
Yikes! Need help desperately!



cammianne
2007-12-05, 02:03
My teen daughter tried to download a keygen (she lost the code for her Sims game). UGH! Of course, what she got is a whole lotta bad, LOL.

I read the rules about what to do before posting, however the kids computer is so messed up, I can't do any of 'em. Pop-ups galore are opening up trying to get me to download things to clean the computer (yeah, like I'm gonna click on one). I can open IE, but no matter what website I try to pull up, it pulls up all kinds of different things.

I burned Hijackthis, SpyBot and AdAware on my computer and then tried to install them on hers. The only one I was able to do was Hijackthis. SpyBot shuts down before I can get it loaded (I make it just past where it asks the language I want it in, but when I try to install it closes). I can't even get AdAware to open.

I was able to scan with Hijackthis, but since I can't get online, I can't post the log.

I forgot to mention, when she first did this, it said she has the New Malware.j trojan. It says that every time we turn it on or try to do anything, but McAfee can't do anything with it.

I also received a balloon saying we have a black door trojan. I'm not sure if that's different from the Malware.j or what.

Any ideas? Should I just write down everything on the Hijackthis log (it could take forever, LOL, there's a lot there), and then come back and try to post it here? YIKES!!! HELP!!! LOL.

Cammi

katana
2007-12-05, 19:27
It sounds like you're having some serious problems there!!!

You will need to download some programs to run on the infected machine. You can burn them to a disc, but it would be easier if you can get hold of a USB drive; that way you can post the logs we will need to see.

Download and Run ComboFix

Download Combofix from one of the links below :

ComboFix.exe 1 (http://subs.geekstogo.com/ComboFix.exe)
ComboFix.exe 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
ComboFix.exe 3 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

Then double click combofix.exe & follow the prompts.
When finished, it will produce a log for you. Post that log in your next reply.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
ComboFix SHOULD NOT be used unless requested by a forum helper.

SmitFraud Look
Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.exe) (by S!Ri)

Double-click SmitfraudFix.exe.
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

If you can, post these logs back.

cammianne
2007-12-06, 01:43
ComboFix 07-12-02.7 - Main Office 2007-12-05 19:00:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.136 [GMT -5:00]
Running from: E:\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\ufazozuj.dll
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Documents and Settings\Main Office\Application Data\ShoppingReport
C:\Documents and Settings\Main Office\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\Main Office\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\Main Office\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\Main Office\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\Main Office\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\Main Office\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\Main Office\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
C:\Documents and Settings\Main Office\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Main Office\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Main Office\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Main Office\Start Menu\Programs\Startup\findfast.exe
C:\Program Files\3269.exe
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe
C:\Program Files\ShoppingReport
C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
C:\Program Files\ShoppingReport\Uninst.exe
C:\Program Files\ucleaner_setup.exe
C:\Program Files\Ultimate Cleaner
C:\Program Files\xloader10181.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\Casino.ico
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\Free Online Dating.ico
C:\WINDOWS\mgrs.exe
C:\WINDOWS\shell.exe
C:\WINDOWS\Spyware Remover.ico
C:\WINDOWS\system32\__c0050F62.dat
C:\WINDOWS\system32\__c007A824.dat
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\ccoyfflg.dll
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\dobe~1\?dobe\
C:\WINDOWS\system32\drvzadr.dll
C:\WINDOWS\system32\ghhkj.ini
C:\WINDOWS\system32\ghhkj.ini2
C:\WINDOWS\system32\jpkhmuxy.ini
C:\WINDOWS\system32\pofgiuys.dllbox
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\regscan.exe
C:\WINDOWS\system32\skjlrsjp
C:\WINDOWS\system32\skjlrsjp\bg1.gif
C:\WINDOWS\system32\skjlrsjp\bgtop.gif
C:\WINDOWS\system32\skjlrsjp\bottom1.gif
C:\WINDOWS\system32\skjlrsjp\essentials.gif
C:\WINDOWS\system32\skjlrsjp\icon1.ico
C:\WINDOWS\system32\skjlrsjp\install1.gif
C:\WINDOWS\system32\skjlrsjp\left1.gif
C:\WINDOWS\system32\skjlrsjp\li.gif
C:\WINDOWS\system32\skjlrsjp\logo.gif
C:\WINDOWS\system32\skjlrsjp\main.htm
C:\WINDOWS\system32\skjlrsjp\mainframe.htm
C:\WINDOWS\system32\skjlrsjp\reinstall1.gif
C:\WINDOWS\system32\skjlrsjp\right1.gif
C:\WINDOWS\system32\skjlrsjp\s1.htm
C:\WINDOWS\system32\skjlrsjp\s2.htm
C:\WINDOWS\system32\skjlrsjp\s3.htm
C:\WINDOWS\system32\skjlrsjp\skjlrsjp1.exe
C:\WINDOWS\system32\skjlrsjp\skjlrsjp2.exe
C:\WINDOWS\system32\skjlrsjp\skjlrsjp3.exe
C:\WINDOWS\system32\skjlrsjp\SMTop1.gif
C:\WINDOWS\system32\skjlrsjp\SMTop2.gif
C:\WINDOWS\system32\skjlrsjp\SMTop3.gif
C:\WINDOWS\system32\skjlrsjp\SMTop4.gif
C:\WINDOWS\system32\skjlrsjp\soft1_off.gif
C:\WINDOWS\system32\skjlrsjp\soft1_off_ext.gif
C:\WINDOWS\system32\skjlrsjp\soft1_on.gif
C:\WINDOWS\system32\skjlrsjp\soft1_on_ext.gif
C:\WINDOWS\system32\skjlrsjp\soft2_off.gif
C:\WINDOWS\system32\skjlrsjp\soft2_off_ext.gif
C:\WINDOWS\system32\skjlrsjp\soft2_on.gif
C:\WINDOWS\system32\skjlrsjp\soft2_on_ext.gif
C:\WINDOWS\system32\skjlrsjp\soft3_off.gif
C:\WINDOWS\system32\skjlrsjp\soft3_off_ext.gif
C:\WINDOWS\system32\skjlrsjp\soft3_on.gif
C:\WINDOWS\system32\skjlrsjp\soft3_on_ext.gif
C:\WINDOWS\system32\skjlrsjp\softbottom_off.gif
C:\WINDOWS\system32\skjlrsjp\softbottom_on.gif
C:\WINDOWS\system32\skjlrsjp\softleft_off.gif
C:\WINDOWS\system32\skjlrsjp\softleft_on.gif
C:\WINDOWS\system32\skjlrsjp\top1.gif
C:\WINDOWS\system32\skjlrsjp\top2.gif
C:\WINDOWS\system32\skjlrsjp\turnoff1.gif
C:\WINDOWS\system32\skjlrsjp\turnon1.gif
C:\WINDOWS\system32\spoolvs.exe
C:\WINDOWS\system32\winkit32.dll
C:\WINDOWS\system32\yxumhkpj.dll
C:\xcrashdump.dat

.
((((((((((((((((((((((((( Files Created from 2007-11-06 to 2007-12-06 )))))))))))))))))))))))))))))))
.

2007-12-05 19:23 . 2007-12-05 19:27 20,810 ---hs---- C:\WINDOWS\system32\pofgiuys.dllbox
2007-12-05 19:01 . 2007-12-05 19:01 <DIR> d-------- C:\Documents and Settings\Main Office\report
2007-12-04 19:24 . 2007-12-04 19:24 <DIR> d-------- C:\Documents and Settings\Main Office\Application Data\report
2007-12-04 19:22 . 2007-12-04 19:22 145,984 --a------ C:\WINDOWS\system32\pofgiuys.dll
2007-12-04 19:22 . 2007-12-04 19:22 145,984 --a------ C:\WINDOWS\system32\bybbxhkx.dll
2007-12-01 15:10 . 2007-12-01 15:10 <DIR> d-------- C:\Documents and Settings\Main Office\Application Data\Application Data
2007-12-01 15:05 . 2007-12-01 15:05 <DIR> d-------- C:\Documents and Settings\Main Office\ShoppingReport
2007-12-01 15:05 . 2007-12-01 15:05 <DIR> d-------- C:\Documents and Settings\Main Office\Documents and Settings
2007-12-01 15:05 . 2007-12-01 15:05 <DIR> d-------- C:\Documents and Settings\Main Office\cs
2007-12-01 15:05 . 2007-12-01 15:05 <DIR> d-------- C:\Documents and Settings\Main Office\Application Data\Documents and Settings
2007-12-01 15:05 . 2007-12-01 15:05 <DIR> d-------- C:\Documents and Settings\Main Office\Application Data\cs
2007-12-01 14:47 . 2007-12-01 14:47 <DIR> d-------- C:\ShoppingReport
2007-12-01 14:47 . 2007-12-01 14:47 <DIR> d-------- C:\Documents and Settings\Main Office\Main Office
2007-12-01 14:47 . 2007-12-01 14:47 <DIR> d-------- C:\cs
2007-12-01 12:21 . 2007-12-01 12:21 324,192 --a------ C:\WINDOWS\system32\jkhhg.dll
2007-12-01 12:18 . 2007-12-01 12:18 <DIR> d-------- C:\Program Files\E404 Helper
2007-12-01 12:18 . 2007-12-04 19:25 10,240 --a------ C:\Program Files\spoolsv.exe
2007-12-01 12:16 . 2007-12-01 12:16 <DIR> d-------- C:\Program Files\Ztrunktz
2007-12-01 12:16 . 2007-12-01 12:16 <DIR> d-------- C:\Program Files\MalwareAlarm
2007-12-01 12:16 . 2007-12-01 12:16 <DIR> d-------- C:\Program Files\crcfylmn
2007-12-01 12:16 . 2007-12-01 12:16 1,148,902 --a------ C:\Install
2007-12-01 12:16 . 2007-12-01 12:16 102,912 --a------ C:\WINDOWS\system32\drvzad.dll
2007-12-01 12:16 . 2007-12-01 12:16 34,304 --a------ C:\WINDOWS\system32\wvuvsts.dll
2007-12-01 11:15 . 2007-12-01 11:44 125 --a------ C:\ioSpecial.ini
2007-11-27 18:43 . 2007-11-27 18:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Christmasville
2007-11-27 18:41 . 2007-11-27 18:41 <DIR> d-------- C:\Documents and Settings\Main Office\Application Data\SpinTop
2007-11-25 19:23 . 2007-11-25 19:23 <DIR> d-------- C:\Program Files\Zango
2007-11-25 19:23 . 2007-11-28 16:36 <DIR> d-------- C:\Documents and Settings\Main Office\Application Data\Zango
2007-11-25 19:23 . 2007-12-05 18:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ZangoSA
2007-11-25 19:23 . 2007-11-25 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
2007-11-25 18:12 . 2007-11-25 18:12 <DIR> d-------- C:\Program Files\GameTap
2007-11-25 18:12 . 2007-11-25 18:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GameTap
2007-11-25 17:18 . 2007-11-25 17:18 <DIR> d-------- C:\Documents and Settings\Main Office\Application Data\Talkback
2007-11-25 17:02 . 2007-11-25 17:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NannyMania
2007-11-25 17:00 . 2007-12-01 11:43 <DIR> d-------- C:\Program Files\GameHouse
2007-11-25 17:00 . 2007-11-25 17:16 <DIR> d-------- C:\Documents and Settings\Main Office\Application Data\GameHouse
2007-11-25 17:00 . 2007-11-25 17:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\n7-89-o9-3r-4t-r9
2007-11-25 16:39 . 2007-11-25 16:39 4 --a------ C:\WINDOWS\sbsystem.dat
2007-11-21 14:13 . 2007-11-21 14:16 <DIR> d-------- C:\Documents and Settings\Main Office\Application Data\MagicBall3
2007-11-21 08:33 . 2007-11-21 13:51 40 --a------ C:\WINDOWS\RSoftInfo.dat
2007-11-17 15:16 . 2007-11-17 15:20 <DIR> d-------- C:\Documents and Settings\Main Office\Application Data\Super-Cow
2007-11-11 14:30 . 2007-11-11 14:30 <DIR> d-------- C:\Documents and Settings\Main Office\Application Data\FrimaStudio
2007-11-09 21:18 . 2007-11-09 21:18 <DIR> d-------- C:\Documents and Settings\Main Office\Application Data\Jane s Hotel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-05 00:51 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-01 19:30 --------- d-----w C:\Program Files\Yahoo!
2007-12-01 16:45 --------- d-----w C:\Program Files\Cartoon Network
2007-12-01 16:45 --------- d-----w C:\Program Files\AOL Games
2007-12-01 16:40 --------- d-----w C:\Program Files\King Kong Skull Island Adventure
2007-12-01 16:39 --------- d-----w C:\Program Files\Jasc Software Inc
2007-12-01 16:32 --------- d-----w C:\Program Files\Nick Arcade
2007-12-01 16:31 --------- d-----w C:\Program Files\Games
2007-12-01 16:26 --------- d-----w C:\Program Files\Corel
2007-12-01 16:26 --------- d-----w C:\Program Files\Common Files\Corel
2007-12-01 16:26 --------- d-----w C:\Documents and Settings\Main Office\Application Data\Corel
2007-11-26 00:26 --------- d-----w C:\Documents and Settings\Main Office\Application Data\PlayFirst
2007-11-25 23:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-02 00:16 --------- d-----w C:\Program Files\Eets
2007-10-30 19:57 11,012 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-10-27 16:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sandlot Games
2007-10-27 01:08 --------- d-----w C:\Documents and Settings\Main Office\Application Data\Jasc
2007-10-27 00:31 --------- d-----w C:\Documents and Settings\Main Office\Application Data\Ulead Systems
2007-10-27 00:29 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2007-10-27 00:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-10-27 00:28 --------- d-----w C:\Program Files\Ulead Systems
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-25 21:59 --------- d-----w C:\Program Files\DeliciousDeluxe2_at
2007-10-14 01:13 --------- d--h--w C:\Documents and Settings\Main Office\Application Data\Move Networks
2007-08-01 01:57 9,878 ----a-w C:\Documents and Settings\Main Office\Application Data\wklnhst.dat
2007-01-10 20:53 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-01-06 20:08 48,483 ----a-w C:\Program Files\Tumblebugs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07AA283A-43D7-4CBE-A064-32A21112D94D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{267909BB-CE6E-4250-900F-94BE63DF043A}]
2007-12-01 12:21 324192 --a------ C:\WINDOWS\system32\jkhhg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30BAA4DF-E0AB-4AFD-B6D8-FFAA032D0468}]
2007-12-01 12:16 34304 --a------ C:\WINDOWS\system32\wvuvsts.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59879FA4-4790-461c-A1CC-4EC4DE4CA483}]
C:\Program Files\RXToolBar\sfcont.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62780D18-D103-03D3-323A-01F43008B839}]
2007-12-01 12:16 98304 --a------ C:\Program Files\Ztrunktz\bbxocddh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-12-04 19:22 145984 --a------ C:\WINDOWS\system32\pofgiuys.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}]
2007-12-01 12:18 17920 --a------ C:\Program Files\E404 Helper\e404.v4.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\pofgiuys.dll [2007-12-04 19:22 145984]

[HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 20:22]
"Aim6"="" []
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-07-16 14:17]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 19:42]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-05 19:22]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 19:19]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" []
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 17:18]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 17:29]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 11:05]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2006-11-07 14:49]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 09:26]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 16:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-13 11:17]
"LXBXCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll" [2004-11-02 10:08]
"lxbxmon.exe"="C:\Program Files\Lexmark 7100 Series\lxbxmon.exe" [2005-01-18 04:43]
"FaxCenterServer4_in_1"="C:\Program Files\Lexmark 7100 Series\fm3032.exe" [2004-12-06 11:53]
"EzPrint"="C:\Program Files\Lexmark 7100 Series\ezprint.exe" [2004-09-17 08:24]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 07:50]
"HostManager"="C:\Program Files\Common Files\AOL\1170457508\ee\AOLSoftware.exe" [2006-09-25 19:52]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-31 16:25]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-09-13 11:17]
"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-08-27 18:22]
"ZangoSA"="C:\Program Files\Zango\bin\10.0.370.0\ZangoSA.exe" [2007-10-02 22:32]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-09-13 11:14:48]
Picture Package Menu.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2007-02-23 10:00:00]
Picture Package VCD Maker.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2007-02-23 09:59:50]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-29 20:49:48]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 22:07:32]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{30BAA4DF-E0AB-4AFD-B6D8-FFAA032D0468}"= C:\WINDOWS\system32\wvuvsts.dll [2007-12-01 12:16 34304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pofgiuys]
pofgiuys.dll 2007-12-04 19:22 145984 C:\WINDOWS\system32\pofgiuys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuvsts]
wvuvsts.dll 2007-12-01 12:16 34304 C:\WINDOWS\system32\wvuvsts.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0050F62]
C:\WINDOWS\system32\__c0050F62.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\jkhhg.dll

R2 CdaD10BA;CdaD10BA;\??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS
R2 X4HSX32;X4HSX32;\??\C:\Program Files\GameTap\bin\Release\X4HSX32.Sys
R3 WinDriver6;WinDriver6;C:\WINDOWS\system32\drivers\windrvr6.sys
R3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys

*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
"2007-12-06 00:24:14 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (OFFICE-Main Office).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-05 19:23:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\ghhkj.ini2 6495 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2007-12-05 19:29:27 - machine was rebooted
.
--- E O F ---


Still trying to get the SmitfraudFix, having trouble. But, on a positive note, whatever it is that Combofix did, it's allowing me to actually reach this message board from the messed up computer, so that's a step in the right direction!!
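An added example, not part of this thread and not code from either poster: a small Python parser for the "Reg Loading Points" section of a ComboFix log in the layout posted above. It pulls out the file each registry load point points at and orders the review the way a helper reads such a log: Winlogon Notify and ShellExecuteHooks DLLs and any extra LSA authentication package first, then anything a BHO, AppInit_DLLs or Run entry loads straight out of system32. The sample excerpt is a constructed, trimmed copy of lines from the log above; the mechanism table and the review heuristics are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed excerpt of the 'Reg Loading Points' section of
# the ComboFix log posted in this thread, in the layout ComboFix prints.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{267909BB-CE6E-4250-900F-94BE63DF043A}]
2007-12-01 12:21 324192 --a------ C:\WINDOWS\system32\jkhhg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}]
2007-12-01 12:18 17920 --a------ C:\Program Files\E404 Helper\e404.v4.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 19:42]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{30BAA4DF-E0AB-4AFD-B6D8-FFAA032D0468}"= C:\WINDOWS\system32\wvuvsts.dll [2007-12-01 12:16 34304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pofgiuys]
pofgiuys.dll 2007-12-04 19:22 145984 C:\WINDOWS\system32\pofgiuys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\jkhhg.dll
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# A Windows path inside a detail line; it ends at a closing quote, at the
# ' [date size]' bracket ComboFix appends, or at end of line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^\[\]"]+?(?=\s*\[|"|$)')

# Substring of the lower-cased key that identifies each autostart mechanism (assumed table).
MECHANISMS = [
    ("\\winlogon\\notify\\", "Winlogon Notify"),
    ("\\shellexecutehooks", "ShellExecuteHook"),
    ("\\browser helper objects\\", "BHO"),
    ("\\control\\lsa", "LSA Authentication Packages"),
    ("\\currentversion\\windows", "AppInit_DLLs"),
    ("\\currentversion\\run", "Run"),
]
ALWAYS_REVIEW = {"Winlogon Notify", "ShellExecuteHook"}
SYSTEM32 = "c:\\windows\\system32\\"


def parse_loading_points(text):
    """Map every registry key in the section to the file paths listed under it."""
    entries, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            entries[current]  # touching the key records it even when no file follows
        elif current and line:
            entries[current].extend(p.strip() for p in PATH_RE.findall(line))
    return dict(entries)


def triage(entries):
    """Tag each load point with its mechanism and a reason for review, or None.

    These are ordering heuristics, not verdicts: Winlogon Notify and
    ShellExecuteHook DLLs load into every session and a clean XP box has few of
    them; the LSA package list should hold only msv1_0; a BHO, AppInit_DLLs or
    Run entry loading a file that sits directly in system32 is unusual for a
    legitimate add-on, which normally installs under Program Files.
    """
    findings = []
    for key, paths in entries.items():
        low = key.lower()
        mech = next((name for needle, name in MECHANISMS if needle in low), None)
        if mech is None:
            continue
        for path in paths:
            tail = path.lower()[len(SYSTEM32):] if path.lower().startswith(SYSTEM32) else None
            if mech == "LSA Authentication Packages":
                reason = "authentication package added beside the default msv1_0"
            elif mech in ALWAYS_REVIEW:
                reason = "hook mechanism that legitimate software rarely uses"
            elif tail is not None and "\\" not in tail:
                reason = "third-party loader pointing straight into system32"
            else:
                reason = None
            findings.append({"mechanism": mech, "key": key, "path": path, "reason": reason})
    return findings


def flagged_paths(text):
    """Distinct file paths that triage() marked for review, sorted."""
    return sorted({f["path"] for f in triage(parse_loading_points(text)) if f["reason"]})


if __name__ == "__main__":
    for f in triage(parse_loading_points(SAMPLE_LOG)):
        mark = "REVIEW" if f["reason"] else "ok    "
        print(f"{mark} {f['mechanism']:<28} {f['path']}  {f['reason'] or ''}")
```

Run against the sample it lists jkhhg.dll twice (as a BHO and as an LSA package), which is the same double role the full log above shows for that file.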

cammianne
2007-12-06, 01:49
SmitFraudFix v2.258

Scan done at 19:43:00.53, 12/05/2007
Run from C:\Documents and Settings\Main Office\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Lexmark 7100 Series\lxbxmon.exe
C:\Program Files\Lexmark 7100 Series\ezprint.exe
C:\Program Files\Common Files\AOL\1170457508\ee\AOLSoftware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\Zango\bin\10.0.370.0\ZangoSA.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\lxbxcoms.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\SmitfraudFix.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Main Office


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Main Office\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\MAINOF~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~3\\GOEC62~1.DLL"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Linksys Wireless-G USB Network Adapter #2 - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0064BF86-2859-4223-B8DE-CFDDC2A8278F}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0064BF86-2859-4223-B8DE-CFDDC2A8278F}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{0064BF86-2859-4223-B8DE-CFDDC2A8278F}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


katana
2007-12-06, 01:53
Good news that you can access the net now.

There is still a lot to do, and there are several strange folders in that ComboFix log.


It is now 1 am here, so I will look at your logs first thing tomorrow.

cammianne
2007-12-06, 02:58
Thank you soooooooooooooo much. I appreciate all your help!!!

Cammi

katana
2007-12-06, 11:36
Do you know what these folders are? They seem to be normal folders within another folder:
C:\Documents and Settings\Main Office\Application Data\Documents and Settings
C:\Documents and Settings\Main Office\Application Data\Application Data
C:\Documents and Settings\Main Office\Documents and Settings


Submit a File For Analysis
We need to have the files below scanned by uploading them to VirusTotal.

Please visit Virustotal (http://www.virustotal.com/en/indexf.html)
Copy/paste the following file path into the window
C:\WINDOWS\RSoftInfo.dat
Click Submit/Send File
Please post back, to let me know the results.

Please do the same for the following file
C:\WINDOWS\sbsystem.dat

If Virustotal is too busy please try Jotti (http://virusscan.jotti.org/)


Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


http://forums.spybot.info/showthread.php?p=142345#post142345

Comment:: Katana

Collect::[4]
C:\WINDOWS\system32\wvuvsts.dll

DirLook::
C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
C:\Documents and Settings\All Users\Application Data\n7-89-o9-3r-4t-r9


File::
C:\WINDOWS\system32\pofgiuys.dllbox
C:\WINDOWS\system32\pofgiuys.dll
C:\WINDOWS\system32\bybbxhkx.dll
C:\WINDOWS\system32\drvzad.dll
C:\WINDOWS\system32\jkhhg.dll
C:\Program Files\spoolsv.exe
C:\WINDOWS\system32\ghhkj.ini2
Folder::
C:\Program Files\Ztrunktz
C:\Program Files\crcfylmn
C:\Program Files\RXToolBar
C:\Program Files\E404 Helper
Driver::
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07AA283A-43D7-4CBE-A064-32A21112D94D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{267909BB-CE6E-4250-900F-94BE63DF043A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30BAA4DF-E0AB-4AFD-B6D8-FFAA032D0468}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59879FA4-4790-461c-A1CC-4EC4DE4CA483}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62780D18-D103-03D3-323A-01F43008B839}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
[-HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZangoSA"=-

[HKEY_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{30BAA4DF-E0AB-4AFD-B6D8-FFAA032D0468}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pofgiuys]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuvsts]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0050F62]


Save this as CFScript.txt and place it on your desktop.


http://img.photobucket.com/albums/v666/sUBs/CFScript.gif


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
A window will open asking you to ensure you are connected to the internet; this is so a file can be submitted for analysis.
Click OK and follow the instructions to submit the file.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

cammianne
2007-12-07, 00:28
Here are the results of the two scans through VirusTotal. I hope it's okay posting it like this, but when I tried to cut and paste, it locked up this system.

http://www.virustotal.com/resultado.html?b0791c1852fd798f4c4b3c55b7e40919

http://www.virustotal.com/resultado.html?aa5c25230e6e11e6e58f010ccac286b1
EDIT: Both clean, that's fine.

Will post again after I do CFScript thingy.

Cammi

cammianne
2007-12-07, 02:20
ComboFix 07-12-02.7 - Main Office 2007-12-06 19:48:54.2 - NTFSx86
Running from: E:\ComboFix.exe
Command switches used :: C:\Documents and Settings\Main Office\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Program Files\spoolsv.exe
C:\WINDOWS\system32\bybbxhkx.dll
C:\WINDOWS\system32\drvzad.dll
C:\WINDOWS\system32\ghhkj.ini2
C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\pofgiuys.dll
C:\WINDOWS\system32\pofgiuys.dllbox
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Main Office\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Main Office\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Main Office\Favorites\Online Security Guide.lnk
C:\Program Files\crcfylmn
C:\Program Files\crcfylmn\ibatghqf.dll
C:\Program Files\E404 Helper
C:\Program Files\E404 Helper\e404.v4.dll
C:\Program Files\spoolsv.exe
C:\Program Files\Ztrunktz
C:\Program Files\Ztrunktz\bbxocddh.dll
C:\WINDOWS\system32\bybbxhkx.dll
C:\WINDOWS\system32\drvzad.dll
C:\WINDOWS\system32\ghhkj.ini2
C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\pofgiuys.dll
C:\WINDOWS\system32\pofgiuys.dllbox
C:\WINDOWS\system32\wvuvsts.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-07 to 2007-12-07 )))))))))))))))))))))))))))))))
.

2007-12-05 19:43 . 2007-12-05 19:43 5,128 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-05 19:42 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-05 19:42 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-05 19:42 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-05 19:42 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-05 19:24 . 2007-12-06 19:57 8,521 --ahs---- C:\WINDOWS\system32\ghhkj.ini
2007-12-05 19:01 . 2007-12-05 19:01 <DIR> d-------- C:\Documents and Settings\Main Office\report
2007-12-04 19:24 . 2007-12-04 19:24 <DIR> d-------- C:\Documents and Settings\Main Office\Application Data\report
2007-12-01 15:10 . 2007-12-01 15:10 <DIR> d-------- C:\Documents and Settings\Main Office\Application Data\Application Data
2007-12-01 15:05 . 2007-12-01 15:05 <DIR> d-------- C:\Documents and Settings\Main Office\ShoppingReport
2007-12-01 15:05 . 2007-12-01 15:05 <DIR> d-------- C:\Documents and Settings\Main Office\Documents and Settings
2007-12-01 15:05 . 2007-12-01 15:05 <DIR> d-------- C:\Documents and Settings\Main Office\cs
2007-12-01 15:05 . 2007-12-01 15:05 <DIR> d-------- C:\Documents and Settings\Main Office\Application Data\Documents and Settings
2007-12-01 15:05 . 2007-12-01 15:05 <DIR> d-------- C:\Documents and Settings\Main Office\Application Data\cs
2007-12-01 14:47 . 2007-12-01 14:47 <DIR> d-------- C:\ShoppingReport
2007-12-01 14:47 . 2007-12-01 14:47 <DIR> d-------- C:\Documents and Settings\Main Office\Main Office
2007-12-01 14:47 . 2007-12-01 14:47 <DIR> d-------- C:\cs
2007-12-01 12:16 . 2007-12-01 12:16 <DIR> d-------- C:\Program Files\MalwareAlarm
2007-12-01 12:16 . 2007-12-01 12:16 1,148,902 --a------ C:\Install
2007-12-01 11:15 . 2007-12-01 11:44 125 --a------ C:\ioSpecial.ini
2007-11-27 18:43 . 2007-11-27 18:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Christmasville
2007-11-27 18:41 . 2007-11-27 18:41 <DIR> d-------- C:\Documents and Settings\Main Office\Application Data\SpinTop
2007-11-25 19:23 . 2007-11-25 19:23 <DIR> d-------- C:\Program Files\Zango
2007-11-25 19:23 . 2007-11-28 16:36 <DIR> d-------- C:\Documents and Settings\Main Office\Application Data\Zango
2007-11-25 19:23 . 2007-12-06 19:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ZangoSA
2007-11-25 19:23 . 2007-11-25 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
2007-11-25 18:12 . 2007-11-25 18:12 <DIR> d-------- C:\Program Files\GameTap
2007-11-25 18:12 . 2007-11-25 18:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GameTap
2007-11-25 17:18 . 2007-11-25 17:18 <DIR> d-------- C:\Documents and Settings\Main Office\Application Data\Talkback
2007-11-25 17:02 . 2007-11-25 17:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NannyMania
2007-11-25 17:00 . 2007-12-01 11:43 <DIR> d-------- C:\Program Files\GameHouse
2007-11-25 17:00 . 2007-11-25 17:16 <DIR> d-------- C:\Documents and Settings\Main Office\Application Data\GameHouse
2007-11-25 17:00 . 2007-11-25 17:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\n7-89-o9-3r-4t-r9
2007-11-25 16:39 . 2007-11-25 16:39 4 --a------ C:\WINDOWS\sbsystem.dat
2007-11-21 14:13 . 2007-11-21 14:16 <DIR> d-------- C:\Documents and Settings\Main Office\Application Data\MagicBall3
2007-11-21 08:33 . 2007-11-21 13:51 40 --a------ C:\WINDOWS\RSoftInfo.dat
2007-11-17 15:16 . 2007-11-17 15:20 <DIR> d-------- C:\Documents and Settings\Main Office\Application Data\Super-Cow
2007-11-11 14:30 . 2007-11-11 14:30 <DIR> d-------- C:\Documents and Settings\Main Office\Application Data\FrimaStudio
2007-11-09 21:18 . 2007-11-09 21:18 <DIR> d-------- C:\Documents and Settings\Main Office\Application Data\Jane s Hotel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-05 00:51 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-01 19:30 --------- d-----w C:\Program Files\Yahoo!
2007-12-01 16:45 --------- d-----w C:\Program Files\Cartoon Network
2007-12-01 16:45 --------- d-----w C:\Program Files\AOL Games
2007-12-01 16:40 --------- d-----w C:\Program Files\King Kong Skull Island Adventure
2007-12-01 16:39 --------- d-----w C:\Program Files\Jasc Software Inc
2007-12-01 16:32 --------- d-----w C:\Program Files\Nick Arcade
2007-12-01 16:31 --------- d-----w C:\Program Files\Games
2007-12-01 16:26 --------- d-----w C:\Program Files\Corel
2007-12-01 16:26 --------- d-----w C:\Program Files\Common Files\Corel
2007-12-01 16:26 --------- d-----w C:\Documents and Settings\Main Office\Application Data\Corel
2007-11-26 00:26 --------- d-----w C:\Documents and Settings\Main Office\Application Data\PlayFirst
2007-11-25 23:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-02 00:16 --------- d-----w C:\Program Files\Eets
2007-10-30 19:57 11,012 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-10-27 16:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sandlot Games
2007-10-27 01:08 --------- d-----w C:\Documents and Settings\Main Office\Application Data\Jasc
2007-10-27 00:31 --------- d-----w C:\Documents and Settings\Main Office\Application Data\Ulead Systems
2007-10-27 00:29 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2007-10-27 00:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-10-27 00:28 --------- d-----w C:\Program Files\Ulead Systems
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-25 21:59 --------- d-----w C:\Program Files\DeliciousDeluxe2_at
2007-10-14 01:13 --------- d--h--w C:\Documents and Settings\Main Office\Application Data\Move Networks
2007-08-01 01:57 9,878 ----a-w C:\Documents and Settings\Main Office\Application Data\wklnhst.dat
2007-01-10 20:53 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-01-06 20:08 48,483 ----a-w C:\Program Files\Tumblebugs
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65 ----


---- Directory of C:\Documents and Settings\All Users\Application Data\n7-89-o9-3r-4t-r9 ----

2007-11-25 18:03 91 --a------ C:\Documents and Settings\All Users\Application Data\n7-89-o9-3r-4t-r9\profile.ini


((((((((((((((((((((((((((((( snapshot@2007-12-05_19.27.30.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-07 01:04:12 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 20:22]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-07-16 14:17]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 19:42]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-05 19:22]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 19:19]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" []
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 17:18]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 17:29]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 11:05]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2006-11-07 14:49]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 09:26]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 16:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-13 11:17]
"LXBXCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll" [2004-11-02 10:08]
"lxbxmon.exe"="C:\Program Files\Lexmark 7100 Series\lxbxmon.exe" [2005-01-18 04:43]
"FaxCenterServer4_in_1"="C:\Program Files\Lexmark 7100 Series\fm3032.exe" [2004-12-06 11:53]
"EzPrint"="C:\Program Files\Lexmark 7100 Series\ezprint.exe" [2004-09-17 08:24]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 07:50]
"HostManager"="C:\Program Files\Common Files\AOL\1170457508\ee\AOLSoftware.exe" [2006-09-25 19:52]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-31 16:25]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-09-13 11:17]
"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-08-27 18:22]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-09-13 11:14:48]
Picture Package Menu.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2007-02-23 10:00:00]
Picture Package VCD Maker.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2007-02-23 09:59:50]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-29 20:49:48]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 22:07:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\jkhhg.dll

R2 CdaD10BA;CdaD10BA;\??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe"
R2 X4HSX32;X4HSX32;\??\C:\Program Files\GameTap\bin\Release\X4HSX32.Sys
R3 WinDriver6;WinDriver6;C:\WINDOWS\system32\drivers\windrvr6.sys
R3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys

*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
"2007-12-07 01:04:43 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (OFFICE-Main Office).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-06 20:05:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ATWPKT2]
"ImagePath"="\??\C:\WINDOWS\system32\drivers\ATWPKT2.SYS"
.
Completion time: 2007-12-06 20:08:11 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-05 19:29
.
--- E O F ---
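The "Reg Loading Points" section of the log above is where the remaining persistence shows: an extra DLL in the LSA Authentication Packages value, an AppInit_DLLs entry, and a Run entry ComboFix could not date (the empty `[]`). This added example, which is not part of the thread or of ComboFix, parses a constructed excerpt in ComboFix's own key/value layout and flags those three conditions so a helper can triage a pasted log quickly; the sample values are modelled on the log above and `find_suspicious` is my own name.

```python
"""Flag persistence points in a ComboFix 'Reg Loading Points' dump (added example)."""
import re

# Constructed excerpt in ComboFix's format; values modelled on the thread's log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-05 19:22]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\jkhhg.dll
"""

# msv1_0 is the only authentication package Windows XP ships with by default.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}

# "Name"="path" [timestamp]   (ComboFix prints [] when it could not stat the file)
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="?(?P<path>[^"\[]+?)"?\s*\[(?P<stamp>[^\]]*)\]$')


def find_suspicious(log_text):
    """Return (reason, detail) findings for the loading-points part of a ComboFix log."""
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()  # registry keys are case-insensitive
            continue
        if current_key is None:
            continue
        # Every package listed here is loaded into lsass.exe at boot; anything
        # beyond msv1_0 (here jkhhg.dll, deleted earlier in the thread) is a finding.
        if current_key.endswith(r"\control\lsa") and line.startswith("Authentication Packages"):
            for pkg in line.split("REG_MULTI_SZ", 1)[1].split():
                if pkg.lower() not in DEFAULT_AUTH_PACKAGES:
                    findings.append(("extra LSA authentication package", pkg))
            continue
        # AppInit_DLLs are injected into every process that loads user32.dll, so a
        # non-empty value is always worth a look (the sample one belongs to Google Desktop).
        if current_key.endswith(r"\windows nt\currentversion\windows") and line.startswith('"AppInit_DLLs"'):
            value = line.split("=", 1)[1].strip().strip('"')
            if value:
                findings.append(("AppInit_DLLs set", value))
            continue
        # Run entries whose file ComboFix could not date deserve a manual check.
        if current_key.endswith(r"\currentversion\run"):
            m = RUN_LINE.match(line)
            if m and not m.group("stamp"):
                findings.append(("Run entry with unverifiable file", m.group("path").strip()))
    return findings


if __name__ == "__main__":
    for reason, detail in find_suspicious(SAMPLE_LOG):
        print(f"{reason}: {detail}")
```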

katana
2007-12-07, 03:00
Do you know what these folders are? They seem to be normal folders within another folder:
C:\Documents and Settings\Main Office\Application Data\Documents and Settings
C:\Documents and Settings\Main Office\Application Data\Application Data
C:\Documents and Settings\Main Office\Documents and Settings

Looking good now, how are things running?
Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:



File::
C:\WINDOWS\system32\ghhkj.ini
Folder::
C:\Program Files\MalwareAlarm

Save this as CFScript.txt and place it on your desktop.


http://img.photobucket.com/albums/v666/sUBs/CFScript.gif


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



Download AVG Anti-Spyware
Please download AVG Anti-Spyware (http://free.grisoft.com/filedir/inst/avgas-setup-7.5.1.43.exe) to your Desktop or to your usual Download Folder.


Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.

Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.

Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.


Run AVG Anti-Spyware
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.

Click on Scanner on the toolbar.
Click on the Settings tab.

Under How to act?

Click on Recommended Action and choose Quarantine from the popup menu.

Under How to scan?

All checkboxes should be ticked.

Under Possibly unwanted software:

All checkboxes should be ticked.

Under Reports:

Select Do not automatically generate reports

Under What to scan?

Select Scan every file.


Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.

Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg

When done, click the Save Scan Report button. (4)

Click the Save Report as button.
Save the report to your Desktop.

Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.


Installed Programs
Please could you give me a list of the programs that are installed. This will help me create a fix for you.
Start HijackThis
Click on the Config button
Click on the Misc Tools button
Click on the Open Uninstall Manager button.

You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.


Logs/Information to Post in Reply
Please post the following logs/Information in your reply

ComboFix Log
AVG Log
Installed Programs list
Do you know what those folders are?
How are things running now?

cammianne
2007-12-07, 03:22
Sorry I forgot to answer those other questions. Those folders don't appear to have anything in 'em, or if they do (and I just couldn't find 'em), they're probably not important. I bought this computer originally for a business my sister and I owned (hence, the Main Office folder-we had two computers, one in the Main Office and one in the lobby area).

katana
2007-12-07, 03:30
Sorry I forgot to answer those other questions. Those folders don't appear to have anything in 'em, or if they do (and I just couldn't find 'em), they're probably not important. I bought this computer originally for a business my sister and I owned (hence, the Main Office folder-we had two computers, one in the Main Office and one in the lobby area).

As long as you know what they are, that is fine :bigthumb: