View Full Version : Smitfraud has taken over
need assistance
2007-11-15, 13:45
Smitfraud has taken over my PC with a sprinkling of Virtumonde thrown in for good measure. I can remove everything but Smitfraud with either Spybot or Adaware. Listed below is my most recent HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:18:17 AM, on 11/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Allen Kelley\Desktop\hijackthis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\eqwexkyl.dll
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Malware Sweeper] C:\Program Files\MalwareSweeper.com\Malware Sweeper\MalSwep.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 4883 bytes
Any assistance would be appreciated.
Hello
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
First thing you need to do is move HJT off the desktop and into its own folder, Create a folder on your C:\ drive and name it Hijackthis, then right click on the Hijackthis icon where you currently have it and select CUT, then open the new folder you just created and right click inside that folder and select PASTE.
Now go to where you just moved HJT and on the Hijackthis Icon ( looks like a man with a spyglass ) right click on it and rename it to Scanner.exe
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Let me see the Combofix log, the smitfraud log and a new HJT renamed please
need assistance
2007-11-16, 03:31
Thanks for your help so far. Attached below is the log for ComboFix.
ComboFix log
ComboFix 07-11-08.1 - Allen Kelley 2007-11-15 19:47:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.420 [GMT -5:00]
Running from: C:\Documents and Settings\Allen Kelley\Desktop\ComboFix.exe
* Created a new restore point
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Allen Kelley\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Allen Kelley\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Allen Kelley\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Jonathan Kelley.DC6RL091\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Jonathan Kelley.DC6RL091\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Jonathan Kelley.DC6RL091\Favorites\Online Security Guide.lnk
C:\Documents and Settings\William Kelley\Desktop\Live Safety Center.lnk
C:\Documents and Settings\William Kelley\Desktop\Online Security Guide.lnk
C:\Documents and Settings\William Kelley\Favorites\Online Security Guide.lnk
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\a13
C:\WINDOWS\system32\cbxywvt.dll
C:\WINDOWS\system32\ddaba.dll
C:\WINDOWS\system32\ddayx.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\e2
C:\WINDOWS\system32\e2\caws83122.exe
C:\WINDOWS\system32\eqwexkyl.dllbox
C:\WINDOWS\system32\g1
C:\WINDOWS\system32\i8
C:\WINDOWS\system32\i8\taldrvr11.exe
C:\WINDOWS\system32\ijjlm.ini
C:\WINDOWS\system32\ijjlm.ini2
C:\WINDOWS\system32\jihiyqxa.dllbox
C:\WINDOWS\system32\mljgf.dll
C:\WINDOWS\system32\mljji.dll
C:\WINDOWS\system32\mljjj.dll
C:\WINDOWS\system32\onnmp.bak1
C:\WINDOWS\system32\onnmp.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pmnno.dll
C:\WINDOWS\system32\rrutv.ini
C:\WINDOWS\system32\rrutv.ini2
C:\WINDOWS\system32\vturr.dll
C:\WINDOWS\system32\vtuts.dll
C:\WINDOWS\system32\x22
C:\WINDOWS\system32\x22\c124wvr.exe
C:\z.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\core
-------\DomainService
((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
.
2007-11-15 19:43 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-15 19:42 85,056 --a------ C:\WINDOWS\system32\ttgsteeo.dll
2007-11-15 19:42 79,936 --a------ C:\WINDOWS\system32\xdhiaewx.dll
2007-11-15 19:40 <DIR> d-------- C:\Hijackthis
2007-11-15 19:39 71,232 --a------ C:\WINDOWS\system32\alygjlek.exe
2007-11-15 19:00 79,936 --a------ C:\WINDOWS\system32\jrdeahpo.dll
2007-11-15 18:57 71,232 --a------ C:\WINDOWS\system32\ogkxpykq.exe
2007-11-15 14:58 79,936 --a------ C:\WINDOWS\system32\ayjknnwd.dll
2007-11-15 06:13 145,984 --a------ C:\WINDOWS\system32\yfptpaie.dll
2007-11-15 06:13 145,984 --a------ C:\WINDOWS\system32\eqwexkyl.dll
2007-11-14 18:51 85,056 --a------ C:\WINDOWS\system32\tfdyahwx.dll
2007-11-14 18:45 71,232 --a------ C:\WINDOWS\system32\wdnbwfpe.exe
2007-11-13 18:58 85,056 --a------ C:\WINDOWS\system32\ogehlfju.dll
2007-11-13 18:46 71,232 --a------ C:\WINDOWS\system32\xwgpyfxu.exe
2007-11-13 18:46 71,232 --a------ C:\WINDOWS\system32\esnwuyfp.exe
2007-11-13 15:56 <DIR> d-------- C:\Program Files\iTunes
2007-11-13 15:49 <DIR> d-------- C:\Program Files\QuickTime
2007-11-12 18:44 71,232 --a------ C:\WINDOWS\system32\oewojwxc.exe
2007-11-12 17:51 71,232 --a------ C:\WINDOWS\system32\ismmeuts.exe
2007-11-11 16:46 71,232 --a------ C:\WINDOWS\system32\npyteykg.exe
2007-11-11 15:51 71,232 --a------ C:\WINDOWS\system32\pgyhdolf.exe
2007-11-10 20:41 71,232 --a------ C:\WINDOWS\system32\qxmlckrd.exe
2007-11-10 10:52 <DIR> d-------- C:\Program Files\DellSupport
2007-11-10 10:28 71,232 --a------ C:\WINDOWS\system32\vtfhwfmk.exe
2007-11-09 23:31 88,128 --a------ C:\WINDOWS\system32\qjqrsblo.dll
2007-11-09 23:31 71,232 --a------ C:\WINDOWS\system32\weyeicet.exe
2007-11-09 17:04 71,232 --a------ C:\WINDOWS\system32\piwhwwne.exe
2007-11-08 17:03 71,232 --a------ C:\WINDOWS\system32\nbjawlel.exe
2007-11-07 16:41 71,232 --a------ C:\WINDOWS\system32\fkmejnhc.exe
2007-11-06 16:48 71,232 --a------ C:\WINDOWS\system32\mtdfismd.exe
2007-11-01 20:54 2,214 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-30 07:42 <DIR> d-------- C:\Documents and Settings\Allen Kelley\Incomplete
2007-10-30 07:41 <DIR> d-------- C:\Documents and Settings\Allen Kelley\Application Data\LimeWire
2007-10-30 07:36 <DIR> d-------- C:\WINDOWS\system32\Mz18r
2007-10-30 07:36 <DIR> d-------- C:\Temp\mZOr
2007-10-30 07:36 <DIR> d-------- C:\Temp
2007-10-30 07:36 507,217 --a------ C:\Temp\ocli.exe
2007-10-30 07:36 82 --a------ C:\n.bat
2007-10-30 07:36 0 --a------ C:\z.dat
2007-10-30 07:35 28,672 --a------ C:\Documents and Settings\Allen Kelley\update.exe
2007-10-29 18:00 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-10-29 17:47 <DIR> d-------- C:\ConverterOutput
2007-10-29 17:43 2,255,360 --a------ C:\WINDOWS\system32\libavcodec.dll
2007-10-29 17:43 395,776 --a------ C:\WINDOWS\system32\libmplayer.dll
2007-10-29 17:43 262,144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2007-10-29 17:43 112,640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2007-10-29 17:43 34,820 --a------ C:\WINDOWS\system32\ffdshow.reg
2007-10-29 17:42 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-10-24 08:57 <DIR> d-------- C:\GSS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-16 01:04 260,732 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-16 01:04 22,218,784 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-15 11:49 --------- d-----w C:\Program Files\SpywareBlaster
2007-11-13 21:42 --------- d-----w C:\Documents and Settings\William Kelley\Application Data\LimeWire
2007-11-13 21:38 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-11-13 20:56 --------- d-----w C:\Program Files\iPod
2007-11-10 16:29 --------- d--h--w C:\Documents and Settings\Jonathan Kelley.DC6RL091\Application Data\Gtek
2007-11-10 15:54 --------- d--h--w C:\Documents and Settings\William Kelley\Application Data\Gtek
2007-11-10 15:54 --------- d--h--w C:\Documents and Settings\Patty Kelley\Application Data\Gtek
2007-11-10 15:54 --------- d--h--w C:\Documents and Settings\Allen Kelley\Application Data\Gtek
2007-11-10 15:54 --------- d-----w C:\Documents and Settings\Jonathan Kelley\Application Data\Gtek
2007-11-09 21:06 --------- d-----w C:\Program Files\AIM6
2007-11-09 21:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-11-01 21:50 --------- d-----w C:\Program Files\Olympus
2007-11-01 01:14 --------- d-----w C:\Program Files\Viewpoint
2007-11-01 01:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-01 01:05 --------- d-----w C:\Program Files\LimeWire
2007-10-29 23:00 278,536 ----a-w C:\WINDOWS\Fonts\Setup.exe
2007-10-29 22:55 278,535 --sh--w C:\WINDOWS\Fonts\svchost.exe
2007-10-29 21:29 --------- d-----w C:\Documents and Settings\Allen Kelley\Application Data\Yahoo!
2007-10-15 23:01 --------- d-----w C:\Documents and Settings\William Kelley\Application Data\Move Networks
2007-10-13 20:14 --------- d-----w C:\Program Files\Java
2007-10-06 19:02 --------- d-----w C:\Program Files\Swapper
2007-10-05 03:02 --------- d-----w C:\Program Files\MSXML 6.0
2007-10-04 02:37 --------- d-----w C:\Program Files\MSBuild
2007-10-04 02:31 --------- d-----w C:\Program Files\Reference Assemblies
2007-09-26 00:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-09-23 18:15 --------- d-----w C:\Program Files\Red Storm Entertainment
2007-09-06 20:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2005-12-31 17:55 251 -c--a-w C:\Program Files\wt3d.ini
2006-02-24 22:54:18 56 --sh--r C:\WINDOWS\system32\487A8B3333.sys
2006-04-02 00:22:39 335 -csha-w C:\WINDOWS\system32\hhhkj.ini2
2006-02-24 22:54:19 3,350 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1429E805-9DAD-4385-A3D0-8AC52C003820}]
C:\Program Files\Messenger\mexokatC:\WINDOWS\system32\e2\caws83122.exe.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8564b7d7-67ce-4dfa-9380-7ca552f1bfb9}]
2007-11-15 19:42 79936 --a------ C:\WINDOWS\system32\xdhiaewx.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9e3853a7-555f-49fc-b5a1-78740a4fc403}]
C:\WINDOWS\system32\ddwqbqh.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-15 06:13 145984 --a------ C:\WINDOWS\system32\eqwexkyl.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\eqwexkyl.dll [2007-11-15 06:13 145984]
[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\eqwexkyl.dll [2007-11-15 06:13 145984]
[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GW Port Controller"="C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE" [2003-01-30 13:12]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 15:14]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 15:14]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"70888760"="C:\WINDOWS\system32\ttgsteeo.dll" [2007-11-15 19:42]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00]
"Malware Sweeper"="C:\Program Files\MalwareSweeper.com\Malware Sweeper\MalSwep.exe" []
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" []
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 13:16:08]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\eqwexkyl]
eqwexkyl.dll 2007-11-15 06:13 145984 C:\WINDOWS\system32\eqwexkyl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jihiyqxa]
jihiyqxa.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vturr.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_OEM]
"C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
"C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"tmproxy"=2 (0x2)
"TmPfw"=2 (0x2)
"Tmntsrv"=2 (0x2)
"PcCtlCom"=2 (0x2)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
R3 SMCWPCIG;SMCWPCI-G 54Mbps Wireless PCI adapter Service;C:\WINDOWS\system32\DRIVERS\SMCWPCIG.sys
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys
S4 GbFsMf;GbFsMf;C:\WINDOWS\system32\DRIVERS\GbFsMf.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-11-15 21:33:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 20:08:05
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-15 20:11:33 - machine was rebooted
.
--- E O F ---
need assistance
2007-11-16, 03:32
HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:13 PM, on 11/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hijackthis\Scanner.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1429E805-9DAD-4385-A3D0-8AC52C003820} - C:\Program Files\Messenger\mexokatC:\WINDOWS\system32\e2\caws83122.exe.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {9bfb1f25-5ac7-0839-afd4-ec767d7b4658} - {8564b7d7-67ce-4dfa-9380-7ca552f1bfb9} - C:\WINDOWS\system32\xdhiaewx.dll
O2 - BHO: (no name) - {9e3853a7-555f-49fc-b5a1-78740a4fc403} - C:\WINDOWS\system32\ddwqbqh.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\eqwexkyl.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\eqwexkyl.dll
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [70888760] rundll32.exe "C:\WINDOWS\system32\ttgsteeo.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Malware Sweeper] C:\Program Files\MalwareSweeper.com\Malware Sweeper\MalSwep.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O20 - Winlogon Notify: eqwexkyl - C:\WINDOWS\SYSTEM32\eqwexkyl.dll
O20 - Winlogon Notify: jihiyqxa - jihiyqxa.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6571 bytes
Smitfraud log
SmitFraudFix v2.246
Scan done at 20:20:18.21, Thu 11/15/2007
Run from C:\Documents and Settings\Allen Kelley\Desktop\Tools\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Allen Kelley
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Allen Kelley\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ALLENK~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: SMCWPCI-G 54Mbps Wireless PCI adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\..\{FB9868F7-5FF7-4608-A2CA-01637B839227}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{FB9868F7-5FF7-4608-A2CA-01637B839227}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{FB9868F7-5FF7-4608-A2CA-01637B839227}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Does Smitfraud only create a log for the desktop it is run from? For example, ComboFix shows output for all 4 desktops while Smitfraud only shows output from one? Let me know if I need to run it for the others.
Thanks!
Both programs scan your entire system. The issue your having is not with Smitfraud, your infected with the Vundo Trojan.
Download VundoFix (http://www.atribune.org/ccount/click.php?id=4 ) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
need assistance
2007-11-16, 04:34
Interesting. . . . even though Ad-aware and Spybot claim to remove Virtumonde, they must leave some traces. . . .
Attached is the Vundo log:
VundoFix V6.6.1
Checking Java version...
Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.11
Scan started at 9:11:00 PM 11/15/2007
Listing files found while scanning....
C:\windows\system32\eqwexkyl.dll
C:\windows\system32\yfptpaie.dll
Beginning removal...
Attempting to delete C:\windows\system32\eqwexkyl.dll
C:\windows\system32\eqwexkyl.dll Has been deleted!
Attempting to delete C:\windows\system32\yfptpaie.dll
C:\windows\system32\yfptpaie.dll Has been deleted!
Performing Repairs to the registry.
Done!
Listed below is the latest HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:30:45 PM, on 11/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hijackthis\Scanner.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1429E805-9DAD-4385-A3D0-8AC52C003820} - C:\Program Files\Messenger\mexokatC:\WINDOWS\system32\e2\caws83122.exe.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {9bfb1f25-5ac7-0839-afd4-ec767d7b4658} - {8564b7d7-67ce-4dfa-9380-7ca552f1bfb9} - C:\WINDOWS\system32\xdhiaewx.dll
O2 - BHO: (no name) - {9e3853a7-555f-49fc-b5a1-78740a4fc403} - C:\WINDOWS\system32\ddwqbqh.dll (file missing)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [70888760] rundll32.exe "C:\WINDOWS\system32\ttgsteeo.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Malware Sweeper] C:\Program Files\MalwareSweeper.com\Malware Sweeper\MalSwep.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O20 - Winlogon Notify: jihiyqxa - jihiyqxa.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6576 bytes
Hello,
Interesting. . . . even though Ad-aware and Spybot claim to remove Virtumonde, they must leave some traces. Both those programs are great at removing bits and pieces of most infections but they do not remove the whole thing, special tools for different infections need to be run. The thieves that write these infections are adding new files all the time, about as fast as we detect them new ones are being added. Its a cat and mouse game.
I would suggest uninstalling Weatherbug from your Add Remove Programs in the Control Panel, sometimes these come bundled with other programs you did not ask for. You would be safer installing the program from the WeatherChannel.
Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.
O2 - BHO: (no name) - {1429E805-9DAD-4385-A3D0-8AC52C003820} - C:\Program Files\Messenger\mexokatC:\WINDOWS\system32\e2\caws83122.exe.dll (file missing)
O2 - BHO: {9bfb1f25-5ac7-0839-afd4-ec767d7b4658} - {8564b7d7-67ce-4dfa-9380-7ca552f1bfb9} - C:\WINDOWS\system32\xdhiaewx.dll
O2 - BHO: (no name) - {9e3853a7-555f-49fc-b5a1-78740a4fc403} - C:\WINDOWS\system32\ddwqbqh.dll (file missing)
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [70888760] rundll32.exe "C:\WINDOWS\system32\ttgsteeo.dll",b
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O20 - Winlogon Notify: jihiyqxa - jihiyqxa.dll (file missing)
Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad
File::
C:\WINDOWS\system32\hhhkj.ini2
C:\WINDOWS\system32\ttgsteeo.dll
C:\WINDOWS\system32\xdhiaewx.dll
C:\WINDOWS\system32\alygjlek.exe
C:\WINDOWS\system32\jrdeahpo.dll
C:\WINDOWS\system32\ogkxpykq.exe
C:\WINDOWS\system32\ayjknnwd.dll
C:\WINDOWS\system32\tfdyahwx.dll
C:\WINDOWS\system32\wdnbwfpe.exe
C:\WINDOWS\system32\ogehlfju.dll
C:\WINDOWS\system32\xwgpyfxu.exe
C:\WINDOWS\system32\esnwuyfp.exe
C:\WINDOWS\system32\oewojwxc.exe
C:\WINDOWS\system32\ismmeuts.exe
C:\WINDOWS\system32\npyteykg.exe
C:\WINDOWS\system32\pgyhdolf.exe
C:\WINDOWS\system32\qxmlckrd.exe
C:\WINDOWS\system32\vtfhwfmk.exe
C:\WINDOWS\system32\qjqrsblo.dll
C:\WINDOWS\system32\weyeicet.exe
C:\WINDOWS\system32\piwhwwne.exe
C:\WINDOWS\system32\nbjawlel.exe
C:\WINDOWS\system32\fkmejnhc.exe
C:\WINDOWS\system32\mtdfismd.exe
C:\WINDOWS\system32\ttgsteeo.dll
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
need assistance
2007-11-16, 06:19
Ken,
I truly appreciate your assistance.
ComboFix log:
ComboFix 07-11-08.1 - Allen Kelley 2007-11-15 23:02:25.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.542 [GMT -5:00]
Running from: C:\Documents and Settings\Allen Kelley\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\eqwexkyl.dllbox
.
((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
.
2007-11-15 22:30 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-15 21:11 <DIR> d-------- C:\VundoFix Backups
2007-11-15 20:44 <DIR> d-------- C:\Program Files\SpywareGuard
2007-11-15 19:43 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-15 19:42 85,056 --a------ C:\WINDOWS\system32\ttgsteeo.dll
2007-11-15 19:42 79,936 --a------ C:\WINDOWS\system32\xdhiaewx.dll
2007-11-15 19:40 <DIR> d-------- C:\Hijackthis
2007-11-15 19:39 71,232 --a------ C:\WINDOWS\system32\alygjlek.exe
2007-11-15 19:00 79,936 --a------ C:\WINDOWS\system32\jrdeahpo.dll
2007-11-15 18:57 71,232 --a------ C:\WINDOWS\system32\ogkxpykq.exe
2007-11-15 14:58 79,936 --a------ C:\WINDOWS\system32\ayjknnwd.dll
2007-11-14 18:51 85,056 --a------ C:\WINDOWS\system32\tfdyahwx.dll
2007-11-14 18:45 71,232 --a------ C:\WINDOWS\system32\wdnbwfpe.exe
2007-11-13 18:58 85,056 --a------ C:\WINDOWS\system32\ogehlfju.dll
2007-11-13 18:46 71,232 --a------ C:\WINDOWS\system32\xwgpyfxu.exe
2007-11-13 18:46 71,232 --a------ C:\WINDOWS\system32\esnwuyfp.exe
2007-11-13 15:56 <DIR> d-------- C:\Program Files\iTunes
2007-11-13 15:49 <DIR> d-------- C:\Program Files\QuickTime
2007-11-12 18:44 71,232 --a------ C:\WINDOWS\system32\oewojwxc.exe
2007-11-12 17:51 71,232 --a------ C:\WINDOWS\system32\ismmeuts.exe
2007-11-11 16:46 71,232 --a------ C:\WINDOWS\system32\npyteykg.exe
2007-11-11 15:51 71,232 --a------ C:\WINDOWS\system32\pgyhdolf.exe
2007-11-10 20:41 71,232 --a------ C:\WINDOWS\system32\qxmlckrd.exe
2007-11-10 10:52 <DIR> d-------- C:\Program Files\DellSupport
2007-11-10 10:28 71,232 --a------ C:\WINDOWS\system32\vtfhwfmk.exe
2007-11-09 23:31 88,128 --a------ C:\WINDOWS\system32\qjqrsblo.dll
2007-11-09 23:31 71,232 --a------ C:\WINDOWS\system32\weyeicet.exe
2007-11-09 17:04 71,232 --a------ C:\WINDOWS\system32\piwhwwne.exe
2007-11-08 17:03 71,232 --a------ C:\WINDOWS\system32\nbjawlel.exe
2007-11-07 16:41 71,232 --a------ C:\WINDOWS\system32\fkmejnhc.exe
2007-11-06 16:48 71,232 --a------ C:\WINDOWS\system32\mtdfismd.exe
2007-11-01 20:54 2,352 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-30 07:42 <DIR> d-------- C:\Documents and Settings\Allen Kelley\Incomplete
2007-10-30 07:41 <DIR> d-------- C:\Documents and Settings\Allen Kelley\Application Data\LimeWire
2007-10-30 07:36 <DIR> d-------- C:\WINDOWS\system32\Mz18r
2007-10-30 07:36 <DIR> d-------- C:\Temp\mZOr
2007-10-30 07:36 <DIR> d-------- C:\Temp
2007-10-30 07:36 507,217 --a------ C:\Temp\ocli.exe
2007-10-30 07:36 82 --a------ C:\n.bat
2007-10-30 07:36 0 --a------ C:\z.dat
2007-10-30 07:35 28,672 --a------ C:\Documents and Settings\Allen Kelley\update.exe
2007-10-29 18:00 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-10-29 17:47 <DIR> d-------- C:\ConverterOutput
2007-10-29 17:43 2,255,360 --a------ C:\WINDOWS\system32\libavcodec.dll
2007-10-29 17:43 395,776 --a------ C:\WINDOWS\system32\libmplayer.dll
2007-10-29 17:43 262,144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2007-10-29 17:43 112,640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2007-10-29 17:43 34,820 --a------ C:\WINDOWS\system32\ffdshow.reg
2007-10-29 17:42 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-10-24 08:57 <DIR> d-------- C:\GSS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-16 04:07 22,388,768 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-16 04:06 263,396 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-15 11:49 --------- d-----w C:\Program Files\SpywareBlaster
2007-11-13 21:42 --------- d-----w C:\Documents and Settings\William Kelley\Application Data\LimeWire
2007-11-13 21:38 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-11-13 20:56 --------- d-----w C:\Program Files\iPod
2007-11-10 16:29 --------- d--h--w C:\Documents and Settings\Jonathan Kelley.DC6RL091\Application Data\Gtek
2007-11-10 15:54 --------- d--h--w C:\Documents and Settings\William Kelley\Application Data\Gtek
2007-11-10 15:54 --------- d--h--w C:\Documents and Settings\Patty Kelley\Application Data\Gtek
2007-11-10 15:54 --------- d--h--w C:\Documents and Settings\Allen Kelley\Application Data\Gtek
2007-11-10 15:54 --------- d-----w C:\Documents and Settings\Jonathan Kelley\Application Data\Gtek
2007-11-09 21:06 --------- d-----w C:\Program Files\AIM6
2007-11-09 21:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-11-01 21:50 --------- d-----w C:\Program Files\Olympus
2007-11-01 01:14 --------- d-----w C:\Program Files\Viewpoint
2007-11-01 01:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-01 01:05 --------- d-----w C:\Program Files\LimeWire
2007-10-29 21:29 --------- d-----w C:\Documents and Settings\Allen Kelley\Application Data\Yahoo!
2007-10-15 23:01 --------- d-----w C:\Documents and Settings\William Kelley\Application Data\Move Networks
2007-10-13 20:14 --------- d-----w C:\Program Files\Java
2007-10-06 19:02 --------- d-----w C:\Program Files\Swapper
2007-10-05 03:02 --------- d-----w C:\Program Files\MSXML 6.0
2007-10-04 02:37 --------- d-----w C:\Program Files\MSBuild
2007-10-04 02:31 --------- d-----w C:\Program Files\Reference Assemblies
2007-09-26 00:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-09-23 18:15 --------- d-----w C:\Program Files\Red Storm Entertainment
2007-09-06 20:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2005-12-31 17:55 251 -c--a-w C:\Program Files\wt3d.ini
2006-02-24 22:54:18 56 --sh--r C:\WINDOWS\system32\487A8B3333.sys
2006-04-02 00:22:39 335 -csha-w C:\WINDOWS\system32\hhhkj.ini2
2006-02-24 22:54:19 3,350 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( snapshot_2007-11-15_22.54.43.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-10 11:00:00 61,440 ------w C:\WINDOWS\system32\admparse.dll
+ 2007-08-13 23:39:20 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
- 2004-08-10 11:00:00 99,840 ------w C:\WINDOWS\system32\advpack.dll
+ 2007-08-20 10:04:34 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2004-08-10 11:00:00 61,440 ------w C:\WINDOWS\system32\dllcache\admparse.dll
+ 2007-08-13 23:39:20 71,680 ----a-w C:\WINDOWS\system32\dllcache\admparse.dll
- 2006-06-03 11:40:49 33,792 ------w C:\WINDOWS\system32\dllcache\custsat.dll
+ 2007-08-13 23:54:10 33,792 ----a-w C:\WINDOWS\system32\dllcache\custsat.dll
- 2007-08-22 12:55:30 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2007-08-13 23:35:46 346,624 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2004-08-10 11:00:00 38,912 ------w C:\WINDOWS\system32\dllcache\hmmapi.dll
+ 2007-08-13 23:18:02 60,416 ----a-w C:\WINDOWS\system32\dllcache\hmmapi.dll
- 2007-08-21 10:19:39 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2007-08-13 23:44:02 69,120 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
- 2004-08-10 11:00:00 81,920 ------w C:\WINDOWS\system32\dllcache\ieencode.dll
+ 2007-08-13 23:45:18 78,336 ----a-w C:\WINDOWS\system32\dllcache\ieencode.dll
- 2007-08-22 12:55:32 251,904 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2007-08-13 23:54:10 191,488 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
- 2004-08-10 11:00:00 62,976 ------w C:\WINDOWS\system32\dllcache\iesetup.dll
+ 2007-08-13 23:39:12 55,296 ----a-w C:\WINDOWS\system32\dllcache\iesetup.dll
- 2007-08-22 12:55:32 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2007-08-13 23:39:02 92,672 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
- 2006-05-18 05:24:25 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
+ 2007-08-13 23:38:04 491,520 ----a-w C:\WINDOWS\system32\dllcache\jscript.dll
- 2004-08-10 11:00:00 22,016 ------w C:\WINDOWS\system32\dllcache\licmgr10.dll
+ 2007-08-13 23:44:18 40,960 ----a-w C:\WINDOWS\system32\dllcache\licmgr10.dll
- 2004-08-10 11:00:00 56,832 ------w C:\WINDOWS\system32\dllcache\mshtmler.dll
+ 2007-08-13 23:01:12 48,128 ----a-w C:\WINDOWS\system32\dllcache\mshtmler.dll
- 2007-08-22 12:55:38 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2007-08-13 23:36:12 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2007-06-26 15:13:22 851,968 ------w C:\WINDOWS\system32\dllcache\vgx.dll
+ 2007-08-13 23:54:10 765,952 ----a-w C:\WINDOWS\system32\dllcache\VGX.dll
- 2007-08-22 12:55:30 357,888 ------w C:\WINDOWS\system32\dxtmsft.dll
+ 2007-08-13 23:35:46 346,624 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2007-08-22 12:55:31 205,824 ------w C:\WINDOWS\system32\dxtrans.dll
+ 2007-08-20 10:04:34 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-10-25 11:36:18 269,392 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-11-16 03:57:42 269,392 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2007-08-13 23:36:26 61,952 ------w C:\WINDOWS\system32\icardie.dll
+ 2007-08-20 10:04:34 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2007-02-12 21:10:12 2,451,312 ------w C:\WINDOWS\system32\ieapfltr.dat
+ 2007-04-17 09:32:38 2,455,488 ----a-w C:\WINDOWS\system32\ieapfltr.dat
- 2007-07-11 17:27:48 383,488 ------w C:\WINDOWS\system32\ieapfltr.dll
+ 2007-08-20 10:04:35 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2004-08-10 11:00:00 81,920 ------w C:\WINDOWS\system32\ieencode.dll
+ 2007-08-13 23:45:18 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
- 2007-08-13 23:54:10 6,049,280 ------w C:\WINDOWS\system32\ieframe.dll
+ 2007-08-20 10:04:37 6,058,496 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2007-08-22 12:55:32 251,904 ------w C:\WINDOWS\system32\iepeers.dll
+ 2007-08-13 23:54:10 191,488 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2007-08-13 23:34:04 266,752 ------w C:\WINDOWS\system32\iertutil.dll
+ 2007-08-20 10:04:38 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2004-08-10 11:00:00 62,976 ------w C:\WINDOWS\system32\iesetup.dll
+ 2007-08-13 23:39:12 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
- 2004-08-10 11:00:00 35,840 ------w C:\WINDOWS\system32\imgutil.dll
+ 2007-08-13 23:36:06 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
- 2007-08-22 12:55:32 96,256 ------w C:\WINDOWS\system32\inseng.dll
+ 2007-08-13 23:39:02 92,672 ----a-w C:\WINDOWS\system32\inseng.dll
- 2006-05-18 05:24:25 450,560 ------w C:\WINDOWS\system32\jscript.dll
+ 2007-08-13 23:38:04 491,520 ----a-w C:\WINDOWS\system32\jscript.dll
- 2004-08-10 11:00:00 22,016 ------w C:\WINDOWS\system32\licmgr10.dll
+ 2007-08-13 23:44:18 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
- 2007-08-13 23:54:10 458,752 ------w C:\WINDOWS\system32\msfeeds.dll
+ 2007-08-20 10:04:39 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2007-08-13 23:54:10 50,688 ------w C:\WINDOWS\system32\msfeedsbs.dll
+ 2007-08-20 10:04:39 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2004-08-10 11:00:00 29,184 ------w C:\WINDOWS\system32\mshta.exe
+ 2007-08-13 23:32:30 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
- 2007-08-22 12:55:36 3,064,832 ------w C:\WINDOWS\system32\mshtml.dll
+ 2007-08-20 20:34:42 3,584,512 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-08-22 12:55:37 449,024 ------w C:\WINDOWS\system32\mshtmled.dll
+ 2007-08-20 10:04:41 477,696 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2004-08-10 11:00:00 56,832 ------w C:\WINDOWS\system32\mshtmler.dll
+ 2007-08-13 23:01:12 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
- 2004-08-10 11:00:00 146,432 ------w C:\WINDOWS\system32\msls31.dll
+ 2007-08-13 23:54:10 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
- 2007-08-22 12:55:38 39,424 ------w C:\WINDOWS\system32\pngfilt.dll
+ 2007-08-13 23:36:12 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2004-08-10 11:00:00 37,888 ------w C:\WINDOWS\system32\url.dll
+ 2007-08-20 10:04:42 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2007-08-22 12:55:43 617,984 ------w C:\WINDOWS\system32\urlmon.dll
+ 2007-08-20 10:04:42 1,152,000 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2004-08-10 11:00:00 417,792 ------w C:\WINDOWS\system32\vbscript.dll
+ 2007-08-13 23:54:10 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
- 2004-08-10 11:00:00 276,480 ------w C:\WINDOWS\system32\webcheck.dll
+ 2007-08-20 10:04:42 232,960 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2007-08-22 12:55:44 665,600 ------w C:\WINDOWS\system32\wininet.dll
+ 2007-08-20 10:04:43 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2007-11-16 04:07:35 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_70c.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GW Port Controller"="C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE" [2003-01-30 13:12]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 15:14]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 15:14]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00]
"Malware Sweeper"="C:\Program Files\MalwareSweeper.com\Malware Sweeper\MalSwep.exe" []
C:\Documents and Settings\Allen Kelley\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 13:16:08]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_OEM]
"C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
"C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"tmproxy"=2 (0x2)
"TmPfw"=2 (0x2)
"Tmntsrv"=2 (0x2)
"PcCtlCom"=2 (0x2)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
R3 SMCWPCIG;SMCWPCI-G 54Mbps Wireless PCI adapter Service;C:\WINDOWS\system32\DRIVERS\SMCWPCIG.sys
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys
S4 GbFsMf;GbFsMf;C:\WINDOWS\system32\DRIVERS\GbFsMf.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-11-15 21:33:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 23:08:41
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-15 23:11:53 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-15 22:55
C:\ComboFix3.txt ... 2007-11-15 20:11
.
--- E O F ---
need assistance
2007-11-16, 06:20
HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:14 PM, on 11/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hijackthis\Scanner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Malware Sweeper] C:\Program Files\MalwareSweeper.com\Malware Sweeper\MalSwep.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6346 bytes
Log looks good but those bad files where not removed with Combofix, you may have not done it correctly.
Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad
File::
C:\WINDOWS\system32\hhhkj.ini2
C:\WINDOWS\system32\ttgsteeo.dll
C:\WINDOWS\system32\xdhiaewx.dll
C:\WINDOWS\system32\alygjlek.exe
C:\WINDOWS\system32\jrdeahpo.dll
C:\WINDOWS\system32\ogkxpykq.exe
C:\WINDOWS\system32\ayjknnwd.dll
C:\WINDOWS\system32\tfdyahwx.dll
C:\WINDOWS\system32\wdnbwfpe.exe
C:\WINDOWS\system32\ogehlfju.dll
C:\WINDOWS\system32\xwgpyfxu.exe
C:\WINDOWS\system32\esnwuyfp.exe
C:\WINDOWS\system32\oewojwxc.exe
C:\WINDOWS\system32\ismmeuts.exe
C:\WINDOWS\system32\npyteykg.exe
C:\WINDOWS\system32\pgyhdolf.exe
C:\WINDOWS\system32\qxmlckrd.exe
C:\WINDOWS\system32\vtfhwfmk.exe
C:\WINDOWS\system32\qjqrsblo.dll
C:\WINDOWS\system32\weyeicet.exe
C:\WINDOWS\system32\piwhwwne.exe
C:\WINDOWS\system32\nbjawlel.exe
C:\WINDOWS\system32\fkmejnhc.exe
C:\WINDOWS\system32\mtdfismd.exe
C:\WINDOWS\system32\ttgsteeo.dll
Folder::
Registry::
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
If you dont get them this time we can try another method.
need assistance
2007-11-16, 15:56
When running ComboFix, I received the following errors:
---------------------------
swreg.cfexe - Application Error
---------------------------
The instruction at "0x00403eca" referenced memory at "0x00aec578". The memory could not be "read".
Click on OK to terminate the program
Click on CANCEL to debug the program
---------------------------
OK Cancel
---------------------------
---------------------------
regt.cfexe - Application Error
---------------------------
The application failed to initialize properly (0xc0000005). Click on OK to terminate the application.
---------------------------
OK
---------------------------
---------------------------
find.exe - Application Error
---------------------------
The application failed to initialize properly (0xc0000005). Click on OK to terminate the application.
---------------------------
OK
---------------------------
---------------------------
tree.com - Application Error
---------------------------
The application failed to initialize properly (0xc0000005). Click on OK to terminate the application.
---------------------------
OK
---------------------------
Listed below is the ComboFix log:
ComboFix 07-11-08.1 - Allen Kelley 2007-11-16 8:34:32.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.395 [GMT -5:00]
Running from: C:\Documents and Settings\Allen Kelley\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Allen Kelley\Desktop\CFscript.txt
* Created a new restore point
FILE
C:\WINDOWS\system32\alygjlek.exe
C:\WINDOWS\system32\ayjknnwd.dll
C:\WINDOWS\system32\esnwuyfp.exe
C:\WINDOWS\system32\fkmejnhc.exe
C:\WINDOWS\system32\hhhkj.ini2
C:\WINDOWS\system32\ismmeuts.exe
C:\WINDOWS\system32\jrdeahpo.dll
C:\WINDOWS\system32\mtdfismd.exe
C:\WINDOWS\system32\nbjawlel.exe
C:\WINDOWS\system32\npyteykg.exe
C:\WINDOWS\system32\oewojwxc.exe
C:\WINDOWS\system32\ogehlfju.dll
C:\WINDOWS\system32\ogkxpykq.exe
C:\WINDOWS\system32\pgyhdolf.exe
C:\WINDOWS\system32\piwhwwne.exe
C:\WINDOWS\system32\qjqrsblo.dll
C:\WINDOWS\system32\qxmlckrd.exe
C:\WINDOWS\system32\tfdyahwx.dll
C:\WINDOWS\system32\ttgsteeo.dll
C:\WINDOWS\system32\vtfhwfmk.exe
C:\WINDOWS\system32\wdnbwfpe.exe
C:\WINDOWS\system32\weyeicet.exe
C:\WINDOWS\system32\xdhiaewx.dll
C:\WINDOWS\system32\xwgpyfxu.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\alygjlek.exe
C:\WINDOWS\system32\ayjknnwd.dll
C:\WINDOWS\system32\esnwuyfp.exe
C:\WINDOWS\system32\fkmejnhc.exe
C:\WINDOWS\system32\hhhkj.ini2
C:\WINDOWS\system32\ismmeuts.exe
C:\WINDOWS\system32\jrdeahpo.dll
C:\WINDOWS\system32\mtdfismd.exe
C:\WINDOWS\system32\nbjawlel.exe
C:\WINDOWS\system32\npyteykg.exe
C:\WINDOWS\system32\oewojwxc.exe
C:\WINDOWS\system32\ogehlfju.dll
C:\WINDOWS\system32\ogkxpykq.exe
C:\WINDOWS\system32\pgyhdolf.exe
C:\WINDOWS\system32\piwhwwne.exe
C:\WINDOWS\system32\qjqrsblo.dll
C:\WINDOWS\system32\qxmlckrd.exe
C:\WINDOWS\system32\tfdyahwx.dll
C:\WINDOWS\system32\ttgsteeo.dll
C:\WINDOWS\system32\vtfhwfmk.exe
C:\WINDOWS\system32\wdnbwfpe.exe
C:\WINDOWS\system32\weyeicet.exe
C:\WINDOWS\system32\xdhiaewx.dll
C:\WINDOWS\system32\xwgpyfxu.exe
.
((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
.
2007-11-16 07:12 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-16 07:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-15 22:30 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-15 21:11 <DIR> d-------- C:\VundoFix Backups
2007-11-15 20:44 <DIR> d-------- C:\Program Files\SpywareGuard
2007-11-15 19:43 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-15 19:40 <DIR> d-------- C:\Hijackthis
2007-11-13 15:56 <DIR> d-------- C:\Program Files\iTunes
2007-11-13 15:49 <DIR> d-------- C:\Program Files\QuickTime
2007-11-10 10:52 <DIR> d-------- C:\Program Files\DellSupport
2007-11-01 20:54 2,352 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-30 07:42 <DIR> d-------- C:\Documents and Settings\Allen Kelley\Incomplete
2007-10-30 07:41 <DIR> d-------- C:\Documents and Settings\Allen Kelley\Application Data\LimeWire
2007-10-30 07:36 <DIR> d-------- C:\WINDOWS\system32\Mz18r
2007-10-30 07:36 <DIR> d-------- C:\Temp\mZOr
2007-10-30 07:36 <DIR> d-------- C:\Temp
2007-10-30 07:36 507,217 --a------ C:\Temp\ocli.exe
2007-10-30 07:36 82 --a------ C:\n.bat
2007-10-30 07:36 0 --a------ C:\z.dat
2007-10-30 07:35 28,672 --a------ C:\Documents and Settings\Allen Kelley\update.exe
2007-10-29 18:00 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-10-29 17:47 <DIR> d-------- C:\ConverterOutput
2007-10-29 17:43 2,255,360 --a------ C:\WINDOWS\system32\libavcodec.dll
2007-10-29 17:43 395,776 --a------ C:\WINDOWS\system32\libmplayer.dll
2007-10-29 17:43 262,144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2007-10-29 17:43 112,640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2007-10-29 17:43 34,820 --a------ C:\WINDOWS\system32\ffdshow.reg
2007-10-29 17:42 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-10-24 08:57 <DIR> d-------- C:\GSS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-16 13:41 271,340 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-16 13:41 23,064,608 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-15 11:49 --------- d-----w C:\Program Files\SpywareBlaster
2007-11-13 21:42 --------- d-----w C:\Documents and Settings\William Kelley\Application Data\LimeWire
2007-11-13 21:38 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-11-13 20:56 --------- d-----w C:\Program Files\iPod
2007-11-10 16:29 --------- d--h--w C:\Documents and Settings\Jonathan Kelley.DC6RL091\Application Data\Gtek
2007-11-10 15:54 --------- d--h--w C:\Documents and Settings\William Kelley\Application Data\Gtek
2007-11-10 15:54 --------- d--h--w C:\Documents and Settings\Patty Kelley\Application Data\Gtek
2007-11-10 15:54 --------- d--h--w C:\Documents and Settings\Allen Kelley\Application Data\Gtek
2007-11-10 15:54 --------- d-----w C:\Documents and Settings\Jonathan Kelley\Application Data\Gtek
2007-11-09 21:06 --------- d-----w C:\Program Files\AIM6
2007-11-09 21:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-11-01 21:50 --------- d-----w C:\Program Files\Olympus
2007-11-01 01:14 --------- d-----w C:\Program Files\Viewpoint
2007-11-01 01:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-01 01:05 --------- d-----w C:\Program Files\LimeWire
2007-10-29 23:00 278,536 ----a-w C:\WINDOWS\Fonts\Setup.exe
2007-10-29 22:55 278,535 --sh--w C:\WINDOWS\Fonts\svchost.exe
2007-10-29 21:29 --------- d-----w C:\Documents and Settings\Allen Kelley\Application Data\Yahoo!
2007-10-15 23:01 --------- d-----w C:\Documents and Settings\William Kelley\Application Data\Move Networks
2007-10-13 20:14 --------- d-----w C:\Program Files\Java
2007-10-06 19:02 --------- d-----w C:\Program Files\Swapper
2007-10-05 03:02 --------- d-----w C:\Program Files\MSXML 6.0
2007-10-04 02:37 --------- d-----w C:\Program Files\MSBuild
2007-10-04 02:31 --------- d-----w C:\Program Files\Reference Assemblies
2007-09-26 00:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-09-23 18:15 --------- d-----w C:\Program Files\Red Storm Entertainment
2007-09-06 20:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2005-12-31 17:55 251 -c--a-w C:\Program Files\wt3d.ini
2006-02-24 22:54:18 56 --sh--r C:\WINDOWS\system32\487A8B3333.sys
2006-02-24 22:54:19 3,350 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( snapshot_2007-11-15_23.11.09.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\updspapi.dll
+ 2007-08-13 23:54:10 765,952 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\vgx.dll
- 2007-08-13 23:54:10 765,952 ----a-w C:\WINDOWS\system32\dllcache\VGX.dll
+ 2007-07-12 23:31:54 765,952 ----a-w C:\WINDOWS\system32\dllcache\vgx.dll
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-11-16 13:41:55 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_630.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GW Port Controller"="C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE" [2003-01-30 13:12]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 15:14]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 15:14]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00]
"Malware Sweeper"="C:\Program Files\MalwareSweeper.com\Malware Sweeper\MalSwep.exe" []
C:\Documents and Settings\Allen Kelley\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 13:16:08]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_OEM]
"C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
"C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"tmproxy"=2 (0x2)
"TmPfw"=2 (0x2)
"Tmntsrv"=2 (0x2)
"PcCtlCom"=2 (0x2)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
R3 SMCWPCIG;SMCWPCI-G 54Mbps Wireless PCI adapter Service;C:\WINDOWS\system32\DRIVERS\SMCWPCIG.sys
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys
S4 GbFsMf;GbFsMf;C:\WINDOWS\system32\DRIVERS\GbFsMf.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-11-15 21:33:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-16 08:44:07
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-16 8:52:04 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-15 23:11
C:\ComboFix3.txt ... 2007-11-15 22:55
.
--- E O F ---
That got im :bigthumb:
Post a new HJT log and lets make sure nothing has returned.
need assistance
2007-11-16, 16:59
Let's hope this does it; your help has been invaluable and a donation is on its way!
Here's the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:30 AM, on 11/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hijackthis\Scanner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Malware Sweeper] C:\Program Files\MalwareSweeper.com\Malware Sweeper\MalSwep.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6479 bytes
I was just double checking your Combofix log and found a couple of more bad entries that need to go. They just showed up on your last log.
Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad
File::
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\Fonts\svchost.exe
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
need assistance
2007-11-16, 17:36
Here' the latest ComboFix log; HJT log will follow:
ComboFix 07-11-08.1 - Allen Kelley 2007-11-16 10:29:31.5 - NTFSx86
Running from: C:\Documents and Settings\Allen Kelley\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Allen Kelley\Desktop\CFscript.txt
* Created a new restore point
FILE
C:\WINDOWS\Fonts\svchost.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\Fonts\svchost.exe
.
((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
.
2007-11-16 07:12 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-16 07:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-15 22:30 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-15 21:11 <DIR> d-------- C:\VundoFix Backups
2007-11-15 20:44 <DIR> d-------- C:\Program Files\SpywareGuard
2007-11-15 19:43 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-15 19:40 <DIR> d-------- C:\Hijackthis
2007-11-13 15:56 <DIR> d-------- C:\Program Files\iTunes
2007-11-13 15:49 <DIR> d-------- C:\Program Files\QuickTime
2007-11-10 10:52 <DIR> d-------- C:\Program Files\DellSupport
2007-11-01 20:54 2,352 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-30 07:42 <DIR> d-------- C:\Documents and Settings\Allen Kelley\Incomplete
2007-10-30 07:41 <DIR> d-------- C:\Documents and Settings\Allen Kelley\Application Data\LimeWire
2007-10-30 07:36 <DIR> d-------- C:\WINDOWS\system32\Mz18r
2007-10-30 07:36 <DIR> d-------- C:\Temp\mZOr
2007-10-30 07:36 <DIR> d-------- C:\Temp
2007-10-30 07:36 507,217 --a------ C:\Temp\ocli.exe
2007-10-30 07:36 82 --a------ C:\n.bat
2007-10-30 07:36 0 --a------ C:\z.dat
2007-10-30 07:35 28,672 --a------ C:\Documents and Settings\Allen Kelley\update.exe
2007-10-29 18:00 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-10-29 17:47 <DIR> d-------- C:\ConverterOutput
2007-10-29 17:43 2,255,360 --a------ C:\WINDOWS\system32\libavcodec.dll
2007-10-29 17:43 395,776 --a------ C:\WINDOWS\system32\libmplayer.dll
2007-10-29 17:43 262,144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2007-10-29 17:43 112,640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2007-10-29 17:43 34,820 --a------ C:\WINDOWS\system32\ffdshow.reg
2007-10-29 17:42 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-10-24 08:57 <DIR> d-------- C:\GSS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-16 15:33 23,167,008 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-16 13:41 271,340 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-15 11:49 --------- d-----w C:\Program Files\SpywareBlaster
2007-11-13 21:42 --------- d-----w C:\Documents and Settings\William Kelley\Application Data\LimeWire
2007-11-13 21:38 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-11-13 21:38 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-11-13 20:56 --------- d-----w C:\Program Files\iPod
2007-11-10 16:29 --------- d--h--w C:\Documents and Settings\Jonathan Kelley.DC6RL091\Application Data\Gtek
2007-11-10 15:54 --------- d--h--w C:\Documents and Settings\William Kelley\Application Data\Gtek
2007-11-10 15:54 --------- d--h--w C:\Documents and Settings\Patty Kelley\Application Data\Gtek
2007-11-10 15:54 --------- d--h--w C:\Documents and Settings\Allen Kelley\Application Data\Gtek
2007-11-10 15:54 --------- d-----w C:\Documents and Settings\Jonathan Kelley\Application Data\Gtek
2007-11-09 21:06 --------- d-----w C:\Program Files\AIM6
2007-11-09 21:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-11-01 21:50 --------- d-----w C:\Program Files\Olympus
2007-11-01 01:14 --------- d-----w C:\Program Files\Viewpoint
2007-11-01 01:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-01 01:05 --------- d-----w C:\Program Files\LimeWire
2007-10-29 23:00 278,536 ----a-w C:\WINDOWS\Fonts\Setup.exe
2007-10-29 21:29 --------- d-----w C:\Documents and Settings\Allen Kelley\Application Data\Yahoo!
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-15 23:01 --------- d-----w C:\Documents and Settings\William Kelley\Application Data\Move Networks
2007-10-13 20:14 --------- d-----w C:\Program Files\Java
2007-10-06 19:02 --------- d-----w C:\Program Files\Swapper
2007-10-05 03:02 --------- d-----w C:\Program Files\MSXML 6.0
2007-10-04 02:37 --------- d-----w C:\Program Files\MSBuild
2007-10-04 02:31 --------- d-----w C:\Program Files\Reference Assemblies
2007-09-26 00:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-09-23 18:15 --------- d-----w C:\Program Files\Red Storm Entertainment
2007-09-06 20:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-09-06 20:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:00 95,608 -c--a-w C:\WINDOWS\system32\AVASTSS.scr
2007-08-22 12:55 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 12:55 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 12:55 1,498,112 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 12:55 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 12:55 1,022,976 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 20:34 3,584,512 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2005-12-31 17:55 251 -c--a-w C:\Program Files\wt3d.ini
2006-02-24 22:54:18 56 --sh--r C:\WINDOWS\system32\487A8B3333.sys
2006-02-24 22:54:19 3,350 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( snapshot_2007-11-15_23.11.09.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\updspapi.dll
+ 2007-08-13 23:54:10 765,952 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\vgx.dll
- 2007-08-13 23:54:10 765,952 ----a-w C:\WINDOWS\system32\dllcache\VGX.dll
+ 2007-07-12 23:31:54 765,952 ----a-w C:\WINDOWS\system32\dllcache\vgx.dll
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-11-16 13:41:55 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_630.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GW Port Controller"="C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE" [2003-01-30 13:12]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 15:14]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 15:14]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00]
"Malware Sweeper"="C:\Program Files\MalwareSweeper.com\Malware Sweeper\MalSwep.exe" []
C:\Documents and Settings\Allen Kelley\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 13:16:08]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_OEM]
"C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
"C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"tmproxy"=2 (0x2)
"TmPfw"=2 (0x2)
"Tmntsrv"=2 (0x2)
"PcCtlCom"=2 (0x2)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
R3 SMCWPCIG;SMCWPCI-G 54Mbps Wireless PCI adapter Service;C:\WINDOWS\system32\DRIVERS\SMCWPCIG.sys
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys
S4 GbFsMf;GbFsMf;C:\WINDOWS\system32\DRIVERS\GbFsMf.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-11-15 21:33:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-16 10:33:29
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-16 10:34:38
C:\ComboFix2.txt ... 2007-11-16 08:52
C:\ComboFix3.txt ... 2007-11-15 23:11
.
--- E O F ---
need assistance
2007-11-16, 17:38
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:53 AM, on 11/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Hijackthis\Scanner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Malware Sweeper] C:\Program Files\MalwareSweeper.com\Malware Sweeper\MalSwep.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6480 bytes
My bad, need to get more sleep at night :oops:
Add this one please.
Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad
File::
C:\WINDOWS\Fonts\Setup.exe
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply
together with a new HijackThis log.
need assistance
2007-11-16, 18:03
No need to apologize at all; I was dead in the water before we began this exercise, so you have gotten me to a much better place.
Here's the ComboFix log; the HJT log will follow.
ComboFix 07-11-08.1 - Allen Kelley 2007-11-16 10:57:19.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.571 [GMT -5:00]
Running from: C:\Documents and Settings\Allen Kelley\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Allen Kelley\Desktop\CFscript.txt
* Created a new restore point
FILE
C:\WINDOWS\Fonts\Setup.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\Fonts\Setup.exe
.
((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
.
2007-11-16 07:12 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-16 07:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-15 22:30 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-15 21:11 <DIR> d-------- C:\VundoFix Backups
2007-11-15 20:44 <DIR> d-------- C:\Program Files\SpywareGuard
2007-11-15 19:43 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-15 19:40 <DIR> d-------- C:\Hijackthis
2007-11-13 15:56 <DIR> d-------- C:\Program Files\iTunes
2007-11-13 15:49 <DIR> d-------- C:\Program Files\QuickTime
2007-11-10 10:52 <DIR> d-------- C:\Program Files\DellSupport
2007-11-01 20:54 2,352 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-30 07:42 <DIR> d-------- C:\Documents and Settings\Allen Kelley\Incomplete
2007-10-30 07:41 <DIR> d-------- C:\Documents and Settings\Allen Kelley\Application Data\LimeWire
2007-10-30 07:36 <DIR> d-------- C:\WINDOWS\system32\Mz18r
2007-10-30 07:36 <DIR> d-------- C:\Temp\mZOr
2007-10-30 07:36 <DIR> d-------- C:\Temp
2007-10-30 07:36 507,217 --a------ C:\Temp\ocli.exe
2007-10-30 07:36 82 --a------ C:\n.bat
2007-10-30 07:36 0 --a------ C:\z.dat
2007-10-30 07:35 28,672 --a------ C:\Documents and Settings\Allen Kelley\update.exe
2007-10-29 18:00 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-10-29 17:47 <DIR> d-------- C:\ConverterOutput
2007-10-29 17:43 2,255,360 --a------ C:\WINDOWS\system32\libavcodec.dll
2007-10-29 17:43 395,776 --a------ C:\WINDOWS\system32\libmplayer.dll
2007-10-29 17:43 262,144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2007-10-29 17:43 112,640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2007-10-29 17:43 34,820 --a------ C:\WINDOWS\system32\ffdshow.reg
2007-10-29 17:42 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-10-24 08:57 <DIR> d-------- C:\GSS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-16 15:59 23,183,392 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-16 13:41 271,340 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-15 11:49 --------- d-----w C:\Program Files\SpywareBlaster
2007-11-13 21:42 --------- d-----w C:\Documents and Settings\William Kelley\Application Data\LimeWire
2007-11-13 21:38 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-11-13 21:38 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-11-13 20:56 --------- d-----w C:\Program Files\iPod
2007-11-10 16:29 --------- d--h--w C:\Documents and Settings\Jonathan Kelley.DC6RL091\Application Data\Gtek
2007-11-10 15:54 --------- d--h--w C:\Documents and Settings\William Kelley\Application Data\Gtek
2007-11-10 15:54 --------- d--h--w C:\Documents and Settings\Patty Kelley\Application Data\Gtek
2007-11-10 15:54 --------- d--h--w C:\Documents and Settings\Allen Kelley\Application Data\Gtek
2007-11-10 15:54 --------- d-----w C:\Documents and Settings\Jonathan Kelley\Application Data\Gtek
2007-11-09 21:06 --------- d-----w C:\Program Files\AIM6
2007-11-09 21:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-11-01 21:50 --------- d-----w C:\Program Files\Olympus
2007-11-01 01:14 --------- d-----w C:\Program Files\Viewpoint
2007-11-01 01:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-01 01:05 --------- d-----w C:\Program Files\LimeWire
2007-10-29 21:29 --------- d-----w C:\Documents and Settings\Allen Kelley\Application Data\Yahoo!
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-15 23:01 --------- d-----w C:\Documents and Settings\William Kelley\Application Data\Move Networks
2007-10-13 20:14 --------- d-----w C:\Program Files\Java
2007-10-06 19:02 --------- d-----w C:\Program Files\Swapper
2007-10-05 03:02 --------- d-----w C:\Program Files\MSXML 6.0
2007-10-04 02:37 --------- d-----w C:\Program Files\MSBuild
2007-10-04 02:31 --------- d-----w C:\Program Files\Reference Assemblies
2007-09-26 00:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-09-23 18:15 --------- d-----w C:\Program Files\Red Storm Entertainment
2007-09-06 20:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-09-06 20:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:00 95,608 -c--a-w C:\WINDOWS\system32\AVASTSS.scr
2007-08-22 12:55 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 12:55 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 12:55 1,498,112 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 12:55 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 12:55 1,022,976 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 20:34 3,584,512 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2005-12-31 17:55 251 -c--a-w C:\Program Files\wt3d.ini
2006-02-24 22:54:18 56 --sh--r C:\WINDOWS\system32\487A8B3333.sys
2006-02-24 22:54:19 3,350 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( snapshot_2007-11-15_23.11.09.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\updspapi.dll
+ 2007-08-13 23:54:10 765,952 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\vgx.dll
- 2007-08-13 23:54:10 765,952 ----a-w C:\WINDOWS\system32\dllcache\VGX.dll
+ 2007-07-12 23:31:54 765,952 ----a-w C:\WINDOWS\system32\dllcache\vgx.dll
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-11-16 13:41:55 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_630.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GW Port Controller"="C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE" [2003-01-30 13:12]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 15:14]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 15:14]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00]
"Malware Sweeper"="C:\Program Files\MalwareSweeper.com\Malware Sweeper\MalSwep.exe" []
C:\Documents and Settings\Allen Kelley\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 13:16:08]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_OEM]
"C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
"C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"tmproxy"=2 (0x2)
"TmPfw"=2 (0x2)
"Tmntsrv"=2 (0x2)
"PcCtlCom"=2 (0x2)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
R3 SMCWPCIG;SMCWPCI-G 54Mbps Wireless PCI adapter Service;C:\WINDOWS\system32\DRIVERS\SMCWPCIG.sys
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys
S4 GbFsMf;GbFsMf;C:\WINDOWS\system32\DRIVERS\GbFsMf.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-11-15 21:33:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-16 10:59:54
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-16 11:00:57
C:\ComboFix2.txt ... 2007-11-16 10:34
C:\ComboFix3.txt ... 2007-11-16 08:52
.
--- E O F ---
need assistance
2007-11-16, 18:05
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:27 AM, on 11/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hijackthis\Scanner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Malware Sweeper] C:\Program Files\MalwareSweeper.com\Malware Sweeper\MalSwep.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6480 bytes
AHHH Thats better, thanks for your patience :bigthumb:
Malware Sweeper right now in the Gray area so your call to uninstall it, you can read about it here. This site evaluates Anti Spyware programs and lists them as either Rogue programs or ok, this one has not been evaluated yet.
http://www.castlecops.com/s12819-MalSwep_exe.html
The rest of your log looks fine :bigthumb:
Malware Complaints (http://malwarecomplaints.info/index.php)
Are you mad ? I mean really mad, seething mad, so mad your ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some Miscredents, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney Generals Office and the Federal Trade Commission's Bureau of Consumer Protection.
How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads
(cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 2.0 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and
painless download and install, it will no way interfere with IE, you can use them both.
Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs, I
wouldn't access the internet without it.
Glad we could help
Safe Surfn
Ken
need assistance
2007-11-16, 19:19
Thanks!!!!!!!!!!!!!!!!!!!!!!!!!!!
Your very welcome.
Stay well,
Ken
Good Morning,
I hate to bother you like this but staying on top of all this garbage is a never ending process. We just discovered that those two files we removed from the Fonts folder may have infected other files in that folder, I would like you to run this program that will flush all the bad files out .
Please run this free online virus scanner from ESET (http://www.eset.eu/online-scanner)
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic
This topic has been moved to archives.
If you need the thread re-opened, please send me a private message (pm) and provide a link to the closed topic.
Applies only to the original poster, anyone else with similar problems please start your own topic.