[Resolved] WinSpywareProtect has taken over my computer


  • This topic is locked
55 replies to this topic

#16 Eldize

Authentic Member, 55 posts

Posted 20 June 2008 - 01:43 PM

Here are the USS.exe scan, KDDNA scan, Combo Fix log, and HJT log

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1

File to upload & scan:
Service
Service load: 0% 100%

File: USS.exe
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 321347308212bc82eeb9191d1850c860
Packers detected: -

Scanner results
Scan taken on 20 Jun 2008 19:35:28 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


I tried to scan the kddna.exe again and this is what came up:
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file


ComboFix 08-06-19.4 - New Account 2008-06-20 15:02:01.2 - FAT32x86
Running from: C:\Documents and Settings\New Account\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\New Account\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\kddna.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\carol\Local Settings\Temporary Internet Files\temp.dmf
C:\Documents and Settings\New Account\err.log

.
((((((((((((((((((((((((( Files Created from 2008-05-20 to 2008-06-20 )))))))))))))))))))))))))))))))
.

2100-02-24 13:35 . 2000-06-08 18:00 3,144 --a------ C:\WINDOWS\SYSTEM32\dllcache\srgb.icm
2008-06-20 14:08 . 2008-06-20 14:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-20 14:08 . 2008-06-20 14:08 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-18 07:06 . 2008-06-18 07:06 <DIR> d-------- C:\Program Files\Alwil Software
2008-06-17 13:18 . 2008-06-17 13:18 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-17 10:36 . 2008-06-17 10:36 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\Avg
2008-06-17 10:36 . 2008-06-17 10:36 <DIR> d-------- C:\Program Files\AVG
2008-06-17 10:36 . 2008-06-17 10:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-17 10:36 . 2008-06-17 10:36 96,520 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgldx86.sys
2008-06-17 10:36 . 2008-06-17 10:36 75,272 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgtdix.sys
2008-06-17 10:36 . 2008-06-17 10:36 10,520 --a------ C:\WINDOWS\SYSTEM32\avgrsstx.dll
2008-06-17 09:18 . 2008-06-17 09:38 3,528 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-06-17 09:17 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-06-17 09:17 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-06-17 09:17 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-06-17 09:17 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-06-17 09:17 . 2008-06-15 15:28 81,920 --a------ C:\WINDOWS\SYSTEM32\IEDFix.C.exe
2008-06-17 09:17 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\SYSTEM32\404Fix.exe
2008-06-17 09:17 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-06-17 09:17 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-06-17 09:17 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-06-17 08:48 . 2008-06-17 08:48 <DIR> d-------- C:\Documents and Settings\New Account\Application Data\Malwarebytes
2008-06-17 08:46 . 2008-06-17 08:46 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-17 08:46 . 2008-06-17 08:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-17 08:46 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-06-17 08:46 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-06-17 08:37 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\SYSTEM32\dllcache\bthport.sys
2008-06-17 08:14 . 2008-06-17 08:14 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-17 08:00 . 2008-06-16 03:15 <DIR> d-------- C:\SDFix
2008-06-14 16:33 . 2008-06-14 16:33 <DIR> d-------- C:\Program Files\Viewpoint
2008-06-14 13:50 . 2008-06-14 13:50 <DIR> d-------- C:\Documents and Settings\New Account\Application Data\SUPERAntiSpyware.com
2008-06-14 13:49 . 2008-06-14 13:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-05 15:56 . 2008-06-05 15:56 <DIR> d-------- C:\Program Files\USS
2008-06-05 15:53 . 2001-03-08 19:30 24,064 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2008-06-05 15:53 . 2004-10-07 14:39 8,704 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2008-06-05 15:40 . 2004-10-07 14:39 89,088 --a------ C:\WINDOWS\SYSTEM32\atl71.dll
2008-06-03 21:45 . 2008-06-03 21:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2100-04-08 15:45 69,632 ----a-w C:\WINDOWS\SYSTEM32\Lxasmdm.dll
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\SYSTEM32\dllcache\rmcast.sys
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2008-04-21 07:04 659,456 ------w C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
2008-04-21 07:04 615,936 ------w C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
2008-04-21 07:04 532,480 ------w C:\WINDOWS\SYSTEM32\dllcache\mstime.dll
2008-04-21 07:04 474,112 ------w C:\WINDOWS\SYSTEM32\dllcache\shlwapi.dll
2008-04-21 07:04 449,024 ------w C:\WINDOWS\SYSTEM32\dllcache\mshtmled.dll
2008-04-21 07:04 39,424 ------w C:\WINDOWS\SYSTEM32\dllcache\pngfilt.dll
2008-04-21 07:04 3,059,712 ------w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2008-04-21 07:04 146,432 ------w C:\WINDOWS\SYSTEM32\dllcache\msrating.dll
2008-04-21 07:04 1,494,528 ------w C:\WINDOWS\SYSTEM32\dllcache\shdocvw.dll
2008-04-21 07:03 96,256 ------w C:\WINDOWS\SYSTEM32\dllcache\inseng.dll
2008-04-21 07:03 55,808 ------w C:\WINDOWS\SYSTEM32\dllcache\extmgr.dll
2008-04-21 07:03 357,888 ------w C:\WINDOWS\SYSTEM32\dllcache\dxtmsft.dll
2008-04-21 07:03 251,392 ------w C:\WINDOWS\SYSTEM32\dllcache\iepeers.dll
2008-04-21 07:03 205,312 ------w C:\WINDOWS\SYSTEM32\dllcache\dxtrans.dll
2008-04-21 07:03 16,384 ------w C:\WINDOWS\SYSTEM32\dllcache\jsproxy.dll
2008-04-21 07:03 151,040 ------w C:\WINDOWS\SYSTEM32\dllcache\cdfview.dll
2008-04-21 07:03 1,054,208 ------w C:\WINDOWS\SYSTEM32\dllcache\danim.dll
2008-04-21 07:03 1,023,488 ------w C:\WINDOWS\SYSTEM32\dllcache\browseui.dll
2008-04-17 10:52 18,432 ------w C:\WINDOWS\SYSTEM32\dllcache\iedw.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\SYSTEM32\dllcache\msjint40.dll
2007-08-30 11:01 488,144 ----a-w C:\Program Files\HJTsetup
2007-08-02 21:14 11,343,614 ----a-w C:\Program Files\FullTiltSetup.exe
2007-07-01 23:34 12,301,192 ----a-w C:\Program Files\R40947.EXE
2007-07-01 23:33 25,277,256 ----a-w C:\Program Files\R69382.EXE
2007-07-01 23:33 12,304,024 ----a-w C:\Program Files\R37379.EXE
2007-07-01 23:31 4,152,248 ----a-w C:\Program Files\R45973.EXE
2007-07-01 23:30 456,441 ----a-w C:\Program Files\A01en885.zip
2007-07-01 23:29 791,339 ----a-w C:\Program Files\al95xpen.cab
2005-09-06 11:31 18,160 ----a-w C:\Documents and Settings\carol\Application Data\GDIPFONTCACHEV1.DAT
2004-05-04 12:56 271 --sh--w C:\Program Files\desktop.ini
2004-05-04 12:56 23,357 ---h--w C:\Program Files\folder.htt
2001-06-20 20:19 40,960 ----a-w C:\Program Files\ACMonitor_X83.exe
2004-06-22 11:03 8 --sh--w C:\WINDOWS\DRM\pdrm.dat
.

------- Sigcheck -------

2004-08-04 03:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\SYSTEM32\svchost.exe
2001-08-23 12:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 03:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe

2004-08-04 03:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\SYSTEM32\ws2_32.dll
2001-08-23 12:00 75264 8529c295df59b564d37a73b5629162b1 C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll
2004-08-04 03:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll

2004-08-04 03:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\SYSTEM32\winlogon.exe
2002-08-29 06:41 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 03:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe

2004-08-04 02:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\SYSTEM32\DRIVERS\ndis.sys
2002-08-29 05:09 167552 3b350e5a2a5e951453f3993275a4523a C:\WINDOWS\$NtServicePackUninstall$\ndis.sys
2004-08-04 02:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\ServicePackFiles\i386\ndis.sys

2004-08-04 02:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SYSTEM32\DRIVERS\ip6fw.sys
2004-08-04 02:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys

2004-08-04 03:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\SYSTEM32\services.exe
2001-08-23 12:00 101376 e3df4a0252d287c44606ee55355e1623 C:\WINDOWS\$NtServicePackUninstall$\services.exe
2004-08-04 03:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\ServicePackFiles\i386\services.exe

2004-08-04 03:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\SYSTEM32\lsass.exe
2002-08-29 06:41 11776 b2b6ba905d0e3f8a32a0eb3b4051807b C:\WINDOWS\$NtServicePackUninstall$\lsass.exe
2004-08-04 03:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\ServicePackFiles\i386\lsass.exe

2004-08-04 03:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\SYSTEM32\ctfmon.exe
2002-08-29 06:41 13312 414de7cf9d3f19c3ea902f1bb38ec116 C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2004-08-04 03:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-09-22 09:52 160568]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-05-04 09:55 26112]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\SYSTEM32\nwiz.exe]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [2001-06-27 04:03 36864]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50 71216]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 10:29 40960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"HostManager"="C:\Program Files\Common Files\AOL\1127502932\ee\AOLSoftware.exe" [2007-04-12 17:23 42032]
"ddoctorv2"="C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2007-04-19 14:21 198184]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14 270648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"USS"="C:\Program Files\USS\USS.exe" [2008-03-25 19:31 143360]
"C:\WINDOWS\system32\kddna.exe"="C:\WINDOWS\system32\kddna.exe" [ ]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-17 10:36 1177368]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
"msacm.ctmp3"= C:\WINDOWS\SYSTEM32\ctmp3.acm
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WebrootSpySweeperService"=2 (0x2)
"WANMiniportService"=2 (0x2)
"sprtsvc_ddoctorv2"=2 (0x2)
"NVSvc"=2 (0x2)
"MpfService"=2 (0x2)
"McShield"=2 (0x2)
"LexBceS"=2 (0x2)
"ITMRTSVC"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"AOLService"=2 (0x2)
"aolavupd"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"NAV Agent"=C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
"DIAGENT"=C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
"UpdReg"=C:\WINDOWS\Updreg.exe
"AHQInit"=C:\Program Files\Creative\SBLive\Program\AHQInit.exe
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"POINTER"=point32.exe
"bbui"=C:\Program Files\Creative\8xxx\bbui.exe
"devldr16.exe"=C:\WINDOWS\SYSTEM32\DEVLDR16.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\America Online 9.0b\\WAOL.EXE"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\1127502932\\EE\\aolsoftware.exe"=
"C:\\WINDOWS\\System32\\LEXPPS.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

.
Contents of the 'Scheduled Tasks' folder
"2008-06-07 18:00:00 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2008-06-20 19:06:58 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
- C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE
"2004-05-04 13:34:30 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\NDETECT.EXE
"2008-06-18 12:20:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-20 15:07:26
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-20 15:08:53
ComboFix-quarantined-files.txt 2008-06-20 19:08:50
ComboFix2.txt 2008-06-20 18:03:42

Pre-Run: 24,848,793,600 bytes free
Post-Run: 24,840,880,128 bytes free

221 --- E O F --- 2008-06-20 10:01:17



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:42:47 PM, on 6/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\AOL\1127502932\ee\AOLSoftware.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\USS\USS.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\America Online 9.0b\aoltray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\Program Files\America Online 9.0b\aolwbspd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127502932\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [USS] "C:\Program Files\USS\USS.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kddna.exe] C:\WINDOWS\system32\kddna.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.co...ll/gtdownlr.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish...fishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.a...77/mcinsctl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FE39249-F924-4017-9F47-D5E2D7D39EA3}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{0FE39249-F924-4017-9F47-D5E2D7D39EA3}: NameServer = 205.188.146.145
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7428 bytes


#17 Eldize

Authentic Member, 55 posts

Posted 20 June 2008 - 01:57 PM

I forgot to mention, while I was rebooting my computer (after Combofix), it ran very slowly. Before I even connected to the internet, a PC PRIVACY TOOL box popped up (I'm assuming it's malware). Not sure if this is significant. Something else just happened, in the task bar (bottom right of the computer screen), an icon just showed up. When I right click it, it says - Safely Remove Hardware (DISREGARD THIS - I'M ASSUMING IT'S THE IPOD I HAD CHARGING ALL DAY). Sorry

Edited by Eldize, 20 June 2008 - 02:29 PM.


#18 Eldize

Authentic Member, 55 posts

Posted 20 June 2008 - 02:08 PM

LD - I have to be to work in 1/2 hour, so I'll have to finish the steps in the morning. Thanks again for all your help

#19 LDTate

Forum God, Root Admin, 57,171 posts

Posted 20 June 2008 - 07:35 PM

Let's run an F-Secure online scan; it will scan for Viruses, Spyware and RootKits:
  • Click HERE
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the Active X control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

Note: This scan will only work with Internet Explorer.
You must be logged on with administrator rights to run this scan.
The scan may take a few hours.

Also let me know how the computer is running now.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#20 Eldize

Authentic Member, 55 posts

Posted 21 June 2008 - 06:39 AM

I have a slight dilemma, this computer was given to me and I do not have access to the administrator account. Is that going to be a problem?

#21 LDTate

Forum God, Root Admin, 57,171 posts

Posted 21 June 2008 - 07:01 AM

I still don't like that program as I can't find much information on it.
Did you install it or know what it is?
C:\Program Files\USS


#22 Eldize

Authentic Member, 55 posts

Posted 21 June 2008 - 07:03 AM

No, I did not install it and I have no clue what it is. I run HJT at least once a month and I've never seen it before.

#23 LDTate

Forum God, Root Admin, 57,171 posts

Posted 21 June 2008 - 07:08 AM

USA Shield 2.15

Filename: uss.exe
Size: 0.51 MB
License: Shareware

I think it's this:

http://www.softpedia...SA-Shield.shtml

I'm looking at the combofix scan and will give you a fix in a minute or two.


#24 LDTate

Forum God, Root Admin, 57,171 posts

Posted 21 June 2008 - 07:16 AM

Open notepad and copy/paste the text in the Codebox below into it:

Folder::
C:\SDFix
C:\Program Files\Viewpoint

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\WINDOWS\system32\kddna.exe"=-

Save this as "CFScript"


Drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

Also please describe how your computer behaves at the moment.



I have a slight dilemma, this computer was given to me and I do not have access to the administrator account. Is that going to be a problem?

Unless the previous owner set one there won't be a password. The default Administrator password is left blank for the user to set one.


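The orphaned Run entry that the CFScript in the post above removes can be picked out of a ComboFix log mechanically. The following is an added example, not part of the original thread and not ComboFix's own code: it parses the Run keys in the "Reg Loading Points" section and flags values whose file details are empty (`[ ]`) or whose value name is itself a full path. It assumes an empty `[ ]` means ComboFix could not read the file's date and size; the function names are hypothetical and the sample is a constructed excerpt of the log posted earlier in this thread.

```python
import re

# Constructed sample: a trimmed excerpt of the "Reg Loading Points" section
# from the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-09-22 09:52 160568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\SYSTEM32\nwiz.exe]
"USS"="C:\Program Files\USS\USS.exe" [2008-03-25 19:31 143360]
"C:\WINDOWS\system32\kddna.exe"="C:\WINDOWS\system32\kddna.exe" [ ]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-17 10:36 1177368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
'''

# A registry key header line, e.g. [HKEY_LOCAL_MACHINE\...\Run]
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# A value line: "name"="data" [file details], where data may be unquoted
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="?(?P<data>[^"\[]+?)"?\s*\[(?P<meta>[^\]]*)\]\s*$'
)
RUN_SUFFIX = r'\currentversion\run'
DRIVE_PATH_RE = re.compile(r'^[A-Za-z]:\\')


def parse_run_entries(log_text):
    """Return the autostart values listed under ...\\CurrentVersion\\Run keys."""
    entries = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group('key')
            continue
        # Ignore values that sit under any key other than a Run key.
        if current_key is None or not current_key.lower().endswith(RUN_SUFFIX):
            continue
        value_match = VALUE_RE.match(line)
        if value_match:
            entries.append({
                'key': current_key,
                'name': value_match.group('name'),
                'data': value_match.group('data').strip(),
                'meta': value_match.group('meta').strip(),
            })
    return entries


def flag_entries(entries):
    """Return (key, name, reasons) for entries that deserve a closer look."""
    findings = []
    for entry in entries:
        reasons = []
        # Assumption: empty brackets mean the target file could not be read,
        # so the value points at a file that is gone or inaccessible.
        if not entry['meta']:
            reasons.append('target file missing or unreadable')
        # Installers normally pick a product name for the value; a value
        # named after its own path is unusual enough to review.
        if DRIVE_PATH_RE.match(entry['name']):
            reasons.append('value name is a full path')
        if reasons:
            findings.append((entry['key'], entry['name'], reasons))
    return findings


if __name__ == '__main__':
    for key, name, reasons in flag_entries(parse_run_entries(SAMPLE_LOG)):
        print(f'{key}\n  {name}: {"; ".join(reasons)}')
```

A flagged entry is a prompt for review rather than a verdict; here it matches the kddna.exe value that the CFScript deletes.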
#25 Eldize

Authentic Member, 55 posts

Posted 21 June 2008 - 07:49 AM

Here are the logs

ComboFix 08-06-19.4 - New Account 2008-06-21 9:23:39.3 - FAT32x86
Running from: C:\Documents and Settings\New Account\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\New Account\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Viewpoint Experience Technology\AxMetaStream.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\ComponentMgr.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLArt.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLShell.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\BlueStreak.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\DataTracking.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\GifReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\LensFlares.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\Mts2Reader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ObjectMovie.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ServiceComponent.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VectorView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPAudio.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPExtras.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPSpeech.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPVideo.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\WaveletReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ZoomView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.xpt
C:\SDFix
C:\SDFix\apps\assosfix.reg
C:\SDFix\apps\cliptext.exe
C:\SDFix\apps\download.exe
C:\SDFix\apps\dummy.sys
C:\SDFix\apps\Enable_Command_Prompt.reg
C:\SDFix\apps\ERDNT.E_E
C:\SDFix\apps\ERDNTDOS.LOC
C:\SDFix\apps\ERDNTWIN.LOC
C:\SDFix\apps\ERUNT.EXE
C:\SDFix\apps\ERUNT.LOC
C:\SDFix\apps\fix.reg
C:\SDFix\apps\FixBH.reg
C:\SDFix\apps\FixComponents.reg
C:\SDFix\apps\FIXCU.reg
C:\SDFix\apps\FIXLM.reg
C:\SDFix\apps\FixPath.exe
C:\SDFix\apps\FixRedir.reg
C:\SDFix\apps\FixSchedule.reg
C:\SDFix\apps\FixWebCheck.reg
C:\SDFix\apps\fixXP.reg
C:\SDFix\apps\FixXPsp2.reg
C:\SDFix\apps\grep.exe
C:\SDFix\apps\HPFix.reg
C:\SDFix\apps\HPFix2.reg
C:\SDFix\apps\HPFix3.reg
C:\SDFix\apps\HPFix4.reg
C:\SDFix\apps\HPFix5.reg
C:\SDFix\apps\HPFix6.reg
C:\SDFix\apps\HPFix7.reg
C:\SDFix\apps\HPFix8.reg
C:\SDFix\apps\HPFix9.reg
C:\SDFix\apps\isadmin.exe
C:\SDFix\apps\leg2.txt
C:\SDFix\apps\legacy.txt
C:\SDFix\apps\legacybk.txt
C:\SDFix\apps\locate.com
C:\SDFix\apps\LS.exe
C:\SDFix\apps\MD5File.exe
C:\SDFix\apps\MyGcpvFix.reg
C:\SDFix\apps\MyGkFix2.reg
C:\SDFix\apps\Process.exe
C:\SDFix\apps\procs.exe
C:\SDFix\apps\psservice.exe
C:\SDFix\apps\Rem.txt
C:\SDFix\apps\Rem2.txt
C:\SDFix\apps\Replace\regedit.exe
C:\SDFix\apps\Replace\W2K.exe
C:\SDFix\apps\Replace\w2k\beep.sys
C:\SDFix\apps\Replace\w2k\null.sys
C:\SDFix\apps\Replace\XP.exe
C:\SDFix\apps\Replace\xp\beep.sys
C:\SDFix\apps\Replace\xp\null.sys
C:\SDFix\apps\Reset_AppInit_DLLs.reg
C:\SDFix\apps\RestartIt!.exe
C:\SDFix\apps\Restore_SecurityCenter.reg
C:\SDFix\apps\Restore_SharedAccess.reg
C:\SDFix\apps\sc.exe
C:\SDFix\apps\sed.exe
C:\SDFix\apps\SF.exe
C:\SDFix\apps\shutdown.exe
C:\SDFix\apps\srv2.txt
C:\SDFix\apps\srv2bk.txt
C:\SDFix\apps\svc.txt
C:\SDFix\apps\svcbk.txt
C:\SDFix\apps\swreg.exe
C:\SDFix\apps\swsc.exe
C:\SDFix\apps\unzip.exe
C:\SDFix\apps\vfind.exe
C:\SDFix\apps\WINMSG.EXE
C:\SDFix\apps\winsec.reg
C:\SDFix\apps\zip.exe
C:\SDFix\backups\backupreg.zip
C:\SDFix\backups\catchme.log
C:\SDFix\backups\HOSTS
C:\SDFix\catchme.exe
C:\SDFix\dummy.sys
C:\SDFix\Report.txt
C:\SDFix\RunThis.bat
C:\SDFix\SDFIX_ReadMe_Online.url
C:\SDFix\W2K_CodecRepair.inf
C:\SDFix\XP_CodecRepair.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-21 to 2008-06-21 )))))))))))))))))))))))))))))))
.

2100-02-24 13:35 . 2000-06-08 18:00 3,144 --a------ C:\WINDOWS\SYSTEM32\dllcache\srgb.icm
2008-06-20 15:26 . 2008-06-20 15:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-20 15:26 . 2008-06-20 15:26 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-18 07:06 . 2008-06-18 07:06 <DIR> d-------- C:\Program Files\Alwil Software
2008-06-17 13:18 . 2008-06-17 13:18 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-17 10:36 . 2008-06-17 10:36 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\Avg
2008-06-17 10:36 . 2008-06-17 10:36 <DIR> d-------- C:\Program Files\AVG
2008-06-17 10:36 . 2008-06-17 10:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-17 10:36 . 2008-06-17 10:36 96,520 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgldx86.sys
2008-06-17 10:36 . 2008-06-17 10:36 75,272 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgtdix.sys
2008-06-17 10:36 . 2008-06-17 10:36 10,520 --a------ C:\WINDOWS\SYSTEM32\avgrsstx.dll
2008-06-17 09:18 . 2008-06-17 09:38 3,528 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-06-17 09:17 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-06-17 09:17 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-06-17 09:17 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-06-17 09:17 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-06-17 09:17 . 2008-06-15 15:28 81,920 --a------ C:\WINDOWS\SYSTEM32\IEDFix.C.exe
2008-06-17 09:17 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\SYSTEM32\404Fix.exe
2008-06-17 09:17 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-06-17 09:17 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-06-17 09:17 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-06-17 08:48 . 2008-06-17 08:48 <DIR> d-------- C:\Documents and Settings\New Account\Application Data\Malwarebytes
2008-06-17 08:46 . 2008-06-17 08:46 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-17 08:46 . 2008-06-17 08:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-17 08:46 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-06-17 08:46 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-06-17 08:37 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\SYSTEM32\dllcache\bthport.sys
2008-06-17 08:14 . 2008-06-17 08:14 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-14 13:50 . 2008-06-14 13:50 <DIR> d-------- C:\Documents and Settings\New Account\Application Data\SUPERAntiSpyware.com
2008-06-14 13:49 . 2008-06-14 13:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-05 15:56 . 2008-06-05 15:56 <DIR> d-------- C:\Program Files\USS
2008-06-05 15:53 . 2001-03-08 19:30 24,064 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2008-06-05 15:53 . 2004-10-07 14:39 8,704 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2008-06-05 15:40 . 2004-10-07 14:39 89,088 --a------ C:\WINDOWS\SYSTEM32\atl71.dll
2008-06-03 21:45 . 2008-06-03 21:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2100-04-08 15:45 69,632 ----a-w C:\WINDOWS\SYSTEM32\Lxasmdm.dll
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\SYSTEM32\dllcache\rmcast.sys
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2008-04-21 07:04 659,456 ------w C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
2008-04-21 07:04 615,936 ------w C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
2008-04-21 07:04 532,480 ------w C:\WINDOWS\SYSTEM32\dllcache\mstime.dll
2008-04-21 07:04 474,112 ------w C:\WINDOWS\SYSTEM32\dllcache\shlwapi.dll
2008-04-21 07:04 449,024 ------w C:\WINDOWS\SYSTEM32\dllcache\mshtmled.dll
2008-04-21 07:04 39,424 ------w C:\WINDOWS\SYSTEM32\dllcache\pngfilt.dll
2008-04-21 07:04 3,059,712 ------w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2008-04-21 07:04 146,432 ------w C:\WINDOWS\SYSTEM32\dllcache\msrating.dll
2008-04-21 07:04 1,494,528 ------w C:\WINDOWS\SYSTEM32\dllcache\shdocvw.dll
2008-04-21 07:03 96,256 ------w C:\WINDOWS\SYSTEM32\dllcache\inseng.dll
2008-04-21 07:03 55,808 ------w C:\WINDOWS\SYSTEM32\dllcache\extmgr.dll
2008-04-21 07:03 357,888 ------w C:\WINDOWS\SYSTEM32\dllcache\dxtmsft.dll
2008-04-21 07:03 251,392 ------w C:\WINDOWS\SYSTEM32\dllcache\iepeers.dll
2008-04-21 07:03 205,312 ------w C:\WINDOWS\SYSTEM32\dllcache\dxtrans.dll
2008-04-21 07:03 16,384 ------w C:\WINDOWS\SYSTEM32\dllcache\jsproxy.dll
2008-04-21 07:03 151,040 ------w C:\WINDOWS\SYSTEM32\dllcache\cdfview.dll
2008-04-21 07:03 1,054,208 ------w C:\WINDOWS\SYSTEM32\dllcache\danim.dll
2008-04-21 07:03 1,023,488 ------w C:\WINDOWS\SYSTEM32\dllcache\browseui.dll
2008-04-17 10:52 18,432 ------w C:\WINDOWS\SYSTEM32\dllcache\iedw.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\SYSTEM32\dllcache\msjint40.dll
2007-08-30 11:01 488,144 ----a-w C:\Program Files\HJTsetup
2007-08-02 21:14 11,343,614 ----a-w C:\Program Files\FullTiltSetup.exe
2007-07-01 23:34 12,301,192 ----a-w C:\Program Files\R40947.EXE
2007-07-01 23:33 25,277,256 ----a-w C:\Program Files\R69382.EXE
2007-07-01 23:33 12,304,024 ----a-w C:\Program Files\R37379.EXE
2007-07-01 23:31 4,152,248 ----a-w C:\Program Files\R45973.EXE
2007-07-01 23:30 456,441 ----a-w C:\Program Files\A01en885.zip
2007-07-01 23:29 791,339 ----a-w C:\Program Files\al95xpen.cab
2005-09-06 11:31 18,160 ----a-w C:\Documents and Settings\carol\Application Data\GDIPFONTCACHEV1.DAT
2004-05-04 12:56 271 --sh--w C:\Program Files\desktop.ini
2004-05-04 12:56 23,357 ---h--w C:\Program Files\folder.htt
2001-06-20 20:19 40,960 ----a-w C:\Program Files\ACMonitor_X83.exe
2004-06-22 11:03 8 --sh--w C:\WINDOWS\DRM\pdrm.dat
.

------- Sigcheck -------

2004-08-04 03:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\SYSTEM32\svchost.exe
2001-08-23 12:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 03:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe

2004-08-04 03:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\SYSTEM32\ws2_32.dll
2001-08-23 12:00 75264 8529c295df59b564d37a73b5629162b1 C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll
2004-08-04 03:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll

2004-08-04 03:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\SYSTEM32\winlogon.exe
2002-08-29 06:41 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 03:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe

2004-08-04 02:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\SYSTEM32\DRIVERS\ndis.sys
2002-08-29 05:09 167552 3b350e5a2a5e951453f3993275a4523a C:\WINDOWS\$NtServicePackUninstall$\ndis.sys
2004-08-04 02:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\ServicePackFiles\i386\ndis.sys

2004-08-04 02:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SYSTEM32\DRIVERS\ip6fw.sys
2004-08-04 02:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys

2004-08-04 03:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\SYSTEM32\services.exe
2001-08-23 12:00 101376 e3df4a0252d287c44606ee55355e1623 C:\WINDOWS\$NtServicePackUninstall$\services.exe
2004-08-04 03:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\ServicePackFiles\i386\services.exe

2004-08-04 03:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\SYSTEM32\lsass.exe
2002-08-29 06:41 11776 b2b6ba905d0e3f8a32a0eb3b4051807b C:\WINDOWS\$NtServicePackUninstall$\lsass.exe
2004-08-04 03:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\ServicePackFiles\i386\lsass.exe

2004-08-04 03:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\SYSTEM32\ctfmon.exe
2002-08-29 06:41 13312 414de7cf9d3f19c3ea902f1bb38ec116 C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2004-08-04 03:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
.
((((((((((((((((((((((((((((( snapshot@2008-06-20_14.02.13.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-20 17:53:22 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-21 13:31:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-21 13:31:46 16,384 ----a-w C:\WINDOWS\TEMP\Perflib_Perfdata_470.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-09-22 09:52 160568]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-05-04 09:55 26112]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\SYSTEM32\nwiz.exe]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [2001-06-27 04:03 36864]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50 71216]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 10:29 40960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"HostManager"="C:\Program Files\Common Files\AOL\1127502932\ee\AOLSoftware.exe" [2007-04-12 17:23 42032]
"ddoctorv2"="C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2007-04-19 14:21 198184]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14 270648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"USS"="C:\Program Files\USS\USS.exe" [2008-03-25 19:31 143360]
"C:\WINDOWS\system32\kddna.exe"="C:\WINDOWS\system32\kddna.exe" [ ]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-17 10:36 1177368]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
"msacm.ctmp3"= C:\WINDOWS\SYSTEM32\ctmp3.acm
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WebrootSpySweeperService"=2 (0x2)
"WANMiniportService"=2 (0x2)
"sprtsvc_ddoctorv2"=2 (0x2)
"NVSvc"=2 (0x2)
"MpfService"=2 (0x2)
"McShield"=2 (0x2)
"LexBceS"=2 (0x2)
"ITMRTSVC"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"AOLService"=2 (0x2)
"aolavupd"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"NAV Agent"=C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
"DIAGENT"=C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
"UpdReg"=C:\WINDOWS\Updreg.exe
"AHQInit"=C:\Program Files\Creative\SBLive\Program\AHQInit.exe
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"POINTER"=point32.exe
"bbui"=C:\Program Files\Creative\8xxx\bbui.exe
"devldr16.exe"=C:\WINDOWS\SYSTEM32\DEVLDR16.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\America Online 9.0b\\WAOL.EXE"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\1127502932\\EE\\aolsoftware.exe"=
"C:\\WINDOWS\\System32\\LEXPPS.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

.
Contents of the 'Scheduled Tasks' folder
"2008-06-07 18:00:00 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2008-06-21 13:36:52 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
- C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE
"2004-05-04 13:34:30 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\NDETECT.EXE
"2008-06-18 12:20:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-21 09:33:35
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\America Online 9.0b\aoltray.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\Program Files\America Online 9.0b\aolwbspd.exe
.
**************************************************************************
.
Completion time: 2008-06-21 9:44:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-21 13:44:32
ComboFix3.txt 2008-06-20 18:03:42
ComboFix2.txt 2008-06-20 19:08:56

Pre-Run: 24,758,681,600 bytes free
Post-Run: 24,764,841,984 bytes free

353 --- E O F --- 2008-06-20 10:01:17


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:49:34 AM, on 6/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\AOL\1127502932\ee\AOLSoftware.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\USS\USS.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\America Online 9.0b\aoltray.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\Program Files\America Online 9.0b\aolwbspd.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127502932\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [USS] "C:\Program Files\USS\USS.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kddna.exe] C:\WINDOWS\system32\kddna.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.co...ll/gtdownlr.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish...fishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.a...77/mcinsctl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FE39249-F924-4017-9F47-D5E2D7D39EA3}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{0FE39249-F924-4017-9F47-D5E2D7D39EA3}: NameServer = 205.188.146.145
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7428 bytes



#26 LDTate

    Forum God

  • Root Admin
  • 57,171 posts

Posted 21 June 2008 - 07:55 AM

Run HijackThis. Hit "None of the above", then click "Do a System Scan Only". Put a checkmark/tick in the box on the left side of these:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kddna.exe] C:\WINDOWS\system32\kddna.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.co...ll/gtdownlr.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish...fishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.a...77/mcinsctl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab

Close ALL windows and browsers except HijackThis and click "Fix checked"


Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#27 Eldize

    Authentic Member

  • 55 posts

Posted 21 June 2008 - 08:16 AM

When I rebooted, that darn PCPrivacyTool box popped up again.

Here is my new scan

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:21 AM, on 6/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\AOL\1127502932\ee\AOLSoftware.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\USS\USS.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\America Online 9.0b\aoltray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\Program Files\America Online 9.0b\aolwbspd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127502932\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [USS] "C:\Program Files\USS\USS.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6342 bytes

Edited by Eldize, 21 June 2008 - 08:16 AM.


#28 LDTate

Posted 21 June 2008 - 08:22 AM

I don't see it listed. Is it listed in add/remove programs?

Click Start>Settings>Control Panel.
Double-click on Add/Remove Programs.
In the displayed list, choose the following program:
PCPrivacyTool
Click on Change/Remove.
Follow the instructions on the dialog box that appears.
Close the Add/Remove Programs window, and the Control Panel window.


#29 Eldize

Posted 21 June 2008 - 08:24 AM

I was re-reading my combofix log and noticed something:

bbui"=C:\Program Files\Creative\8xxx\bbui.exe
"devldr16.exe"=C:\WINDOWS\SYSTEM32\DEVLDR16.EXE

Is this something to be concerned with?

#30 Eldize

Posted 21 June 2008 - 08:28 AM

No - It's not listed in the add/remove programs. It seems to be a fake one - like a pop up - says 2450 viruses have been detected - click here to remove (or something like that).
