[Resolved] Trojans, AdWare, Worm, IE went crazy...HELP
#1
Posted 29 April 2008 - 10:08 AM
Register to Remove
#2
Posted 03 May 2008 - 06:02 PM
My name is Gringo and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.
Please do not run any other tool untill instructed to do so!
Please reply to this thread, do not start another!
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.
Sorry about the delay in responding The forums have been very busy
If you still need help, Scan again with HijackThis, and copy/paste" a new log file into this thread.
:install hijackthis:
- Download HJTInstall.exe to your Desktop.
- Doubleclick HJTInstall.exe to install it.
- By default it will install to C:\Program Files\Trend Micro\HijackThis .
- Click on Install.
- It will create a HijackThis icon on the desktop.
- Once installed, it will launch Hijackthis.
- Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
- Copy/Paste the log to your next reply please.
Don't use the Analyse This button, its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
Also please make an uninstall list and post that as well
Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in your next reply.
Gringo
#3
Posted 04 May 2008 - 03:47 PM
OH MY GOSH....IT ACTUALLY WORKED!!!! SO, HERE YOU GO.
Now, I'm going to do the next step of "make an uninstall list using hijack this". So be on the look out for that too.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:24 PM, on 5/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Shutterfly\Studio\BIN\SFlyStudio.exe
C:\Program Files\Svconr\Svconr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
C:\Program Files\MostFun\Bin\MostFun.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sbc.yahoo.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dial
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {53378be3-f71c-1dfa-84a4-65c5b617ef19} - {91fe716b-5c56-4a48-afd1-c17f3eb87335} - C:\WINDOWS\system32\aypbmcjp.dll (file missing)
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\bak\mcupdate.exe
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\Avast4\ashWebSv.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [a0c41ad9] rundll32.exe "C:\WINDOWS\system32\bbbiksxo.dll",b
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [ShutterflyStudio] C:\Program Files\Shutterfly\Studio\BIN\SFlyStudio.exe /trayonly
O4 - HKCU\..\Run: [Svconr] C:\Program Files\Svconr\Svconr.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: 2WireSetup.lnk = C:\Program Files\2Wire\WebWorks.exe
O4 - Startup: Event Minder Reminders.lnk = C:\HALLMARK\EMREMIND.EXE
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O4 - Startup: iWin Desktop Alerts.lnk = C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
O4 - Startup: MostFun.lnk = C:\Program Files\MostFun\Bin\MostFun.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: iWin Desktop Alerts.lnk = C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to miniMEDIA Video Converter... - C:\Program Files\Tiger Electronics\miniMEDIA\AMVConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?da9fb24d82bf41f28a3bb81f4fd0ec6f
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?da9fb24d82bf41f28a3bb81f4fd0ec6f
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: Yahoo! Pyramids - http://download2.gam...ts/y/pyt1_x.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://C:\Program Files\Tropix\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase2895.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.co...GameManager.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
--
End of file - 12956 bytes
#4
Posted 04 May 2008 - 03:53 PM
#5
Posted 05 May 2008 - 08:04 AM
:run combofix:
Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: how-to-use-combofix
Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Note:Do not mouseclick combofix's window while it's running. That may cause it to stall
:information and logs:
In your next post I need the following
1.LOG FROM COMBOFIX
2.NEW HIJACKTHIS LOG
[/list]
Gringo
#6
Posted 07 May 2008 - 05:28 PM
ComboFix 08-05-01.3 - Owner 2008-05-07 9:33:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.144 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\IA
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\command.pif
C:\WINDOWS\system32\FhiiRXyb.ini
C:\WINDOWS\system32\FhiiRXyb.ini2
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NWSAPAGENT
-------\Service_NwSapAgent
((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
.
2008-05-05 16:58 . 2008-05-05 16:58 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Gamelab
2008-05-05 16:57 . 2008-05-05 16:58 <DIR> d-------- C:\Program Files\Jojo's Fashion Show
2008-05-05 16:31 . 2008-05-06 21:38 <DIR> d-------- C:\Program Files\SpongeBob SquarePants Diner Dash
2008-05-05 00:48 . 2008-05-05 00:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Zylom
2008-05-04 23:13 . 2008-05-04 23:13 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\iWin
2008-05-04 16:37 . 2008-05-04 16:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-04 10:19 . 2008-05-07 08:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-04 10:19 . 2008-05-04 10:19 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-30 17:38 . 2008-04-30 17:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-04-30 17:28 . 2008-04-30 17:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-30 17:28 . 2008-04-30 17:28 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-04-30 17:28 . 2008-04-30 17:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-30 16:39 . 2008-04-30 16:39 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-30 13:24 . 2008-04-30 13:31 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-30 10:51 . 2008-04-30 10:51 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\iWinArcade
2008-04-30 00:26 . 2008-04-30 00:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-04-30 00:09 . 2006-09-18 10:57 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-30 00:09 . 2006-09-18 11:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-04-30 00:09 . 2006-09-18 11:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-04-30 00:09 . 2006-09-18 11:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-04-30 00:09 . 2008-04-30 00:09 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-30 00:09 . 2008-05-07 09:33 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-29 17:16 . 2008-04-29 17:16 <DIR> d-------- C:\Program Files\Mystery P.I. - The Vegas Heist
2008-04-29 17:16 . 2008-04-29 17:16 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SpinTop
2008-04-28 18:01 . 2008-04-28 23:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-28 18:01 . 2008-04-28 18:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-28 18:01 . 2008-04-28 18:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-28 17:00 . 2008-04-28 17:00 <DIR> d-------- C:\Program Files\Svconr
2008-04-28 16:45 . 2008-04-28 16:45 109,738 --a------ C:\WINDOWS\BMa3f72945.xml
2008-04-27 00:30 . 2006-09-14 11:53 1,941,504 --a------ C:\WINDOWS\system32\Tropix.scr
2008-04-21 03:45 . 2008-04-21 03:45 <DIR> d-------- C:\Program Files\The Hidden Object Show
2008-04-20 02:20 . 2008-04-20 02:20 <DIR> d-------- C:\WINDOWS\Dream Day - First Home
2008-04-20 02:20 . 2008-04-20 02:21 <DIR> d-------- C:\Program Files\Dream Day - First Home
2008-04-19 02:15 . 2008-04-20 01:15 <DIR> d-------- C:\Program Files\Dream Day First Home
2008-04-19 02:04 . 2008-05-04 23:14 <DIR> d-------- C:\Program Files\Family Feud III - Dream Home
2008-04-10 00:13 . 2008-04-10 00:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Interama
2008-04-07 02:13 . 2008-04-07 02:13 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Pi Eye Games
2008-04-07 01:52 . 2008-04-07 01:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MostFun
2008-04-07 01:41 . 2008-04-09 23:48 <DIR> d-------- C:\Program Files\MostFun
2008-04-07 01:25 . 2008-05-06 21:49 <DIR> d-------- C:\Program Files\Brain Booster
2008-04-07 01:23 . 2008-04-07 01:23 <DIR> d-------- C:\Program Files\Circulate
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-07 07:14 --------- d-----w C:\Documents and Settings\Owner\Application Data\PlayFirst
2008-05-07 07:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-05-07 02:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-05 06:28 --------- d-----w C:\Program Files\Lx_cats
2008-05-04 05:59 --------- d-----w C:\Program Files\AOL Games
2008-05-01 05:41 --------- d-----w C:\Program Files\2Wire
2008-04-30 05:35 --------- d-----w C:\Documents and Settings\Owner\Application Data\Uniblue
2008-04-29 08:45 --------- d-----w C:\Program Files\GameHouse
2008-04-29 07:13 --------- d-----w C:\Documents and Settings\Owner\Application Data\Big Fish Games
2008-04-29 06:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Fugazo
2008-04-29 00:20 --------- d-----w C:\Program Files\BFG
2008-04-21 08:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Gogii
2008-04-21 02:30 --------- d-----w C:\Program Files\Tropix
2008-04-20 22:13 13,984 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-04-19 06:59 --------- d-----w C:\Program Files\bfgclient
2008-04-04 19:52 --------- d-----w C:\Program Files\iTunes
2008-04-04 19:43 --------- d-----w C:\Program Files\iPod
2008-04-04 19:41 --------- d-----w C:\Program Files\Bonjour
2008-04-04 19:40 --------- d-----w C:\Program Files\QuickTime
2008-04-04 18:52 --------- d-----w C:\Program Files\LimeWire
2008-04-02 19:21 --------- d-----w C:\Program Files\Games
2008-04-02 03:18 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ludia
2008-04-02 03:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ludia
2008-04-01 07:50 --------- d-----w C:\Documents and Settings\Owner\Application Data\Boomzap
2008-04-01 07:02 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-03-28 01:24 --------- d-----w C:\Program Files\CardRecovery
2008-03-26 18:52 --------- d-----w C:\Documents and Settings\Owner\Application Data\Leadertech
2008-03-26 18:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-26 17:36 --------- d-----w C:\Program Files\Digital Photo Recovery
2008-03-21 07:16 --------- d-----w C:\Documents and Settings\Owner\Application Data\Friday's games
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-12 15:10 0 ----a-w C:\Program Files\temp01
2008-03-12 15:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 09:32 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2006-12-19 00:21 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-11-11 23:06 1,727,833 ----a-w C:\Program Files\ChayceAndRoland.JPG
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 50,776 2005-06-23 16:24:12 C:\Program Files\America Online 9.0\bak\AOL.EXE
----a-w 125,528 2004-11-03 21:03:00 C:\Program Files\Common Files\AOL\1158597562\EE\bak\AOLHostManager.exe
----a-w 185,896 2007-07-02 14:54:17 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 58,488 2004-08-27 23:22:40 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 218,240 2004-08-06 00:23:14 C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe
----a-w 32,768 2004-11-03 03:24:46 C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe
----a-w 135,168 2004-11-15 22:04:32 C:\Program Files\Digital Media Reader\bak\shwiconem.exe
----a-w 68,856 2007-08-04 04:07:15 C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe
----a-w 267,064 2007-09-05 23:03:52 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,048 2008-03-30 15:36:40 C:\Program Files\iTunes\iTunesHelper.exe
----a-w 83,608 2007-03-14 08:43:44 C:\Program Files\Java\jre1.6.0_01\bin\bak\jusched.exe
----a-w 327,680 2006-01-06 20:14:20 C:\Program Files\McAfee\McAfee AntiSpyware\bak\masalert.exe
----a-w 303,104 2005-09-23 01:29:08 C:\Program Files\McAfee.com\Agent\bak\mcagent.exe
----a-w 212,992 2006-01-11 19:05:42 C:\Program Files\McAfee.com\Agent\bak\McUpdate.exe
----a-w 277,296 2006-10-13 23:01:18 C:\Program Files\Microsoft LifeCam\bak\LifeExp.exe
----a-w 132,248 2004-08-17 22:36:18 C:\Program Files\Norton Internet Security\bak\cfgwiz.exe
----a-w 33,936 2004-08-31 02:29:36 C:\Program Files\Norton Internet Security\bak\UrlLstCk.exe
----a-w 286,720 2007-06-29 11:24:52 C:\Program Files\QuickTime\bak\QTTask.exe
----a-w 413,696 2008-03-29 04:37:20 C:\Program Files\QuickTime\QTTask.exe
----a-w 1,028,096 2003-07-14 19:55:01 C:\Program Files\SBC Yahoo!\Connection Manager\bak\ConnectionManager.exe
----a-w 81,920 2006-05-08 10:17:56 C:\Program Files\Sony\SonicStage\bak\SsAAD.exe
----a-w 57,344 2003-07-11 21:51:16 C:\Program Files\Yahoo!\browser\bak\ybrwicon.exe
----a-w 224,248 2007-06-08 14:59:38 C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe
----a-w 707,376 2006-10-13 23:04:06 C:\WINDOWS\bak\vVX3000.exe
----a-w 118,784 2004-08-20 22:51:14 C:\WINDOWS\system32\bak\hkcmd.exe
----a-w 155,648 2004-08-20 22:55:14 C:\WINDOWS\system32\bak\igfxtray.exe
----a-w 155,648 2001-07-09 18:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91fe716b-5c56-4a48-afd1-c17f3eb87335}]
C:\WINDOWS\system32\aypbmcjp.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShutterflyStudio"="C:\Program Files\Shutterfly\Studio\BIN\SFlyStudio.exe" [2007-03-06 13:05 2496512]
"Svconr"="C:\Program Files\Svconr\Svconr.exe" [2008-04-28 17:00 57344]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 19:42 79448]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\bak\mcupdate.exe" [2006-01-11 14:05 212992]
"LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 14:47 73728]
"avast! Web Scanner"="C:\PROGRA~1\ALWILS~1\Avast4\ashWebSv.exe" [ ]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"a0c41ad9"="C:\WINDOWS\system32\bbbiksxo.dll" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"avast!"="C:\Program Files\Alwil Software\Avast4\ashServ.exe" [ ]
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
2WireSetup.lnk - C:\Program Files\2Wire\WebWorks.exe [2008-05-01 00:40:53 622592]
Event Minder Reminders.lnk - C:\HALLMARK\EMREMIND.EXE [2007-07-09 16:39:42 6240]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Install Pending Files.LNK - C:\Program Files\SIFXINST\SIFXINST.EXE [2006-09-18 11:35:37 729088]
iWin Desktop Alerts.lnk - C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe [2008-01-28 19:51:51 107520]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\1158597562\\EE\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MostFun\\Bin\\MostFun.exe"=
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2006-10-13 18:01]
R3 2WIREPCP;2Wire USB;C:\WINDOWS\system32\DRIVERS\2WirePCP.sys [2005-05-12 11:26]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 01:01]
.
Contents of the 'Scheduled Tasks' folder
"2008-04-30 16:44:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-07 14:29:03 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-04-29 13:43:41 C:\WINDOWS\Tasks\McAfee AntiSpyware.job"
- c:\progra~1\mcafee\MCAFEE~1\MASCon.exe
"2008-05-05 23:28:16 C:\WINDOWS\Tasks\ParetoLogic Registration.job"
- C:\WINDOWS\system32\rundll32.exe@
"2006-09-18 16:26:07 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-03-22 13:24:00 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- C:\PROGRA~1\Uniblue\SPYERA~1\SpyEraser.exe
"2007-10-14 06:03:04 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\PROGRA~1\Uniblue\SPYERA~1\SpyEraser.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 09:43:50
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\McAfee AntiSpyware\MASSrv.exe
C:\Program Files\McAfee.com\Agent\Mcdetect.exe
C:\PROGRA~1\McAfee.com\Agent\McTskshd.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MostFun\Bin\MostFun.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-05-07 9:58:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-07 14:58:29
Pre-Run: 65,679,998,976 bytes free
Post-Run: 68,223,328,256 bytes free
260 --- E O F --- 2008-04-09 08:16:23
#7
Posted 07 May 2008 - 05:37 PM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:29:28 PM, on 5/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Shutterfly\Studio\BIN\SFlyStudio.exe
C:\Program Files\Svconr\Svconr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
C:\Program Files\MostFun\Bin\MostFun.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sbc.yahoo.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {53378be3-f71c-1dfa-84a4-65c5b617ef19} - {91fe716b-5c56-4a48-afd1-c17f3eb87335} - C:\WINDOWS\system32\aypbmcjp.dll (file missing)
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\bak\mcupdate.exe
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\Avast4\ashWebSv.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [a0c41ad9] rundll32.exe "C:\WINDOWS\system32\bbbiksxo.dll",b
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [ShutterflyStudio] C:\Program Files\Shutterfly\Studio\BIN\SFlyStudio.exe /trayonly
O4 - HKCU\..\Run: [Svconr] C:\Program Files\Svconr\Svconr.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: 2WireSetup.lnk = C:\Program Files\2Wire\WebWorks.exe
O4 - Startup: Event Minder Reminders.lnk = C:\HALLMARK\EMREMIND.EXE
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O4 - Startup: iWin Desktop Alerts.lnk = C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
O4 - Startup: MostFun.lnk = C:\Program Files\MostFun\Bin\MostFun.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: iWin Desktop Alerts.lnk = C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to miniMEDIA Video Converter... - C:\Program Files\Tiger Electronics\miniMEDIA\AMVConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?da9fb24d82bf41f28a3bb81f4fd0ec6f
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?da9fb24d82bf41f28a3bb81f4fd0ec6f
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: Yahoo! Pyramids - http://download2.gam...ts/y/pyt1_x.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://C:\Program Files\Tropix\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase2895.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.co...GameManager.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
--
End of file - 13049 bytes
#8
Posted 08 May 2008 - 08:59 AM
you are doing good
now lets keep going
:Run CFScript:
Open Notepad and copy/paste the text in the box into the window:
KILLALL:: Folder:: C:\Program Files\Svconr Registry:: [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91fe716b-5c56-4a48-afd1-c17f3eb87335}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Svconr"=- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "a0c41ad9"=- AWF:: C:\Program Files\America Online 9.0\bak\AOL.EXE C:\Program Files\Common Files\AOL\1158597562\EE\bak\AOLHostManager.exe C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe C:\Program Files\Digital Media Reader\bak\shwiconem.exe C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe C:\Program Files\iTunes\bak\iTunesHelper.exe C:\Program Files\Java\jre1.6.0_01\bin\bak\jusched.exe C:\Program Files\McAfee\McAfee AntiSpyware\bak\masalert.exe C:\Program Files\McAfee.com\Agent\bak\mcagent.exe C:\Program Files\McAfee.com\Agent\bak\McUpdate.exe C:\Program Files\Microsoft LifeCam\bak\LifeExp.exe C:\Program Files\Norton Internet Security\bak\cfgwiz.exe C:\Program Files\Norton Internet Security\bak\UrlLstCk.exe C:\Program Files\QuickTime\bak\QTTask.exe C:\Program Files\SBC Yahoo!\Connection Manager\bak\ConnectionManager.exe C:\Program Files\Sony\SonicStage\bak\SsAAD.exe C:\Program Files\Yahoo!\browser\bak\ybrwicon.exe C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe C:\WINDOWS\bak\vVX3000.exe C:\WINDOWS\system32\bak\hkcmd.exe C:\WINDOWS\system32\bak\igfxtray.exe C:\WINDOWS\system32\bak\NeroCheck.exe
Save it to your desktop as CFScript.txt
Refering to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
:information and logs:
In your next post I need the following
1.the new log from combofix
[/list]
Gringo
#9
Posted 09 May 2008 - 07:51 AM
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.200 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Svconr
C:\Program Files\Svconr\Svconr.exe
.
((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.
2008-05-05 16:58 . 2008-05-05 16:58 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Gamelab
2008-05-05 16:57 . 2008-05-05 16:58 <DIR> d-------- C:\Program Files\Jojo's Fashion Show
2008-05-05 16:31 . 2008-05-06 21:38 <DIR> d-------- C:\Program Files\SpongeBob SquarePants Diner Dash
2008-05-05 00:48 . 2008-05-05 00:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Zylom
2008-05-04 23:13 . 2008-05-04 23:13 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\iWin
2008-05-04 16:37 . 2008-05-04 16:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-04 10:19 . 2008-05-09 02:12 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-04 10:19 . 2008-05-04 10:19 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-30 17:38 . 2008-04-30 17:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-04-30 17:28 . 2008-04-30 17:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-30 17:28 . 2008-04-30 17:28 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-04-30 17:28 . 2008-04-30 17:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-30 16:39 . 2008-04-30 16:39 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-30 13:24 . 2008-04-30 13:31 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-30 10:51 . 2008-04-30 10:51 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\iWinArcade
2008-04-30 00:26 . 2008-04-30 00:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-04-30 00:09 . 2006-09-18 10:57 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-30 00:09 . 2006-09-18 11:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-04-30 00:09 . 2006-09-18 11:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-04-30 00:09 . 2006-09-18 11:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-04-30 00:09 . 2008-04-30 00:09 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-30 00:09 . 2008-05-08 20:55 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-29 17:16 . 2008-04-29 17:16 <DIR> d-------- C:\Program Files\Mystery P.I. - The Vegas Heist
2008-04-29 17:16 . 2008-04-29 17:16 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SpinTop
2008-04-28 18:01 . 2008-04-28 23:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-28 18:01 . 2008-04-28 18:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-28 18:01 . 2008-04-28 18:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-28 16:45 . 2008-04-28 16:45 109,738 --a------ C:\WINDOWS\BMa3f72945.xml
2008-04-27 00:30 . 2006-09-14 11:53 1,941,504 --a------ C:\WINDOWS\system32\Tropix.scr
2008-04-21 03:45 . 2008-04-21 03:45 <DIR> d-------- C:\Program Files\The Hidden Object Show
2008-04-20 02:20 . 2008-04-20 02:20 <DIR> d-------- C:\WINDOWS\Dream Day - First Home
2008-04-20 02:20 . 2008-04-20 02:21 <DIR> d-------- C:\Program Files\Dream Day - First Home
2008-04-19 02:15 . 2008-04-20 01:15 <DIR> d-------- C:\Program Files\Dream Day First Home
2008-04-19 02:04 . 2008-05-04 23:14 <DIR> d-------- C:\Program Files\Family Feud III - Dream Home
2008-04-10 00:13 . 2008-04-10 00:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Interama
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-09 07:37 --------- d-----w C:\Program Files\QuickTime
2008-05-09 07:37 --------- d-----w C:\Program Files\Norton Internet Security
2008-05-09 07:37 --------- d-----w C:\Program Files\Microsoft LifeCam
2008-05-09 07:37 --------- d-----w C:\Program Files\iTunes
2008-05-09 07:37 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-09 07:30 --------- d-----w C:\Program Files\Digital Media Reader
2008-05-09 07:30 --------- d-----w C:\Program Files\America Online 9.0
2008-05-07 07:14 --------- d-----w C:\Documents and Settings\Owner\Application Data\PlayFirst
2008-05-07 07:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-05-07 02:49 --------- d-----w C:\Program Files\Brain Booster
2008-05-07 02:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-05 06:28 --------- d-----w C:\Program Files\Lx_cats
2008-05-04 05:59 --------- d-----w C:\Program Files\AOL Games
2008-05-01 05:41 --------- d-----w C:\Program Files\2Wire
2008-04-30 05:35 --------- d-----w C:\Documents and Settings\Owner\Application Data\Uniblue
2008-04-29 08:45 --------- d-----w C:\Program Files\GameHouse
2008-04-29 07:13 --------- d-----w C:\Documents and Settings\Owner\Application Data\Big Fish Games
2008-04-29 06:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Fugazo
2008-04-29 00:20 --------- d-----w C:\Program Files\BFG
2008-04-21 08:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Gogii
2008-04-21 02:30 --------- d-----w C:\Program Files\Tropix
2008-04-20 22:13 13,984 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-04-19 06:59 --------- d-----w C:\Program Files\bfgclient
2008-04-10 04:48 --------- d-----w C:\Program Files\MostFun
2008-04-07 07:13 --------- d-----w C:\Documents and Settings\Owner\Application Data\Pi Eye Games
2008-04-07 06:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\MostFun
2008-04-07 06:23 --------- d-----w C:\Program Files\Circulate
2008-04-04 19:43 --------- d-----w C:\Program Files\iPod
2008-04-04 19:41 --------- d-----w C:\Program Files\Bonjour
2008-04-04 18:52 --------- d-----w C:\Program Files\LimeWire
2008-04-02 19:21 --------- d-----w C:\Program Files\Games
2008-04-02 03:18 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ludia
2008-04-02 03:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ludia
2008-04-01 07:50 --------- d-----w C:\Documents and Settings\Owner\Application Data\Boomzap
2008-04-01 07:02 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-03-28 01:24 --------- d-----w C:\Program Files\CardRecovery
2008-03-26 18:52 --------- d-----w C:\Documents and Settings\Owner\Application Data\Leadertech
2008-03-26 18:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-26 17:36 --------- d-----w C:\Program Files\Digital Photo Recovery
2008-03-21 07:16 --------- d-----w C:\Documents and Settings\Owner\Application Data\Friday's games
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-12 15:10 0 ----a-w C:\Program Files\temp01
2008-03-12 15:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 09:32 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2006-12-19 00:21 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-11-11 23:06 1,727,833 ----a-w C:\Program Files\ChayceAndRoland.JPG
.
((((((((((((((((((((((((((((( snapshot@2008-05-07_ 9.56.10.31 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-07 14:43:19 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-09 07:37:05 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-09 07:16:03 24,576 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\neodesk\e42ab0fd\2e9ffd2\d18gdbnx.dll
+ 2008-05-09 07:16:01 4,096 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\neodesk\e42ab0fd\2e9ffd2\dhn1ybjc.dll
+ 2008-05-09 07:15:57 3,072 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\neodesk\e42ab0fd\2e9ffd2\grj2-eym.dll
+ 2004-08-20 22:51:14 118,784 ----a-w C:\WINDOWS\system32\hkcmd.exe
+ 2004-08-20 22:55:14 155,648 ----a-w C:\WINDOWS\system32\igfxtray.exe
+ 2001-07-09 18:50:42 155,648 ----a-w C:\WINDOWS\system32\NeroCheck.exe
+ 2006-10-13 23:04:06 707,376 ----a-w C:\WINDOWS\vVX3000.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShutterflyStudio"="C:\Program Files\Shutterfly\Studio\BIN\SFlyStudio.exe" [2007-03-06 13:05 2496512]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 19:42 79448]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 14:05 212992]
"LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 14:47 73728]
"avast! Web Scanner"="C:\PROGRA~1\ALWILS~1\Avast4\ashWebSv.exe" [ ]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-05 18:03 267064]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"avast!"="C:\Program Files\Alwil Software\Avast4\ashServ.exe" [ ]
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
2WireSetup.lnk - C:\Program Files\2Wire\WebWorks.exe [2008-05-01 00:40:53 622592]
Event Minder Reminders.lnk - C:\HALLMARK\EMREMIND.EXE [2007-07-09 16:39:42 6240]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Install Pending Files.LNK - C:\Program Files\SIFXINST\SIFXINST.EXE [2006-09-18 11:35:37 729088]
iWin Desktop Alerts.lnk - C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe [2008-01-28 19:51:51 107520]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\1158597562\\EE\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MostFun\\Bin\\MostFun.exe"=
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2006-10-13 18:01]
R3 2WIREPCP;2Wire USB;C:\WINDOWS\system32\DRIVERS\2WirePCP.sys [2005-05-12 11:26]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 01:01]
.
Contents of the 'Scheduled Tasks' folder
"2008-05-07 16:44:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-09 07:29:04 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-04-29 13:43:41 C:\WINDOWS\Tasks\McAfee AntiSpyware.job"
- c:\progra~1\mcafee\MCAFEE~1\MASCon.exe
"2008-05-08 23:00:04 C:\WINDOWS\Tasks\ParetoLogic Registration.job"
- C:\WINDOWS\system32\rundll32.exe@
"2006-09-18 16:26:07 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-03-22 13:24:00 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- C:\PROGRA~1\Uniblue\SPYERA~1\SpyEraser.exe
"2007-10-14 06:03:04 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\PROGRA~1\Uniblue\SPYERA~1\SpyEraser.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 02:37:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\McAfee AntiSpyware\MASSrv.exe
C:\Program Files\McAfee.com\Agent\Mcdetect.exe
C:\PROGRA~1\McAfee.com\Agent\McTskshd.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\MostFun\Bin\MostFun.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2008-05-09 2:52:06 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-05-09 07:51:47
ComboFix2.txt 2008-05-07 14:58:54
Pre-Run: 69,124,771,840 bytes free
Post-Run: 69,113,585,664 bytes free
231 --- E O F --- 2008-04-09 08:16:23
#10
Posted 09 May 2008 - 04:45 PM
you are doing very good
: Recovery Console :
we need to install the Recovery Console on this computer
this is very important it could save you later
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System
the one for you is Windows XP Service Pack 2 (SP2)
Download the file & save it as it's originally named, next to ComboFix.exe.
Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.
:Clean temp files:
Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.Double-click ATF Cleaner.exe to open it.
Under Main choose: Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
if you use Firefox: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
if you use Opera: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program
[/list]
: Malwarebytes' Anti-Malware :
- Please download Malwarebytes' Anti-Malware to your desktop.
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to
- Update Malwarebytes' Anti-Malware
- and Launch Malwarebytes' Anti-Malware
- then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform full scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When completed, a log will open in Notepad. please copy and paste the log into your next reply
- If you accidently close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
:Run Kaspersky Online AV Scanner:
- Order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.
- Read the Requirements and limitations before you click Accept.
- Allow the ActiveX download if necessary.
- Once the database has downloaded, click Next.
- Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
- Click on "My Computer"
- When the scan has completed, click Save Report As...
- Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
- Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
:information and logs:
In your next post I need the following
1.log from combofix (it will be short)
2.log from MBAM
3.log from kaspersky
4.let me know how the computer is doing now
[/list]
Gringo
Register to Remove
#11
Posted 11 May 2008 - 10:02 PM
ComboFix 08-05-01.3 - Owner 2008-05-11 22:48:17.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.112 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.
2008-05-05 16:58 . 2008-05-05 16:58 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Gamelab
2008-05-05 16:57 . 2008-05-05 16:58 <DIR> d-------- C:\Program Files\Jojo's Fashion Show
2008-05-05 16:31 . 2008-05-06 21:38 <DIR> d-------- C:\Program Files\SpongeBob SquarePants Diner Dash
2008-05-05 00:48 . 2008-05-05 00:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Zylom
2008-05-04 23:13 . 2008-05-04 23:13 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\iWin
2008-05-04 16:37 . 2008-05-04 16:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-04 10:19 . 2008-05-11 13:39 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-04 10:19 . 2008-05-04 10:19 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-30 17:38 . 2008-04-30 17:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-04-30 17:28 . 2008-04-30 17:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-30 17:28 . 2008-04-30 17:28 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-04-30 17:28 . 2008-04-30 17:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-30 16:39 . 2008-04-30 16:39 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-30 13:24 . 2008-04-30 13:31 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-30 10:51 . 2008-04-30 10:51 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\iWinArcade
2008-04-30 00:26 . 2008-04-30 00:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-04-30 00:09 . 2006-09-18 10:57 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-30 00:09 . 2006-09-18 11:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-04-30 00:09 . 2006-09-18 11:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-04-30 00:09 . 2006-09-18 11:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-04-30 00:09 . 2008-04-30 00:09 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-30 00:09 . 2008-05-11 22:12 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-29 17:16 . 2008-04-29 17:16 <DIR> d-------- C:\Program Files\Mystery P.I. - The Vegas Heist
2008-04-29 17:16 . 2008-04-29 17:16 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SpinTop
2008-04-28 18:01 . 2008-04-28 23:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-28 18:01 . 2008-04-28 18:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-28 18:01 . 2008-04-28 18:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-28 16:45 . 2008-04-28 16:45 109,738 --a------ C:\WINDOWS\BMa3f72945.xml
2008-04-27 00:30 . 2006-09-14 11:53 1,941,504 --a------ C:\WINDOWS\system32\Tropix.scr
2008-04-21 03:45 . 2008-04-21 03:45 <DIR> d-------- C:\Program Files\The Hidden Object Show
2008-04-20 02:20 . 2008-04-20 02:20 <DIR> d-------- C:\WINDOWS\Dream Day - First Home
2008-04-20 02:20 . 2008-04-20 02:21 <DIR> d-------- C:\Program Files\Dream Day - First Home
2008-04-19 02:15 . 2008-04-20 01:15 <DIR> d-------- C:\Program Files\Dream Day First Home
2008-04-19 02:04 . 2008-05-04 23:14 <DIR> d-------- C:\Program Files\Family Feud III - Dream Home
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-12 03:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-05-09 07:37 --------- d-----w C:\Program Files\QuickTime
2008-05-09 07:37 --------- d-----w C:\Program Files\Norton Internet Security
2008-05-09 07:37 --------- d-----w C:\Program Files\Microsoft LifeCam
2008-05-09 07:37 --------- d-----w C:\Program Files\iTunes
2008-05-09 07:37 --------- d-----w C:\Program Files\Digital Media Reader
2008-05-09 07:37 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-09 07:37 --------- d-----w C:\Program Files\America Online 9.0
2008-05-07 07:14 --------- d-----w C:\Documents and Settings\Owner\Application Data\PlayFirst
2008-05-07 07:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-05-07 02:49 --------- d-----w C:\Program Files\Brain Booster
2008-05-07 02:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-05 06:28 --------- d-----w C:\Program Files\Lx_cats
2008-05-04 05:59 --------- d-----w C:\Program Files\AOL Games
2008-05-01 05:41 --------- d-----w C:\Program Files\2Wire
2008-04-30 05:35 --------- d-----w C:\Documents and Settings\Owner\Application Data\Uniblue
2008-04-29 08:45 --------- d-----w C:\Program Files\GameHouse
2008-04-29 07:13 --------- d-----w C:\Documents and Settings\Owner\Application Data\Big Fish Games
2008-04-29 06:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Fugazo
2008-04-29 00:20 --------- d-----w C:\Program Files\BFG
2008-04-21 08:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Gogii
2008-04-21 02:30 --------- d-----w C:\Program Files\Tropix
2008-04-20 22:13 13,984 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-04-19 06:59 --------- d-----w C:\Program Files\bfgclient
2008-04-10 05:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Interama
2008-04-10 04:48 --------- d-----w C:\Program Files\MostFun
2008-04-07 07:13 --------- d-----w C:\Documents and Settings\Owner\Application Data\Pi Eye Games
2008-04-07 06:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\MostFun
2008-04-07 06:23 --------- d-----w C:\Program Files\Circulate
2008-04-04 19:43 --------- d-----w C:\Program Files\iPod
2008-04-04 19:41 --------- d-----w C:\Program Files\Bonjour
2008-04-04 18:52 --------- d-----w C:\Program Files\LimeWire
2008-04-02 19:21 --------- d-----w C:\Program Files\Games
2008-04-02 03:18 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ludia
2008-04-02 03:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ludia
2008-04-01 07:50 --------- d-----w C:\Documents and Settings\Owner\Application Data\Boomzap
2008-04-01 07:02 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-03-28 01:24 --------- d-----w C:\Program Files\CardRecovery
2008-03-26 18:52 --------- d-----w C:\Documents and Settings\Owner\Application Data\Leadertech
2008-03-26 18:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-26 17:36 --------- d-----w C:\Program Files\Digital Photo Recovery
2008-03-21 07:16 --------- d-----w C:\Documents and Settings\Owner\Application Data\Friday's games
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-12 15:10 0 ----a-w C:\Program Files\temp01
2008-03-12 15:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 09:32 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2006-12-19 00:21 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-11-11 23:06 1,727,833 ----a-w C:\Program Files\ChayceAndRoland.JPG
.
((((((((((((((((((((((((((((( snapshot@2008-05-07_ 9.56.10.31 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-07 14:43:19 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-12 03:39:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-12 03:42:59 3,072 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\neodesk\e42ab0fd\2e9ffd2\gbwmwqro.dll
+ 2008-05-12 03:43:06 24,576 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\neodesk\e42ab0fd\2e9ffd2\m8h6qhod.dll
+ 2008-05-12 03:43:03 4,096 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\neodesk\e42ab0fd\2e9ffd2\qssflf6k.dll
+ 2008-05-11 19:33:03 126,976 ------w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\neoedge.services.agent.webservices\526c3ea7\436a57b2\assembly\tmp\JQW28EKQ\NeoEdge.Services.Agent.dll
+ 2004-08-20 22:51:14 118,784 ----a-w C:\WINDOWS\system32\hkcmd.exe
+ 2004-08-20 22:55:14 155,648 ----a-w C:\WINDOWS\system32\igfxtray.exe
+ 2001-07-09 18:50:42 155,648 ----a-w C:\WINDOWS\system32\NeroCheck.exe
+ 2006-10-13 23:04:06 707,376 ----a-w C:\WINDOWS\vVX3000.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShutterflyStudio"="C:\Program Files\Shutterfly\Studio\BIN\SFlyStudio.exe" [2007-03-06 13:05 2496512]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 19:42 79448]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 14:05 212992]
"LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 14:47 73728]
"avast! Web Scanner"="C:\PROGRA~1\ALWILS~1\Avast4\ashWebSv.exe" [ ]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-05 18:03 267064]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"avast!"="C:\Program Files\Alwil Software\Avast4\ashServ.exe" [ ]
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
2WireSetup.lnk - C:\Program Files\2Wire\WebWorks.exe [2008-05-01 00:40:53 622592]
Event Minder Reminders.lnk - C:\HALLMARK\EMREMIND.EXE [2007-07-09 16:39:42 6240]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Install Pending Files.LNK - C:\Program Files\SIFXINST\SIFXINST.EXE [2006-09-18 11:35:37 729088]
iWin Desktop Alerts.lnk - C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe [2008-01-28 19:51:51 107520]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\1158597562\\EE\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MostFun\\Bin\\MostFun.exe"=
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2006-10-13 18:01]
R3 2WIREPCP;2Wire USB;C:\WINDOWS\system32\DRIVERS\2WirePCP.sys [2005-05-12 11:26]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 01:01]
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-07 16:44:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-12 03:29:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-04-29 13:43:41 C:\WINDOWS\Tasks\McAfee AntiSpyware.job"
- c:\progra~1\mcafee\MCAFEE~1\MASCon.exe
"2008-05-12 02:30:56 C:\WINDOWS\Tasks\ParetoLogic Registration.job"
- C:\WINDOWS\system32\rundll32.exe@
"2006-09-18 16:26:07 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-03-22 13:24:00 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- C:\PROGRA~1\Uniblue\SPYERA~1\SpyEraser.exe
"2007-10-14 06:03:04 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\PROGRA~1\Uniblue\SPYERA~1\SpyEraser.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-11 22:52:02
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-05-11 22:57:15
ComboFix-quarantined-files.txt 2008-05-12 03:56:29
ComboFix2.txt 2008-05-09 07:52:08
ComboFix3.txt 2008-05-07 14:58:54
Pre-Run: 68,905,361,408 bytes free
Post-Run: 68,943,060,992 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
214 --- E O F --- 2008-04-09 08:16:23
#12
Posted 12 May 2008 - 11:36 AM
#13
Posted 12 May 2008 - 11:19 PM
#14
Posted 13 May 2008 - 06:28 AM
#15
Posted 13 May 2008 - 06:33 AM
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users