My computer is infected please help!!



tflatland
2008-07-31, 19:41
Hey there, well let me start off by saying I have Spybot, Ad-Aware, and HijackThis on my computer right now. Whenever I run Spybot's scan it comes up with Smitfraud-C.Coreservice or something like that and a couple of Virtumonde files and Zenosearch. It usually says it deletes everything, and for a short while my computer is fine and no sites are blocked (Facebook, Hotmail), but then after a while it does it again, or at least when I restart the computer, so I would really like to just get this stuff off for good! Please help, thanks in advance!

Oh sorry, I forgot, here is my HijackThis log; I haven't run Spybot or Ad-Aware before doing this either.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:27 PM, on 7/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20815)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\lcntptdm.exe
C:\windows\system32\rwwnw64d.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\FNTS~1\scanregw.exe
C:\PROGRA~1\MICROS~2\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\W?nSxS\n?lookup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Alltel\QuickLink Mobile\QuickLink Mobile.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\tanner\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\lcntptdm.exe DWram02FF
O4 - HKLM\..\Run: [{B1-13-32-21-DW}] C:\windows\system32\rwwnw64d.exe DWram02FF
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - HKLM\..\Run: [dc1b138e] rundll32.exe "C:\WINDOWS\system32\pyibilgw.dll",b
O4 - HKLM\..\Run: [BMdf282012] Rundll32.exe "C:\WINDOWS\system32\vipetvoo.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [mjc] C:\Program Files\mjc\mjc.exe
O4 - HKCU\..\Run: [Atbs] "C:\WINDOWS\system32\FNTS~1\scanregw.exe" -vt ndrv
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~2\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Gfdo] "C:\Program Files\Common Files\W?nSxS\n?lookup.exe"
O4 - HKCU\..\Run: [Sakora] C:\Program Files\Sakora\Sakora.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\lcntptdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3EB0057-B62E-4474-B955-5D1613E1F97E}: NameServer = 166.102.165.11 166.102.165.13
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.470.exe (file missing)

--
End of file - 6106 bytes
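A small triage script, added here as an illustration and not part of this thread or of HijackThis itself: it parses the O4 (Run-key autostarts) and O23 (services) lines of a HijackThis v2 log and flags the kinds of indicators a helper looks for in a log like the one above: a system binary name such as svchost.exe launched from a non-system folder, a path containing '?' (which usually marks a character HijackThis could not display, so the folder name may be imitating a legitimate one such as WinSxS), rundll32 loading a DLL with a random-looking eight-letter name under a random hex value name, and a service of unknown owner whose file is missing. The sample lines are copied in form from the log above; the heuristics and the function names (`triage`, `o4_reasons`, `o23_reasons`, `executable_of`) are ours, not HijackThis's.

```python
import re

# Constructed sample: O4/O23 lines in the shape of a HijackThis v2 log
# (paths taken from the posted log; the selection is ours).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [dc1b138e] rundll32.exe "C:\WINDOWS\system32\pyibilgw.dll",b
O4 - HKCU\..\Run: [Gfdo] "C:\Program Files\Common Files\W?nSxS\n?lookup.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.470.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
"""

# O4 - <hive>\..\<Run|RunOnce>: [<value name>] <command line>
O4_RE = re.compile(r'^O4 - (HK\S+?)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$')
# O23 - Service: <display name> (<service name>) - <owner> - <path>[ (file missing)]
O23_RE = re.compile(r'^O23 - Service: (.*?) \((.*?)\) - (.*?) - (.*?)( \(file missing\))?$')
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)
RANDOM_DLL_RE = re.compile(r'^[a-z]{8}\.dll$', re.I)     # eight random letters, e.g. pyibilgw.dll
HEX_NAME_RE = re.compile(r'^(BM)?[0-9a-f]{8}$')          # e.g. dc1b138e, BMdf282012

# Binaries that should only ever run from a Windows system directory (XP, 32-bit).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                   "csrss.exe", "smss.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}


def executable_of(command):
    """Return the program a Run-value command line launches (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(' ', 1)[0]


def o4_reasons(name, command):
    """Heuristic indicators for one O4 Run-key entry; empty list means nothing flagged."""
    reasons = []
    exe = executable_of(command)
    folder, _, base = exe.lower().rpartition('\\')
    if base in SYSTEM_BINARIES and folder not in SYSTEM_DIRS:
        reasons.append(f"{base} launched from {folder or 'an unqualified path'} "
                       "instead of a Windows system directory")
    if '?' in exe:
        reasons.append("path contains '?' (a character HijackThis could not display; "
                       "the folder name may imitate a legitimate one)")
    m = RUNDLL_RE.search(command)
    if m and RANDOM_DLL_RE.match(m.group(1).rpartition('\\')[2]):
        reasons.append("rundll32 loads a DLL with a random-looking 8-letter name")
    if HEX_NAME_RE.match(name):
        reasons.append(f"Run value name '{name}' is a random-looking hex string")
    return reasons


def o23_reasons(owner, path, missing):
    """Heuristic indicators for one O23 service entry."""
    reasons = []
    if missing and owner.lower() == "unknown owner":
        reasons.append(f"service of unknown owner points at a missing file ({path}); "
                       "leftover registration of a removed component")
    return reasons


def triage(log_text):
    """Return [{'line': ..., 'reasons': [...]}] for every O4/O23 line with at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            _hive, _key, name, command = m.groups()
            reasons = o4_reasons(name, command)
        else:
            m = O23_RE.match(line)
            if not m:
                continue
            _display, _service, owner, path, missing = m.groups()
            reasons = o23_reasons(owner, path, bool(missing))
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("   ->", reason)
```

These checks only surface entries worth a closer look; a flagged line still has to be confirmed against a known-file database or the vendor's documentation before anything is removed, and an unflagged line is not thereby clean.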

katana
2008-08-05, 03:09
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------


Disable Teatimer
First step: Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
If you have Version 1.4, click on Exit Spybot S&D Resident.
Second step, for either version: Open Spybot S&D
Click Mode, choose Advanced Mode
Go To the bottom of the Vertical Panel on the Left, Click Tools
then, also in the left panel, click Resident (shows a red/white shield).
If your firewall raises a question, say OK
In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.


No Antivirus

I can see no indication of any Antivirus software.

Use an AntiVirus Software - It is very important that you have anti-virus software running on your machine.
This alone can save you a lot of trouble with malware in the future.
Free AV list ( Home users only)
Avira AntiVir (http://www.free-av.com/)
Avast (http://www.avast.com/eng/products.html)

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week.
If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Antivirus is a MUST




Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

Installed Programs

Please could you give me a list of the programs that are installed.
Start HijackThis
Click on the Misc Tools button
Click on the Open Uninstall Manager button.

You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.



Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary and let the database download.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review: Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

tflatland
2008-08-06, 08:18
Well, I did everything and have the log files, except I couldn't do the Kaspersky scan because the computer just wouldn't download Java? I think that's why, but anyways here is everything else...
ComboFix 08-08-04.09 - tanner 2008-08-05 0:43:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.211 [GMT -5:00]
Running from: C:\Documents and Settings\tanner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\tanner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\tanner\Application Data\macromedia\Flash Player\#SharedObjects\LB3Q2JH4\interclick.com
C:\Documents and Settings\tanner\Application Data\macromedia\Flash Player\#SharedObjects\LB3Q2JH4\interclick.com\ud.sol
C:\Documents and Settings\tanner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\tanner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\tanner\Local Settings\Temporary Internet Files\bestwiner.stt
C:\Documents and Settings\tanner\Local Settings\Temporary Internet Files\CPV.stt
C:\Documents and Settings\tanner\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\tanner\Start Menu\Programs\Startup\DW_Start.lnk
C:\Program Files\Common Files\wnsxs~1
C:\Program Files\Common Files\wnsxs~1\n?lookup.exe
C:\Program Files\Temporary
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\BMdf282012.txt
C:\WINDOWS\BMdf282012.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\lfn.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\portsv.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\AcJiQXbc.ini
C:\WINDOWS\system32\AcJiQXbc.ini2
C:\WINDOWS\system32\bdftqeua.ini
C:\WINDOWS\system32\bpijkknr.ini
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\MSKSSRVV.sys
C:\WINDOWS\system32\efcYPgDu.dll
C:\WINDOWS\system32\etmebktk.ini
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\fnts~1\F?nts\
C:\WINDOWS\system32\gbvqxjka.ini
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\ictdmgvl.ini
C:\WINDOWS\system32\lywajyig.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\mwqjoiyh.ini
C:\WINDOWS\system32\nrxxsblg.ini
C:\WINDOWS\system32\pyywnmoo.ini
C:\WINDOWS\system32\qglkukps.ini
C:\WINDOWS\system32\rrjmiigu.ini
C:\WINDOWS\system32\sdwehcth.ini
C:\WINDOWS\system32\uDgPYcfe.ini
C:\WINDOWS\system32\uDgPYcfe.ini2
C:\WINDOWS\system32\wglibiyp.ini
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\wlvftbjw.ini
C:\WINDOWS\system32\yifcpusi.ini
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\yoursearchnet_com.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_MSKSSRVV
-------\Legacy_MSSECURITY1.209.4
-------\Legacy_NETWORK_MONITOR
-------\Service_MSKSSRVV
-------\Service_MsSecurity1.209.4


((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.

2008-08-05 00:00 . 2008-08-05 00:00 <DIR> d-------- C:\Program Files\Avira
2008-08-05 00:00 . 2008-08-05 00:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-08-04 23:48 . 2008-08-04 23:48 2,048 --a------ C:\WINDOWS\system32\xgfdpjte.exe
2008-07-28 10:14 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-07-28 10:14 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-07-28 10:14 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-07-28 10:14 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-07-27 12:24 . 2008-08-01 22:50 <DIR> d-------- C:\Downloads
2008-07-27 12:22 . 2008-07-27 12:22 <DIR> d-------- C:\Program Files\Zultrax P2P
2008-07-27 12:22 . 2008-08-01 22:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Zultrax P2P
2008-07-21 23:36 . 2008-07-21 23:36 <DIR> d-------- C:\Documents and Settings\tanner\Application Data\vlc
2008-07-21 23:29 . 2008-07-21 23:29 <DIR> d-------- C:\Documents and Settings\tanner\Application Data\dvdcss
2008-07-21 22:43 . 2008-07-21 22:43 43,521 --ahs---- C:\WINDOWS\system32\jjixrysx.ini
2008-07-21 21:59 . 2008-07-21 21:59 <DIR> d-------- C:\Program Files\VideoLAN
2008-07-21 21:34 . 2008-07-21 21:34 654 --ahs---- C:\WINDOWS\system32\rcgevgbi.ini
2008-07-20 20:33 . 2008-07-21 08:39 654 --ahs---- C:\WINDOWS\system32\mvwvtnoo.ini
2008-07-19 23:51 . 2008-07-19 23:51 <DIR> d-------- C:\VundoFix Backups
2008-07-19 22:59 . 2008-08-02 23:51 1,928 --a------ C:\WINDOWS\wininit.ini
2008-07-19 22:35 . 2008-07-19 22:35 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-19 22:35 . 2008-07-19 22:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-19 12:18 . 2008-07-21 21:31 594 --ahs---- C:\WINDOWS\system32\kjfjejru.ini
2008-07-16 21:51 . 2008-07-16 21:51 <DIR> d-------- C:\Temp\pendmoves
2008-07-16 12:06 . 2008-07-16 12:06 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-16 11:46 . 2008-07-16 11:46 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-07-16 11:39 . 2008-07-16 11:39 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-16 11:39 . 2008-07-16 11:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-16 11:38 . 2008-07-16 11:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-15 22:08 . 2008-08-02 23:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-15 21:09 . 2004-08-03 23:08 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2008-07-15 21:09 . 2004-08-03 23:08 25,600 --a--c--- C:\WINDOWS\system32\dllcache\usbser.sys
2008-07-15 21:07 . 2008-07-15 21:07 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-07-15 21:07 . 2008-07-15 21:07 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2008-07-15 20:59 . 2005-10-20 20:47 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2008-07-15 20:59 . 2005-10-20 20:47 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
2008-07-15 20:58 . 2008-07-15 20:58 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-07-15 20:57 . 2008-07-15 20:57 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-07-15 20:51 . 2008-07-15 20:51 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-07-15 13:52 . 2008-07-16 11:48 <DIR> d--hs---- C:\WINDOWS\dGFubmVy
2008-07-15 13:48 . 2008-07-15 21:52 <DIR> d-------- C:\Program Files\Common Files\wzzi
2008-07-15 13:35 . 2008-08-05 00:19 <DIR> d-------- C:\WINDOWS\system32\aumsDK18
2008-07-15 13:35 . 2008-07-15 13:35 <DIR> d-------- C:\Temp\zpv201
2008-07-15 10:03 . 2008-07-15 21:53 <DIR> d-------- C:\Program Files\Webtools
2008-07-12 07:49 . 2008-07-15 10:04 878 --ahs---- C:\WINDOWS\system32\gnmgppap.ini
2008-07-12 07:47 . 2008-07-12 07:47 152,079 --a------ C:\WINDOWS\system32\g94.exe
2008-07-11 23:51 . 2008-07-11 23:51 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-07-11 23:47 . 2008-07-16 11:48 <DIR> d-------- C:\WINDOWS\system32\sfig
2008-07-11 23:47 . 2008-08-05 00:20 <DIR> d-------- C:\WINDOWS\system32\provdll
2008-07-11 23:47 . 2008-08-05 00:20 <DIR> d-------- C:\WINDOWS\system32\olixds18
2008-07-11 23:47 . 2008-07-16 11:48 <DIR> d-------- C:\WINDOWS\system32\OBDE
2008-07-11 23:47 . 2008-08-05 00:20 <DIR> d-------- C:\WINDOWS\system32\imp32
2008-07-11 23:47 . 2008-07-11 23:47 <DIR> d-------- C:\Temp\stmpv4
2008-07-11 23:47 . 2008-08-05 00:43 <DIR> d-------- C:\Temp
2008-07-09 20:38 . 2008-07-09 20:38 <DIR> d-------- C:\Program Files\Burning Mill Express
2008-07-09 20:38 . 2008-07-09 20:38 162,895 --a------ C:\WINDOWS\Burning Mill Express Uninstaller.exe
2008-07-09 20:31 . 2008-07-09 20:34 <DIR> d-------- C:\Documents and Settings\tanner\Application Data\InfraRecorder
2008-07-08 21:36 . 2008-07-08 21:36 <DIR> d-------- C:\Documents and Settings\tanner\Application Data\Smith Micro
2008-07-08 21:35 . 2008-07-08 21:35 <DIR> d-------- C:\Program Files\PANTECH
2008-07-08 21:35 . 2006-11-01 17:21 319,456 --a------ C:\WINDOWS\system32\DIFxAPI.dll
2008-07-08 21:35 . 2007-08-23 00:13 77,824 --a------ C:\WINDOWS\system32\ptdmwmcp.dll
2008-07-08 21:35 . 2007-08-17 20:56 59,520 --a------ C:\WINDOWS\system32\drivers\PTDMWWAN.sys
2008-07-08 21:35 . 2007-08-17 20:56 41,856 --a------ C:\WINDOWS\system32\drivers\PTDMMdm.sys
2008-07-08 21:35 . 2007-08-17 20:56 39,936 --a------ C:\WINDOWS\system32\drivers\PTDMVsp.sys
2008-07-08 21:35 . 2007-08-17 20:56 29,952 --a------ C:\WINDOWS\system32\drivers\PTDMBus.sys
2008-07-08 21:34 . 2008-07-08 21:34 <DIR> d-------- C:\Program Files\Alltel
2008-07-06 23:34 . 2008-07-06 23:34 <DIR> d-------- C:\Program Files\Xvid
2008-07-06 23:34 . 2007-06-28 18:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-07-06 23:34 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-07-06 23:34 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-28 16:03 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-22 21:11 --------- d-----w C:\Documents and Settings\tanner\Application Data\BitTorrent
2008-07-16 16:20 --------- d-----w C:\Documents and Settings\tanner\Application Data\LimeWire
2008-07-16 03:10 --------- d-----w C:\Program Files\Google
2008-06-20 10:44 360,960 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:32 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 02:56 9,715,200 ----a-w C:\WINDOWS\RTLCPL.exe
2008-06-12 02:56 86,016 ----a-w C:\WINDOWS\SoundMan.exe
2008-06-12 02:56 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-06-12 02:56 1,826,816 ----a-w C:\WINDOWS\SkyTel.exe
2008-06-12 02:56 1,196,032 ----a-w C:\WINDOWS\RtlUpd.exe
2008-06-12 02:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-12 02:56 --------- d-----w C:\Program Files\Realtek
2008-06-12 02:55 69,632 ----a-w C:\WINDOWS\Alcmtr.exe
2008-06-12 02:55 520,192 ----a-w C:\WINDOWS\RtlExUpd.dll
2008-06-12 02:55 4,752,384 ----a-w C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-06-12 02:55 2,808,832 ----a-w C:\WINDOWS\alcwzrd.exe
2008-06-12 02:55 2,165,760 ----a-w C:\WINDOWS\MicCal.exe
2008-06-12 02:55 16,862,720 ----a-w C:\WINDOWS\RTHDCPL.exe
2008-06-12 01:59 --------- d-----w C:\Program Files\PC Drivers HeadQuarters
2008-06-12 01:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-04-16 04:14 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008041520080416\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gfdo"="C:\Program Files\Common Files\W?nSxS\n?lookup.exe" [?]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~2\wcescomm.exe" [2006-06-20 22:36 1207080]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-15 22:08 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 20:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ACU"="C:\Program Files\Atheros\ACU.exe" [2005-12-08 17:49 323584]
"ArcSoft Connection Service"="C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-02-22 10:33 72192]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 14:28 266497]
"RTHDCPL"="RTHDCPL.EXE" [2008-06-11 21:55 16862720 C:\WINDOWS\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Zultrax P2P\\Zultrax.Exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 ACDaemon;ArcSoft Connect Daemon;C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [2008-02-22 10:33]
R3 PTDMBus;PANTECH USB Modem Composite Device Driver ;C:\WINDOWS\system32\DRIVERS\PTDMBus.sys [2007-08-17 20:56]
R3 PTDMMdm;PANTECH USB Modem Drivers ;C:\WINDOWS\system32\DRIVERS\PTDMMdm.sys [2007-08-17 20:56]
R3 PTDMVsp;PANTECH USB Modem Serial Port ;C:\WINDOWS\system32\DRIVERS\PTDMVsp.sys [2007-08-17 20:56]
R3 PTDMWWAN;PANTECH USB Modem WWAN Driver;C:\WINDOWS\system32\DRIVERS\PTDMWWAN.sys [2007-08-17 20:56]
.
- - - - ORPHANS REMOVED - - - -

BHO-{4E70DA6C-1A8F-4407-B030-481CD0E0795F} - C:\WINDOWS\system32\cbXQiJcA.dll
BHO-{9d39931d-8b4a-4681-898c-324e9bd5d728} - C:\WINDOWS\system32\tuvacb.dll
BHO-{DF33B918-76DA-7C56-F73C-78A2E5EB4CC1} - C:\WINDOWS\system32\rgo.dll
HKCU-Run-mjc - C:\Program Files\mjc\mjc.exe
HKCU-Run-Atbs - C:\WINDOWS\system32\FNTS~1\scanregw.exe
HKCU-Run-Sakora - C:\Program Files\Sakora\Sakora.exe
HKLM-Run-{B1-13-32-21-DW} - C:\windows\system32\rwwnw64d.exe
HKLM-Run-Antivirus - C:\Program Files\VAV\vav.exe
Notify-rqRIyxXN - rqRIyxXN.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\tanner\Application Data\Mozilla\Firefox\Profiles\xdzogs6d.default\
FF -: plugin - C:\Program Files\Google\Google Updater\2.2.1273.1045\npCIDetect12.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 00:51:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-05 0:53:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-05 05:53:05

Pre-Run: 67,178,688,512 bytes free
Post-Run: 67,241,148,416 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

252 --- E O F --- 2008-07-07 18:18:27

Ad-Aware
Adobe Flash Player Plugin
ArcSoft MediaConverter 2.5
Atheros Client Utility
Avira AntiVir Personal - Free Antivirus
Burning Mill Express
Driver Detective
Express Burn
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB909394)
Microsoft .NET Framework 2.0
Microsoft ActiveSync 4.0
Motorola Driver Installation
Mozilla Firefox (3.0.1)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
PANTECH PC USB Modem Software
QuickLink Mobile
Realtek High Definition Audio Driver
Rhapsody
Rhapsody Player Engine
SA52xx Device Manager
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Spybot - Search & Destroy
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
VideoLAN VLC media player 0.8.6f
WavePad Uninstall
Xvid 1.1.3 final uninstall
Zultrax P2P


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:11:48 AM, on 8/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20815)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\PROGRA~1\MICROS~2\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alltel\QuickLink Mobile\QuickLink Mobile.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\tanner\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~2\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Gfdo] "C:\Program Files\Common Files\W?nSxS\n?lookup.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3EB0057-B62E-4474-B955-5D1613E1F97E}: NameServer = 166.102.165.11 166.102.165.13
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 5749 bytes

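The log above lists O4 (autostart), O17 (DNS) and O23 (service) entries, which are the ones a helper reads first. The following is an added example, written for this page and not code from either participant or from HijackThis: a small parser that pulls those three entry types out of a log and flags the ones worth a second look, using a reviewer's heuristics (a `?` in a Program Files path, since HijackThis prints `?` for characters it cannot display; a bare file name resolved through the search path; a service with "Unknown owner"; non-default name servers). The sample lines are copied from the posted log; the flagging rules are the example's own assumptions, not HijackThis output.

```python
"""Triage O4/O17/O23 lines from a HijackThis log.

Added example for this thread; the flagging rules are reviewer
heuristics chosen here, not anything HijackThis itself reports.
"""
import re
from dataclasses import dataclass

# Lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Gfdo] "C:\Program Files\Common Files\W?nSxS\n?lookup.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3EB0057-B62E-4474-B955-5D1613E1F97E}: NameServer = 166.102.165.11 166.102.165.13
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""


@dataclass
class Finding:
    section: str  # "O4", "O17" or "O23"
    subject: str  # run-key value name, adapter GUID or service name
    path: str     # program path, or the name-server list for O17
    reason: str   # why it was flagged; empty string means nothing notable


# O4 - <hive>\..\<key>: [<name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>[^\\]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O17 - <registry key>: NameServer = <ip> [<ip> ...]
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.*)$")
# O23 - Service: <display name> (<service name>) - <vendor> - <path>
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) \((?P<name>[^)]+)\) - (?P<vendor>.*?) - (?P<path>.*)$")


def command_path(cmd: str) -> str:
    """Return the program part of a Run command: the quoted string if
    the command is quoted, otherwise the first whitespace-free token."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    if not m:
        return ""
    return m.group(1) or m.group(2)


def judge_o4(path: str) -> str:
    """Reviewer heuristics for an autostart path (example's own rules)."""
    if "?" in path:
        # HijackThis substitutes '?' for characters it cannot print, so a
        # Program Files path that needs one is hiding its real folder/file name.
        return "path contains '?' (unprintable character in the name); inspect the real folder"
    if "\\" not in path:
        return "bare file name, resolved through the search path; confirm where it lives"
    return ""


def review(log_text: str) -> list[Finding]:
    """Parse every O4/O17/O23 line into a Finding, flagged or not."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if m := O4_RE.match(line):
            path = command_path(m["cmd"])
            findings.append(Finding("O4", m["name"], path, judge_o4(path)))
        elif m := O17_RE.match(line):
            adapter = m["key"].rsplit("\\", 1)[-1]
            findings.append(Finding("O17", adapter, m["servers"],
                                    "name servers set per adapter; confirm they belong to the ISP"))
        elif m := O23_RE.match(line):
            reason = "service with unknown owner; verify the file" if m["vendor"] == "Unknown owner" else ""
            findings.append(Finding("O23", m["name"], m["path"], reason))
    return findings


def suspicious(log_text: str) -> list[Finding]:
    """Only the findings that carry a reason."""
    return [f for f in review(log_text) if f.reason]


if __name__ == "__main__":
    for f in suspicious(SAMPLE_LOG):
        print(f"{f.section} [{f.subject}] {f.path}\n    -> {f.reason}")
```

Run against the sample, the three entries it surfaces are the `Gfdo` run key with the `W?nSxS\n?lookup.exe` path, the adapter's hard-coded name servers, and the `ACS` service with no identified owner; the Avira, Google and ctfmon entries pass without comment. The heuristics are deliberately narrow: they point a reader at what to check, they do not decide what is malicious.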
katana
2008-08-06, 10:34
REMOVE P2P PROGRAMS

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Zultrax P2P

Please read the Guidelines for P2P Programs (http://forums.spybot.info/showpost.php?p=218503&postcount=4) where we explain why it's not a good idea to have them.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) NOW.

Post back a new HijackThis, so we can continue cleaning your pc.

Active Scan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
NOTE: Vista users should start IE by Start (Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Please go to this site: ActiveScan (http://www.pandasecurity.com/activescan/index/)

Click the Scan Now button
Follow the prompts to install the Active X if necessary
Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
When the scan is finished, a report will be generated
Next to Scan Details click the small Save button and save the report to your desktop.
Please post the report in your reply.