Help



ALEXSF415
2007-09-29, 08:03
Hi

I can't access my Control Panel even though I'm using the admin account; it says "Restriction - This operation has been cancelled due to restrictions in effect on this computer. Please contact admin."

I also get a pop-up saying:

Windows Security Alert
Your computer is making unauthorized copies of your system and Internet files. Run scan now to prevent any unauthorised access to your files! Click here to download spyware remover

When I click yes it sends me to h**p://avsystemcare.com
data/?mtrt=avds22&gai=swfeed&gli=6018&gff=pp_1447265044&3&ax=1&ed=1&ex=1&mtrt=null&45080703

I ran Search & Destroy and it can't get rid of some stuff, like:

HKEY_USERS\S-1-5-21....\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel !=W=0
HKEY_LOCAL_MACHINE\.....\DisableRegistryTools !=dword:0
HKEY_LOCAL_MACHINE\.........\DisableTaskMgr !=dword:0

Thanks in advance for any help. :D

steamwiz
2007-09-29, 23:05
Hi

Please read this link :-

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)

http://forums.spybot.info/showthread.php?t=288

THEN ...

Please download Combofix: http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
and save to the desktop.

1. Double-click on ComboFix.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new HijackThis log (which you'll find in the link above).

Notes:
* Do not mouse-click ComboFix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

steam

ALEXSF415
2007-09-30, 05:16
Hi, and thanks for your help.

Here are the reports you asked for.

One other thing: when I went to C:\combofix.txt, it would not let me open it; it said "C:\combofix.txt is not a valid Win32 application".

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:03:41 PM, on 9/29/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\00THotkey.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\s3hotkey.exe
C:\WINDOWS\System32\S3Tray2.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\kmw_run.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\OdHost.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.sexofactory.com/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.toshiba.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Linksys Wireless-N Notebook Adapter] C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Investigador - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100911663445
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\cmcache.dat
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WPC300N - Unknown owner - C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Smart Card Helper SCardDrvImapiService (SCardDrvImapiService) - Unknown owner - C:\WINDOWS\System32\acctresh.exe
O23 - Service: WMI Performance Adapter WmiApSrvwinmgmt (WmiApSrvwinmgmt) - Unknown owner - C:\WINDOWS\System32\actxprxyv.exe

--
End of file - 9285 bytes


ComboFix 07-09-30.5 - ALEX 2007-09-29 19:47:31.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.0.1252.1.1033.18.64 [GMT -7:00]
Running from: C:\Documents and Settings\ALEX\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\ALEX\Start Menu\Programs\Startup\system.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\WinAvXX.exe

.
((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-30 )))))))))))))))))))))))))))))))
.

2007-09-29 19:39 59,904 --a------ C:\WINDOWS\boot4384.exe
2007-09-29 17:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-28 22:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-28 16:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\NetWorkSwitch.temp
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Drag'n Drop CD
2007-09-27 18:47 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-26 21:23 46,913 -r-hs---- C:\WINDOWS\system32\acctresh.exe
2007-09-26 16:21 9,728 --a------ C:\WINDOWS\exploeee.exe
2007-09-26 16:21 8,192 --a------ C:\WINDOWS\system32\stdole32.dat
2007-09-26 16:21 53 --ahs---- C:\WINDOWS\system32\4039909485.dat
2007-09-26 16:21 28,672 -r-hs---- C:\WINDOWS\system32\actxprxyv.exe
2007-09-26 15:49 <DIR> d-------- C:\Program Files\Funk Software
2007-09-26 15:49 <DIR> d-------- C:\Program Files\Common Files\Funk Software
2007-09-26 15:48 94,208 --a------ C:\WINDOWS\system32\W32N50CT.DLL
2007-09-26 15:48 543,104 --a------ C:\WINDOWS\system32\drivers\BCMWL5.SYS
2007-09-26 15:48 25,600 --a------ C:\WINDOWS\system32\borlndmm.dll
2007-09-26 15:48 17,142 --a------ C:\WINDOWS\system32\CBTNDIS5.SYS
2007-09-26 15:48 1,706,800 --a------ C:\WINDOWS\system32\GdiPlus.dll
2007-09-26 15:48 1,497,088 --a------ C:\WINDOWS\system32\cc3260mt.dll
2007-09-26 15:48 1,496,064 --a------ C:\WINDOWS\system32\cc3250mt.dll
2007-09-26 15:48 <DIR> d-------- C:\Program Files\Linksys
2007-09-16 18:25 6,144 --a------ C:\WINDOWS\reppor.exe
2007-09-16 18:25 39,424 --a------ C:\WINDOWS\system32\vtr.dll
2007-09-15 21:47 6,144 --a------ C:\WINDOWS\system32\cmcache.dat
2007-09-09 20:34 <DIR> d-------- C:\Program Files\Microsoft Streets and Trips

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-29 00:01 --------- d-------- C:\Program Files\Ivde
2007-09-26 15:48 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-25 09:28 --------- d-------- C:\Program Files\MySpace
2007-08-23 21:57 --------- d-------- C:\Documents and Settings\ALEX\Application Data\MySpace
2007-08-16 19:12 --------- d-------- C:\Program Files\Opera
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2002-09-08 11:11 56832 --ahsc--- C:\Program Files\Thumbs.db
2001-08-18 12:00:00 94,784 -csh--w C:\WINDOWS\twain.dll
2001-08-18 12:00:00 46,592 -csh--w C:\WINDOWS\twain_32.dll
2001-08-18 12:00:00 995,383 --sh--w C:\WINDOWS\system32\mfc42.dll
2001-08-18 12:00:00 50,688 -csh--w C:\WINDOWS\system32\msvcirt.dll
2001-08-18 12:00:00 401,462 --sh--w C:\WINDOWS\system32\msvcp60.dll
2001-08-18 12:00:00 322,560 --sh--w C:\WINDOWS\system32\msvcrt.dll
2001-08-18 12:00:00 569,344 --sh--w C:\WINDOWS\system32\oleaut32.dll
2001-08-18 12:00:00 106,496 --sh--w C:\WINDOWS\system32\olepro32.dll
2001-08-18 12:00:00 9,728 -csh--w C:\WINDOWS\system32\regsvr32.exe
.

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2002-04-15 18:35]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 C:\WINDOWS\system32\000StTHK.exe]
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2002-02-27 12:27]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2001-11-14 03:37]
"S3Hotkey"="s3hotkey.exe" [2001-09-12 21:27 C:\WINDOWS\system32\s3hotkey.exe]
"S3TRAY2"="S3Tray2.exe" [2002-02-20 16:38 C:\WINDOWS\system32\S3Tray2.exe]
"TFNF5"="TFNF5.exe" [2001-08-03 18:08 C:\WINDOWS\system32\TFNF5.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-03-29 14:40]
"TFncKy"="TFncKy.exe" []
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2002-04-12 11:13]
"Tpwrtray"="TPWRTRAY.EXE" [2002-03-19 20:38 C:\WINDOWS\system32\TPWRTRAY.EXE]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 07:11]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2002-04-09 17:51]
"windows auto update"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 18:28]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38]
"kmw_run.exe"="kmw_run.exe" [2003-05-27 14:48 C:\WINDOWS\system32\kmw_run.exe]
"MSWheel"="" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 04:03]
"Linksys Wireless-N Notebook Adapter"="C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe" [2006-04-28 05:55]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-28 23:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-01 21:31]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
SpySubtract.lnk - C:\Program Files\interMute\SpySubtract\SpySub.exe [2005-02-01 19:49:19]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
SpySubtract.lnk - C:\Program Files\interMute\SpySubtract\SpySub.exe [2005-02-01 19:49:19]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= c:\Program Files\interMute\SpySubtract\sshook.dll [2005-02-01 19:49 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\System32\cmcache.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

R0 TVALG;Toshiba Value Added Logical and General Purpose Device Driver;C:\WINDOWS\System32\DRIVERS\TVALG.SYS
R2 NICSer_WPC300N;NICSer_WPC300N;C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\System32\CBTNDIS5.SYS
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\System32\DRIVERS\KMW_KBD.sys
R3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\System32\DRIVERS\KMW_SYS.sys
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\System32\DRIVERS\odysseyIM4.sys
R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\System32\DRIVERS\tsdhd.sys
R3 WDM_YAMAHAAC97;YAMAHA AC-XG Audio Device;C:\WINDOWS\System32\drivers\yacxgc.sys
S2 SCardDrvImapiService;Smart Card Helper SCardDrvImapiService;C:\WINDOWS\System32\acctresh.exe srv
S2 WmiApSrvwinmgmt;WMI Performance Adapter WmiApSrvwinmgmt;C:\WINDOWS\System32\actxprxyv.exe srv
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\System32\DRIVERS\KMW_USB.sys
S3 pciSd;pciSd;C:\WINDOWS\System32\DRIVERS\tossdpci.sys
S3 wlluc48;Wireless LAN PC Card Driver;C:\WINDOWS\System32\DRIVERS\wlluc48.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-19 01:05:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-30 02:20:51 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-09-29 03:09:47 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exe
"2007-09-30 02:56:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-29 19:55:09
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-29 19:58:49
C:\ComboFix-quarantined-files.txt ... 2007-09-29 19:58
C:\ComboFix2.txt ... 2007-09-29 19:29
.
--- E O F ---


Thanks again
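The HijackThis log above has several entries worth pulling out mechanically rather than by eye: the O20 AppInit_DLLs value pointing at a .dat file, two O23 services with "Unknown owner" whose display names are genuine Windows service names padded with a made-up short name and whose binaries sit directly in System32, an O16 ActiveX control registered from file://c:\counter.cab, and a SearchAssistant pointing off-site. The script below is an added example (not Spybot's, HijackThis's or the poster's code) that encodes those patterns as rules and runs them over a handful of lines copied from the log; the trusted-domain list, the severity labels and the "three or more conditions" style of the service rule are assumptions of the example, and the AVG, Norton and Linksys lines that look normal are included to show the rules leave them alone.

```python
"""Rule-based triage of HijackThis 2.0 log lines (added example, not the poster's code)."""
import re
from urllib.parse import urlparse

# Constructed sample input: lines copied from the HijackThis log above, including a
# few benign ones (AVG autostart, Norton service, Linksys service) the rules must skip.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.sexofactory.com/ie
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\cmcache.dat
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WPC300N - Unknown owner - C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
O23 - Service: Smart Card Helper SCardDrvImapiService (SCardDrvImapiService) - Unknown owner - C:\WINDOWS\System32\acctresh.exe
O23 - Service: WMI Performance Adapter WmiApSrvwinmgmt (WmiApSrvwinmgmt) - Unknown owner - C:\WINDOWS\System32\actxprxyv.exe
"""

R_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$")
O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")

# Assumption of this example: only these domains are acceptable IE search/start targets.
TRUSTED_HOSTS = ("microsoft.com", "msn.com", "live.com")
HIJACKABLE_VALUES = {"SearchAssistant", "Start Page", "Search Page", "Default_Page_URL", "Default_Search_URL"}
SYSTEM32_RE = re.compile(r"(?i)^c:\\windows\\system32\\[^\\]+$")


def _trusted(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)


def check_line(line):
    """Classify one HijackThis line; returns (severity, reason) or None when no rule fires."""
    line = line.strip()
    m = R_RE.match(line)
    if m:
        value, data = m.group("value"), m.group("data")
        if value in HIJACKABLE_VALUES and data.startswith("http") and not _trusted(data):
            return "high", "IE %s redirected to %s" % (value, data)
        return None
    m = O3_RE.match(line)
    if m and m.group("path") == "(no file)":
        # Orphaned CLSID: the toolbar binary is already gone, only the registration remains.
        return "low", "orphaned toolbar CLSID %s, file already gone" % m.group("name")
    m = O16_RE.match(line)
    if m and m.group("url").lower().startswith("file:"):
        return "high", "ActiveX control registered from a local file: %s" % m.group("url")
    m = O20_RE.match(line)
    if m:
        # AppInit_DLLs is mapped into every process that loads user32.dll; a non-.dll
        # extension is the usual disguise, so it scores higher than a plain DLL.
        value = m.group("value").strip()
        sev = "high" if not value.lower().endswith(".dll") else "medium"
        return sev, "AppInit_DLLs loads %s into every user32 process" % value
    m = O23_RE.match(line)
    if m:
        display, owner, path = m.group("display"), m.group("owner"), m.group("path")
        name = m.group("name") or display
        # The pattern in the log: no vendor string, a real Windows service display name
        # with the bogus short name glued on the end, and the binary dropped into System32.
        if owner == "Unknown owner" and display.endswith(name) and SYSTEM32_RE.match(path):
            return "high", "service %s: unknown owner, padded display name, binary %s in System32" % (name, path)
    return None


def triage(log_text):
    """Run every rule over a whole log and return the findings, worst first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        hit = check_line(line)
        if hit:
            findings.append({"severity": hit[0], "reason": hit[1], "line": line.strip()})
    findings.sort(key=lambda f: order[f["severity"]])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (f["severity"].upper(), f["reason"], f["line"]))
```

Running it against the sample prints five high findings (the SearchAssistant redirect, counter.cab, cmcache.dat and both padded services) and one low one for the orphaned toolbar, while the AVG autostart, the proxy override, the Norton service and the Linksys service with "Unknown owner" but a vendor path are left alone. The service rule needs all three conditions on purpose: an unknown owner by itself is common for hardware vendors' helper services, as the NICSer_WPC300N line shows.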

ALEXSF415
2007-09-30, 07:17
I have gained access to my Control Panel. But can you still see if I have additional problems? Thanks.

ALEXSF415
2007-09-30, 08:18
I lost access to my control panel again, once I restarted the computer.

steamwiz
2007-09-30, 21:25
Hi

ALEXSF415 wrote:
One other thing: when I went to C:\combofix.txt, it would not let me open it; it said "C:\combofix.txt is not a valid Win32 application".

Did you try to "run" the file?

If you double-click on it, or right-click & select "Open", it should open and show the same text that you posted.

I see you ran ComboFix twice. You posted the log from the last time you ran it, but you actually ran it half an hour earlier as well; the log will be different when you run it for the first time.

Please post the log from the first run: C:\ComboFix2.txt (note the #2).

THEN ...

Download SmitfraudFix.zip from:

http://siri.urz.free.fr/Fix/SmitfraudFix.zip (the file contains both English and French versions)

1. Download it to your desktop.
2. Unzip the zip file to your desktop (the files will be extracted to a folder called SmitfraudFix).
3. Double-click smitfraudfix.cmd.
4. Select 1 and hit Enter to create a report of the infected files.
5. Find the C:\rapport.txt file and post the contents in your next post here.

THEN ...

Download SUPERAntiSpyware:

http://www.superantispyware.com/

Once downloaded and installed, update the definitions and then run a full system scan; quarantine what it finds!

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here:)

http://www.superantispyware.com/definitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

So please remember to post :-

1. C:\ComboFix2.txt
2. C:\rapport.txt
3. SUPERAntiSpyware Scan Log

steam

ALEXSF415
2007-10-01, 07:02
Hi

The reason I ran ComboFix twice is that I couldn't open the log, even if I double-click on it, or right-click and select Open. It won't let me open combofix or rapport. So what I have been doing is copying the log over to Word and saving it, so I can access it later.

The pop-up says "C:\combofix2.txt is not a valid Win32 application".

I keep getting a pop-up that says "Windows cannot find C:\windows\system32\printer.exe. Make sure you have typed the name correctly, and try again" when it restarts.

I have AVG Anti-Virus, which I recently downloaded, and I found several items in the virus vault; one of them is C:\windows\system32\printer.exe. I don't know if I should move it back or leave it in the vault. There are about 25 items in there; I'll post what's in the vault, sorry if it wasn't necessary for me to post this.

Please let me know if I should disable AVG or not; also, if I don't disable it, should I scan my computer with AVG, or will it interfere with your reports?

Please advise me if I should start making copies of the stuff on my computer so I won't lose them.

Thanks for all your help.

Trojan horse SHeur.PXY C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe 9/30/2007 13:23 autorun.exe 7.5 KB
Trojan horse SHeur.PXY C:\WINDOWS\System32\winavxx.exe 9/30/2007 14:21 winavxx.exe 7.5 KB
Trojan horse SHeur.PXY C:\Documents and Settings\ALEX\Start Menu\Programs\Startup\system.exe 9/30/2007 14:21 system.exe 7.5 KB
Trojan horse SHeur.PXY C:\qoobox\Quarantine\C\Documents and Settings\ALEX\Start Menu\Programs\Startup\system.exe.vir 9/30/2007 14:21 system.exe.vir 7.5 KB
Trojan horse SHeur.PXY C:\qoobox\Quarantine\C\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe.vir 9/30/2007 14:21 autorun.exe.vir 7.5 KB
Trojan horse Downloader.Small.AJY C:\qoobox\Quarantine\C\WINDOWS\explore.exe.vir 9/30/2007 14:21 explore.exe.vir 9.5 KB
Trojan horse SHeur.PXY C:\qoobox\Quarantine\C\WINDOWS\system32\printer.exe.vir 9/30/2007 14:21 printer.exe.vir 7.5 KB
Trojan horse SHeur.PXY C:\qoobox\Quarantine\C\WINDOWS\system32\winavxx.exe.vir 9/30/2007 14:21 winavxx.exe.vir 7.5 KB
Trojan horse Downloader.Small.AJY C:\WINDOWS\exploeee.exe 9/30/2007 14:21 exploeee.exe 9.5 KB
Trojan horse Dropper.Agent.2.R C:\WINDOWS\wupdsnff.exe 9/30/2007 14:21 wupdsnff.exe 160 KB
Trojan horse Dropper.Small.5.D C:\WINDOWS\LastGood\notepad.exe 9/30/2007 14:21 notepad.exe 23.84 KB
Virus found Win32/PolyCrypt C:\WINDOWS\system32\acctresh.exe 9/30/2007 14:21 acctresh.exe 45.81 KB
Trojan horse Generic4.LVM C:\WINDOWS\system32\cmcache.dat 9/30/2007 14:21 cmcache.dat 6 KB
Trojan horse SHeur.PXY C:\WINDOWS\system32\printer.exe 9/30/2007 14:21 printer.exe 7.5 KB
Trojan horse Generic7.JGV C:\WINDOWS\system32\systems.txt 9/30/2007 14:21 systems.txt 8 KB
Trojan horse Generic8.CQT C:\WINDOWS\system32\vtr.dll 9/30/2007 14:21 vtr.dll 38.5 KB
Trojan horse SHeur.LFS C:\WINDOWS\system32\printer.exe 9/28/2007 23:40 printer.exe 7.5 KB
Trojan horse Small.P C:\Program Files\Ivde\Mcdutc.exe 9/29/2007 0:01 Mcdutc.exe 36.63 KB
Trojan horse Downloader.Agent.5.E C:\WINDOWS\System32\neth.exe 9/29/2007 0:01 neth.exe 53.28 KB
Trojan horse Dropper.Agent.2.AM C:\counter.cab 9/29/2007 0:01 counter.cab 30.79 KB
Trojan horse SHeur.LFS C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\system.exe 9/29/2007 0:01 system.exe 7.5 KB
Trojan horse Downloader.Small.AJY C:\Documents and Settings\ALEX\Start Menu\Programs\Startup\info.exe 9/29/2007 0:01 info.exe 9.5 KB
Trojan horse SHeur.LFS C:\Documents and Settings\ALEX\Start Menu\Programs\Startup\system.exe 9/29/2007 0:01 system.exe 7.5 KB
Trojan horse SHeur.LFS C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe 9/29/2007 0:01 autorun.exe 7.5 KB
Trojan horse Downloader.Small.AJY C:\Documents and Settings\All Users\Start Menu\Programs\Startup\info.exe 9/29/2007 0:01 info.exe 9.5 KB

While I was running SmitfraudFix a pop-up came up that said "Registry editing has been disabled by your administrator"; I clicked OK. It popped up about 8 times.

SmitFraudFix v2.234

Scan done at 17:53:55.61, Sun 09/30/2007
Run from C:\Documents and Settings\ALEX\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\00THotkey.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\s3hotkey.exe
C:\WINDOWS\System32\S3Tray2.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\OdHost.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

192.168.200.3 download.microsoft.com
192.168.200.3 downloads.microsoft.com
192.168.200.3 go.microsoft.com
192.168.200.3 microsoft.com
192.168.200.3 msdn.microsoft.com
192.168.200.3 office.microsoft.com
192.168.200.3 support.microsoft.com
192.168.200.3 windowsupdate.microsoft.com
192.168.200.3 www.microsoft.com
192.168.200.3 pandasoftware.com
192.168.200.3 www.pandasoftware.com

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\stdole32.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\ALEX


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\ALEX\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ALEX\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\cmcache.dat"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Linksys Wireless-N Notebook Adapter WPC300N - Packet Scheduler Miniport
DNS Server Search Order: 68.2.16.30
DNS Server Search Order: 68.2.16.25
DNS Server Search Order: 68.6.16.30

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7ED71048-472C-42CE-85A9-7FB9DD764F9B}: DhcpNameServer=68.2.16.30 68.2.16.25 68.6.16.30
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7ED71048-472C-42CE-85A9-7FB9DD764F9B}: DhcpNameServer=68.2.16.30 68.2.16.25 68.6.16.30
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7ED71048-472C-42CE-85A9-7FB9DD764F9B}: DhcpNameServer=68.2.16.30 68.2.16.25 68.6.16.30
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.2.16.30 68.2.16.25 68.6.16.30
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.2.16.30 68.2.16.25 68.6.16.30
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.2.16.30 68.2.16.25 68.6.16.30


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/30/2007 at 08:52 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1317

Scan type : Complete Scan
Total Scan Time : 02:15:32

Memory items scanned : 504
Memory threats detected : 0
Registry items scanned : 5428
Registry threats detected : 0
File items scanned : 74835
File threats detected : 22

Adware.Tracking Cookie
C:\Documents and Settings\ALEX\Cookies\alex@anad.tacoda[1].txt
C:\Documents and Settings\ALEX\Cookies\alex@ads.monster[1].txt
C:\Documents and Settings\ALEX\Cookies\alex@ad[1].txt
C:\Documents and Settings\ALEX\Cookies\alex@cgi-bin[2].txt
C:\Documents and Settings\ALEX\Cookies\alex@web4.realtracker[2].txt
C:\Documents and Settings\ALEX\Cookies\alex@atdmt[2].txt
C:\Documents and Settings\ALEX\Cookies\alex@perf.overture[1].txt
C:\Documents and Settings\ALEX\Cookies\alex@windowsmedia[1].txt
C:\Documents and Settings\ALEX\Cookies\alex@questionmarket[2].txt
C:\Documents and Settings\ALEX\Cookies\alex@overture[1].txt
C:\Documents and Settings\ALEX\Cookies\alex@heavycom.122.2o7[1].txt
C:\Documents and Settings\ALEX\Cookies\alex@msnportal.112.2o7[1].txt
C:\Documents and Settings\ALEX\Cookies\alex@partner2profit[1].txt
C:\Documents and Settings\ALEX\Cookies\alex@ads.pointroll[2].txt
C:\Documents and Settings\ALEX\Cookies\alex@adopt.euroclick[1].txt
C:\Documents and Settings\ALEX\Cookies\alex@starware[1].txt
C:\Documents and Settings\ALEX\Cookies\alex@ads.addynamix[1].txt
C:\Documents and Settings\ALEX\Cookies\alex@adinterax[1].txt

Adware.Starware
C:\DOCUMENTS AND SETTINGS\ALEX\DESKTOP\EXCESS\NEW FOLDER\MAPS-1.EXE
C:\DOCUMENTS AND SETTINGS\ALEX\DESKTOP\EXCESS\NEW FOLDER\MAPS.EXE

MBKWBar Toolbar
C:\PROGRAM FILES\MBKWBAR\IETOOLBAR.DLL

Adware.eXactAdvertising-Installer
C:\WINDOWS\SYSTB.EXE

steamwiz
2007-10-01, 21:52
HI



The reason I ran combofix twice is that I couldn't open the log, even if I double-click on it, or right-click and select Open. It won't let me open combofix or rapport, so what I have been doing is copying the log over to Word and saving it, so I can access it later.

The popup says "C:\combofix2.txt is not a valid win32 application".

I keep getting a pop-up that says "Windows cannot find C:\windows\system32\printer.exe. Make sure you have typed the name correctly, and try again" when it restarts.

I have AVG anti virus that I recently downloaded and I found several items in the virus vault, one of them is C:\windows\system32\printer.exe I don't know if I should move it back or leave it in the vault, there are about 25 items in there, I'll post what's in the vault, sorry if it wasn't necessary for me to post this.

Please let me know if I should disable AVG or not; also, if I don't disable it, should I scan my computer with AVG, or will it interfere with your reports?

Please advise me if I should start making copies of the stuff on my computer so I won't lose them.

Thanks for all your help.


1. It looks like your file association for text files is messed up ... we'll need to fix that first, so that you can post the logs...

2. DO NOT replace C:\windows\system32\printer.exe ... it's part of the malware causing this problem...

3. no need to turn off AVG, but don't run any more scans with it yet...

Are these entries in the AVG vault then ... ?

Trojan horse SHeur.PXY C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe 9/30/2007 13:23 autorun.exe 7.5 KB
Trojan horse SHeur.PXY C:\WINDOWS\System32\winavxx.exe 9/30/2007 14:21 winavxx.exe 7.5 KB
Trojan horse SHeur.PXY C:\Documents and Settings\ALEX\Start Menu\Programs\Startup\system.exe 9/30/2007 14:21 system.exe 7.5 KB
Trojan horse SHeur.PXY C:\qoobox\Quarantine\C\Documents and Settings\ALEX\Start Menu\Programs\Startup\system.exe.vir 9/30/2007 14:21 system.exe.vir 7.5 KB
Trojan horse SHeur.PXY C:\qoobox\Quarantine\C\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe.vir 9/30/2007 14:21 autorun.exe.vir 7.5 KB
Trojan horse Downloader.Small.AJY C:\qoobox\Quarantine\C\WINDOWS\explore.exe.vir 9/30/2007 14:21 explore.exe.vir 9.5 KB
Trojan horse SHeur.PXY C:\qoobox\Quarantine\C\WINDOWS\system32\printer.exe.vir 9/30/2007 14:21 printer.exe.vir 7.5 KB
Trojan horse SHeur.PXY C:\qoobox\Quarantine\C\WINDOWS\system32\winavxx.exe.vir 9/30/2007 14:21 winavxx.exe.vir 7.5 KB
etc, etc,

If so ... Don't move any back ..... they are all malware ...

4. It's always a good idea to make copies of your personal files, however there is no urgent need to make copies of your personal files yet ... usually this is quite easily dealt with, however yours is the most stubborn I've seen up to now ...

OK .... let's get your file associations sorted ...

Download DAFT (http://www.techsupportforum.com/sectools/Deckard/daft.exe) and save it to your Desktop.

Double-click the daft.exe icon. Read the disclaimer and click okay.

Click on the Scan button.


at this point it may say "all associations Okay" (doubtful) ... in which case click OK & close the program with the X

IF txt is shown as needing repairing, place a checkmark in the box next to the entry ...

Click the Fix button.
Re-scan and save a logfile. By default, it will save as daft.txt.
Post the contents of that file with your next post.

You will find daft.txt in the same place as the daft.exe file

steam

ALEXSF415
2007-10-02, 02:32
Hi

I ran DAFT, and it said "all associations okay". When AVG scans on its own when I open a file, should I click ignore or heal? Please advise me on what to do.

Thank you

steamwiz
2007-10-02, 19:01
HI

"all associations okay" ... well that's a surprise ...



When AVG scans on its own when I open a file, should I click ignore or heal? Please advise me on what to do.


What files are we talking about ?

If the file will heal ... then it's safe to do that ... if not, then send it to quarantine ... if the file is malware, it can do no harm once quarantined, then you can empty your quarantine folder at a later date, thus deleting the file.

I've another program I want you to run, which will also produce a text file ... seeing as we are having problems opening text files... I want you to attach the text files from now on ... I will be able to open them & post them for you.

Download Deckard's System Scanner (formerly Comboscan) (http://www.geekstogo.com/forum/index.php?automodule=downloads&showfile=19) to your Desktop.

1. Close all applications and windows.
2. Double-click on comboscan.exe to run it, and follow the prompts.
3. When the scan is complete, a text file will open - ComboScan.txt
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt in your next reply.
5. A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
6. Please copy and paste the contents of Supplementary.txt to your post.


Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

steam

ALEXSF415
2007-10-03, 01:55
Hi

I couldn't attach the main.txt because it's over the size limit.

Deckard's System Scanner v20070905.67
Run by ALEX on 2007-10-02 16:07:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
18: 2007-10-02 23:07:28 UTC - RP541 - Deckard's System Scanner Restore Point
17: 2007-10-01 01:29:00 UTC - RP540 - Installed SUPERAntiSpyware Free Edition
16: 2007-09-30 05:58:49 UTC - RP539 - Removed Norton AntiVirus 2002
15: 2007-09-30 01:01:04 UTC - RP538 - ComboFix created restore point
14: 2007-09-29 06:27:43 UTC - RP537 - Installed AVG 7.5


-- First Restore Point --
1: 2007-09-27 02:45:09 UTC - RP524 - Unsigned driver install


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as ALEX.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:09:40 PM, on 10/2/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\printer.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\s3hotkey.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\S3Tray2.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avginet.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\OdHost.exe
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Documents and Settings\ALEX\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ALEX.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.sexofactory.com/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.toshiba.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\printer.exe
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Linksys Wireless-N Notebook Adapter] C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: info.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Investigador - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100911663445
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\cmcache.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC300N - Unknown owner - C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Smart Card Helper SCardDrvImapiService (SCardDrvImapiService) - Unknown owner - C:\WINDOWS\System32\acctresh.exe
O23 - Service: WMI Performance Adapter WmiApSrvwinmgmt (WmiApSrvwinmgmt) - Unknown owner - C:\WINDOWS\System32\actxprxyv.exe

--
End of file - 9603 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 TVALD (Toshiba ACPI-Based Value Added Logical Device Driver) - c:\windows\system32\drivers\tvald.sys <Not Verified; Toshiba Corporation; Toshiba ACPI-Compliant Value Added Logical Device>
R0 TVALG (Toshiba Value Added Logical and General Purpose Device Driver) - c:\windows\system32\drivers\tvalg.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Value Added Logical and General Purpose Device Driver>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 PMEM - c:\windows\system32\drivers\pmemnt.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
R3 CBTNDIS5 (CBTNDIS5 NDIS Protocol Driver) - c:\windows\system32\cbtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
R3 S3SSavage - c:\windows\system32\drivers\s3ssavm.sys <Not Verified; S3 Graphics, Inc.; S3 Graphics SuperSavage Miniport>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
R3 SMCIRDA (SMC IrCC Miniport Device Driver) - c:\windows\system32\drivers\smcirda.sys <Not Verified; SMC; Fast Infrared Miniport Driver>
R3 TOSHIBASoftModem (TOSHIBA Software Modem) - c:\windows\system32\drivers\ltsm.sys <Not Verified; LT; TOSHIBA SoftModem Driver>
R3 tsdhd (TOSHIBA SD Card Host Controller Driver) - c:\windows\system32\drivers\tsdhd.sys <Not Verified; TOSHIBA Corporation; SD Card Driver Set>
R3 WDM_YAMAHAAC97 (YAMAHA AC-XG Audio Device) - c:\windows\system32\drivers\yacxgc.sys <Not Verified; YAMAHA Corporation; YAMAHA AC-XG WDM>

S3 ApfiltrService (Alps Pointing-device Filter Driver) - c:\windows\system32\drivers\apfiltr.sys <Not Verified; Alps Electric Co., Ltd.; Alps Touch Pad Driver for Windows 2000/XP>
S3 BCM43XX (Linksys Wireless-N Notebook Adapter WPC300N Driver) - c:\windows\system32\drivers\bcmwl5.sys <Not Verified; Linksys, A Division of Cisco Systems, Inc.; Linksys Wireless-N Notebook Adapter WPC300N Driver>
S3 catchme - c:\docume~1\alex\locals~1\temp\catchme.sys (file missing)
S3 pciSd - c:\windows\system32\drivers\tossdpci.sys <Not Verified; TOSHIBA; Toshiba SD Memory Driver>
S3 TBiosDrv - c:\windows\system32\drivers\tbiosdrv.sys
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)
S3 wlluc48 (Wireless LAN PC Card Driver) - c:\windows\system32\drivers\wlluc48.sys <Not Verified; Lucent Technologies; ORiNOCO Driver for Windows.>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 NICSer_WPC300N - c:\program files\linksys\wireless-n network monitor\nicserv.exe

S2 SCardDrvImapiService (Smart Card Helper SCardDrvImapiService) - c:\windows\system32\acctresh.exe srv
S2 WmiApSrvwinmgmt (WMI Performance Adapter WmiApSrvwinmgmt) - c:\windows\system32\actxprxyv.exe srv

ALEXSF415
2007-10-03, 01:57
Here is the rest of it


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-10-02 16:06:00 412 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2007-10-02 15:20:51 252 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2007-09-18 18:05:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-09-02 and 2007-10-02 -----------------------------

2007-10-02 15:03:16 59904 --a------ C:\WINDOWS\boot4384.exe
2007-10-01 16:57:09 8364 --a------ C:\WINDOWS\System32\sulimo.dat
2007-10-01 16:56:57 12288 --a------ C:\WINDOWS\svhjdsah.exe
2007-09-30 18:29:32 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-30 18:29:03 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-09-30 18:29:03 0 d-------- C:\Documents and Settings\ALEX\Application Data\SUPERAntiSpyware.com
2007-09-30 18:19:10 54563 --a------ C:\WINDOWS\System32\neth.exe
2007-09-30 18:19:04 39424 --a------ C:\WINDOWS\System32\vtr.dll <Not Verified; ; IEHelper Module>
2007-09-30 18:19:04 7680 --a------ C:\WINDOWS\System32\printer.exe
2007-09-30 18:18:54 46913 --a------ C:\WINDOWS\System32\acctresh.exe
2007-09-30 18:18:53 163840 --a------ C:\WINDOWS\wupdsnff.exe
2007-09-30 18:18:53 7680 --a------ C:\WINDOWS\System32\winavxx.exe
2007-09-30 18:18:53 9728 --a------ C:\WINDOWS\exploeee.exe
2007-09-30 17:54:26 3470 --a------ C:\WINDOWS\System32\tmp.reg
2007-09-28 23:40:06 0 dr-h----- C:\$VAULT$.AVG
2007-09-28 23:34:16 0 d-------- C:\Documents and Settings\ALEX\Application Data\AVG7
2007-09-28 23:29:32 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-09-28 23:27:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-28 23:27:48 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-09-28 22:25:59 0 d-------- C:\Program Files\Trend Micro
2007-09-28 16:31:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-09-28 15:39:42 0 d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-09-28 15:39:42 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-09-28 15:39:42 0 d-------- C:\Documents and Settings\Administrator\Application Data\Drag'n Drop CD
2007-09-28 15:39:42 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2007-09-28 15:39:41 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-09-28 15:39:41 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-09-28 15:39:41 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-09-28 15:39:41 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-09-28 15:39:41 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-09-28 15:39:41 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-09-28 15:39:40 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-09-28 15:39:40 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-09-28 15:39:40 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-09-28 15:39:40 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-09-28 15:39:40 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-09-28 15:39:40 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-09-28 15:39:40 0 d-------- C:\Documents and Settings\Administrator\NetWorkSwitch.temp
2007-09-28 15:39:40 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-09-28 15:39:40 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-09-28 15:39:40 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-09-28 15:39:37 2027520 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2007-09-27 18:47:34 0 d-------- C:\Program Files\MSXML 4.0
2007-09-26 16:21:12 53 --ahs---- C:\WINDOWS\System32\4039909485.dat
2007-09-26 16:21:06 28672 -r-hs---- C:\WINDOWS\System32\actxprxyv.exe
2007-09-26 16:21:02 8192 --a------ C:\WINDOWS\System32\stdole32.dat
2007-09-26 15:49:38 0 d-------- C:\Program Files\Funk Software
2007-09-26 15:49:38 0 d-------- C:\Program Files\Common Files\Funk Software
2007-09-26 15:48:19 94208 --a------ C:\WINDOWS\System32\W32N50CT.DLL <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2007-09-26 15:48:19 1497088 --a------ C:\WINDOWS\System32\cc3260mt.dll <Not Verified; Borland Corporation; Borland C++ Builder 6.0>
2007-09-26 15:48:19 17142 --a------ C:\WINDOWS\System32\CBTNDIS5.SYS <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2007-09-26 15:48:18 1496064 --a------ C:\WINDOWS\System32\cc3250mt.dll <Not Verified; Inprise Corporation; Borland C++ Builder 5.0>
2007-09-26 15:48:18 25600 --a------ C:\WINDOWS\System32\borlndmm.dll <Not Verified; Inprise Corporation; Borland Memory Manager>
2007-09-26 15:48:17 543104 --a------ C:\WINDOWS\System32\drivers\BCMWL5.SYS <Not Verified; Linksys, A Division of Cisco Systems, Inc.; Linksys Wireless-N Notebook Adapter WPC300N Driver>
2007-09-26 15:48:04 0 d-------- C:\Program Files\Linksys
2007-09-16 18:25:26 6144 --a------ C:\WINDOWS\reppor.exe
2007-09-15 21:47:19 6144 --a------ C:\WINDOWS\System32\cmcache.dat
2007-09-09 20:34:45 0 d-------- C:\Program Files\Microsoft Streets and Trips


-- Find3M Report ---------------------------------------------------------------

2007-09-30 20:55:45 0 d-------- C:\Program Files\MBKWBar
2007-09-30 18:26:35 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-30 18:19:10 0 d-------- C:\Program Files\Ivde
2007-09-29 23:00:29 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-29 22:59:11 0 d-------- C:\Program Files\Symantec
2007-09-29 22:56:35 0 d-------- C:\Documents and Settings\ALEX\Application Data\Lavasoft
2007-09-26 15:49:38 0 d-------- C:\Program Files\Common Files
2007-09-26 15:48:01 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-08-25 09:28:48 0 d-------- C:\Program Files\MySpace
2007-08-23 21:57:17 0 d-------- C:\Documents and Settings\ALEX\Application Data\MySpace
2007-08-16 19:12:04 0 d-------- C:\Program Files\Opera
2007-08-07 18:30:18 0 d-------- C:\Program Files\ZipForm Desktop


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [04/15/2002 06:35 PM]
"000StTHK"="000StTHK.exe" [06/23/2001 08:28 PM C:\WINDOWS\system32\000StTHK.exe]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [11/14/2001 03:37 AM]
"S3Hotkey"="s3hotkey.exe" [09/12/2001 09:27 PM C:\WINDOWS\system32\s3hotkey.exe]
"S3TRAY2"="S3Tray2.exe" [02/20/2002 04:38 PM C:\WINDOWS\system32\S3Tray2.exe]
"TFNF5"="TFNF5.exe" [08/03/2001 06:08 PM C:\WINDOWS\system32\TFNF5.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [03/29/2002 02:40 PM]
"TFncKy"="TFncKy.exe" []
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [04/12/2002 11:13 AM]
"Tpwrtray"="TPWRTRAY.EXE" [03/19/2002 08:38 PM C:\WINDOWS\system32\TPWRTRAY.EXE]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [07/03/2001 07:11 AM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [04/09/2002 05:51 PM]
"windows auto update"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/25/2006 07:58 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [08/04/2003 06:28 PM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [12/22/2003 09:38 AM]
"kmw_run.exe"="kmw_run.exe" [05/27/2003 02:48 PM C:\WINDOWS\system32\kmw_run.exe]
"MSWheel"="" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [10/30/2006 10:36 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [07/26/2006 04:03 AM]
"Linksys Wireless-N Notebook Adapter"="C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe" [04/28/2006 05:55 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [09/28/2007 11:28 PM]
"WinAVX"="C:\WINDOWS\System32\WinAvXX.exe" [10/02/2007 03:04 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/01/2007 09:31 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 02:06 PM]
"WinAVX"="C:\WINDOWS\System32\WinAvXX.exe" [10/02/2007 03:04 PM]

C:\Documents and Settings\ALEX\Start Menu\Programs\Startup\
system.exe [10/1/2007 4:57:09 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
autorun.exe [10/1/2007 4:57:09 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [9/16/2003 6:19:24 AM]
info.exe [9/30/2007 6:19:48 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]
SpySubtract.lnk - C:\Program Files\interMute\SpySubtract\SpySub.exe [2/1/2005 7:49:19 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= c:\Program Files\interMute\SpySubtract\sshook.dll [02/01/2005 07:49 PM 77824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\WINDOWS\System32\printer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\System32\cmcache.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll




-- Hosts -----------------------------------------------------------------------

192.168.200.3 ad.doubleclick.net
192.168.200.3 ad.fastclick.net
192.168.200.3 ads.fastclick.net
192.168.200.3 ar.atwola.com
192.168.200.3 atdmt.com
192.168.200.3 avp.ch
192.168.200.3 avp.com
192.168.200.3 avp.ru
192.168.200.3 awaps.net
192.168.200.3 banner.fastclick.net

92 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-10-02 16:14:09 ------------

Thank you

Alex

steamwiz
2007-10-03, 22:07
Hi

Why do you have NO service packs?

Without the service packs you have no hope of keeping clean, as they plug countless security vulnerabilities in both XP & IE.

First you need to install Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time. DO NOT UPGRADE TO SP2 AT THIS TIME.

Go here to download SP1a

http://www.download.com/Windows-XP-Service-Pack-1a-SP1a-/3000-2098_4-10147920.html?tag=lst-0-19

The malware you have has blocked Windows update, but you should be able to install from the above link ...

-
We can forget everything you've run so far ... Combofix, AVG anti-virus & Superantispyware ( if you ran it) have all removed the bulk of this infection ... but DSS shows everything is back ....

-
Once you have SP1a installed, we'll start again ...

steam

ALEXSF415
2007-10-04, 03:57
Hi

I don't know a lot about computers. I didn't know what service packs were. Sorry for both of us wasting our time. But I greatly appreciate the time you have invested in me to help me resolve this problem. I was unable to get the update from download.com, and when it redirected me to a third party, which was microsoft.com, it would not let me open the page. I tried opening microsoft.com with IE and Opera, and they couldn't open it. What should I do?

Alex

steamwiz
2007-10-04, 21:39
Hi

I'm attaching a zip file, this zip file contains a registry file ... it will delete several keys from your registry... it will remove the entry blocking windows update & your Control panel + some others ...

Download the zip file to your desktop, unzip it to your desktop to reveal the reg file ... double click on the reg file and allow it to merge with the registry ...

Then try to download SP1 again ...

steam
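The values steamwiz's .reg file targets are the ones DSS listed earlier in the thread: the DisableRegistryTools, DisableTaskMgr, NoControlPanel and NoWindowsUpdate policies, plus the altered Winlogon Shell and AppInit_DLLs entries. As an added example that is not the thread's or any tool's own code, this Python script parses those log lines (copied here as constructed input), flags them, and builds a .reg snippet of the kind steamwiz describes; the function names are my own.

```python
"""Flag the lockdown policies and Shell/AppInit hijacks shown in a DSS-style
'Reg Loading Points' dump and emit a .reg snippet that undoes just those
values.  Added example; not part of the thread, DSS or ComboFix."""
import re
from typing import Dict, List, Tuple

# Constructed input: the relevant lines copied from the DSS log in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\WINDOWS\System32\printer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\System32\cmcache.dat
"""

# Policy values that, when set to 1, produce the "restrictions in effect" and
# "registry editing has been disabled" errors reported in the thread.
LOCKDOWN_POLICIES = {
    "disableregistrytools", "disabletaskmgr", "nocontrolpanel", "nowindowsupdate",
}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_loading_points(text: str) -> Dict[str, Dict[str, str]]:
    """Return {registry key: {value name: raw value}} from a DSS-style dump."""
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            result[current][m.group(1)] = m.group(2).strip()
    return result


def find_lockdowns(entries: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value name, reason) for each entry a defender should act on."""
    findings: List[Tuple[str, str, str]] = []
    for key, values in entries.items():
        lkey = key.lower()
        for name, raw in values.items():
            lname = name.lower()
            if (lkey.endswith((r"\policies\system", r"\policies\explorer"))
                    and lname in LOCKDOWN_POLICIES and raw.startswith("1")):
                findings.append((key, name, "policy lockdown enabled"))
            elif lkey.endswith(r"\winlogon") and lname == "shell":
                shell = raw.strip('"')
                # Anything appended after Explorer.exe starts with the desktop.
                if shell.lower() != "explorer.exe":
                    findings.append((key, name, f"extra shell program: {shell}"))
            elif lkey.endswith(r"\currentversion\windows") and lname == "appinit_dlls" and raw:
                # AppInit_DLLs is loaded into every process that uses user32.dll.
                findings.append((key, name, f"AppInit DLL injected system-wide: {raw}"))
    return findings


def remediation_reg(findings: List[Tuple[str, str, str]]) -> str:
    """Build a .reg file that deletes the flagged policy values ("=-" removes a
    value on merge), resets Shell to plain Explorer.exe and clears AppInit_DLLs.
    The DLL and shell binaries themselves still have to be removed separately."""
    by_key: Dict[str, List[str]] = {}
    for key, name, reason in findings:
        if reason.startswith("policy"):
            entry = f'"{name}"=-'
        elif name.lower() == "shell":
            entry = '"Shell"="Explorer.exe"'
        else:
            entry = f'"{name}"=""'
        by_key.setdefault(key, []).append(entry)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, entries in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(entries)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_lockdowns(parse_loading_points(SAMPLE_LOG))
    for key, name, reason in found:
        print(f"{reason}: {key} -> {name}")
    print(remediation_reg(found))
```

As the next post in the thread shows, merging such a file fails while DisableRegistryTools=1 is in effect for the account doing the merge, so the running malware has to be stopped before the registry fix can be applied.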

ALEXSF415
2007-10-05, 01:25
Hi

I downloaded the zip file, but it won't let me open it. It will say Registry editing has been disabled by your admin.

Alex

steamwiz
2007-10-05, 23:12
Hi

OK ... I want you to run SUPERAntiSpyware ... then post or attach the log ...

Immediately followed by Combofix ... post or attach the log ...

If you need to you can .....

Look back to post#6 for instructions on how to run SUPERAntiSpyware ...

& then post #2 for Combofix ...

steam

ALEXSF415
2007-10-06, 06:22
Hi

ComboFix 07-09-30.5 - ALEX 2007-10-05 20:53:26.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.0.1252.1.1033.18.66 [GMT -7:00]
Running from: C:\Documents and Settings\ALEX\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-06 to 2007-10-06 )))))))))))))))))))))))))))))))
.

2007-10-03 20:49 12,288 --a------ C:\WINDOWS\mraerea.exe
2007-10-02 16:06 <DIR> d-------- C:\Deckard
2007-10-01 16:57 8,364 --a------ C:\WINDOWS\system32\sulimo.dat
2007-09-30 18:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-30 18:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-30 18:29 <DIR> d-------- C:\Documents and Settings\ALEX\Application Data\SUPERAntiSpyware.com
2007-09-30 17:54 3,470 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-29 17:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-28 22:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-28 16:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\NetWorkSwitch.temp
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Drag'n Drop CD
2007-09-27 18:47 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-26 16:21 8,192 --a------ C:\WINDOWS\system32\stdole32.dat
2007-09-26 16:21 53 --ahs---- C:\WINDOWS\system32\4039909485.dat
2007-09-26 16:21 28,672 -r-hs---- C:\WINDOWS\system32\actxprxyv.exe
2007-09-26 15:49 <DIR> d-------- C:\Program Files\Funk Software
2007-09-26 15:49 <DIR> d-------- C:\Program Files\Common Files\Funk Software
2007-09-26 15:48 94,208 --a------ C:\WINDOWS\system32\W32N50CT.DLL
2007-09-26 15:48 543,104 --a------ C:\WINDOWS\system32\drivers\BCMWL5.SYS
2007-09-26 15:48 25,600 --a------ C:\WINDOWS\system32\borlndmm.dll
2007-09-26 15:48 17,142 --a------ C:\WINDOWS\system32\CBTNDIS5.SYS
2007-09-26 15:48 1,706,800 --a------ C:\WINDOWS\system32\GdiPlus.dll
2007-09-26 15:48 1,497,088 --a------ C:\WINDOWS\system32\cc3260mt.dll
2007-09-26 15:48 1,496,064 --a------ C:\WINDOWS\system32\cc3250mt.dll
2007-09-26 15:48 <DIR> d-------- C:\Program Files\Linksys
2007-09-16 18:25 6,144 --a------ C:\WINDOWS\reppor.exe
2007-09-15 21:47 6,144 --a------ C:\WINDOWS\system32\cmcache.dat
2007-09-09 20:34 <DIR> d-------- C:\Program Files\Microsoft Streets and Trips

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-03 14:41 --------- d-------- C:\Program Files\Ivde
2007-09-30 20:55 --------- d-------- C:\Program Files\MBKWBar
2007-09-30 18:26 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-29 23:00 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-29 23:00 --------- d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-29 22:59 --------- d-------- C:\Program Files\Symantec
2007-09-29 22:56 --------- d-------- C:\Documents and Settings\ALEX\Application Data\Lavasoft
2007-09-26 15:48 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-25 09:28 --------- d-------- C:\Program Files\MySpace
2007-08-23 21:57 --------- d-------- C:\Documents and Settings\ALEX\Application Data\MySpace
2007-08-16 19:12 --------- d-------- C:\Program Files\Opera
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2002-09-08 11:11 56832 --ahsc--- C:\Program Files\Thumbs.db
2001-08-18 12:00:00 94,784 -csh--w C:\WINDOWS\twain.dll
2001-08-18 12:00:00 46,592 -csh--w C:\WINDOWS\twain_32.dll
2001-08-18 12:00:00 995,383 --sh--w C:\WINDOWS\system32\mfc42.dll
2001-08-18 12:00:00 50,688 -csh--w C:\WINDOWS\system32\msvcirt.dll
2001-08-18 12:00:00 401,462 --sh--w C:\WINDOWS\system32\msvcp60.dll
2001-08-18 12:00:00 322,560 --sh--w C:\WINDOWS\system32\msvcrt.dll
2001-08-18 12:00:00 569,344 --sh--w C:\WINDOWS\system32\oleaut32.dll
2001-08-18 12:00:00 106,496 --sh--w C:\WINDOWS\system32\olepro32.dll
2001-08-18 12:00:00 9,728 -csh--w C:\WINDOWS\system32\regsvr32.exe
.

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2002-04-15 18:35]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 C:\WINDOWS\system32\000StTHK.exe]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2001-11-14 03:37]
"S3Hotkey"="s3hotkey.exe" [2001-09-12 21:27 C:\WINDOWS\system32\s3hotkey.exe]
"S3TRAY2"="S3Tray2.exe" [2002-02-20 16:38 C:\WINDOWS\system32\S3Tray2.exe]
"TFNF5"="TFNF5.exe" [2001-08-03 18:08 C:\WINDOWS\system32\TFNF5.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-03-29 14:40]
"TFncKy"="TFncKy.exe" []
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2002-04-12 11:13]
"Tpwrtray"="TPWRTRAY.EXE" [2002-03-19 20:38 C:\WINDOWS\system32\TPWRTRAY.EXE]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 07:11]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2002-04-09 17:51]
"windows auto update"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 18:28]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38]
"kmw_run.exe"="kmw_run.exe" [2003-05-27 14:48 C:\WINDOWS\system32\kmw_run.exe]
"MSWheel"="" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 04:03]
"Linksys Wireless-N Notebook Adapter"="C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe" [2006-04-28 05:55]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-28 23:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-01 21:31]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
SpySubtract.lnk - C:\Program Files\interMute\SpySubtract\SpySub.exe [2005-02-01 19:49:19]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
SpySubtract.lnk - C:\Program Files\interMute\SpySubtract\SpySub.exe [2005-02-01 19:49:19]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= c:\Program Files\interMute\SpySubtract\sshook.dll [2005-02-01 19:49 77824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\System32\cmcache.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

R0 TVALG;Toshiba Value Added Logical and General Purpose Device Driver;C:\WINDOWS\System32\DRIVERS\TVALG.SYS
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\System32\CBTNDIS5.SYS
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\System32\DRIVERS\KMW_KBD.sys
R3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\System32\DRIVERS\KMW_SYS.sys
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\System32\DRIVERS\odysseyIM4.sys
R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\System32\DRIVERS\tsdhd.sys
R3 WDM_YAMAHAAC97;YAMAHA AC-XG Audio Device;C:\WINDOWS\System32\drivers\yacxgc.sys
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\System32\DRIVERS\KMW_USB.sys
S3 pciSd;pciSd;C:\WINDOWS\System32\DRIVERS\tossdpci.sys
S3 wlluc48;Wireless LAN PC Card Driver;C:\WINDOWS\System32\DRIVERS\wlluc48.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-19 01:05:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-06 03:20:12 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
"2007-10-06 04:11:06 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-05 21:08:21
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\volsnap.sys
C:\WINDOWS\system32\drivers\wanarp.sys
C:\WINDOWS\system32\drivers\wdmaud.sys
C:\WINDOWS\system32\drivers\wlluc48.sys
C:\WINDOWS\system32\drivers\wmilib.sys
C:\WINDOWS\system32\drivers\ws2ifsl.sys
C:\WINDOWS\system32\drivers\yacxgc.sys
C:\WINDOWS\system32\drivers\Ygny51.sys

scan completed successfully
hidden files: 8

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Ygny51]

.
Completion time: 2007-10-05 21:15:36 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-05 21:15
C:\ComboFix2.txt ... 2007-09-29 19:58
C:\ComboFix3.txt ... 2007-09-29 19:29
.
--- E O F ---

ALEXSF415
2007-10-06, 06:24
Hi

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/05/2007 at 08:23 PM

Application Version : 3.9.1008

Core Rules Database Version : 3320
Trace Rules Database Version: 1321

Scan type : Complete Scan
Total Scan Time : 02:26:39

Memory items scanned : 467
Memory threats detected : 1
Registry items scanned : 5434
Registry threats detected : 13
File items scanned : 74698
File threats detected : 29

Trojan.Net-AVP/AVT
C:\WINDOWS\SYSTEM32\PRINTER.EXE
C:\WINDOWS\SYSTEM32\PRINTER.EXE
[WinAVX] C:\WINDOWS\SYSTEM32\WINAVXX.EXE
C:\WINDOWS\SYSTEM32\WINAVXX.EXE
[WinAVX] C:\WINDOWS\SYSTEM32\WINAVXX.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#WinAVX [ C:\WINDOWS\System32\WinAvXX.exe ]
HKU\S-1-5-21-3657561249-101265881-2389969595-1005\Software\Microsoft\Windows\CurrentVersion\Run#WinAVX [ C:\WINDOWS\System32\WinAvXX.exe ]
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\START MENU\PROGRAMS\STARTUP\SYSTEM.EXE
C:\DOCUMENTS AND SETTINGS\ALEX\START MENU\PROGRAMS\STARTUP\SYSTEM.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\STARTUP\AUTORUN.EXE
C:\WINDOWS\Prefetch\AUTORUN.EXE-3088AD1E.pf
C:\WINDOWS\Prefetch\PRINTER.EXE-0E099EB1.pf
C:\WINDOWS\Prefetch\SYSTEM.EXE-234F3E08.pf
C:\WINDOWS\Prefetch\WINAVXX.EXE-050EF48B.pf

Trojan.Net-VTROLL
HKLM\Software\Classes\CLSID\{ABCDECF0-4B15-11D1-ABED-709549C10000}
HKCR\CLSID\{ABCDECF0-4B15-11D1-ABED-709549C10000}
HKCR\CLSID\{ABCDECF0-4B15-11D1-ABED-709549C10000}
HKCR\CLSID\{ABCDECF0-4B15-11D1-ABED-709549C10000}\InprocServer32
HKCR\CLSID\{ABCDECF0-4B15-11D1-ABED-709549C10000}\InprocServer32#ThreadingModel
HKCR\CLSID\{ABCDECF0-4B15-11D1-ABED-709549C10000}\ProgID
HKCR\CLSID\{ABCDECF0-4B15-11D1-ABED-709549C10000}\Programmable
HKCR\CLSID\{ABCDECF0-4B15-11D1-ABED-709549C10000}\VersionIndependentProgID
C:\WINDOWS\SYSTEM32\VTR.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ABCDECF0-4B15-11D1-ABED-709549C10000}

Adware.Tracking Cookie
C:\Documents and Settings\ALEX\Cookies\alex@revsci[2].txt

Trojan.Net-Explore/DND
C:\QOOBOX\QUARANTINE\C\WINDOWS\EXPLORE.EXE.VIR

Trojan.Downloader-Gen/NoMultiTask
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP524\A0147066.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP540\A0151022.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP541\A0151070.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP541\A0151143.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP541\A0151166.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP541\A0151193.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP541\A0151235.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP541\A0151258.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP541\A0151289.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP541\A0151310.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP541\A0151333.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP541\A0151357.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP541\A0151378.DLL

Adware.Starware
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP540\A0150944.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP540\A0150945.EXE

MBKWBar Toolbar
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP540\A0150946.DLL

Adware.eXactAdvertising-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9C4232D3-2AED-420D-8BC5-9EBE4CDA7B51}\RP540\A0150947.EXE

Alex

ALEXSF415
2007-10-06, 06:35
Hi

I ran Combofix and SuperAntispyware and I had regained access to my control panel; the moment I logged on to the internet to post the logs I lost access to the Control panel. Do you think I should try to download Windows sp1a from a friend's computer and not connect to the internet with this infected computer until it's up to date? I'm open to any suggestions.

Thanks

Alex

ALEXSF415
2007-10-07, 19:01
Hi

I have borrowed a laptop from a friend, so I won't have to connect to the internet from the infected computer anymore. I have burned Windows sp1a to a disc, but have not installed it on the infected computer. Tell me if you would like me to install it.

Thanks

Alex

steamwiz
2007-10-07, 21:49
Hi

Yes .. it's a good idea to keep off the net until we can stop you getting re-infected...

As you say, you are now infected again since posting these latest logs ... run SUPERAntiSpyware again, it's the one which keeps removing the infection for you ... then install SP1 ...

As soon as you have installed SP1 .. do this :-

Open Notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)


File::
C:\WINDOWS\mraerea.exe
C:\WINDOWS\system32\sulimo.dat
C:\WINDOWS\system32\stdole32.dat
C:\WINDOWS\system32\4039909485.dat
C:\WINDOWS\system32\actxprxyv.exe
C:\WINDOWS\reppor.exe
C:\WINDOWS\system32\cmcache.dat




Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

steam

ALEXSF415
2007-10-08, 05:56
Hi

ComboFix 07-09-30.5 - ALEX 2007-10-07 20:07:53.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.81 [GMT -7:00]
Running from: C:\Documents and Settings\ALEX\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ALEX\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\mraerea.exe
C:\WINDOWS\system32\sulimo.dat
C:\WINDOWS\system32\stdole32.dat
C:\WINDOWS\system32\4039909485.dat
C:\WINDOWS\system32\actxprxyv.exe
C:\WINDOWS\reppor.exe
C:\WINDOWS\system32\cmcache.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\mraerea.exe
C:\WINDOWS\reppor.exe
C:\WINDOWS\system32\4039909485.dat
C:\WINDOWS\system32\actxprxyv.exe
C:\WINDOWS\system32\cmcache.dat
C:\WINDOWS\system32\stdole32.dat
C:\WINDOWS\system32\sulimo.dat

.
((((((((((((((((((((((((( Files Created from 2007-09-08 to 2007-10-08 )))))))))))))))))))))))))))))))
.

2007-10-07 18:31 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-10-07 18:31 <DIR> d-------- C:\WINDOWS\ehome
2007-10-07 18:21 171,008 --a------ C:\WINDOWS\system32\sccsccp.dll
2007-10-07 18:14 76,288 --a------ C:\WINDOWS\system32\avifil32.dll
2007-10-07 18:14 71,680 --a------ C:\WINDOWS\system32\browsewm.dll
2007-10-07 18:14 62,976 --a------ C:\WINDOWS\system32\browselc.dll
2007-10-07 18:14 6,656 --a------ C:\WINDOWS\system32\batt.dll
2007-10-07 18:14 59,904 --a------ C:\WINDOWS\system32\cabinet.dll
2007-10-07 18:14 49,152 --a------ C:\WINDOWS\system32\browser.dll
2007-10-07 18:13 8,192 --a------ C:\WINDOWS\system32\autolfn.exe
2007-10-07 18:13 74,810 --a------ C:\WINDOWS\system32\atl.dll
2007-10-07 18:13 38,912 --a------ C:\WINDOWS\system32\audiosrv.dll
2007-10-07 18:12 32,512 --------- C:\WINDOWS\system32\drivers\amdk7.sys
2007-10-07 18:12 22,528 --a------ C:\WINDOWS\system32\at.exe
2007-10-07 18:12 14,366 --a------ C:\WINDOWS\system32\asfsipc.dll
2007-10-07 18:12 115,712 --a------ C:\WINDOWS\system32\apphelp.dll
2007-10-07 18:11 91,648 --a------ C:\WINDOWS\system32\ahui.exe
2007-10-07 18:11 62,464 --a------ C:\WINDOWS\system32\adsmsext.dll
2007-10-07 18:11 41,984 --a------ C:\WINDOWS\system32\alg.exe
2007-10-07 18:11 239,616 --a------ C:\WINDOWS\system32\adsnt.dll
2007-10-07 18:11 162,816 --a------ C:\WINDOWS\system32\adsldp.dll
2007-10-07 18:11 139,776 --a------ C:\WINDOWS\system32\adsldpc.dll
2007-10-07 18:10 59,392 --a------ C:\WINDOWS\system32\6to4svc.dll
2007-10-07 18:09 42,537 --a------ C:\WINDOWS\system32\keyboard.sys
2007-10-07 18:09 169,984 --a------ C:\WINDOWS\system32\sccbase.dll
2007-10-02 16:06 <DIR> d-------- C:\Deckard
2007-09-30 18:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-30 18:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-30 18:29 <DIR> d-------- C:\Documents and Settings\ALEX\Application Data\SUPERAntiSpyware.com
2007-09-30 17:54 3,470 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-29 17:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-28 22:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-28 16:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\NetWorkSwitch.temp
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Drag'n Drop CD
2007-09-27 18:50 68,608 --a--c--- C:\WINDOWS\system32\dllcache\locator.exe
2007-09-27 18:50 68,608 --a------ C:\WINDOWS\system32\locator.exe
2007-09-27 18:47 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-26 15:49 <DIR> d-------- C:\Program Files\Funk Software
2007-09-26 15:49 <DIR> d-------- C:\Program Files\Common Files\Funk Software
2007-09-26 15:48 94,208 --a------ C:\WINDOWS\system32\W32N50CT.DLL
2007-09-26 15:48 543,104 --a------ C:\WINDOWS\system32\drivers\BCMWL5.SYS
2007-09-26 15:48 25,600 --a------ C:\WINDOWS\system32\borlndmm.dll
2007-09-26 15:48 17,142 --a------ C:\WINDOWS\system32\CBTNDIS5.SYS
2007-09-26 15:48 1,706,800 --a------ C:\WINDOWS\system32\GdiPlus.dll
2007-09-26 15:48 1,497,088 --a------ C:\WINDOWS\system32\cc3260mt.dll
2007-09-26 15:48 1,496,064 --a------ C:\WINDOWS\system32\cc3250mt.dll
2007-09-26 15:48 <DIR> d-------- C:\Program Files\Linksys
2007-09-15 21:47 6,144 --a------ C:\WINDOWS\system32\cmcache.dat
2007-09-09 20:34 <DIR> d-------- C:\Program Files\Microsoft Streets and Trips

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-03 14:41 --------- d-------- C:\Program Files\Ivde
2007-09-30 20:55 --------- d-------- C:\Program Files\MBKWBar
2007-09-30 18:26 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-29 23:00 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-29 23:00 --------- d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-29 22:59 --------- d-------- C:\Program Files\Symantec
2007-09-29 22:56 --------- d-------- C:\Documents and Settings\ALEX\Application Data\Lavasoft
2007-09-26 15:48 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-25 09:28 --------- d-------- C:\Program Files\MySpace
2007-08-23 21:57 --------- d-------- C:\Documents and Settings\ALEX\Application Data\MySpace
2007-08-16 19:12 --------- d-------- C:\Program Files\Opera
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2002-09-08 11:11 56832 --ahsc--- C:\Program Files\Thumbs.db
2001-08-18 12:00:00 94,784 -csh--w C:\WINDOWS\twain.dll
2001-08-18 12:00:00 46,592 -csh--w C:\WINDOWS\twain_32.dll
2001-08-18 12:00:00 995,383 --sh--w C:\WINDOWS\system32\mfc42.dll
2001-08-18 12:00:00 50,688 -csh--w C:\WINDOWS\system32\msvcirt.dll
2002-08-29 10:41:08 401,462 --sha-w C:\WINDOWS\system32\msvcp60.dll
2002-08-29 10:41:08 323,072 --sha-w C:\WINDOWS\system32\msvcrt.dll
2002-08-29 10:41:10 569,344 --sh--w C:\WINDOWS\system32\oleaut32.dll
2001-08-18 12:00:00 106,496 --sh--w C:\WINDOWS\system32\olepro32.dll
2001-08-18 12:00:00 9,728 -csh--w C:\WINDOWS\system32\regsvr32.exe
.

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2002-04-15 18:35]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 C:\WINDOWS\system32\000StTHK.exe]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2001-11-14 03:37]
"S3Hotkey"="s3hotkey.exe" [2001-09-12 21:27 C:\WINDOWS\system32\s3hotkey.exe]
"S3TRAY2"="S3Tray2.exe" [2002-02-20 16:38 C:\WINDOWS\system32\S3Tray2.exe]
"TFNF5"="TFNF5.exe" [2001-08-03 18:08 C:\WINDOWS\system32\TFNF5.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-03-29 14:40]
"TFncKy"="TFncKy.exe" []
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2002-04-12 11:13]
"Tpwrtray"="TPWRTRAY.EXE" [2002-03-19 20:38 C:\WINDOWS\system32\TPWRTRAY.EXE]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 07:11]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2002-04-09 17:51]
"windows auto update"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 18:28]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38]
"kmw_run.exe"="kmw_run.exe" [2003-05-27 14:48 C:\WINDOWS\system32\kmw_run.exe]
"MSWheel"="" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 04:03]
"Linksys Wireless-N Notebook Adapter"="C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe" [2006-04-28 05:55]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-28 23:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-01 21:31]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"<NO NAME>"=

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
SpySubtract.lnk - C:\Program Files\interMute\SpySubtract\SpySub.exe [2005-02-01 19:49:19]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
SpySubtract.lnk - C:\Program Files\interMute\SpySubtract\SpySub.exe [2005-02-01 19:49:19]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= c:\Program Files\interMute\SpySubtract\sshook.dll [2005-02-01 19:49 77824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\System32\cmcache.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

R0 TVALG;Toshiba Value Added Logical and General Purpose Device Driver;C:\WINDOWS\System32\DRIVERS\TVALG.SYS
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\System32\CBTNDIS5.SYS
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\System32\DRIVERS\KMW_KBD.sys
R3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\System32\DRIVERS\KMW_SYS.sys
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\System32\DRIVERS\odysseyIM4.sys
R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\System32\DRIVERS\tsdhd.sys
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\System32\DRIVERS\KMW_USB.sys
S3 pciSd;pciSd;C:\WINDOWS\System32\DRIVERS\tossdpci.sys
S3 WDM_YAMAHAAC97;YAMAHA AC-XG Audio Device;C:\WINDOWS\System32\drivers\yacxgc.sys
S3 wlluc48;Wireless LAN PC Card Driver;C:\WINDOWS\System32\DRIVERS\wlluc48.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-19 01:05:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-08 03:20:12 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
"2007-10-08 03:26:01 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-07 20:21:01
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\update.sys
C:\WINDOWS\system32\drivers\usb8023.sys
C:\WINDOWS\system32\drivers\usbcamd.sys
C:\WINDOWS\system32\drivers\usbcamd2.sys
C:\WINDOWS\system32\drivers\usbccgp.sys
C:\WINDOWS\system32\drivers\usbd.sys
C:\WINDOWS\system32\drivers\usbehci.sys
C:\WINDOWS\system32\drivers\usbhub.sys
C:\WINDOWS\system32\drivers\usbintel.sys
C:\WINDOWS\system32\drivers\usbport.sys
C:\WINDOWS\system32\drivers\usbprint.sys
C:\WINDOWS\system32\drivers\usbscan.sys
C:\WINDOWS\system32\drivers\usbstor.sys
C:\WINDOWS\system32\drivers\usbuhci.sys
C:\WINDOWS\system32\drivers\vdmindvd.sys
C:\WINDOWS\system32\drivers\vga.sys
C:\WINDOWS\system32\drivers\videoprt.sys
C:\WINDOWS\system32\drivers\volsnap.sys
C:\WINDOWS\system32\drivers\wacompen.sys
C:\WINDOWS\system32\drivers\wanarp.sys
C:\WINDOWS\system32\drivers\wdmaud.sys
C:\WINDOWS\system32\drivers\wlluc48.sys
C:\WINDOWS\system32\drivers\wmilib.sys
C:\WINDOWS\system32\drivers\ws2ifsl.sys
C:\WINDOWS\system32\drivers\yacxgc.sys
C:\WINDOWS\system32\drivers\Ygny51.sys
C:\WINDOWS\system32\drivers\TVALG.SYS
C:\WINDOWS\system32\drivers\udfs.sys

scan completed successfully
hidden files: 28

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Ygny51]

.
Completion time: 2007-10-07 20:29:19 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-07 20:28
C:\ComboFix2.txt ... 2007-10-07 17:40
C:\ComboFix3.txt ... 2007-10-05 21:15
.
--- E O F ---

Alex

ALEXSF415
2007-10-08, 05:58
Hi

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:53 PM, on 10/7/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\s3hotkey.exe
C:\WINDOWS\System32\S3Tray2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\OdHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.sexofactory.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.toshiba.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Linksys Wireless-N Notebook Adapter] C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Investigador - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100911663445
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\cmcache.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC300N - Unknown owner - C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Smart Card Helper SCardDrvImapiService (SCardDrvImapiService) - Unknown owner - C:\WINDOWS\System32\acctresh.exe (file missing)
O23 - Service: WMI Performance Adapter WmiApSrvwinmgmt (WmiApSrvwinmgmt) - Unknown owner - C:\WINDOWS\System32\actxprxyv.exe (file missing)

--
End of file - 8882 bytes

Alex

steamwiz
2007-10-08, 22:15
Hi

Disconnect from the internet. Close ALL browser windows (including this one), run HijackThis and tick to fix (check the box next to) the list below. When all are ticked (checked), click the Fix Checked button at the bottom:

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.sexofactory.com/ie

O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)

O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

O20 - AppInit_DLLs: C:\WINDOWS\System32\cmcache.dat

O23 - Service: Smart Card Helper SCardDrvImapiService (SCardDrvImapiService) - Unknown owner - C:\WINDOWS\System32\acctresh.exe (file missing)
O23 - Service: WMI Performance Adapter WmiApSrvwinmgmt (WmiApSrvwinmgmt) - Unknown owner - C:\WINDOWS\System32\actxprxyv.exe (file missing)


Reboot into safe mode (click here for instructions: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406), then find and delete:

C:\WINDOWS\System32\cmcache.dat ... file

Still in safe mode, run HijackThis again, and if any of the above entries (which you fixed in normal mode) are still there, fix them again.

Reboot back into NORMAL mode, run HijackThis again and post the new log in your next reply here.

steam
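What made those entries stand out, written up as an added Python triage script (not code from the thread, from HijackThis or from ComboFix) and run over lines copied from the log above; the list of known default search hosts is an assumption of the example, not something the thread states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis log posted in this thread,
# mixed with neighbouring legitimate entries so the rules have something to ignore.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.sexofactory.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.toshiba.com/
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\cmcache.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: NICSer_WPC300N - Unknown owner - C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
O23 - Service: Smart Card Helper SCardDrvImapiService (SCardDrvImapiService) - Unknown owner - C:\WINDOWS\System32\acctresh.exe (file missing)
O23 - Service: WMI Performance Adapter WmiApSrvwinmgmt (WmiApSrvwinmgmt) - Unknown owner - C:\WINDOWS\System32\actxprxyv.exe (file missing)
"""

# Hosts IE 6 uses for its stock SearchAssistant page. Assumption for this example;
# extend it from a clean reference machine before relying on it.
KNOWN_SEARCH_HOSTS = {"ie.search.msn.com", "search.msn.com"}


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O20"
    reason: str    # why the entry deserves a second look
    line: str      # the log line as written


def _host(url: str) -> str:
    """Return the lower-cased host part of an http(s) URL, or '' if it is not one."""
    m = re.match(r"https?://([^/]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def triage_line(line: str) -> Optional[Finding]:
    """Apply the rules behind the helper's pick list to one HijackThis log line."""
    line = line.strip()
    section = line.split(" - ", 1)[0]

    # R1: IE search helper pointed somewhere other than Microsoft's own page.
    if section == "R1" and "SearchAssistant = " in line:
        host = _host(line.split("= ", 1)[1])
        if host not in KNOWN_SEARCH_HOSTS:
            return Finding(section, f"IE SearchAssistant redirected to {host}", line)

    # O3: a toolbar CLSID whose DLL no longer exists is a leftover worth cleaning.
    if section == "O3" and line.endswith("(no file)"):
        return Finding(section, "toolbar registered but its DLL is missing", line)

    # O16: Downloaded Program Files normally come from an http(s) URL; a local
    # file:// source means something dropped a CAB on the disk itself.
    if section == "O16" and "file://" in line.lower():
        return Finding(section, "ActiveX package sourced from a local file:// path", line)

    # O20: AppInit_DLLs is loaded into every process that loads user32.dll; a
    # module with a non-.dll extension (here .dat) is a common disguise.
    if section == "O20" and "AppInit_DLLs: " in line:
        path = line.split("AppInit_DLLs: ", 1)[1]
        if path.lower().endswith(".dll"):
            reason = "AppInit_DLLs set; verify the DLL's publisher"
        else:
            reason = f"AppInit_DLLs loads a module without a .dll extension: {path}"
        return Finding(section, reason, line)

    # O23: a service with no vendor name AND no binary on disk is typically the
    # remains of malware that re-creates itself at boot.
    if section == "O23" and "Unknown owner" in line and "(file missing)" in line:
        return Finding(section, "service with no vendor name whose binary is missing", line)

    return None


def triage(log: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the hits, in log order."""
    return [f for f in map(triage_line, log.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Run against the constructed sample it reports exactly the six entries the helper listed and stays silent on the legitimate neighbours (Google toolbar, the SUPERAntiSpyware Winlogon notify, the Linksys service).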

ALEXSF415
2007-10-09, 02:00
Hi

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:29:52 PM, on 10/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\00THotkey.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\s3hotkey.exe
C:\WINDOWS\System32\S3Tray2.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\Program Files\Linksys\Wireless-N Network Monitor\OdHost.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.toshiba.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Linksys Wireless-N Notebook Adapter] C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Investigador - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100911663445
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\cmcache.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC300N - Unknown owner - C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Smart Card Helper SCardDrvImapiService (SCardDrvImapiService) - Unknown owner - C:\WINDOWS\System32\acctresh.exe (file missing)
O23 - Service: WMI Performance Adapter WmiApSrvwinmgmt (WmiApSrvwinmgmt) - Unknown owner - C:\WINDOWS\System32\actxprxyv.exe (file missing)

--
End of file - 8634 bytes

Alex

steamwiz
2007-10-09, 17:34
Hi

I see there were still some you could not delete ...

when you tried to delete this file :-

C:\WINDOWS\System32\cmcache.dat

Did it say the file was in use? Or couldn't you find it?

I also see you were unable to remove the entry in HijackThis showing the file running from AppInit_DLLs.

Let's try something else ...

first

go to Start > Run and type Services.msc > click OK

Scroll down and find the service called Smart Card Helper SCardDrvImapiService

double-click on it

click the Stop button

change the Startup Type to Disabled

click Apply and then OK

then

Scroll down and find the service called WMI Performance Adapter WmiApSrvwinmgmt

double-click on it

click the Stop button

change the Startup Type to Disabled

click Apply and then OK

and close any open windows

-
THEN

Open Notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, and no space in front of it).


File::
C:\WINDOWS\System32\cmcache.dat

Registry::
[HKLM\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""



Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

steam

ALEXSF415
2007-10-10, 05:16
Hi

I did find
C:\WINDOWS\System32\cmcache.dat
and I did delete it, but it came back.

ComboFix 07-09-30.5 - ALEX 2007-10-09 17:58:34.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.91 [GMT -7:00]
Running from: C:\Documents and Settings\ALEX\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ALEX\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\System32\cmcache.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\System32\cmcache.dat

.
((((((((((((((((((((((((( Files Created from 2007-09-10 to 2007-10-10 )))))))))))))))))))))))))))))))
.

2007-10-08 15:52 <DIR> d-------- C:\WINDOWS\pss
2007-10-07 18:31 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-10-07 18:31 <DIR> d-------- C:\WINDOWS\ehome
2007-10-07 18:21 171,008 --a------ C:\WINDOWS\system32\sccsccp.dll
2007-10-07 18:14 76,288 --a------ C:\WINDOWS\system32\avifil32.dll
2007-10-07 18:14 71,680 --a------ C:\WINDOWS\system32\browsewm.dll
2007-10-07 18:14 62,976 --a------ C:\WINDOWS\system32\browselc.dll
2007-10-07 18:14 6,656 --a------ C:\WINDOWS\system32\batt.dll
2007-10-07 18:14 59,904 --a------ C:\WINDOWS\system32\cabinet.dll
2007-10-07 18:14 49,152 --a------ C:\WINDOWS\system32\browser.dll
2007-10-07 18:13 8,192 --a------ C:\WINDOWS\system32\autolfn.exe
2007-10-07 18:13 74,810 --a------ C:\WINDOWS\system32\atl.dll
2007-10-07 18:13 38,912 --a------ C:\WINDOWS\system32\audiosrv.dll
2007-10-07 18:12 32,512 --------- C:\WINDOWS\system32\drivers\amdk7.sys
2007-10-07 18:12 22,528 --a------ C:\WINDOWS\system32\at.exe
2007-10-07 18:12 14,366 --a------ C:\WINDOWS\system32\asfsipc.dll
2007-10-07 18:12 115,712 --a------ C:\WINDOWS\system32\apphelp.dll
2007-10-07 18:11 91,648 --a------ C:\WINDOWS\system32\ahui.exe
2007-10-07 18:11 62,464 --a------ C:\WINDOWS\system32\adsmsext.dll
2007-10-07 18:11 41,984 --a------ C:\WINDOWS\system32\alg.exe
2007-10-07 18:11 239,616 --a------ C:\WINDOWS\system32\adsnt.dll
2007-10-07 18:11 162,816 --a------ C:\WINDOWS\system32\adsldp.dll
2007-10-07 18:11 139,776 --a------ C:\WINDOWS\system32\adsldpc.dll
2007-10-07 18:10 59,392 --a------ C:\WINDOWS\system32\6to4svc.dll
2007-10-07 18:09 42,537 --a------ C:\WINDOWS\system32\keyboard.sys
2007-10-07 18:09 169,984 --a------ C:\WINDOWS\system32\sccbase.dll
2007-10-02 16:06 <DIR> d-------- C:\Deckard
2007-09-30 18:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-30 18:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-30 18:29 <DIR> d-------- C:\Documents and Settings\ALEX\Application Data\SUPERAntiSpyware.com
2007-09-30 17:54 3,470 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-29 17:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-28 22:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-28 16:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\NetWorkSwitch.temp
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Drag'n Drop CD
2007-09-27 18:50 68,608 --a--c--- C:\WINDOWS\system32\dllcache\locator.exe
2007-09-27 18:50 68,608 --a------ C:\WINDOWS\system32\locator.exe
2007-09-27 18:47 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-26 15:49 <DIR> d-------- C:\Program Files\Funk Software
2007-09-26 15:49 <DIR> d-------- C:\Program Files\Common Files\Funk Software
2007-09-26 15:48 94,208 --a------ C:\WINDOWS\system32\W32N50CT.DLL
2007-09-26 15:48 543,104 --a------ C:\WINDOWS\system32\drivers\BCMWL5.SYS
2007-09-26 15:48 25,600 --a------ C:\WINDOWS\system32\borlndmm.dll
2007-09-26 15:48 17,142 --a------ C:\WINDOWS\system32\CBTNDIS5.SYS
2007-09-26 15:48 1,706,800 --a------ C:\WINDOWS\system32\GdiPlus.dll
2007-09-26 15:48 1,497,088 --a------ C:\WINDOWS\system32\cc3260mt.dll
2007-09-26 15:48 1,496,064 --a------ C:\WINDOWS\system32\cc3250mt.dll
2007-09-26 15:48 <DIR> d-------- C:\Program Files\Linksys
2007-09-15 21:47 6,144 --a------ C:\WINDOWS\system32\cmcache.dat
2007-09-09 20:34 <DIR> d-------- C:\Program Files\Microsoft Streets and Trips

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-07 22:09 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-07 22:02 27840 --a------ C:\WINDOWS\java\x.exe
2007-10-07 22:02 --------- d-------- C:\Program Files\VisualRoute
2007-10-03 14:41 --------- d-------- C:\Program Files\Ivde
2007-09-30 20:55 --------- d-------- C:\Program Files\MBKWBar
2007-09-29 23:00 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-29 23:00 --------- d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-29 22:59 --------- d-------- C:\Program Files\Symantec
2007-09-29 22:56 --------- d-------- C:\Documents and Settings\ALEX\Application Data\Lavasoft
2007-09-26 15:48 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-25 09:28 --------- d-------- C:\Program Files\MySpace
2007-08-23 21:57 --------- d-------- C:\Documents and Settings\ALEX\Application Data\MySpace
2007-08-16 19:12 --------- d-------- C:\Program Files\Opera
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2002-09-08 11:11 56832 --ahsc--- C:\Program Files\Thumbs.db
2001-08-18 12:00:00 94,784 -csh--w C:\WINDOWS\twain.dll
2001-08-18 12:00:00 46,592 -csh--w C:\WINDOWS\twain_32.dll
2001-08-18 12:00:00 995,383 --sh--w C:\WINDOWS\system32\mfc42.dll
2001-08-18 12:00:00 50,688 -csh--w C:\WINDOWS\system32\msvcirt.dll
2002-08-29 10:41:08 401,462 --sha-w C:\WINDOWS\system32\msvcp60.dll
2002-08-29 10:41:08 323,072 --sha-w C:\WINDOWS\system32\msvcrt.dll
2002-08-29 10:41:10 569,344 --sh--w C:\WINDOWS\system32\oleaut32.dll
2001-08-18 12:00:00 106,496 --sh--w C:\WINDOWS\system32\olepro32.dll
2001-08-18 12:00:00 9,728 -csh--w C:\WINDOWS\system32\regsvr32.exe
.

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2002-04-15 18:35]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 C:\WINDOWS\system32\000StTHK.exe]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2001-11-14 03:37]
"S3Hotkey"="s3hotkey.exe" [2001-09-12 21:27 C:\WINDOWS\system32\s3hotkey.exe]
"S3TRAY2"="S3Tray2.exe" [2002-02-20 16:38 C:\WINDOWS\system32\S3Tray2.exe]
"TFNF5"="TFNF5.exe" [2001-08-03 18:08 C:\WINDOWS\system32\TFNF5.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-03-29 14:40]
"TFncKy"="TFncKy.exe" []
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2002-04-12 11:13]
"Tpwrtray"="TPWRTRAY.EXE" [2002-03-19 20:38 C:\WINDOWS\system32\TPWRTRAY.EXE]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 07:11]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2002-04-09 17:51]
"windows auto update"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 18:28]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38]
"kmw_run.exe"="kmw_run.exe" [2003-05-27 14:48 C:\WINDOWS\system32\kmw_run.exe]
"MSWheel"="" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 04:03]
"Linksys Wireless-N Notebook Adapter"="C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe" [2006-04-28 05:55]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-28 23:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-01 21:31]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
SpySubtract.lnk - C:\Program Files\interMute\SpySubtract\SpySub.exe [2005-02-01 19:49:19]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
SpySubtract.lnk - C:\Program Files\interMute\SpySubtract\SpySub.exe [2005-02-01 19:49:19]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= c:\Program Files\interMute\SpySubtract\sshook.dll [2005-02-01 19:49 77824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\System32\cmcache.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

R0 TVALG;Toshiba Value Added Logical and General Purpose Device Driver;C:\WINDOWS\System32\DRIVERS\TVALG.SYS
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\System32\CBTNDIS5.SYS
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\System32\DRIVERS\KMW_KBD.sys
R3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\System32\DRIVERS\KMW_SYS.sys
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\System32\DRIVERS\odysseyIM4.sys
R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\System32\DRIVERS\tsdhd.sys
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\System32\DRIVERS\KMW_USB.sys
S3 pciSd;pciSd;C:\WINDOWS\System32\DRIVERS\tossdpci.sys
S3 WDM_YAMAHAAC97;YAMAHA AC-XG Audio Device;C:\WINDOWS\System32\drivers\yacxgc.sys
S3 wlluc48;Wireless LAN PC Card Driver;C:\WINDOWS\System32\DRIVERS\wlluc48.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-10 01:05:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-10 00:20:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
"2007-10-10 01:16:03 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-09 18:09:38
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\update.sys
C:\WINDOWS\system32\drivers\usb8023.sys
C:\WINDOWS\system32\drivers\usbcamd.sys
C:\WINDOWS\system32\drivers\usbcamd2.sys
C:\WINDOWS\system32\drivers\usbccgp.sys
C:\WINDOWS\system32\drivers\usbd.sys
C:\WINDOWS\system32\drivers\usbehci.sys
C:\WINDOWS\system32\drivers\usbhub.sys
C:\WINDOWS\system32\drivers\usbintel.sys
C:\WINDOWS\system32\drivers\usbport.sys
C:\WINDOWS\system32\drivers\usbprint.sys
C:\WINDOWS\system32\drivers\usbscan.sys
C:\WINDOWS\system32\drivers\usbstor.sys
C:\WINDOWS\system32\drivers\usbuhci.sys
C:\WINDOWS\system32\drivers\vdmindvd.sys
C:\WINDOWS\system32\drivers\vga.sys
C:\WINDOWS\system32\drivers\videoprt.sys
C:\WINDOWS\system32\drivers\volsnap.sys
C:\WINDOWS\system32\drivers\wacompen.sys
C:\WINDOWS\system32\drivers\wanarp.sys
C:\WINDOWS\system32\drivers\wdmaud.sys
C:\WINDOWS\system32\drivers\wlluc48.sys
C:\WINDOWS\system32\drivers\wmilib.sys
C:\WINDOWS\system32\drivers\ws2ifsl.sys
C:\WINDOWS\system32\drivers\yacxgc.sys
C:\WINDOWS\system32\drivers\Ygny51.sys
C:\WINDOWS\system32\drivers\TVALG.SYS
C:\WINDOWS\system32\drivers\udfs.sys

scan completed successfully
hidden files: 28

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Ygny51]

.
Completion time: 2007-10-09 18:19:36 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-09 18:18
C:\ComboFix2.txt ... 2007-10-07 20:29
C:\ComboFix3.txt ... 2007-10-07 17:40
.
--- E O F ---

ALEXSF415
2007-10-10, 05:17
Hi

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:52:39 PM, on 10/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\s3hotkey.exe
C:\WINDOWS\System32\S3Tray2.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\OdHost.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.toshiba.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Linksys Wireless-N Notebook Adapter] C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Investigador - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100911663445
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\cmcache.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC300N - Unknown owner - C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 8316 bytes

Alex

steamwiz
2007-10-10, 22:28
Hi

Well we keep deleting the cmcache.dat file but it's still there ...

Let's try another way ....

First ...

Run HijackThis and fix this entry :-

O20 - AppInit_DLLs: C:\WINDOWS\System32\cmcache.dat


THEN ...

1. Download and unzip Avenger (by Swandog46) to your desktop. > http://swandog46.geekstogo.com/avenger.zip
2. Double click the Avenger.exe file
3. Click OK
4. Select Input script manually
5. Click the Magnifying Glass icon
6. Highlight the text in the code box below, & copy and paste it into the View/edit script box



Files to delete:
C:\WINDOWS\system32\cmcache.dat

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


7. Click Done
8. Click the Traffic Light icon to start the program.
9. Click Yes to execute the script and click Yes when asked to reboot your computer
10. Post the contents of the file C:\Avenger.txt

After the reboot... run hijackthis & post a new log .....

Don't forget to Post the contents of the file C:\Avenger.txt

& also please post a new Combofix log.

---
You have a new file which I don't like the look of ...

C:\WINDOWS\java\x.exe

it came in at the same time as this folder :-

C:\Program Files\VisualRoute

As you have not been on the net, did you install VisualRoute from a CD?

2007-10-07 22:02 27840 --a------ C:\WINDOWS\java\x.exe
2007-10-07 22:02 --------- d-------- C:\Program Files\VisualRoute

I would like you to upload the x.exe file to jotti or virustotal & have it scanned ... but I don't want you to go back on the net until we have removed the cmcache.dat file ... so we'll do that later ...

steam
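The entry steamwiz is chasing is the AppInit_DLLs value (the O20 line in HijackThis), which loads cmcache.dat into every process that maps user32.dll. As an added example that is not part of this thread, the Python below parses HijackThis finding lines, flags a populated AppInit_DLLs value (it is empty on a clean XP install, and a .dat extension is doubly odd) and services with no publisher, and diffs a before/after log to confirm the entry is gone. The sample log lines are constructed from the logs posted above.

```python
import re
from typing import List, Tuple

# HijackThis writes one finding per line as "<section> - <description>".
HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+)\s+-\s+(?P<body>.+)$")

# Constructed samples, copied from the logs in this thread: before and after the Avenger run.
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - AppInit_DLLs: C:\WINDOWS\System32\cmcache.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: NICSer_WPC300N - Unknown owner - C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

AFTER_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: NICSer_WPC300N - Unknown owner - C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""


def parse_hjt(log_text: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for every finding line in a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            findings.append((m.group("sec"), m.group("body")))
    return findings


def triage(log_text: str) -> List[str]:
    """Flag the entries a helper would want to look at first."""
    notes = []
    for sec, body in parse_hjt(log_text):
        if sec == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            # Anything listed here is mapped into every user32-linked process at start.
            reason = "AppInit_DLLs is set"
            if not value.lower().endswith(".dll"):
                reason += " and points at a non-.dll file"
            notes.append(f"{sec} {value}: {reason}")
        elif sec == "O23" and "Unknown owner" in body:
            # A service with no publisher string deserves a second look.
            notes.append(f"{sec} {body.split(' - ')[0]}: service has no publisher")
    return notes


def removed_findings(before: str, after: str) -> List[str]:
    """Findings present in the earlier log but absent from the later one (order preserved)."""
    later = set(parse_hjt(after))
    return [f"{sec} - {body}" for sec, body in parse_hjt(before) if (sec, body) not in later]


if __name__ == "__main__":
    for note in triage(BEFORE_LOG):
        print("flag:", note)
    for gone in removed_findings(BEFORE_LOG, AFTER_LOG):
        print("removed:", gone)
```

The diff is the check to run on every new log the user posts: the fix has only worked when the O20 AppInit_DLLs line is in the removed list and does not return in the next log.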

ALEXSF415
2007-10-11, 03:16
Hi

I didn't install VisualRoute, I deleted it from my computer.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\pdiouikw

*******************

Script file located at: \??\C:\WINDOWS\System32\ffheafnr.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:00:46 PM, on 10/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\s3hotkey.exe
C:\WINDOWS\System32\S3Tray2.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\OdHost.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.toshiba.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Linksys Wireless-N Notebook Adapter] C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Investigador - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100911663445
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC300N - Unknown owner - C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 8299 bytes

ALEXSF415
2007-10-11, 03:18
Hi

ComboFix 07-10-11.3 - ALEX 2007-10-10 17:37:44.8 - NTFSx86
Script execution time was exceeded on script "C:\ComboFix\osid.vbs".
Script execution was terminated.
Running from: C:\Documents and Settings\ALEX\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\drivers\YGNY51.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_YGNY51


((((((((((((((((((((((((( Files Created from 2007-09-11 to 2007-10-11 )))))))))))))))))))))))))))))))
.

2007-10-10 16:43 60,416 --a------ C:\WINDOWS\system32\drivers\dicn^hua.sys
2007-10-08 15:52 <DIR> d-------- C:\WINDOWS\pss
2007-10-07 18:31 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-10-07 18:31 <DIR> d-------- C:\WINDOWS\ehome
2007-10-07 18:21 171,008 --a------ C:\WINDOWS\system32\sccsccp.dll
2007-10-07 18:14 76,288 --a------ C:\WINDOWS\system32\avifil32.dll
2007-10-07 18:14 71,680 --a------ C:\WINDOWS\system32\browsewm.dll
2007-10-07 18:14 62,976 --a------ C:\WINDOWS\system32\browselc.dll
2007-10-07 18:14 59,904 --a------ C:\WINDOWS\system32\cabinet.dll
2007-10-07 18:14 49,152 --a------ C:\WINDOWS\system32\browser.dll
2007-10-07 18:14 6,656 --a------ C:\WINDOWS\system32\batt.dll
2007-10-07 18:13 74,810 --a------ C:\WINDOWS\system32\atl.dll
2007-10-07 18:13 38,912 --a------ C:\WINDOWS\system32\audiosrv.dll
2007-10-07 18:13 8,192 --a------ C:\WINDOWS\system32\autolfn.exe
2007-10-07 18:12 115,712 --a------ C:\WINDOWS\system32\apphelp.dll
2007-10-07 18:12 32,512 --------- C:\WINDOWS\system32\drivers\amdk7.sys
2007-10-07 18:12 22,528 --a------ C:\WINDOWS\system32\at.exe
2007-10-07 18:12 14,366 --a------ C:\WINDOWS\system32\asfsipc.dll
2007-10-07 18:11 239,616 --a------ C:\WINDOWS\system32\adsnt.dll
2007-10-07 18:11 162,816 --a------ C:\WINDOWS\system32\adsldp.dll
2007-10-07 18:11 139,776 --a------ C:\WINDOWS\system32\adsldpc.dll
2007-10-07 18:11 91,648 --a------ C:\WINDOWS\system32\ahui.exe
2007-10-07 18:11 62,464 --a------ C:\WINDOWS\system32\adsmsext.dll
2007-10-07 18:11 41,984 --a------ C:\WINDOWS\system32\alg.exe
2007-10-07 18:10 59,392 --a------ C:\WINDOWS\system32\6to4svc.dll
2007-10-07 18:09 169,984 --a------ C:\WINDOWS\system32\sccbase.dll
2007-10-07 18:09 42,537 --a------ C:\WINDOWS\system32\keyboard.sys
2007-09-30 18:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-30 18:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-30 18:29 <DIR> d-------- C:\Documents and Settings\ALEX\Application Data\SUPERAntiSpyware.com
2007-09-30 17:54 3,470 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-29 17:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-28 23:34 <DIR> d-------- C:\Documents and Settings\ALEX\Application Data\AVG7
2007-09-28 23:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-09-28 23:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-28 23:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-09-28 22:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-28 16:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\NetWorkSwitch.temp
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Drag'n Drop CD
2007-09-27 18:50 68,608 --a------ C:\WINDOWS\system32\locator.exe
2007-09-27 18:50 68,608 --a--c--- C:\WINDOWS\system32\dllcache\locator.exe
2007-09-27 18:47 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-26 15:49 <DIR> d-------- C:\Program Files\Funk Software
2007-09-26 15:49 <DIR> d-------- C:\Program Files\Common Files\Funk Software
2007-09-26 15:48 <DIR> d-------- C:\Program Files\Linksys
2007-09-26 15:48 1,706,800 --a------ C:\WINDOWS\system32\GdiPlus.dll
2007-09-26 15:48 1,497,088 --a------ C:\WINDOWS\system32\cc3260mt.dll
2007-09-26 15:48 1,496,064 --a------ C:\WINDOWS\system32\cc3250mt.dll
2007-09-26 15:48 543,104 --a------ C:\WINDOWS\system32\drivers\BCMWL5.SYS
2007-09-26 15:48 94,208 --a------ C:\WINDOWS\system32\W32N50CT.DLL
2007-09-26 15:48 25,600 --a------ C:\WINDOWS\system32\borlndmm.dll
2007-09-26 15:48 17,142 --a------ C:\WINDOWS\system32\CBTNDIS5.SYS
2007-09-15 21:47 6,144 --a------ C:\WINDOWS\system32\cmcache.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-08 05:09 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-08 05:02 --------- d-----w C:\Program Files\VisualRoute
2007-10-03 21:41 --------- d-----w C:\Program Files\Ivde
2007-10-01 03:55 --------- d-----w C:\Program Files\MBKWBar
2007-09-30 06:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-09-30 06:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-30 05:59 --------- d-----w C:\Program Files\Symantec
2007-09-30 05:56 --------- d-----w C:\Documents and Settings\ALEX\Application Data\Lavasoft
2007-09-26 22:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-10 03:41 --------- d-----w C:\Program Files\Microsoft Streets and Trips
2007-08-25 16:28 --------- d-----w C:\Program Files\MySpace
2007-08-24 04:57 --------- d-----w C:\Documents and Settings\ALEX\Application Data\MySpace
2007-08-17 02:12 --------- d-----w C:\Program Files\Opera
2004-11-04 19:02 41,648 -c--a-w C:\Documents and Settings\ALEX\Application Data\GDIPFONTCACHEV1.DAT
2002-09-08 18:11 56,832 -csha-w C:\Program Files\Thumbs.db
2001-08-18 12:00:00 94,784 -csh--w C:\WINDOWS\twain.dll
2001-08-18 12:00:00 46,592 -csh--w C:\WINDOWS\twain_32.dll
2001-08-18 12:00:00 995,383 --sh--w C:\WINDOWS\system32\mfc42.dll
2001-08-18 12:00:00 50,688 -csh--w C:\WINDOWS\system32\msvcirt.dll
2002-08-29 10:41:08 401,462 --sha-w C:\WINDOWS\system32\msvcp60.dll
2002-08-29 10:41:08 323,072 --sha-w C:\WINDOWS\system32\msvcrt.dll
2002-08-29 10:41:10 569,344 --sh--w C:\WINDOWS\system32\oleaut32.dll
2001-08-18 12:00:00 106,496 --sh--w C:\WINDOWS\system32\olepro32.dll
2001-08-18 12:00:00 9,728 -csh--w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2002-04-15 18:35]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 C:\WINDOWS\system32\000StTHK.exe]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2001-11-14 03:37]
"S3Hotkey"="s3hotkey.exe" [2001-09-12 21:27 C:\WINDOWS\system32\s3hotkey.exe]
"S3TRAY2"="S3Tray2.exe" [2002-02-20 16:38 C:\WINDOWS\system32\S3Tray2.exe]
"TFNF5"="TFNF5.exe" [2001-08-03 18:08 C:\WINDOWS\system32\TFNF5.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-03-29 14:40]
"TFncKy"="TFncKy.exe" []
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2002-04-12 11:13]
"Tpwrtray"="TPWRTRAY.EXE" [2002-03-19 20:38 C:\WINDOWS\system32\TPWRTRAY.EXE]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 07:11]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2002-04-09 17:51]
"windows auto update"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 18:28]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38]
"kmw_run.exe"="kmw_run.exe" [2003-05-27 14:48 C:\WINDOWS\system32\kmw_run.exe]
"MSWheel"="" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 04:03]
"Linksys Wireless-N Notebook Adapter"="C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe" [2006-04-28 05:55]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-28 23:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-01 21:31]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"<NO NAME>"=

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
SpySubtract.lnk - C:\Program Files\interMute\SpySubtract\SpySub.exe [2005-02-01 19:49:19]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= c:\Program Files\interMute\SpySubtract\sshook.dll [2005-02-01 19:49 77824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

R0 TVALG;Toshiba Value Added Logical and General Purpose Device Driver;C:\WINDOWS\System32\DRIVERS\TVALG.SYS
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\System32\CBTNDIS5.SYS
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\System32\DRIVERS\KMW_KBD.sys
R3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\System32\DRIVERS\KMW_SYS.sys
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\System32\DRIVERS\odysseyIM4.sys
R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\System32\DRIVERS\tsdhd.sys
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\System32\DRIVERS\KMW_USB.sys
S3 pciSd;pciSd;C:\WINDOWS\System32\DRIVERS\tossdpci.sys
S3 WDM_YAMAHAAC97;YAMAHA AC-XG Audio Device;C:\WINDOWS\System32\drivers\yacxgc.sys
S3 wlluc48;Wireless LAN PC Card Driver;C:\WINDOWS\System32\DRIVERS\wlluc48.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-10 01:05:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-11 00:20:25 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
"2007-10-11 00:56:30 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-10 17:55:19
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-10 18:00:50 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-09 18:18
C:\ComboFix2.txt ... 2007-10-09 18:19
C:\ComboFix3.txt ... 2007-10-07 20:29
.
--- E O F ---

Alex

steamwiz
2007-10-11, 21:12
Hi

When you copied the script into Avenger, did you include the ...

Files to delete:
C:\WINDOWS\system32\cmcache.dat


Because the Avenger log doesn't even mention it, but it should say whether it found it & whether it deleted it ...

Avenger did execute the second part of the script :-


Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs


It no longer shows in hijackthis or Combofix, so we have stopped its method of running ...

We'll try & delete the file again ... (still shown in Combofix)

You still have the VisualRoute folder, so we'll delete that as well...

also this new file :-

2007-10-10 16:43 60,416 --a------ C:\WINDOWS\system32\drivers\dicn^hua.sys

& this run key which doesn't show in hijackthis ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windows auto update"="" []

---
So ... the above was just to let you know what's happening ... this is what I want you to do :-

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)


File::
C:\WINDOWS\System32\cmcache.dat
C:\WINDOWS\system32\drivers\dicn^hua.sys

Folder::
C:\Program Files\VisualRoute

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windows auto update"=-



Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Then please run this :-

1. Download SDFix and save it to your Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

2. Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

3. Reboot into Safe Mode :-

Reboot into >>>safe mode (http://www.computerhope.com/issues/chsafe.htm)

4. Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.

It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.

When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Finally paste the contents of the Report.txt back on the forum


steam

ALEXSF415
2007-10-12, 03:31
Hi

When I copied the text into avenger I'm pretty sure I included

Files to delete:
C:\WINDOWS\system32\cmcache.dat

ComboFix 07-10-11.3 - ALEX 2007-10-11 16:54:29.9 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.62 [GMT -7:00]
Running from: C:\Documents and Settings\ALEX\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ALEX\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\System32\cmcache.dat
C:\WINDOWS\system32\drivers\dicn^hua.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\VisualRoute
C:\Program Files\VisualRoute\keyv8-FFFFFFFFB4CF4577-A.bin
C:\Program Files\VisualRoute\startup.ini
C:\Program Files\VisualRoute\trv80.bin
C:\Program Files\VisualRoute\vr\console.txt
C:\Program Files\VisualRoute\vr\dns\216.130.164.198.txt
C:\Program Files\VisualRoute\vr\hops\216.130.164.198.txt
C:\Program Files\VisualRoute\vr\mru.txt
C:\Program Files\VisualRoute\vr\rdns\198.32.160.100.txt
C:\Program Files\VisualRoute\vr\rdns\63.93.97.197.txt
C:\Program Files\VisualRoute\vr\rdns\63.93.97.42.txt
C:\Program Files\VisualRoute\vr\rdns\66.162.144.29.txt
C:\Program Files\VisualRoute\vr\rdns\66.192.255.2.txt
C:\Program Files\VisualRoute\vr\rdns\66.52.181.187.txt
C:\Program Files\VisualRoute\vr\whois\arin-198.32.160.0.txt
C:\Program Files\VisualRoute\vr\whois\arin-216.130.164.0.txt
C:\Program Files\VisualRoute\vr\whois\arin-63.93.97.0.txt
C:\Program Files\VisualRoute\vr\whois\arin-66.162.144.0.txt
C:\Program Files\VisualRoute\vr\whois\arin-66.192.240.0.txt
C:\Program Files\VisualRoute\vr\whois\arin-66.192.250.0.txt
C:\Program Files\VisualRoute\vr\whois\arin-66.192.255.0.txt
C:\Program Files\VisualRoute\vr\whois\arin-66.52.181.0.txt
C:\Program Files\VisualRoute\vr\whois\whois.arin.net-HANDLE-NET-198-32-0-0-1.txt
C:\Program Files\VisualRoute\vr\whois\whois.arin.net-HANDLE-NET-216-130-160-0-1.txt
C:\Program Files\VisualRoute\vr\whois\whois.arin.net-HANDLE-NET-63-93-96-0-1.txt
C:\Program Files\VisualRoute\vr\whois\whois.arin.net-HANDLE-NET-66-192-0-0-1.txt
C:\Program Files\VisualRoute\vr\whois\whois.arin.net-HANDLE-NET-66-52-0-0-1.txt
C:\WINDOWS\System32\cmcache.dat
C:\WINDOWS\system32\drivers\dicn^hua.sys

.
((((((((((((((((((((((((( Files Created from 2007-09-11 to 2007-10-11 )))))))))))))))))))))))))))))))
.

2007-10-08 15:52 <DIR> d-------- C:\WINDOWS\pss
2007-10-07 18:31 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-10-07 18:31 <DIR> d-------- C:\WINDOWS\ehome
2007-10-07 18:21 171,008 --a------ C:\WINDOWS\system32\sccsccp.dll
2007-10-07 18:14 76,288 --a------ C:\WINDOWS\system32\avifil32.dll
2007-10-07 18:14 71,680 --a------ C:\WINDOWS\system32\browsewm.dll
2007-10-07 18:14 62,976 --a------ C:\WINDOWS\system32\browselc.dll
2007-10-07 18:14 59,904 --a------ C:\WINDOWS\system32\cabinet.dll
2007-10-07 18:14 49,152 --a------ C:\WINDOWS\system32\browser.dll
2007-10-07 18:14 6,656 --a------ C:\WINDOWS\system32\batt.dll
2007-10-07 18:13 74,810 --a------ C:\WINDOWS\system32\atl.dll
2007-10-07 18:13 38,912 --a------ C:\WINDOWS\system32\audiosrv.dll
2007-10-07 18:13 8,192 --a------ C:\WINDOWS\system32\autolfn.exe
2007-10-07 18:12 115,712 --a------ C:\WINDOWS\system32\apphelp.dll
2007-10-07 18:12 32,512 --------- C:\WINDOWS\system32\drivers\amdk7.sys
2007-10-07 18:12 22,528 --a------ C:\WINDOWS\system32\at.exe
2007-10-07 18:12 14,366 --a------ C:\WINDOWS\system32\asfsipc.dll
2007-10-07 18:11 239,616 --a------ C:\WINDOWS\system32\adsnt.dll
2007-10-07 18:11 162,816 --a------ C:\WINDOWS\system32\adsldp.dll
2007-10-07 18:11 139,776 --a------ C:\WINDOWS\system32\adsldpc.dll
2007-10-07 18:11 91,648 --a------ C:\WINDOWS\system32\ahui.exe
2007-10-07 18:11 62,464 --a------ C:\WINDOWS\system32\adsmsext.dll
2007-10-07 18:11 41,984 --a------ C:\WINDOWS\system32\alg.exe
2007-10-07 18:10 59,392 --a------ C:\WINDOWS\system32\6to4svc.dll
2007-10-07 18:09 169,984 --a------ C:\WINDOWS\system32\sccbase.dll
2007-10-07 18:09 42,537 --a------ C:\WINDOWS\system32\keyboard.sys
2007-09-30 18:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-30 18:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-30 18:29 <DIR> d-------- C:\Documents and Settings\ALEX\Application Data\SUPERAntiSpyware.com
2007-09-30 17:54 3,470 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-29 17:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-28 23:34 <DIR> d-------- C:\Documents and Settings\ALEX\Application Data\AVG7
2007-09-28 23:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-09-28 23:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-09-28 23:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-09-28 23:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-28 23:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-09-28 22:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-28 16:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\NetWorkSwitch.temp
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Drag'n Drop CD
2007-09-27 18:50 68,608 --a------ C:\WINDOWS\system32\locator.exe
2007-09-27 18:50 68,608 --a--c--- C:\WINDOWS\system32\dllcache\locator.exe
2007-09-27 18:47 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-26 15:49 <DIR> d-------- C:\Program Files\Funk Software
2007-09-26 15:49 <DIR> d-------- C:\Program Files\Common Files\Funk Software
2007-09-26 15:48 <DIR> d-------- C:\Program Files\Linksys
2007-09-26 15:48 1,706,800 --a------ C:\WINDOWS\system32\GdiPlus.dll
2007-09-26 15:48 1,497,088 --a------ C:\WINDOWS\system32\cc3260mt.dll
2007-09-26 15:48 1,496,064 --a------ C:\WINDOWS\system32\cc3250mt.dll
2007-09-26 15:48 543,104 --a------ C:\WINDOWS\system32\drivers\BCMWL5.SYS
2007-09-26 15:48 94,208 --a------ C:\WINDOWS\system32\W32N50CT.DLL
2007-09-26 15:48 25,600 --a------ C:\WINDOWS\system32\borlndmm.dll
2007-09-26 15:48 17,142 --a------ C:\WINDOWS\system32\CBTNDIS5.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-08 05:09 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-08 05:02 27,840 ----a-w C:\WINDOWS\java\x.exe
2007-10-03 21:41 --------- d-----w C:\Program Files\Ivde
2007-10-01 03:55 --------- d-----w C:\Program Files\MBKWBar
2007-09-30 06:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-09-30 06:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-30 05:59 --------- d-----w C:\Program Files\Symantec
2007-09-30 05:56 --------- d-----w C:\Documents and Settings\ALEX\Application Data\Lavasoft
2007-09-26 22:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-10 03:41 --------- d-----w C:\Program Files\Microsoft Streets and Trips
2007-08-25 16:28 --------- d-----w C:\Program Files\MySpace
2007-08-24 04:57 --------- d-----w C:\Documents and Settings\ALEX\Application Data\MySpace
2007-08-17 02:12 --------- d-----w C:\Program Files\Opera
2007-07-31 02:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 02:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 02:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 02:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 02:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 02:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 02:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 02:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2004-11-04 19:02 41,648 -c--a-w C:\Documents and Settings\ALEX\Application Data\GDIPFONTCACHEV1.DAT
2002-09-08 18:11 56,832 -csha-w C:\Program Files\Thumbs.db
2001-08-18 12:00:00 94,784 -csh--w C:\WINDOWS\twain.dll
2001-08-18 12:00:00 46,592 -csh--w C:\WINDOWS\twain_32.dll
2001-08-18 12:00:00 995,383 --sh--w C:\WINDOWS\system32\mfc42.dll
2001-08-18 12:00:00 50,688 -csh--w C:\WINDOWS\system32\msvcirt.dll
2002-08-29 10:41:08 401,462 --sha-w C:\WINDOWS\system32\msvcp60.dll
2002-08-29 10:41:08 323,072 --sha-w C:\WINDOWS\system32\msvcrt.dll
2002-08-29 10:41:10 569,344 --sh--w C:\WINDOWS\system32\oleaut32.dll
2001-08-18 12:00:00 106,496 --sh--w C:\WINDOWS\system32\olepro32.dll
2001-08-18 12:00:00 9,728 -csh--w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((( snapshot@2007-10-10_17.59.46.04 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 262,144 2007-10-11 23:54:26 C:\WINDOWS\system32\config\systemprofile\ntuser.dat
.
----a-w 262,144 2007-10-11 00:37:40 C:\WINDOWS\system32\config\systemprofile\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2002-04-15 18:35]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 C:\WINDOWS\system32\000StTHK.exe]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2001-11-14 03:37]
"S3Hotkey"="s3hotkey.exe" [2001-09-12 21:27 C:\WINDOWS\system32\s3hotkey.exe]
"S3TRAY2"="S3Tray2.exe" [2002-02-20 16:38 C:\WINDOWS\system32\S3Tray2.exe]
"TFNF5"="TFNF5.exe" [2001-08-03 18:08 C:\WINDOWS\system32\TFNF5.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-03-29 14:40]
"TFncKy"="TFncKy.exe" []
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2002-04-12 11:13]
"Tpwrtray"="TPWRTRAY.EXE" [2002-03-19 20:38 C:\WINDOWS\system32\TPWRTRAY.EXE]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 07:11]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2002-04-09 17:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 18:28]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38]
"kmw_run.exe"="kmw_run.exe" [2003-05-27 14:48 C:\WINDOWS\system32\kmw_run.exe]
"MSWheel"="" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 04:03]
"Linksys Wireless-N Notebook Adapter"="C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe" [2006-04-28 05:55]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-28 23:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-01 21:31]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
SpySubtract.lnk - C:\Program Files\interMute\SpySubtract\SpySub.exe [2005-02-01 19:49:19]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= c:\Program Files\interMute\SpySubtract\sshook.dll [2005-02-01 19:49 77824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

R0 TVALG;Toshiba Value Added Logical and General Purpose Device Driver;C:\WINDOWS\System32\DRIVERS\TVALG.SYS
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\System32\CBTNDIS5.SYS
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\System32\DRIVERS\KMW_KBD.sys
R3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\System32\DRIVERS\KMW_SYS.sys
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\System32\DRIVERS\odysseyIM4.sys
R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\System32\DRIVERS\tsdhd.sys
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\System32\DRIVERS\KMW_USB.sys
S3 pciSd;pciSd;C:\WINDOWS\System32\DRIVERS\tossdpci.sys
S3 WDM_YAMAHAAC97;YAMAHA AC-XG Audio Device;C:\WINDOWS\System32\drivers\yacxgc.sys
S3 wlluc48;Wireless LAN PC Card Driver;C:\WINDOWS\System32\DRIVERS\wlluc48.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-10 01:05:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-11 01:20:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
"2007-10-11 23:56:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-11 17:00:30
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-11 17:01:38
C:\ComboFix-quarantined-files.txt ... 2007-10-09 18:18
C:\ComboFix2.txt ... 2007-10-10 18:00
C:\ComboFix3.txt ... 2007-10-09 18:19
.
--- E O F ---


SDFix: Version 1.108

Run by ALEX on Thu 10/11/2007 at 05:54 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\grcbmvcv.exe.tmp - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sat 18 Aug 2001 94,784 ..SH. --- "C:\WINDOWS\twain.dll"
Sat 18 Aug 2001 46,592 ..SH. --- "C:\WINDOWS\twain_32.dll"
Sat 18 Aug 2001 995,383 ..SH. --- "C:\WINDOWS\system32\mfc42.dll"
Sat 18 Aug 2001 50,688 ..SH. --- "C:\WINDOWS\system32\msvcirt.dll"
Thu 29 Aug 2002 401,462 A.SH. --- "C:\WINDOWS\system32\msvcp60.dll"
Thu 29 Aug 2002 323,072 A.SH. --- "C:\WINDOWS\system32\msvcrt.dll"
Thu 29 Aug 2002 569,344 ..SH. --- "C:\WINDOWS\system32\oleaut32.dll"
Sat 18 Aug 2001 106,496 ..SH. --- "C:\WINDOWS\system32\olepro32.dll"
Sat 18 Aug 2001 9,728 ..SH. --- "C:\WINDOWS\system32\regsvr32.exe"
Sun 4 Dec 2005 3,285,296 A..H. --- "C:\Documents and Settings\ALEX\My Documents\keysetup13.exe"
Fri 4 Jul 2003 119,736 A..H. --- "C:\Documents and Settings\ALEX\My Documents\mtwlingo.exe"
Tue 26 Sep 2006 15,626,209 A..H. --- "C:\Documents and Settings\ALEX\My Documents\PICS 4 GDL.zip"
Sat 2 Aug 2003 391,213 A..H. --- "C:\Documents and Settings\ALEX\My Documents\wwmv0104b02.exe"
Sun 24 Dec 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 25 Sep 2002 0 A..H. --- "C:\Program Files\MSN\MSNCoreFiles.BAK.{FEC69D39-ADBA-4928-98F0-3571AA97ABDF}\BITF5.tmp"
Mon 6 Nov 2000 6,784 ...H. --- "C:\Documents and Settings\ALEX\My Documents\Age of Empires II\clcd16.dll"
Mon 6 Nov 2000 30,208 ...H. --- "C:\Documents and Settings\ALEX\My Documents\Age of Empires II\clcd32.dll"
Mon 6 Nov 2000 177,152 ...H. --- "C:\Documents and Settings\ALEX\My Documents\Age of Empires II\clokspl.exe"
Fri 18 Jun 1999 485,600 ...H. --- "C:\Documents and Settings\ALEX\My Documents\Age of Empires II\DPLAY61A.EXE"
Mon 6 Nov 2000 138,752 ...H. --- "C:\Documents and Settings\ALEX\My Documents\Age of Empires II\dplayerx.dll"
Mon 6 Nov 2000 34,304 ...H. --- "C:\Documents and Settings\ALEX\My Documents\Age of Empires II\drvmgt.dll"
Thu 2 Sep 1999 53,304 ...H. --- "C:\Documents and Settings\ALEX\My Documents\Age of Empires II\EBUEula.dll"
Thu 25 Nov 1999 2,560,000 ...H. --- "C:\Documents and Settings\ALEX\My Documents\Age of Empires II\empires2.exe"
Mon 28 Sep 1998 365,568 ...H. --- "C:\Documents and Settings\ALEX\My Documents\Age of Empires II\HA312W32.DLL"
Thu 30 Sep 1999 565,248 ...H. --- "C:\Documents and Settings\ALEX\My Documents\Age of Empires II\language.dll"
Mon 6 Nov 2000 67,584 ...H. --- "C:\Documents and Settings\ALEX\My Documents\Age of Empires II\mcp.dll"
Tue 3 Nov 1998 112,688 ...H. --- "C:\Documents and Settings\ALEX\My Documents\Age of Empires II\SHW32.DLL"
Wed 26 May 2004 19,968 ...H. --- "C:\Documents and Settings\ALEX\Application Data\Microsoft\Word\~WRL0003.tmp"
Sun 10 Jul 2005 28,672 ...H. --- "C:\Documents and Settings\ALEX\Application Data\Microsoft\Word\~WRL0004.tmp"
Mon 13 Jun 2005 585,216 ...H. --- "C:\Documents and Settings\ALEX\Application Data\Microsoft\Word\~WRL1077.tmp"
Sat 21 Dec 2002 4,650,695 A..H. --- "C:\Documents and Settings\ALEX\My Documents\3 SEMESTER\CD\kmd202_en.exe"
Tue 9 Sep 1997 29,184 ...H. --- "C:\Documents and Settings\ALEX\My Documents\Age of Empires II\Data\closedpw.exe"

Finished!

Alex

steamwiz
2007-10-12, 20:50
Hi

We finally got rid of the cmcache.dat file ...

Nothing new has been created so I think we are just about ready to connect to the net again ...

Just these 3 items shown in Combofix, left to deal with ...

2007-10-08 05:02 27,840 ----a-w C:\WINDOWS\java\x.exe
2007-10-03 21:41 --------- d-----w C:\Program Files\Ivde
2007-10-01 03:55 --------- d-----w C:\Program Files\MBKWBar

RE: C:\Program Files\MBKWBar

This is an adware toolbar which generates pop-up advertisements ... please uninstall from add/remove program in the Control Panel ... you will see it listed as MBKWBar - Toolbar

RE: C:\Program Files\Ivde ... I think this folder may be empty (it did have a Trojan downloader in it) please let me know if it is empty?

RE: C:\WINDOWS\java\x.exe

This C:\WINDOWS\java\x.exe is still in your last Combofix ... was not in the log before that, but first showed in the one before that...

This is almost certainly malware, please have it scanned and post the results...

Please go here and upload this file ...

C:\WINDOWS\java\x.exe

http://www.virustotal.com/flash/index_en.html

Click the browse button & browse to the file on your computer

Post back the results ... right click on the page > select all

right click again copy

post the results in your next post here...

SO ... connect to the net & let me know how it goes

steam
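As an added example (not code from this thread, nor from ComboFix itself), here is a small Python triage script that does two of the checks steam makes by eye: it scans the Run keys in a ComboFix log for values that run nothing or whose file ComboFix could not locate (the "windows auto update" key pointed out in the earlier post), and it diffs the file listings of two successive logs to show what appeared between them. The log excerpts are constructed from lines posted in the thread; reading an empty bracket as "file not located" is an assumption.

```python
"""Triage helpers for ComboFix logs.

Added example, not ComboFix's own code.  It automates two things the helper
in this thread does by eye:
  1. scan the Run keys under "Reg Loading Points" for values that run
     nothing, or whose file ComboFix could not locate (empty bracket);
  2. diff the file listings of two successive logs to list what is new.
The log excerpts below are constructed from lines posted in the thread.
"""
import re

# "name"="command" [timestamp ...]  -- the bracket holds the file's on-disk
# timestamp; an empty [] is read here (assumption) as "file not located".
RUN_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<command>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]\s*$')
KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]\s*$')
# date time size attrs path, as in the "Files Created" and "Find3M" sections:
#   2007-10-08 05:02 27,840 ----a-w C:\WINDOWS\java\x.exe
#   2007-10-03 21:41 --------- d-----w C:\Program Files\Ivde
FILE_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)\s+'
    r'(?P<size>[\d,]+|<DIR>|-+)\s+(?P<attr>\S+)\s+(?P<path>[A-Za-z]:\\.+?)\s*$')


def parse_run_entries(log_text):
    """Return (key, name, command, stamp) for every value listed under a
    [HKEY_...\\Run] header; values under other keys are ignored."""
    entries, key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key") if m.group("key").lower().endswith("\\run") else None
            continue
        m = RUN_RE.match(line)
        if m and key:
            entries.append((key, m.group("name"), m.group("command"),
                            m.group("stamp").strip()))
    return entries


def suspicious_run_entries(entries):
    """Flag Run values with an empty command (a key that runs nothing, as with
    "windows auto update" in the thread) or an empty bracket.  These are leads
    for a human to check, not verdicts: TFncKy is a legitimate Toshiba tool
    that HijackThis later shows running from its own Program Files folder."""
    flagged = []
    for _key, name, command, stamp in entries:
        reasons = []
        if not command:
            reasons.append("empty command")
        if not stamp:
            reasons.append("file not located")
        if reasons:
            flagged.append((name, ", ".join(reasons)))
    return flagged


def parse_file_paths(log_text):
    """Set of paths from every line shaped like  date time size attrs path."""
    paths = set()
    for raw in log_text.splitlines():
        m = FILE_RE.match(raw.strip())
        if m:
            paths.add(m.group("path"))
    return paths


def new_files(old_log, new_log):
    """Paths present in new_log's file listings but absent from old_log's."""
    return sorted(parse_file_paths(new_log) - parse_file_paths(old_log))


# Constructed excerpt of an earlier log in the thread.
OLD_LOG = r"""
((((((( Files Created from 2007-09-11 to 2007-10-10 )))))))
.
2007-10-07 18:21 171,008 --a------ C:\WINDOWS\system32\sccsccp.dll
2007-09-30 18:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
.
((((((( Find3M Report )))))))
.
2007-10-03 21:41 --------- d-----w C:\Program Files\Ivde
2007-10-01 03:55 --------- d-----w C:\Program Files\MBKWBar

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2002-04-15 18:35]
"TFncKy"="TFncKy.exe" []
"windows auto update"="" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-28 23:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-01 21:31]
"""

# Constructed excerpt of the next log, with two files that were not there before.
NEW_LOG = r"""
((((((( Files Created from 2007-09-11 to 2007-10-11 )))))))
.
2007-10-10 16:43 60,416 --a------ C:\WINDOWS\system32\drivers\dicn^hua.sys
2007-10-07 18:21 171,008 --a------ C:\WINDOWS\system32\sccsccp.dll
2007-09-30 18:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
.
((((((( Find3M Report )))))))
.
2007-10-08 05:02 27,840 ----a-w C:\WINDOWS\java\x.exe
2007-10-03 21:41 --------- d-----w C:\Program Files\Ivde
2007-10-01 03:55 --------- d-----w C:\Program Files\MBKWBar
"""

if __name__ == "__main__":
    for name, why in suspicious_run_entries(parse_run_entries(OLD_LOG)):
        print(f"check Run value {name!r}: {why}")
    for path in new_files(OLD_LOG, NEW_LOG):
        print(f"new since last log: {path}")
```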

ALEXSF415
2007-10-13, 05:55
Hi

RE: C:\Program Files\MBKWBar

I couldn't remove it with the add/remove program in the Control Panel because I didn't find it in there. So I went to C:\Program Files\MBKWBar and deleted it.

RE: C:\Program Files\Ivde
Yes, the folder is empty, but the rest is in the virus vault; it was Mcdutc.exe

RE: C:\WINDOWS\java\x.exe
I couldn't find this file, I went to Java folder and I also did a search for the file and nothing came up.

I have around 150 files in the AVG virus vault, do you think I should delete everything in there?

Thanks
Alex

steamwiz
2007-10-13, 19:40
Hi Alex

It would have been better to see if there was an uninstall file in the MBKWBar folder before deleting it; you will now have leftover entries in the registry, which might have been removed by any uninstall file, but that's no big issue...

Seeing as combofix keeps finding the C:\WINDOWS\java\x.exe file (& it's not something you need) we'll see if Combofix can delete it ...

Did you delete this (empty) folder C:\Program Files\Ivde ?

Next step ...

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)


File::
C:\WINDOWS\java\x.exe

Folder::
C:\Program Files\Ivde



Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Then I want you to connect to the internet & do the following :-

You are running an out-of-date version of java

Go to add/remove programs and uninstall any earlier versions ... (in your case jre1.5.0_08)

Then you can go here and install the latest version of Java.

http://java.sun.com/javase/downloads/index.jsp

Scroll down the page to 'Java Runtime Environment (JRE) 6' and press the 'Download' button.


Running an out-of-date version of java is an infection risk.

-
THEN ...

Download CCleaner from :-

http://www.filehippo.com/download_ccleaner/ (click the download tab)

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

Double-click the ccsetup.exe file and install the program...

After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URLs (leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history


under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"

Other explorer MRUs (leave this unticked if you DON'T want to clear lists such as the start\run list)

under "System"

Tick ALL these ...


under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)


Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm
...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

click "analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

click "run cleaner" to let it get on with its work... clicking this will result in the following pop-up

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

click OK.

please remember to post ...

1. combofix log
2. A new hijackthis log

Oh & YES ... empty the AVG quarantine folder ... they're no problem there, but you don't need to keep them.

& let me know if you have any problems ...

steam

ALEXSF415
2007-10-14, 04:26
Hi

No, I didn't delete the empty folder C:\Program Files\Ivde but I went and checked and it was gone.

I did download Java JRE 6, but I didn't install it. Did you want me to install it?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:41 PM, on 10/13/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\s3hotkey.exe
C:\WINDOWS\System32\S3Tray2.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\OdHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\explorer.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.toshiba.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Linksys Wireless-N Notebook Adapter] C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-3657561249-101265881-2389969595-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Investigador - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100911663445
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC300N - Unknown owner - C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 8174 bytes

Alex

ALEXSF415
2007-10-14, 04:50
Hi

I still can't open my Notepad, but HijackThis and ComboFix can open them. Why do you think this happens?

ComboFix 07-10-11.3 - ALEX 2007-10-13 17:19:57.10 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.64 [GMT -7:00]
Running from: C:\Documents and Settings\ALEX\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ALEX\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\java\x.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Ivde
C:\WINDOWS\java\x.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-14 to 2007-10-14 )))))))))))))))))))))))))))))))
.

2007-10-11 17:53 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-08 15:52 <DIR> d-------- C:\WINDOWS\pss
2007-10-07 18:31 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-10-07 18:31 <DIR> d-------- C:\WINDOWS\ehome
2007-10-07 18:21 171,008 --a------ C:\WINDOWS\system32\sccsccp.dll
2007-10-07 18:14 76,288 --a------ C:\WINDOWS\system32\avifil32.dll
2007-10-07 18:14 71,680 --a------ C:\WINDOWS\system32\browsewm.dll
2007-10-07 18:14 62,976 --a------ C:\WINDOWS\system32\browselc.dll
2007-10-07 18:14 59,904 --a------ C:\WINDOWS\system32\cabinet.dll
2007-10-07 18:14 49,152 --a------ C:\WINDOWS\system32\browser.dll
2007-10-07 18:14 6,656 --a------ C:\WINDOWS\system32\batt.dll
2007-10-07 18:13 74,810 --a------ C:\WINDOWS\system32\atl.dll
2007-10-07 18:13 38,912 --a------ C:\WINDOWS\system32\audiosrv.dll
2007-10-07 18:13 8,192 --a------ C:\WINDOWS\system32\autolfn.exe
2007-10-07 18:12 115,712 --a------ C:\WINDOWS\system32\apphelp.dll
2007-10-07 18:12 32,512 --------- C:\WINDOWS\system32\drivers\amdk7.sys
2007-10-07 18:12 22,528 --a------ C:\WINDOWS\system32\at.exe
2007-10-07 18:12 14,366 --a------ C:\WINDOWS\system32\asfsipc.dll
2007-10-07 18:11 239,616 --a------ C:\WINDOWS\system32\adsnt.dll
2007-10-07 18:11 162,816 --a------ C:\WINDOWS\system32\adsldp.dll
2007-10-07 18:11 139,776 --a------ C:\WINDOWS\system32\adsldpc.dll
2007-10-07 18:11 91,648 --a------ C:\WINDOWS\system32\ahui.exe
2007-10-07 18:11 62,464 --a------ C:\WINDOWS\system32\adsmsext.dll
2007-10-07 18:11 41,984 --a------ C:\WINDOWS\system32\alg.exe
2007-10-07 18:10 59,392 --a------ C:\WINDOWS\system32\6to4svc.dll
2007-10-07 18:09 169,984 --a------ C:\WINDOWS\system32\sccbase.dll
2007-10-07 18:09 42,537 --a------ C:\WINDOWS\system32\keyboard.sys
2007-09-30 18:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-30 18:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-30 18:29 <DIR> d-------- C:\Documents and Settings\ALEX\Application Data\SUPERAntiSpyware.com
2007-09-30 17:54 3,470 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-29 17:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-28 23:34 <DIR> d-------- C:\Documents and Settings\ALEX\Application Data\AVG7
2007-09-28 23:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-09-28 23:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-28 23:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-09-28 22:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-28 16:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\NetWorkSwitch.temp
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Drag'n Drop CD
2007-09-27 18:50 68,608 --a------ C:\WINDOWS\system32\locator.exe
2007-09-27 18:50 68,608 --a--c--- C:\WINDOWS\system32\dllcache\locator.exe
2007-09-27 18:47 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-26 15:49 <DIR> d-------- C:\Program Files\Funk Software
2007-09-26 15:49 <DIR> d-------- C:\Program Files\Common Files\Funk Software
2007-09-26 15:48 <DIR> d-------- C:\Program Files\Linksys
2007-09-26 15:48 1,706,800 --a------ C:\WINDOWS\system32\GdiPlus.dll
2007-09-26 15:48 1,497,088 --a------ C:\WINDOWS\system32\cc3260mt.dll
2007-09-26 15:48 1,496,064 --a------ C:\WINDOWS\system32\cc3250mt.dll
2007-09-26 15:48 543,104 --a------ C:\WINDOWS\system32\drivers\BCMWL5.SYS
2007-09-26 15:48 94,208 --a------ C:\WINDOWS\system32\W32N50CT.DLL
2007-09-26 15:48 25,600 --a------ C:\WINDOWS\system32\borlndmm.dll
2007-09-26 15:48 17,142 --a------ C:\WINDOWS\system32\CBTNDIS5.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-08 05:09 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-09-30 06:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-09-30 06:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-30 05:59 --------- d-----w C:\Program Files\Symantec
2007-09-30 05:56 --------- d-----w C:\Documents and Settings\ALEX\Application Data\Lavasoft
2007-09-26 22:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-10 03:41 --------- d-----w C:\Program Files\Microsoft Streets and Trips
2007-08-25 16:28 --------- d-----w C:\Program Files\MySpace
2007-08-24 04:57 --------- d-----w C:\Documents and Settings\ALEX\Application Data\MySpace
2007-08-17 02:12 --------- d-----w C:\Program Files\Opera
2007-07-31 02:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 02:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 02:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 02:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 02:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 02:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 02:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 02:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2004-11-04 19:02 41,648 -c--a-w C:\Documents and Settings\ALEX\Application Data\GDIPFONTCACHEV1.DAT
2002-09-08 18:11 56,832 -csha-w C:\Program Files\Thumbs.db
2001-08-18 12:00:00 94,784 -csh--w C:\WINDOWS\twain.dll
2001-08-18 12:00:00 46,592 -csh--w C:\WINDOWS\twain_32.dll
2001-08-18 12:00:00 995,383 --sh--w C:\WINDOWS\system32\mfc42.dll
2001-08-18 12:00:00 50,688 -csh--w C:\WINDOWS\system32\msvcirt.dll
2002-08-29 10:41:08 401,462 --sha-w C:\WINDOWS\system32\msvcp60.dll
2002-08-29 10:41:08 323,072 --sha-w C:\WINDOWS\system32\msvcrt.dll
2002-08-29 10:41:10 569,344 --sh--w C:\WINDOWS\system32\oleaut32.dll
2001-08-18 12:00:00 106,496 --sh--w C:\WINDOWS\system32\olepro32.dll
2001-08-18 12:00:00 9,728 -csh--w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((( snapshot@2007-10-10_17.59.46.04 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 163,328 2007-10-10 20:15:32 C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
----a-w 5,976,064 2007-10-12 00:53:52 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
----a-w 159,744 2007-10-12 00:53:53 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
----a-w 163,328 2007-10-10 20:15:32 C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
----a-w 5,976,064 2007-10-12 00:53:39 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
----a-w 159,744 2007-10-12 00:53:39 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
----a-w 262,144 2007-10-14 00:19:53 C:\WINDOWS\system32\config\systemprofile\ntuser.dat
.
----a-w 262,144 2007-10-11 00:37:40 C:\WINDOWS\system32\config\systemprofile\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2002-04-15 18:35]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 C:\WINDOWS\system32\000StTHK.exe]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2001-11-14 03:37]
"S3Hotkey"="s3hotkey.exe" [2001-09-12 21:27 C:\WINDOWS\system32\s3hotkey.exe]
"S3TRAY2"="S3Tray2.exe" [2002-02-20 16:38 C:\WINDOWS\system32\S3Tray2.exe]
"TFNF5"="TFNF5.exe" [2001-08-03 18:08 C:\WINDOWS\system32\TFNF5.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-03-29 14:40]
"TFncKy"="TFncKy.exe" []
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2002-04-12 11:13]
"Tpwrtray"="TPWRTRAY.EXE" [2002-03-19 20:38 C:\WINDOWS\system32\TPWRTRAY.EXE]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 07:11]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2002-04-09 17:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 18:28]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38]
"kmw_run.exe"="kmw_run.exe" [2003-05-27 14:48 C:\WINDOWS\system32\kmw_run.exe]
"MSWheel"="" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 04:03]
"Linksys Wireless-N Notebook Adapter"="C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe" [2006-04-28 05:55]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-28 23:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-01 21:31]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
SpySubtract.lnk - C:\Program Files\interMute\SpySubtract\SpySub.exe [2005-02-01 19:49:19]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= c:\Program Files\interMute\SpySubtract\sshook.dll [2005-02-01 19:49 77824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

R0 TVALG;Toshiba Value Added Logical and General Purpose Device Driver;C:\WINDOWS\System32\DRIVERS\TVALG.SYS
R2 NICSer_WPC300N;NICSer_WPC300N;C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\System32\CBTNDIS5.SYS
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\System32\DRIVERS\KMW_KBD.sys
R3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\System32\DRIVERS\KMW_SYS.sys
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\System32\DRIVERS\odysseyIM4.sys
R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\System32\DRIVERS\tsdhd.sys
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\System32\DRIVERS\KMW_USB.sys
S3 pciSd;pciSd;C:\WINDOWS\System32\DRIVERS\tossdpci.sys
S3 WDM_YAMAHAAC97;YAMAHA AC-XG Audio Device;C:\WINDOWS\System32\drivers\yacxgc.sys
S3 wlluc48;Wireless LAN PC Card Driver;C:\WINDOWS\System32\DRIVERS\wlluc48.sys
S4 SCardDrvImapiService;Smart Card Helper SCardDrvImapiService;C:\WINDOWS\System32\acctresh.exe srv
S4 WmiApSrvwinmgmt;WMI Performance Adapter WmiApSrvwinmgmt;C:\WINDOWS\System32\actxprxyv.exe srv

.
Contents of the 'Scheduled Tasks' folder
"2007-10-10 01:05:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-14 00:20:04 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
"2007-10-14 00:21:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-13 17:25:28
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-13 17:26:35
C:\ComboFix-quarantined-files.txt ... 2007-10-09 18:18
C:\ComboFix2.txt ... 2007-10-11 17:01
C:\ComboFix3.txt ... 2007-10-10 18:00
.
--- E O F ---

Alex

steamwiz
2007-10-14, 20:15
Hi Alex

Have you connected to the net yet?

I see you did have both of these ...

C:\Program Files\Ivde
C:\WINDOWS\java\x.exe


& Combofix deleted them ...

Combofix is now clean ...

-
You don't appear to have run Ccleaner ... please do that...

-
YES .. install the new java ...

-
RE: Notepad ... try this ...

The notepad which is used when you open a txt file is in the C:\WINDOWS\system32\notepad.exe folder

There is a backup for the notepad.exe file in the C:\WINDOWS\notepad.exe folder

There is an infection going round which renames the notepad.exe to notpad.exe (note the missing e) ...

& creates a new bogus notepad.exe file ...

SO ... try this ...

Go to C:\WINDOWS\system32 & see if you have both files ... notepad.exe & notpad.exe ?

Assuming you have both ... the bogus notepad.exe file will be about 3k in size

the renamed legit file (notpad.exe) will be about 67k

-Notpad.exe (the correct one - 67kb - with right icon)
-Notepad.exe .......(a false one - 3kb - with wrong icon)

So...

1. Delete the Notepad.exe in the system32 folder

2. Rename the Notpad.exe in the system32 folder back to Notepad.exe or Copy & paste the Notepad.exe from the C:\WINDOWS folder back into the C:\WINDOWS\system32 folder ...

After doing all the above ... please post a new hijackthis log.

steam
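
As an added example (not code from this thread or from any of the tools named in it), here is a Python script that performs the notepad.exe check steam describes above: it looks for notepad.exe and notpad.exe in a System32 folder, compares their sizes against the ~3 KB and ~67 KB figures, and hashes each against the backup copy in the Windows folder. It only reports and never deletes or renames; the size thresholds, the constructed stand-in files and the run_demo() helper are assumptions of this example.

```python
"""Report-only check for the notepad.exe / notpad.exe swap described above.
Added example, not from the forum thread. Standard library only."""
import hashlib
import tempfile
from pathlib import Path
from typing import Any, Dict, Tuple

BOGUS_MAX_BYTES = 8 * 1024    # assumed ceiling for the ~3 KB bogus notepad.exe
LEGIT_MIN_BYTES = 32 * 1024   # assumed floor for the ~67 KB genuine XP notepad.exe


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def assess_notepad(system32: Path, windows: Path) -> Dict[str, Any]:
    """Inspect notepad.exe and notpad.exe in system32 and compare each with the
    backup notepad.exe kept in the Windows folder. Returns a report dict with
    a verdict of 'clean', 'swapped', 'missing' or 'suspect' plus advice."""
    backup = windows / "notepad.exe"
    backup_hash = sha256_of(backup) if backup.is_file() else None
    files: Dict[str, Dict[str, Any]] = {}
    for name in ("notepad.exe", "notpad.exe"):
        candidate = system32 / name
        if candidate.is_file():
            files[name] = {
                "size": candidate.stat().st_size,
                "matches_backup": backup_hash is not None and sha256_of(candidate) == backup_hash,
            }
    report: Dict[str, Any] = {"files": files, "backup_present": backup_hash is not None,
                              "verdict": "", "advice": []}
    current = files.get("notepad.exe")
    renamed = files.get("notpad.exe")
    if current is None:
        # The situation Alex reported: nothing left in system32 at all.
        report["verdict"] = "missing"
        report["advice"].append("copy the backup notepad.exe from the Windows folder into system32")
    elif current["matches_backup"]:
        report["verdict"] = "clean"
    elif renamed is not None and current["size"] <= BOGUS_MAX_BYTES \
            and renamed["size"] >= LEGIT_MIN_BYTES:
        # Small bogus notepad.exe sitting beside the renamed genuine notpad.exe.
        report["verdict"] = "swapped"
        report["advice"] += ["delete the small system32 notepad.exe",
                             "rename system32 notpad.exe back to notepad.exe, or copy the backup"]
    else:
        report["verdict"] = "suspect"
        report["advice"].append("system32 notepad.exe differs from the backup; compare sizes and hashes first")
    return report


def build_constructed_scenario(root: Path, scenario: str) -> Tuple[Path, Path]:
    """Build a constructed stand-in for the Windows folder layout under root.
    'swapped': 3 KB bogus notepad.exe beside the 67 KB renamed notpad.exe
    'missing': neither file in system32 (what Alex found)
    'clean'  : system32 notepad.exe identical to the backup"""
    windows = root / "WINDOWS"
    system32 = windows / "system32"
    system32.mkdir(parents=True, exist_ok=True)
    legit = b"MZ" + b"\x00" * (67 * 1024 - 2)   # constructed stand-in, not a real binary
    bogus = b"MZ" + b"\xff" * (3 * 1024 - 2)    # constructed stand-in for the dropped file
    (windows / "notepad.exe").write_bytes(legit)
    if scenario == "swapped":
        (system32 / "notpad.exe").write_bytes(legit)
        (system32 / "notepad.exe").write_bytes(bogus)
    elif scenario == "clean":
        (system32 / "notepad.exe").write_bytes(legit)
    elif scenario != "missing":
        raise ValueError(f"unknown scenario: {scenario}")
    return system32, windows


def run_demo(scenario: str) -> Dict[str, Any]:
    """Assess one constructed scenario in a temporary directory and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        system32, windows = build_constructed_scenario(Path(tmp), scenario)
        return assess_notepad(system32, windows)


if __name__ == "__main__":
    for case in ("swapped", "missing", "clean"):
        result = run_demo(case)
        print(f"{case:8s} -> verdict={result['verdict']} advice={result['advice']}")
```

To check a real machine, call assess_notepad(Path(r"C:\WINDOWS\system32"), Path(r"C:\WINDOWS")) and read the verdict before touching any file.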

ALEXSF415
2007-10-15, 06:53
Hi

Yes I have connected to the net.

I did run Ccleaner the other day, and I ran it again today. It deleted about 60 mb.

I did install the new java

In C:\Windows\system32 there was no notepad.exe or notpad.exe, so I just copied & pasted it from the C:\windows folder back into the C:\windows\system32 folder and everything is working fine now.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:13 PM, on 10/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\s3hotkey.exe
C:\WINDOWS\System32\S3Tray2.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\OdHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\explorer.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.toshiba.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Linksys Wireless-N Notebook Adapter] C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-3657561249-101265881-2389969595-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Investigador - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100911663445
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC300N - Unknown owner - C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 8547 bytes

Thank you for the time you have spent helping me.

Alex

steamwiz
2007-10-15, 20:17
You're very welcome Alex

Your hijackthis log is clean ...

Now that your computer is clean it's a good idea to purge your system restore (going back to a saved restore point could put all the infections you had back)

This will clear all your infected restore points...

Turn off (Disable) System Restore in XP :-

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

Then...

Turn on (enable) System Restore :-

Follow the same procedure, but this time uncheck Turn off System Restore

if you have any problem with this... here's a link to instructions :-


Disabling or enabling Windows XP System Restore >

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

...

If all your problems are now resolved ....

Happy surfing

steam

ALEXSF415
2007-10-17, 01:15
Hi

I have purged the system restore. I have installed sp2

Of all the files that I downloaded to clean my computer, which ones should I keep, or should I keep them all?

And again, thank you for helping me clean my computer.

Alex

steamwiz
2007-10-17, 19:27
Hi Alex

You can delete :-

combofix
SmitfraudFix
Deckard's System Scanner (formerly Comboscan)
SDFix

All the above programs are continually being updated to address the newest malware, & if you have a problem in the future, you will need to download the newest version ...

You can also delete :-

Avenger
daft

You won't need those again ...
-

The only program you may consider keeping is SUPERAntiSpyware.

You can update it & run a scan anytime, as you would with Spybot ...

I would also look at installing the programs recommended here in this article by TonyKlein :-

http://forums.spybot.info/showthread.php?t=279

cheers

steam

ALEXSF415
2007-10-18, 04:07
Hi Steam

I downloaded all of the programs from that thread.

Thank you very much for all your help.

Alex

steamwiz
2007-10-18, 16:55
HI Alex

You're very welcome :)

Happy surfing

steam