View Full Version : repost win32.vb.ahq detected
Carlleetos
2008-03-05, 07:53
please remove old win32.vb.ahq detected post. i'll only put hijack this log for now until asked for kapersky log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:35 PM, on 3/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\AOL\1130304777\ee\AOLSoftware.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\common files\aol\1130304777\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1130304777\ee\aolsoftware.exe
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp2.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
c:\program files\aol\aol toolbar 5.0\AolTbServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [jptitjs] c:\windows\system32\lwthuek.exe r
O4 - HKLM\..\Run: [jE5eIH0X] C:\WINDOWS\jdisexo.exe
O4 - HKLM\..\Run: C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1130304777\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Dinst]
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AutoTBar] S\System32\Wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\servicesAUTOTBAR.EXE
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOLAspSunset2] C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp2.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [mvghgo] C:\WINDOWS\System32\mvghgo.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.8\webbuying.exe
O4 - HKCU\..\Run: [qiko] C:\PROGRA~1\COMMON~1\qiko\qikom.exe
O4 - HKCU\..\Run: [QdrPack13] "C:\Program Files\QdrPack\QdrPack13.exe"
O4 - HKCU\..\Run: [QdrModule13] "C:\Program Files\QdrModule\QdrModule13.exe"
O4 - HKCU\..\Run: [Plook]
O4 - HKCU\..\Run: [cav] C:\WINDOWS\System32\cav.exe
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [Aju] "C:\Program Files\?ssembly\?ttrib.exe"
O4 - HKLM\..\Policies\Explorer\Run: [mvghgo] C:\WINDOWS\System32\mvghgo.exe
O4 - HKCU\..\Policies\Explorer\Run: [cav] C:\WINDOWS\System32\cav.exe
O4 - HKUS\S-1-5-18\..\Run: [Plook] C:\Program Files\PLook\plook.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Plook] C:\Program Files\PLook\plook.exe (User 'Default user')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw2.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203584042359
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203584026656
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 12583 bytes
[I]Edit: Previous topic http://forums.spybot.info/showthread.php?t=22128
Carlleetos
2008-03-07, 04:01
bump?..........
Hi Carlleetos
Please post next kaspersky report :)
Carlleetos
2008-03-13, 03:44
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, March 04, 2008 5:59:37 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 4/03/2008
Kaspersky Anti-Virus database records: 597006
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
K:\
L:\
M:\
N:\
Scan Statistics:
Total number of scanned objects: 146806
Number of viruses found: 17
Number of infected objects: 49
Number of suspicious objects: 0
Duration of the scan process: 02:18:39
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aoltsmon.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051104034333.zip/WINDOWS/Nail.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.b skipped
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051104034333.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\avg8\AvgAm\avgam.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\emc\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgam.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avglng.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgns.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgsrm.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\commonpriv.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\commonpub.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ea563f5ed0b8ea72081a19b9b561dd25_9a97e8f5-a518-434e-855a-2797590cb266 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\All Users\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\99_ncontext_4_0_3_7.exe/WISE0007.BIN Infected: Trojan-Downloader.Win32.TSUpdate.p skipped
C:\Documents and Settings\Owner\99_ncontext_4_0_3_7.exe WiseSFX: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\GTek\GTUpdate\AUpdate\AOLCC\ACCAgnt.log Object is locked skipped
C:\Documents and Settings\Owner\Application Data\GTek\GTUpdate\AUpdate\AOLCC\AUAolOn.log Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051104034333.zip/WINDOWS/Nail.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.b skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20051104034333.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\CMLS--2008-03-04--12-26-51.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinUninstaller.exe.vir/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinUninstaller.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1552OinUninstaller.exe.vir/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1552OinUninstaller.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\Program Files\MyWay\myBar\1.bin\MY2NS.EXE.vir Infected: not-a-virus:AdWare.Win32.MyWay.b skipped
C:\QooBox\Quarantine\C\WINDOWS\bundles\2504041110.exe.vir/WISE0006.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.c skipped
C:\QooBox\Quarantine\C\WINDOWS\bundles\2504041110.exe.vir/WISE0007.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.e skipped
C:\QooBox\Quarantine\C\WINDOWS\bundles\2504041110.exe.vir/WISE0007.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.e skipped
C:\QooBox\Quarantine\C\WINDOWS\bundles\2504041110.exe.vir WiseSFX: infected - 3 skipped
C:\QooBox\Quarantine\C\WINDOWS\bundles\2504041110.exe.vir WiseSFXDropper: infected - 3 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP107\A0007072.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP107\A0007073.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP108\A0007145.dll Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP108\A0007146.dll Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007152.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007153.dll Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007154.dll Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007155.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007156.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007157.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007158.dll Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007159.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007160.sys Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007161.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007162.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007163.dll Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007164.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007165.dll Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007166.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007167.exe/data0002 Infected: not-a-virus:AdWare.Win32.PowerZone.b skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007167.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007168.sys Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007169.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007170.dll Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007171.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.d skipped
Carlleetos
2008-03-13, 03:44
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007171.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007172.dll Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007173.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007174.dll Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007175.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007176.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007177.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007178.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007179.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007180.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007181.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007182.dll Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007183.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007184.dll Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007185.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007186.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007187.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007188.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007189.dll Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP109\A0007196.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP110\change.log Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP15\A0000829.dll Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP15\A0000832.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP15\A0000833.dll Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP15\A0000836.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP15\A0000836.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP15\A0000836.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP15\A0000837.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000006.EXE Infected: not-a-virus:AdWare.Win32.MyWay.b skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000010.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000013.dll Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000018.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000020.dll Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000021.dll Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000023.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000024.exe/WISE0006.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.c skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000024.exe/WISE0007.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.e skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000024.exe/WISE0007.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.e skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000024.exe WiseSFX: infected - 3 skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000024.exe WiseSFXDropper: infected - 3 skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000028.exe/data0002 Infected: not-a-virus:AdWare.Win32.BookedSpace.c skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000028.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000033.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000035.exe/data0006 Infected: not-a-virus:AdWare.Win32.MegaSearch.d skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000035.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000039.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000041.dll Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000043.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000044.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000045.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000046.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000047.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000047.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000048.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000049.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000049.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000052.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000053.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000054.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000055.dll Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000056.dll Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000057.dll Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000058.dll Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000059.dll Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000060.dll Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000061.dll Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000067.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP2\A0000074.dll Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP31\A0001226.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP31\A0001227.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP31\A0001228.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP60\A0001663.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP64\A0005964.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP64\A0005964.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP64\A0005964.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP64\A0005994.exe Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP64\A0006000.dll Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP64\A0006001.dll Object is locked skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP65\A0006082.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP65\A0006099.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\actsetup.dll Infected: Trojan-Dropper.Win32.Agent.hn skipped
C:\WINDOWS\extract.exe/systb.dll Infected: not-a-virus:AdWare.Win32.ImiBar.c skipped
C:\WINDOWS\extract.exe/wdskctl.exe Infected: not-a-virus:AdWare.Win32.ShopNav.g skipped
C:\WINDOWS\extract.exe CAB: infected - 2 skipped
C:\WINDOWS\extract.exe MimarSinan: infected - 2 skipped
C:\WINDOWS\extract.exe UPX: infected - 2 skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{2663EC1F-DDD4-4A1D-B779-6B4C8B7DC25A}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\svrrunu.exe Infected: Trojan.Win32.Qrap skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\htinetbs.exe Infected: Trojan.Win32.Crypt.t skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Hi
Delete any other previous copies of Combofix.
After that:
1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
Post:
- a fresh HijackThis log
- combofix report
Carlleetos
2008-03-13, 20:43
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:26 AM, on 3/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\gearsec.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\wanmpsvc.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\AOL\1130304777\ee\AOLSoftware.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
c:\program files\common files\aol\1130304777\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1130304777\ee\aolsoftware.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp2.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\AOL\1130304777\ee\anotify.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [jptitjs] c:\windows\system32\lwthuek.exe r
O4 - HKLM\..\Run: [jE5eIH0X] C:\WINDOWS\jdisexo.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1130304777\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Dinst]
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AutoTBar] S\System32\Wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\servicesAUTOTBAR.EXE
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOLAspSunset2] C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp2.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [mvghgo] C:\WINDOWS\System32\mvghgo.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [qiko] C:\PROGRA~1\COMMON~1\qiko\qikom.exe
O4 - HKCU\..\Run: [Plook]
O4 - HKCU\..\Run: [cav] C:\WINDOWS\System32\cav.exe
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [Aju] "C:\Program Files\?ssembly\?ttrib.exe"
O4 - HKLM\..\Policies\Explorer\Run: [mvghgo] C:\WINDOWS\System32\mvghgo.exe
O4 - HKCU\..\Policies\Explorer\Run: [cav] C:\WINDOWS\System32\cav.exe
O4 - HKUS\S-1-5-18\..\Run: [Plook] C:\Program Files\PLook\plook.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Plook] C:\Program Files\PLook\plook.exe (User 'Default user')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw2.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203584042359
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203584026656
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 12196 bytes
Carlleetos
2008-03-13, 20:44
ComboFix 08-03-10.1 - Owner 2008-03-13 10:17:28.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.111 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-02-13 to 2008-03-13 )))))))))))))))))))))))))))))))
.
2008-03-04 14:03 . 2008-03-04 14:03 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-04 14:03 . 2008-03-04 14:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-04 13:55 . 2008-03-04 13:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-04 09:40 . 2006-08-21 01:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-03-04 09:40 . 2006-08-21 01:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-03-04 09:40 . 2006-08-21 04:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-03-04 09:23 . 2008-03-04 09:23 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-04 09:01 . 2007-07-09 05:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-03-03 22:43 . 2008-03-03 22:43 73,864 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-03-03 22:43 . 2008-03-03 22:43 14,104 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-03-03 22:43 . 2008-03-03 22:43 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-03-03 22:42 . 2008-03-04 12:25 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-03-03 22:42 . 2008-03-03 22:42 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-03-03 22:41 . 2008-03-03 22:41 <DIR> d-------- C:\Program Files\AVG
2008-03-03 22:41 . 2008-03-03 22:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-03-03 22:41 . 2008-03-03 22:41 45,568 --a------ C:\WINDOWS\system32\avgfwdx.dll
2008-03-03 22:41 . 2008-03-03 22:41 22,528 --a------ C:\WINDOWS\system32\drivers\avgfwdx.sys
2008-03-03 19:06 . 2008-03-03 19:06 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-03 19:06 . 2008-03-03 19:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-03 17:51 . 2008-03-03 17:59 1,354 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-03 17:47 . 2003-03-18 12:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-03-03 17:47 . 2003-03-18 11:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-03-03 17:47 . 2003-02-20 19:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2008-03-03 17:46 . 2008-03-03 17:46 <DIR> d-------- C:\Program Files\Alwil Software
2008-03-03 16:41 . 2004-01-20 19:48 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-03-03 16:41 . 2004-01-21 01:48 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-03-03 16:41 . 2004-01-20 19:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-03-03 16:41 . 2004-01-20 20:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-03-03 16:41 . 2004-01-21 01:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2008-02-23 13:55 . 2008-02-23 13:55 401 --a------ C:\WINDOWS\system32\L5B9F.tmp
2008-02-23 13:45 . 2008-02-23 13:45 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-02-23 13:43 . 2008-03-03 19:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-02-23 08:09 . 2008-03-04 01:40 <DIR> d-------- C:\WINDOWS\system32\xb8
2008-02-23 08:09 . 2008-03-04 01:38 <DIR> d-------- C:\WINDOWS\system32\ff3
2008-02-23 08:09 . 2008-03-04 01:38 <DIR> d-------- C:\WINDOWS\system32\ez2
2008-02-23 08:09 . 2008-03-04 01:36 <DIR> d-------- C:\WINDOWS\system32\cms4
2008-02-23 00:53 . 2008-02-23 00:53 401 --a------ C:\WINDOWS\system32\L3F2B.tmp
2008-02-21 04:06 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-21 04:06 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-21 01:45 . 2008-02-21 01:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-02-21 01:40 . 2005-10-20 14:20 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
2008-02-21 01:32 . 2008-02-21 01:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-02-21 01:04 . 2008-02-21 01:04 <DIR> d-------- C:\Program Files\Google
2008-02-21 00:54 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-02-21 00:54 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-02-21 00:54 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-02-21 00:54 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-02-21 00:07 . 2008-02-21 00:07 <DIR> d-------- C:\Program Files\MySpace
2008-02-21 00:07 . 2008-02-21 00:07 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MySpace
2008-02-20 23:35 . 2004-08-03 23:56 240,640 --a------ C:\WINDOWS\system32\mpg4dmod.dll
2008-02-20 23:33 . 2008-02-20 23:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\You've Got Pictures Screensaver
2008-02-20 23:33 . 2005-07-12 01:17 173,184 --a------ C:\WINDOWS\system32\ygpss.scr
2008-02-20 23:29 . 2008-02-21 00:09 <DIR> d-------- C:\Program Files\America Online 9.0f
2008-02-20 23:17 . 2003-12-08 21:02 69,680 -ra------ C:\WINDOWS\system32\drivers\tj2kunic.sys
2008-02-20 23:17 . 2003-12-08 21:02 5,712 -ra------ C:\WINDOWS\system32\drivers\tj2kwh.sys
2008-02-20 23:17 . 2003-12-08 21:02 3,904 -ra------ C:\WINDOWS\system32\drivers\tj2kcr.sys
2008-02-20 23:11 . 2008-02-20 23:11 <DIR> d-------- C:\Program Files\support.com
2008-02-20 23:11 . 2008-02-20 23:11 1,135 --a------ C:\net_save.dna
2008-02-20 23:08 . 2008-02-20 23:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Support.com
2008-02-20 23:07 . 2003-12-08 21:02 17,616 -ra------ C:\WINDOWS\system32\drivers\tj2knd5.sys
2008-02-20 23:02 . 2004-08-03 23:56 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll
2008-02-20 23:01 . 2004-08-03 23:56 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-02-20 23:00 . 2008-02-20 23:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\acccore
2008-02-20 23:00 . 2008-02-20 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-02-20 23:00 . 2004-08-03 23:56 377,984 --------- C:\WINDOWS\system32\ati2dvaa.dll
2008-02-20 22:59 . 2008-02-20 23:00 <DIR> d-------- C:\Program Files\AIM6
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 16:57 4,122 ----a-w C:\WINDOWS\viassary-hp.reg
2008-03-04 08:31 --------- d-----w C:\Program Files\toolbar.del
2008-03-04 07:59 --------- d-----w C:\Program Files\Common Files\wintools.del
2008-03-04 05:53 --------- d-----w C:\Program Files\Viewpoint
2008-03-04 05:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-04 02:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-04 02:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-23 22:16 --------- d-----w C:\Program Files\Easy Internet signup
2008-02-21 09:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-02-21 07:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-21 07:54 --------- d-----w C:\Program Files\Common Files\AOL
2008-02-21 07:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-21 07:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\AOL
2008-02-21 07:29 --------- d-----w C:\Program Files\Common Files\aolshare
2008-02-21 07:28 --------- d-----w C:\Program Files\MSN Encarta Plus
2008-02-21 07:27 --------- d-----w C:\Program Files\Microsoft Works
2008-02-21 07:27 --------- d-----w C:\Program Files\Microsoft Plus! Digital Media Edition
2008-02-21 07:27 --------- d-----w C:\Program Files\IntelliMover Data Transfer Demo
2008-02-21 07:27 --------- d-----w C:\Program Files\America Online 9.0e
2008-02-21 07:27 --------- d-----w C:\Program Files\America Online 9.0d
2008-02-21 07:21 --------- d-----w C:\Program Files\Quicken
2008-02-21 07:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2008-02-21 07:15 --------- d-----w C:\Program Files\America Online 9.0c
2008-02-21 07:15 --------- d-----w C:\Program Files\America Online 9.0
2008-02-21 07:15 --------- d-----w C:\Program Files\AIM
2008-02-21 07:12 --------- d-----w C:\Documents and Settings\Owner\Application Data\interMute
2005-07-31 12:23 148,356 -c--a-w C:\Documents and Settings\Owner\99_ncontext_4_0_3_7.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-02-21 01:04 171448]
"RecordNow!"="" []
"qiko"="C:\PROGRA~1\COMMON~1\qiko\qikom.exe" [ ]
"Plook"=" " []
"cav"="C:\WINDOWS\System32\cav.exe" [ ]
"AOLCC"="C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" [2005-02-09 10:18 326232]
"Aju"="C:\Program Files\?ssembly\?ttrib.exe" [ ]
"Aim6"="" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2003-08-20 18:56 45056 C:\WINDOWS\system32\VTTimer.exe]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 08:01 110592]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-01-20 19:22 151597]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-10-29 10:17 135168]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-01-20 17:53 32881]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2003-11-03 16:50 221184]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-30 21:21 98304]
"NAV CfgWiz"="c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe" [ ]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 19:02 61440]
"jptitjs"="c:\windows\system32\lwthuek.exe" [ ]
"jE5eIH0X"="C:\WINDOWS\jdisexo.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-01-16 12:16 229376]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04 52736]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 03:23 49152]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-08-21 03:15 483328]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 20:14 188416]
"HostManager"="C:\Program Files\Common Files\AOL\1130304777\ee\AOLSoftware.exe" [2007-10-08 13:50 41824]
"Dinst"=" " []
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"AutoTBar"="S\System32\Wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\servicesAUTOTBAR.EXE" [ ]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 04:50 71216]
"AOLAspSunset2"="C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp2.exe" [2008-02-20 23:28 53248]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 17:42 79448]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-03 20:35 50176 C:\WINDOWS\ALCXMNTR.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2003-12-12 21:54 88363 C:\WINDOWS\AGRSMMSG.exe]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-03-03 22:42 899864]
"mvghgo"="C:\WINDOWS\System32\mvghgo.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Plook"="C:\Program Files\PLook\plook.exe" [ ]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 12:32 8699904]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-03-10 08:40:30 757760]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 13:12:08 16423]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-30 04:49:48 57344]
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2004-01-20 19:59:55 16384]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"mvghgo"= C:\WINDOWS\System32\mvghgo.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"cav"= C:\WINDOWS\System32\cav.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^AOL Desktop.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\AOL Desktop.lnk
backup=C:\WINDOWS\pss\AOL Desktop.lnkStartup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-03-03 22:43]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-03-03 22:42]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-03-03 22:42]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-03-03 22:42]
R2 avgfws8;AVG8 Firewall;C:\PROGRA~1\AVG\AVG8\avgfws8.exe [2008-03-03 22:42]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-03-03 22:43]
S2 Ca504av;Mega Camera, WDM Video Capture;C:\WINDOWS\system32\Drivers\Ca504av.sys []
S3 Avgfwfd;AVG network filter service;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-03-03 22:41]
S3 tj2knd5;Terayon Cable Modem (NDIS);C:\WINDOWS\system32\DRIVERS\tj2knd5.sys [2003-12-08 21:02]
S3 tj2kunic;Terayon Cable Modem (WDM);C:\WINDOWS\system32\DRIVERS\tj2kunic.sys [2003-12-08 21:02]
S3 USBCamera;Mega Camera Still Image Capture, Version 1.00;C:\WINDOWS\system32\Drivers\Bulk504.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2df18f40-e985-11dc-b6bc-c3c510ceb3e6}]
\Shell\AutoRun\command - F:\wd_windows_tools\setup.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-03-13 17:46:00 C:\WINDOWS\Tasks\HP Usg Daily.job"
- c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe
"2004-01-21 09:49:59 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2004-11-29 01:56:00 C:\WINDOWS\Tasks\System Restore.job"
- C:\WINDOWS\system32\Restore\rstrui.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-13 10:21:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
? [3412]
? [3012]
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\qbtiuctl.exe 499712 bytes executable
C:\WINDOWS\system32\drivers\mskidusb.sys 12288 bytes executable
scan completed successfully
hidden files: 2
**************************************************************************
.
Completion time: 2008-03-13 10:24:26
ComboFix-quarantined-files.txt 2008-03-13 18:24:23
ComboFix2.txt 2008-03-04 02:30:28
.
2008-03-04 20:00:11 --- E O F ---
Hi
Open notepad and copy/paste the text in the quotebox below into it:
Rootkit::
C:\WINDOWS\system32\qbtiuctl.exe
C:\WINDOWS\system32\drivers\mskidusb.sys
File::
C:\WINDOWS\system32\L5B9F.tmp
C:\WINDOWS\system32\L3F2B.tmp
Folder::
C:\Documents and Settings\All Users\Application Data\Rabio
C:\WINDOWS\system32\xb8
C:\WINDOWS\system32\ff3
C:\WINDOWS\system32\ez2
C:\WINDOWS\system32\cms4
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"qiko"=-
"Plook"=-
"cav"=-
"Aju"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]]
"jptitjs"=-
"jE5eIH0X"=-
"mvghgo"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Plook"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"mvghgo"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"cav"=-
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Due to the lack of feedback this Topic is closed.
If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.
Everyone else please begin a New Topic.