall the old version:
1. Click on Start.
2. Then go to Settings.
3. After that you need Control Panel.
4. Look for the icon Add/Remove Programs.
5. Choose HijackThis and click on Remove.

Install HijackThis

  • Download HJTInstall.exe to your Desktop.
  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch HijackThis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.
Don't use the Analyse This button; its findings are dangerous if misinterpreted.
Don't have HijackThis fix anything yet. Most of what it finds will be harmless or even required.


: Information and logs :

In your next post I need the following:

1. Log from SDFix
2. Log from ComboFix
3. Log from the new HijackThis
4. And the uninstall list, if you have not given it to me yet
Gringo


#4 gringo_pr
    Silver Member (Visiting Fellow), 423 posts

Posted 04 April 2008 - 05:51 AM

Hello

: three day bump :


It has been three days since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48 hours you have not replied to this thread, then it will have to be closed!

Gringo

#5 sms7204
    New Member (Authentic Member), 16 posts

Posted 06 April 2008 - 01:42 PM

> Hello
>
> : three day bump :
>
> It has been three days since my last post.
>
>   • do you still need help with this?
>   • do you need more time?
>   • are you having problems following my instructions?
>   • if after 48 hours you have not replied to this thread, then it will have to be closed!
>
> Gringo



Hi Gringo!
Thanks for your response. I'm sorry, I've been very busy. This afternoon I am sitting down to start on your recommendations. I will post more stuff tonight hopefully!

Thanks!
Spencer

#6 sms7204
    New Member (Authentic Member), 16 posts

Posted 06 April 2008 - 08:08 PM

Gringo,
Here are my logfiles:

First, the HijackThis uninstall log:

Adobe Download Manager 1.2 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Photoshop 6.0
Adobe Photoshop Album 2.0 Starter Edition
Adobe Photoshop CS
Adobe Reader 8.1.1
ANIO Service
ANIWZCS2 Service
AOL Instant Messenger
AOL Toolbar 2.0
Apple Mobile Device Support
Apple Software Update
BitZipper 5.0.1
Buzzsaw CD Ripper 3.1
Conexant SmartHSFi V.9x 56K Speakerphone PCI Modem
Dell Media Experience
Dell Solution Center
Dell Support
DesignPro 5.0 Limited Edition
Digital Line Detect
DING!
DivX
DivX Player
DS21Patch
FirstClass® Client
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Intel® Extreme Graphics Driver
Internet Explorer Default Page
iPod for Windows 2005-09-23
iTunes
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.2
Java™ 6 Update 2
Java™ SE Runtime Environment 6 Update 1
LimeWire
LimeWire 4.16.6
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Flight Simulator X Demo
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Modem Helper
Moyea FLV Player version 1.0.0.36
Mozilla Firefox (2.0.0.13)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
Netscape Browser (remove only)
NetWaiting
Ofoto Print@Home ActiveX Control
QuickTime
RABCO
RangeBooster G WDA-2320
RealPlayer
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Shockwave
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Spybot - Search & Destroy 1.4
Spyware Detector
Sure Delete 5.1.1
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WordPerfect Office 11
Yahoo! Anti-Spy

#7 sms7204
    New Member (Authentic Member), 16 posts

Posted 06 April 2008 - 08:10 PM

Next, my SDFix report (there was one generated, which is the one I am posting, called "report.txt", but there was also another one titled "report_old_1.txt". Let me know if you need that one too.)


SDFix: Version 1.167
Run by Spencer Somerville on Sun 04/06/2008 at 04:27 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name:
cmdService
Network Monitor

Path:

cmdService - Deleted
Network Monitor - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\PROGRA~1\WINDOW~1\SAGUBILA - Deleted
C:\PROGRA~1\NETMEE~1\LIQADU~1.DLL - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Temp\0b9\tmpTF.log - Deleted
C:\Temp\gbRve12\csLioes.log - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\svshost.exe - Deleted
C:\Documents and Settings\Spencer Somerville\lsass.exe - Deleted
C:\WINDOWS\Fonts\'\*.zip - 18283 File(s) 2,120,498,906 bytes - Deleted



Folder C:\Program Files\Network Monitor - Removed
Folder C:\Documents and Settings\LocalService\Application Data\NetMon - Removed
Folder C:\Temp\0b9 - Removed
Folder C:\Temp\1cb - Removed
Folder C:\Temp\gbRve12 - Removed
Folder C:\WINDOWS\Fonts\' - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-06 17:43:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Java\\j2re1.4.2\\bin\\javaw.exe"="C:\\Program Files\\Java\\j2re1.4.2\\bin\\javaw.exe:*:Disabled:javaw"
"C:\\Program Files\\LimeWire\\LimeWire 4.2.6\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire 4.2.6\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Disabled:RealPlayer"
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\Common Files\\AOL\\1128994163\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1128994163\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1128994163\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1128994163\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 13 Oct 2004 1,694,208 A..H. --- "C:\Program Files\Messenger\msmsgs.exe"
Fri 1 Jun 2007 1,453,725 A.SH. --- "C:\WINDOWS\SYSTEM32\klnmp.tmp"
Tue 5 Jun 2007 1,432,486 A.SH. --- "C:\WINDOWS\SYSTEM32\klnmp.bak1"
Mon 4 Jun 2007 1,433,569 A.SH. --- "C:\WINDOWS\SYSTEM32\klnmp.bak2"
Mon 24 Mar 2008 7,680 ..SHR --- "C:\WINDOWS\SYSTEM32\schost.exe"
Tue 6 Jul 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 17 Feb 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Sun 17 Feb 2008 211 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Mon 1 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 15 May 2003 43,008 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"

Finished!

#8 sms7204
    New Member (Authentic Member), 16 posts

Posted 06 April 2008 - 08:12 PM

Here's the ComboFix log report (when the computer restarted, a window popped up saying Windows didn't know how to open this file: RABCOse.exe.vir, so I just hit the Cancel button).

ComboFix 08-04-06.1 - Spencer Somerville 2008-04-06 19:11:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.191 [GMT -6:00]
Running from: C:\Documents and Settings\Spencer Somerville\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Spencer Somerville\Application Data\{2CF0B992-5EEB-4143-99C0-5297EF71F444}
C:\Program Files\RABCO
C:\Program Files\RABCO\ExecutionDll.dll
C:\Program Files\RABCO\RABCO.dll
C:\Program Files\RABCO\RABCO.dll.intermediate.manifest
C:\Program Files\RABCO\RABCOse.exe
C:\Program Files\RABCO\RABCOse.info
C:\Program Files\RABCO\RABCOse.original
C:\Program Files\RABCO\Setup.log
C:\Program Files\RABCO\un_RABCOSetup_16230.exe
C:\Program Files\RABCO\un_RABCOSetup_16230.txt
C:\Program Files\RABCO\X_RABCOse.exe
C:\Program Files\RABCO\X_RABCOse.log
C:\WINDOWS\BM1705ac4b.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\SYSTEM32\aijcunpk.ini
C:\WINDOWS\system32\aqVreo18
C:\WINDOWS\system32\atkakedw.dll
C:\WINDOWS\system32\bmklqyrb.dll
C:\WINDOWS\SYSTEM32\cJTvyyxx.ini
C:\WINDOWS\SYSTEM32\cJTvyyxx.ini2
C:\WINDOWS\SYSTEM32\dla\ntp2.ini
C:\WINDOWS\system32\ealmshsj.dll
C:\WINDOWS\system32\egfurcyk.dll
C:\WINDOWS\system32\eqnmccde.dll
C:\WINDOWS\system32\etknufby.dll
C:\WINDOWS\system32\fvsciald.dll
C:\WINDOWS\SYSTEM32\ggnlfjel.ini
C:\WINDOWS\system32\gsjlandl.dll
C:\WINDOWS\system32\gwmmarcu.dll
C:\WINDOWS\system32\heuojath.dll
C:\WINDOWS\system32\hlgeaytb.dll
C:\WINDOWS\system32\ibyoujeo.dll
C:\WINDOWS\system32\imkwvbda.dll
C:\WINDOWS\system32\ioqusnsv.dll
C:\WINDOWS\system32\kpnucjia.dll
C:\WINDOWS\system32\lcetwlvl.dll
C:\WINDOWS\system32\lhdnltna.dll
C:\WINDOWS\system32\lqajobcv.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mkooaano.dll
C:\WINDOWS\SYSTEM32\oejuoybi.ini
C:\WINDOWS\system32\okthxfor.dll
C:\WINDOWS\SYSTEM32\qhndlhdr.ini
C:\WINDOWS\system32\qxqnfuvp.dll
C:\WINDOWS\system32\rihbeldw.dll
C:\WINDOWS\SYSTEM32\rvjfpuci.ini
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T4
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\T7
C:\WINDOWS\system32\T7\icm.exe
C:\WINDOWS\system32\ulhfuxqk.dll
C:\WINDOWS\system32\vbhldukp.dll
C:\WINDOWS\system32\waikpxxw.dll
C:\WINDOWS\system32\wcsriwuv.dll
C:\WINDOWS\system32\xxyyvTJc.dll
C:\WINDOWS\system32\yrmrcgoa.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-07 to 2008-04-07 )))))))))))))))))))))))))))))))
.

2008-04-06 15:45 . 2008-04-06 15:45 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-06 15:37 . 2008-04-06 17:49 <DIR> d-------- C:\SDFix
2008-04-06 15:35 . 2008-04-06 15:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-04 22:36 . 2008-04-05 00:13 2,328,397 ---hs---- C:\WINDOWS\SYSTEM32\glugeewb.ini
2008-04-03 22:36 . 2008-04-03 22:36 2,213,024 ---hs---- C:\WINDOWS\SYSTEM32\ipsgmxxe.ini
2008-04-02 22:36 . 2008-04-02 22:36 1,975,113 ---hs---- C:\WINDOWS\SYSTEM32\glbfqmuv.ini
2008-03-28 22:26 . 2008-03-29 22:27 1,319,980 ---hs---- C:\WINDOWS\SYSTEM32\fiomgxxu.ini
2008-03-27 22:26 . 2008-03-27 22:26 1,546,252 ---hs---- C:\WINDOWS\SYSTEM32\qkjnxqpw.ini
2008-03-26 22:29 . 2008-03-26 22:29 1,550,475 ---hs---- C:\WINDOWS\SYSTEM32\ebkectoi.ini
2008-03-25 22:26 . 2008-03-26 22:26 1,585,970 ---hs---- C:\WINDOWS\SYSTEM32\slptsmgl.ini
2008-03-24 22:23 . 2008-03-25 22:23 1,580,285 ---hs---- C:\WINDOWS\SYSTEM32\qeaoejmg.ini
2008-03-24 22:16 . 2008-03-24 22:19 39,463 --a------ C:\gbo.exe
2008-03-24 11:14 . 2008-03-24 16:26 39,463 --a------ C:\bfgco.exe
2008-03-24 02:23 . 2008-03-24 02:23 2,261,737 -rahs---- C:\MaxSecurePattern.DB
2008-03-24 02:10 . 2008-03-24 02:29 12,057,971 -rahs---- C:\MaxSecureSig.DB
2008-03-23 22:16 . 2008-03-24 08:27 7,680 -r-hs---- C:\WINDOWS\SYSTEM32\schost.exe
2008-03-23 22:15 . 2008-03-23 22:15 294 ---hs---- C:\WINDOWS\SYSTEM32\MVEffMoq.ini
2008-03-22 09:42 . 2008-03-22 09:42 6,656 --a------ C:\hlpr.exe
2008-03-22 08:45 . 2008-03-22 08:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-21 15:42 . 2008-03-24 08:26 <DIR> d-------- C:\WINDOWS\U3BlbmNlciBTb21lcnZpbGxl
2008-03-21 15:42 . 2008-03-21 15:42 <DIR> d-------- C:\WINDOWS\SYSTEM32\usnv
2008-03-21 15:42 . 2008-03-21 15:42 <DIR> d-------- C:\WINDOWS\SYSTEM32\mdp2
2008-03-21 15:42 . 2008-03-24 08:22 <DIR> d-------- C:\WINDOWS\SYSTEM32\FxTmp
2008-03-21 15:42 . 2008-03-23 22:15 1,543,219 ---hs---- C:\WINDOWS\SYSTEM32\tbqbbfmn.ini
2008-03-21 15:42 . 2008-03-23 22:12 0 --a------ C:\WINDOWS\SYSTEM32\atmtd.dll.tmp
2008-03-21 15:41 . 2008-03-21 15:41 5,632 --a------ C:\dllhost.exe
2008-03-20 00:51 . 2008-03-20 00:51 147,456 --a------ C:\WINDOWS\SYSTEM32\vbzip10.dll
2008-03-20 00:48 . 2008-03-20 00:48 18,944 --a------ C:\WINDOWS\SYSTEM32\xxyvSIaA.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-06 17:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-20 06:34 --------- d-----w C:\Documents and Settings\Spencer Somerville\Application Data\BitZipper
2008-03-08 02:07 --------- d-----w C:\Program Files\iTunes
2008-03-08 02:07 --------- d-----w C:\Program Files\iPod
2008-03-08 02:04 --------- d-----w C:\Program Files\QuickTime
2008-02-25 05:39 --------- d-----w C:\Program Files\FirstClass
2008-02-19 08:17 --------- d-----w C:\Program Files\McAfee
2008-02-19 05:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-19 05:12 --------- d-----w C:\Program Files\Microsoft Games
2007-06-05 16:28 1,432,486 --sha-w C:\WINDOWS\SYSTEM32\klnmp.bak1
2007-06-04 16:27 1,433,569 --sha-w C:\WINDOWS\SYSTEM32\klnmp.bak2
2007-06-06 13:55 1,482,384 --sh--w C:\WINDOWS\SYSTEM32\klnmp.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A995B5A-5DCC-4805-B398-F39CD61B8CAC}]
C:\Program Files\NetMeeting\liqadugi89104.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3306BE3C-9B61-485B-B71B-C8CDB57AB510}]
C:\WINDOWS\system32\gebayvs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7361261b-f509-4361-ba56-4aaf34b60814}]
C:\WINDOWS\system32\ylmvnbhs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76B9AD9A-0440-E3D0-5C1E-52839B04472B}]
C:\PROGRA~1\SHOWSC~1\Fivetons.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35 67112]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 20:05 323584]
"D-Link RangeBooster G WDA-2320"="C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe" [2005-12-15 12:21 2490368]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-03-30 09:42 36904]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"Microsoft Manage Services"="schost.exe" [2008-03-24 08:27 7680 C:\WINDOWS\SYSTEM32\schost.exe]

C:\Documents and Settings\Spencer Somerville\Start Menu\Programs\Startup\
RABCO - Auto Update.lnk - C:\QooBox\Quarantine\C\Program Files\RABCO\RABCOse.exe.vir [2008-03-21 15:42:26 183216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-06-03 13:52:30 124912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)
"Btn_Search"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{3306BE3C-9B61-485B-B71B-C8CDB57AB510}"= C:\WINDOWS\system32\gebayvs.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]
C:\Program Files\SpywareDetector\SDNotify.dll 2007-05-21 20:13 172032 C:\Program Files\SpywareDetector\SDNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= L3CODECA.ACM

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DING!.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DING!.lnk
backup=C:\WINDOWS\pss\DING!.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Spencer Somerville^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\Spencer Somerville\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 15:35 67112 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2007-08-04 02:33 582992 C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2003-08-26 19:47 204800 C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDAutoLiveupdate]
--a------ 2007-05-22 10:27 376832 C:\Program Files\SpywareDetector\LiveUpdateSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTraySD]
--a------ 2007-05-22 10:39 661208 C:\Program Files\SpywareDetector\SDSystemTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 01:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SDService"=2 (0x2)
"ose"=3 (0x3)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"dmadmin"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"ANIWZCSdService"=2 (0x2)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Java\\j2re1.4.2\\bin\\javaw.exe"=
"C:\\Program Files\\LimeWire\\LimeWire 4.2.6\\LimeWire.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-08-25 15:00]
S2 aa0n58e3y7t3;aa0n58e3y7t3;"C:\WINDOWS\system32\svshost.exe" []
S2 g35b7z8f6;g35b7z8f6;"C:\WINDOWS\system32\svshost.exe" []
S2 is6y22l7i4j2;is6y22l7i4j2;"C:\WINDOWS\system32\svshost.exe" []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-07 02:00:00 C:\WINDOWS\Tasks\8A430A0394A8A3FF.job"
- c:\progra~1\inside~1\Hidestylefour.exe
"2008-04-01 03:30:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-07 02:00:00 C:\WINDOWS\Tasks\B2507FBE94CFF042.job"
- c:\progra~1\inside~1\Hidestylefour.exe
"2008-03-15 07:26:02 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-04-01 07:00:31 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-06 20:52:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-06 20:56:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-07 02:56:43
Pre-Run: 28,778,020,864 bytes free
Post-Run: 28,712,427,520 bytes free
.
2008-03-13 09:01:55 --- E O F ---

#9 sms7204 (New Member, Authentic Member, 16 posts)

Posted 06 April 2008 - 08:13 PM

And finally, here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:03:00 PM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\schost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {2A995B5A-5DCC-4805-B398-F39CD61B8CAC} - C:\Program Files\NetMeeting\liqadugi89104.dll (file missing)
O2 - BHO: (no name) - {3306BE3C-9B61-485B-B71B-C8CDB57AB510} - C:\WINDOWS\system32\gebayvs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: {41806b43-faa4-65ab-1634-905fb1621637} - {7361261b-f509-4361-ba56-4aaf34b60814} - C:\WINDOWS\system32\ylmvnbhs.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {76B9AD9A-0440-E3D0-5C1E-52839B04472B} - C:\PROGRA~1\SHOWSC~1\Fivetons.exe (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [D-Link RangeBooster G WDA-2320] C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Microsoft Manage Services] schost.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: RABCO - Auto Update.lnk = C:\QooBox\Quarantine\C\Program Files\RABCO\RABCOse.exe.vir
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - C:\WINDOWS\System32\crtv2_32.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - C:\WINDOWS\System32\crtv2_32.dll (file missing) (HKCU)
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://www.imgag.com...all/Crusher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: aa0n58e3y7t3 - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: g35b7z8f6 - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: is6y22l7i4j2 - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe

--
End of file - 9452 bytes

#10 gringo_pr (Silver Member, Visiting Fellow, 423 posts)

Posted 07 April 2008 - 07:09 AM

Hello sms7204

That got rid of a lot of junk, but there's still more to go :D

P2P Warning!

IMPORTANT: I notice there are signs of one or more P2P (Peer-to-Peer) file sharing programs on your computer.

LimeWire
LimeWire 4.16.6
BitTornado


Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

References for the risk of these programs can be found in these links: http://www.microsoft...protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetw...cles/art053.htm

I would recommend that you uninstall LimeWire, LimeWire 4.16.6 and BitTornado; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

deljob

Download Deljob.exe and save it to your desktop.
Doubleclick Deljob.exe.

A log (logit.txt) should open afterwards. This log will also be present on your desktop.
Post the contents of the logfile in your next reply.

:Remove bad HijackThis entries:
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
    • O2 - BHO: (no name) - SOFTWARE - (no file)
    • O2 - BHO: (no name) - {2A995B5A-5DCC-4805-B398-F39CD61B8CAC} - C:\Program Files\NetMeeting\liqadugi89104.dll (file missing)
    • O2 - BHO: (no name) - {3306BE3C-9B61-485B-B71B-C8CDB57AB510} - C:\WINDOWS\system32\gebayvs.dll (file missing)
    • O2 - BHO: {41806b43-faa4-65ab-1634-905fb1621637} - {7361261b-f509-4361-ba56-4aaf34b60814} - C:\WINDOWS\system32\ylmvnbhs.dll (file missing)
    • O2 - BHO: (no name) - {76B9AD9A-0440-E3D0-5C1E-52839B04472B} - C:\PROGRA~1\SHOWSC~1\Fivetons.exe (file missing)
    • O4 - HKLM\..\Run: [Microsoft Manage Services] schost.exe
    • O4 - Startup: RABCO - Auto Update.lnk = C:\QooBox\Quarantine\C\Program Files\RABCO\RABCOse.exe.vir
    • O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    • O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    • O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - C:\WINDOWS\System32\crtv2_32.dll (file missing)
    • O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - C:\WINDOWS\System32\crtv2_32.dll (file missing) (HKCU)
    • O23 - Service: aa0n58e3y7t3 - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
    • O23 - Service: g35b7z8f6 - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
    • O23 - Service: is6y22l7i4j2 - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

KILLALL::

File::
C:\WINDOWS\SYSTEM32\glugeewb.ini
C:\WINDOWS\SYSTEM32\ipsgmxxe.ini
C:\WINDOWS\SYSTEM32\glbfqmuv.ini
C:\WINDOWS\SYSTEM32\fiomgxxu.ini
C:\WINDOWS\SYSTEM32\qkjnxqpw.ini
C:\WINDOWS\SYSTEM32\ebkectoi.ini
C:\WINDOWS\SYSTEM32\slptsmgl.ini
C:\WINDOWS\SYSTEM32\qeaoejmg.ini
C:\gbo.exe
C:\bfgco.exe
C:\WINDOWS\SYSTEM32\MVEffMoq.ini
C:\hlpr.exe
C:\WINDOWS\SYSTEM32\tbqbbfmn.ini
C:\WINDOWS\SYSTEM32\atmtd.dll.tmp
C:\dllhost.exe
C:\WINDOWS\SYSTEM32\vbzip10.dll
C:\WINDOWS\SYSTEM32\xxyvSIaA.dll
C:\WINDOWS\SYSTEM32\klnmp.ini2

Folder::
C:\Documents and Settings\All Users\Application Data\Rabio
C:\WINDOWS\U3BlbmNlciBTb21lcnZpbGxl
C:\WINDOWS\SYSTEM32\usnv
C:\WINDOWS\SYSTEM32\mdp2
C:\WINDOWS\SYSTEM32\FxTmp

Rootkit::
C:\WINDOWS\SYSTEM32\klnmp.tmp
C:\WINDOWS\SYSTEM32\klnmp.bak1
C:\WINDOWS\SYSTEM32\klnmp.bak2
C:\WINDOWS\SYSTEM32\schost.exe

Driver::
aa0n58e3y7t3
g35b7z8f6
is6y22l7i4j2

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A995B5A-5DCC-4805-B398-F39CD61B8CAC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3306BE3C-9B61-485B-B71B-C8CDB57AB510}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7361261b-f509-4361-ba56-4aaf34b60814}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76B9AD9A-0440-E3D0-5C1E-52839B04472B}]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{3306BE3C-9B61-485B-B71B-C8CDB57AB510}"=-


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt



:information and logs:

In your next post I need the following

1. log from Deljob
2. log from ComboFix
3. log from MBAM
4. new HijackThis log
Gringo
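The entries gringo_pr picks out above are not chosen at random: each one trips a rule a helper applies while reading a HijackThis log. The script below is an added example (it is not part of this thread, of HijackThis, or of any tool named here) that encodes four of those rules: an entry whose target file no longer exists, a Run value that names a bare executable with no path (so Windows finds it via the search order), a service whose name is a machine-generated mix of letters and digits, and a binary whose name is one edit away from a core Windows executable (svshost.exe and schost.exe versus svchost.exe). The list of system binaries and the name-length threshold are assumptions for the example; the sample lines are copied from the HijackThis log in post #9.

```python
import re

# Core Windows binaries that malware likes to imitate (fixed list; an assumption for this example).
SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "explorer.exe", "spoolsv.exe", "ctfmon.exe", "smss.exe", "rundll32.exe",
}
# Service names made of a random mix of lowercase letters and digits, e.g. "aa0n58e3y7t3".
RANDOM_NAME = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{8,}$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, enough to catch svshost/svchost-style lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(filename: str):
    """Name of the system binary this file imitates, or None if it is that binary or unrelated."""
    name = filename.lower()
    if name in SYSTEM_BINARIES:
        return None
    for real in SYSTEM_BINARIES:
        if levenshtein(name, real) == 1:
            return real
    return None


def basename(path: str) -> str:
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1]


def command_image(cmd: str) -> str:
    """Executable from a Run value: the quoted path, or the text up to the first '.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage_line(line: str) -> list:
    """Reasons a HijackThis line deserves a second look; an empty list means nothing was found."""
    line = line.strip()
    reasons = []
    if "(file missing)" in line or "(no file)" in line:
        reasons.append("orphaned entry: the registry points at a file that no longer exists")
    m = O4_RE.match(line)
    if m:
        exe = command_image(m.group("cmd"))
        if "\\" not in exe:
            reasons.append(f"Run value '{m.group('name')}' starts '{exe}' with no path, so it is found via the search order")
        real = lookalike(basename(exe))
        if real:
            reasons.append(f"'{basename(exe)}' is one edit away from the system binary '{real}'")
    m = O23_RE.match(line)
    if m:
        if RANDOM_NAME.match(m.group("name")):
            reasons.append(f"service name '{m.group('name')}' looks machine-generated")
        if m.group("owner") == "Unknown owner":
            reasons.append("weak signal: no publisher string (some legitimate services lack one too)")
        real = lookalike(basename(m.group("path").replace("(file missing)", "")))
        if real:
            reasons.append(f"service binary is one edit away from the system binary '{real}'")
    return reasons


def triage(log_lines) -> dict:
    """Map each suspicious line to its reasons; clean lines are left out."""
    hits = {}
    for ln in log_lines:
        reasons = triage_line(ln)
        if reasons:
            hits[ln.strip()] = reasons
    return hits


# Constructed sample: lines copied from the HijackThis log in post #9 above.
SAMPLE = """
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {3306BE3C-9B61-485B-B71B-C8CDB57AB510} - C:\\WINDOWS\\system32\\gebayvs.dll (file missing)
O4 - HKLM\\..\\Run: [iTunesHelper] "C:\\Program Files\\iTunes\\iTunesHelper.exe"
O4 - HKLM\\..\\Run: [Microsoft Manage Services] schost.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O23 - Service: aa0n58e3y7t3 - Unknown owner - C:\\WINDOWS\\system32\\svshost.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\\Program Files\\SiteAdvisor\\6253\\SAService.exe
""".strip().splitlines()

if __name__ == "__main__":
    for hit, why in triage(SAMPLE).items():
        print(hit)
        for reason in why:
            print("   ->", reason)
```

Run against the sample, the script flags the orphaned gebayvs.dll BHO, the schost.exe Run value (no path and a lookalike), and the aa0n58e3y7t3 service (orphaned, random name, lookalike), and leaves iTunes, ctfmon.exe and Google Updater alone. The SiteAdvisor service shows up only on the "weak signal" rule, which is the caveat: "Unknown owner" on its own is not evidence, and a helper still confirms the path before putting a line on the fix list.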


#11 sms7204 (New Member, Authentic Member, 16 posts)

Posted 08 April 2008 - 05:49 AM

Gringo, it will take me a day or two to do this, because I will be out of town. Just letting you know so I don't leave you wondering. Thanks for all your help so far!!! Spencer

#12 gringo_pr (Silver Member, Visiting Fellow, 423 posts)

Posted 08 April 2008 - 04:17 PM

Just let me know when you are back.

Gringo

#13 sms7204 (New Member, Authentic Member, 16 posts)

Posted 13 April 2008 - 11:25 AM

Gringo, OK, here is my Deljob log:

--------------------------------------------------------
Backups created in C:\deljob
8A430A0394A8A3FF.job
B2507FBE94CFF042.job
--------------------------------------------------------
Files in Windows Tasks folder
AppleSoftwareUpdate.job
McDefragTask.job
McQcTask.job
--------------------------------------------------------
Export App Data folders
--------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is 1436-9F78

Directory of C:\Documents and Settings\Spencer Somerville\Application Data

04/06/2008 07:17 PM <DIR> .
04/06/2008 07:17 PM <DIR> ..
01/11/2005 12:54 AM <DIR> BITTOR~1 .BitTornado
03/03/2008 01:17 AM <DIR> Adobe
07/19/2007 06:58 PM <DIR> AdobeUM
06/20/2005 07:05 PM <DIR> Aim
01/01/2006 10:54 AM <DIR> APPLEC~1 Apple Computer
03/20/2008 12:34 AM <DIR> BITZIP~1 BitZipper
02/19/2004 09:14 PM <DIR> Corel
07/22/2004 06:28 AM <DIR> CYBERL~1 CyberLink
07/27/2005 09:53 PM <DIR> Google
03/09/2004 11:41 PM <DIR> Help
01/26/2004 06:55 AM <DIR> IDENTI~1 Identities
01/26/2004 07:36 AM <DIR> JASCSO~1 Jasc Software Inc
02/21/2004 12:46 PM <DIR> LEADER~1 Leadertech
07/05/2004 02:20 PM <DIR> Lycos
03/01/2004 12:15 AM <DIR> MACROM~1 Macromedia
12/04/2004 12:34 PM <DIR> McAfee.com
02/18/2008 11:19 PM <DIR> MICROS~1 Microsoft
10/11/2007 12:36 AM <DIR> Moyea
12/29/2004 12:46 AM <DIR> Mozilla
06/20/2005 12:12 AM <DIR> Netscape
03/11/2004 08:21 PM <DIR> Real
11/05/2007 12:54 AM <DIR> SITEAD~1 SiteAdvisor
06/04/2006 09:45 PM <DIR> Snapfish
02/21/2004 12:46 PM <DIR> Sonic
01/26/2004 07:19 AM <DIR> Sun
0 File(s) 0 bytes
27 Dir(s) 28,540,796,928 bytes free

Volume in drive C has no label.
Volume Serial Number is 1436-9F78

Directory of C:\Documents and Settings\All Users\Application Data

03/22/2008 08:45 AM <DIR> .
03/22/2008 08:45 AM <DIR> ..
03/03/2008 01:17 AM <DIR> Adobe
10/10/2005 11:24 PM <DIR> AOL
06/30/2007 08:47 PM <DIR> Apple
01/15/2007 10:42 AM <DIR> APPLEC~1 Apple Computer
01/09/2007 07:57 PM <DIR> Avery
01/26/2004 07:28 AM <DIR> BVRPSO~1 BVRP Software
01/26/2004 07:33 AM <DIR> Dell
06/01/2007 10:15 AM <DIR> FIRSTC~1 FirstClass
06/03/2007 01:53 PM <DIR> Google
04/09/2008 02:31 PM <DIR> GOOGLE~1 Google Updater
08/02/2005 10:43 PM <DIR> IESERV~1 IEService
04/22/2005 04:56 PM <DIR> Kodak
12/14/2006 01:33 AM <DIR> MACROV~1 Macrovision
06/12/2007 09:50 AM <DIR> McAfee
06/12/2007 09:50 AM <DIR> McAfee.com
02/18/2008 11:19 PM <DIR> MICROS~1 Microsoft
12/04/2004 02:07 PM <DIR> Pribi
07/05/2004 07:23 PM <DIR> QUICKT~1 QuickTime
03/22/2008 08:45 AM <DIR> Rabio
01/26/2004 07:26 AM <DIR> SBSI
12/04/2004 02:07 PM <DIR> Setup
09/17/2007 12:03 AM <DIR> SITEAD~1 SiteAdvisor
12/08/2005 09:01 AM <DIR> SOUTHW~1 Southwest Airlines
09/09/2004 10:02 PM <DIR> SPYBOT~1 Spybot - Search & Destroy
10/10/2005 07:28 PM <DIR> VIEWPO~1 Viewpoint
05/23/2006 07:08 PM <DIR> WINDOW~1 Windows Genuine Advantage
0 File(s) 0 bytes
28 Dir(s) 28,540,792,832 bytes free
--------------------------------------------------------
All User Accounts
--------------------------------------------------------
Administrator
All Users
Spencer Somerville
--------------------------------------------------------

#14 sms7204

    New Member

  • Authentic Member
  • 16 posts

Posted 13 April 2008 - 11:26 AM

Here is my new ComboFix log:

ComboFix 08-04-06.1 - Spencer Somerville 2008-04-13 12:05:48.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.264 [GMT -6:00]
Running from: C:\Documents and Settings\Spencer Somerville\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Spencer Somerville\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\bfgco.exe
C:\dllhost.exe
C:\gbo.exe
C:\hlpr.exe
C:\WINDOWS\SYSTEM32\atmtd.dll.tmp
C:\WINDOWS\SYSTEM32\ebkectoi.ini
C:\WINDOWS\SYSTEM32\fiomgxxu.ini
C:\WINDOWS\SYSTEM32\glbfqmuv.ini
C:\WINDOWS\SYSTEM32\glugeewb.ini
C:\WINDOWS\SYSTEM32\ipsgmxxe.ini
C:\WINDOWS\SYSTEM32\klnmp.ini2
C:\WINDOWS\SYSTEM32\MVEffMoq.ini
C:\WINDOWS\SYSTEM32\qeaoejmg.ini
C:\WINDOWS\SYSTEM32\qkjnxqpw.ini
C:\WINDOWS\SYSTEM32\slptsmgl.ini
C:\WINDOWS\SYSTEM32\tbqbbfmn.ini
C:\WINDOWS\SYSTEM32\vbzip10.dll
C:\WINDOWS\SYSTEM32\xxyvSIaA.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\bfgco.exe
C:\dllhost.exe
C:\Documents and Settings\All Users\Application Data\Rabio
C:\Documents and Settings\Spencer Somerville\lsass.exe
C:\gbo.exe
C:\hlpr.exe
C:\WINDOWS\SYSTEM32\atmtd.dll.tmp
C:\WINDOWS\SYSTEM32\ebkectoi.ini
C:\WINDOWS\SYSTEM32\fiomgxxu.ini
C:\WINDOWS\SYSTEM32\FxTmp
C:\WINDOWS\SYSTEM32\glbfqmuv.ini
C:\WINDOWS\SYSTEM32\glugeewb.ini
C:\WINDOWS\SYSTEM32\ipsgmxxe.ini
C:\WINDOWS\SYSTEM32\klnmp.bak1
C:\WINDOWS\SYSTEM32\klnmp.bak2
C:\WINDOWS\SYSTEM32\klnmp.ini2
C:\WINDOWS\SYSTEM32\klnmp.tmp
C:\WINDOWS\SYSTEM32\mdp2
C:\WINDOWS\SYSTEM32\mdp2\dr32gb.exe
C:\WINDOWS\SYSTEM32\MVEffMoq.ini
C:\WINDOWS\SYSTEM32\qeaoejmg.ini
C:\WINDOWS\SYSTEM32\qkjnxqpw.ini
C:\WINDOWS\SYSTEM32\schost.exe
C:\WINDOWS\SYSTEM32\slptsmgl.ini
C:\WINDOWS\SYSTEM32\tbqbbfmn.ini
C:\WINDOWS\SYSTEM32\usnv
C:\WINDOWS\SYSTEM32\usnv\ax89104.exe
C:\WINDOWS\SYSTEM32\vbzip10.dll
C:\WINDOWS\SYSTEM32\xxyvSIaA.dll
C:\WINDOWS\U3BlbmNlciBTb21lcnZpbGxl

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_G35B7Z8F6
-------\Legacy_IS6Y22L7I4J2
-------\Service_g35b7z8f6
-------\Service_is6y22l7i4j2


((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
.

2008-04-13 09:23 . 2008-04-13 09:23 <DIR> d-------- C:\Program Files\Safari
2008-04-10 00:35 . 2008-04-10 00:35 <DIR> d-------- C:\deljob
2008-04-06 15:45 . 2008-04-06 15:45 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-06 15:37 . 2008-04-06 17:49 <DIR> d-------- C:\SDFix
2008-04-06 15:35 . 2008-04-06 15:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\SYSTEM32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\SYSTEM32\QuickTime.qts
2008-03-24 02:23 . 2008-03-24 02:23 2,261,737 -rahs---- C:\MaxSecurePattern.DB
2008-03-24 02:10 . 2008-03-24 02:29 12,057,971 -rahs---- C:\MaxSecureSig.DB

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 15:21 --------- d-----w C:\Program Files\iTunes
2008-04-13 15:21 --------- d-----w C:\Program Files\iPod
2008-04-13 15:18 --------- d-----w C:\Program Files\QuickTime
2008-04-12 23:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-10 06:35 --------- d-----w C:\Program Files\BitZipper
2008-03-20 06:34 --------- d-----w C:\Documents and Settings\Spencer Somerville\Application Data\BitZipper
2008-02-25 05:39 --------- d-----w C:\Program Files\FirstClass
2008-02-19 08:17 --------- d-----w C:\Program Files\McAfee
2008-02-19 05:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-19 05:12 --------- d-----w C:\Program Files\Microsoft Games
.

((((((((((((((((((((((((((((( snapshot@2008-04-06_20.56.22.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-13 15:22:03 102,400 ----a-r C:\WINDOWS\Installer\{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}\iTunesIco.exe
+ 2008-04-13 15:23:58 307,200 ----a-r C:\WINDOWS\Installer\{F0E8F94D-6E68-4B35-92DF-3AA6DC6A6768}\SafariIco.exe
- 2008-04-01 06:21:22 6,378 ----a-w C:\WINDOWS\mozver.dat
+ 2008-04-10 06:10:44 6,378 ----a-w C:\WINDOWS\mozver.dat
- 2008-04-07 00:53:45 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2008-04-13 16:48:17 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2008-04-07 00:53:45 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2008-04-13 16:48:17 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2008-04-13 16:48:17 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-09-19 21:44:04 15,664 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys
+ 2008-01-29 18:01:28 16,168 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys
- 2006-10-04 01:47:52 109,360 ----a-w C:\WINDOWS\SYSTEM32\GEARAspi.dll
+ 2008-01-29 18:02:30 107,368 ----a-w C:\WINDOWS\SYSTEM32\GEARAspi.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35 67112]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 20:05 323584]
"D-Link RangeBooster G WDA-2320"="C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe" [2005-12-15 12:21 2490368]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-03-30 09:42 36904]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-06-03 13:52:30 124912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)
"Btn_Search"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]
C:\Program Files\SpywareDetector\SDNotify.dll 2007-05-21 20:13 172032 C:\Program Files\SpywareDetector\SDNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= L3CODECA.ACM

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DING!.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DING!.lnk
backup=C:\WINDOWS\pss\DING!.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Spencer Somerville^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\Spencer Somerville\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 15:35 67112 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2007-08-04 02:33 582992 C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2003-08-26 19:47 204800 C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDAutoLiveupdate]
--a------ 2007-05-22 10:27 376832 C:\Program Files\SpywareDetector\LiveUpdateSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTraySD]
--a------ 2007-05-22 10:39 661208 C:\Program Files\SpywareDetector\SDSystemTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 01:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SDService"=2 (0x2)
"ose"=3 (0x3)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"dmadmin"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"ANIWZCSdService"=2 (0x2)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Java\\j2re1.4.2\\bin\\javaw.exe"=
"C:\\Program Files\\LimeWire\\LimeWire 4.2.6\\LimeWire.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-08-25 15:00]
S4 aa0n58e3y7t3;aa0n58e3y7t3;"C:\WINDOWS\system32\svshost.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{465aa7d6-005e-11db-ba3c-000d56c020f1}]
\Shell\Auto\command - F:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-08 03:30:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-15 07:26:02 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-04-01 07:00:31 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 12:13:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-04-13 12:18:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-13 18:18:34
ComboFix2.txt 2008-04-07 02:56:53
Pre-Run: 28,124,557,312 bytes free
Post-Run: 28,101,058,560 bytes free
.
2008-03-13 09:01:55 --- E O F ---

#15 gringo_pr

    Silver Member

  • Visiting Fellow
  • 423 posts

Posted 13 April 2008 - 12:08 PM

I would like to see the log from Malwarebytes and a new HijackThis log.

gringo
