-
Here's the log from ComboFix:
ComboFix 07-06-18.2 - F:\Documents and Settings\Madeline\Desktop\ComboFix.exe
"Madeline" - 2007-06-25 22:11:53 - Service Pack 2 NTFS
Command switches used :: F:\Documents and Settings\Madeline\Desktop\ComboFix-Do.txt
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
F:\DOCUME~1\Madeline\APPLIC~1\DriveCleaner Free
F:\DOCUME~1\Madeline\APPLIC~1\DriveCleaner Free\Logs\update.log
F:\DOCUME~1\Madeline\APPLIC~1\errorsafefreeinstallw[1].exe
F:\DOCUME~1\Madeline\APPLIC~1\winantiviruspro2007freeinstall[1].exe
F:\WINDOWS\system32\cqqsmmkn.exe
F:\WINDOWS\system32\eefegoyo.dll
F:\WINDOWS\system32\fphbkefg.dll
((((((((((((((((((((((((( Files Created from 2007-05-25 to 2007-06-25 )))))))))))))))))))))))))))))))
2007-06-25 22:04 26,112 --a------ F:\WINDOWS\system32\nircmd.exe
2007-06-25 22:04 <DIR> drahs---- F:\autorun.inf
2007-06-25 14:02 49,152 --a------ F:\WINDOWS\nircmd.exe
2007-06-24 19:55 43,520 --a------ F:\WINDOWS\system32\CmdLineExt03.dll
2007-06-24 12:06 <DIR> d-------- F:\hijackthis
2007-06-17 19:58 <DIR> d-------- F:\DOCUME~1\Madeline\APPLIC~1\Ahead
2007-06-10 21:38 <DIR> d-------- F:\Program Files\EA GAMES
2007-06-09 17:05 <DIR> d-------- F:\Program Files\MSXML 4.0
2007-06-06 19:03 10,872 --a------ F:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-06 17:48 <DIR> d-------- F:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-05 20:48 <DIR> d-------- F:\Program Files\Windows Journal Viewer
2007-06-02 12:51 400 --a------ F:\score.dat
2007-05-29 17:40 <DIR> d-------- F:\Games
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-25 12:03:59 -------- d-----w F:\DOCUME~1\Madeline\APPLIC~1\uTorrent
2007-06-24 05:59:08 -------- d-----w F:\Program Files\AlphaZIP
2007-06-24 05:25:25 58,904 ----a-w F:\WINDOWS\system32\azipcontmn.dll
2007-06-23 08:23:17 -------- d-----w F:\Program Files\Microsoft Games
2007-06-19 06:35:34 664 ----a-w F:\WINDOWS\system32\d3d9caps.dat
2007-06-17 00:43:52 -------- d-----w F:\Program Files\WS_FTP
2007-06-15 02:39:33 -------- d-----w F:\DOCUME~1\Madeline\APPLIC~1\U3
2007-06-15 01:29:54 74,472 ----a-w F:\DOCUME~1\Madeline\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-06-06 03:41:07 -------- d-----w F:\Program Files\Windows Live Safety Center
2007-06-03 06:34:42 -------- d-----w F:\Program Files\Scholastic
2007-06-01 09:46:19 -------- d--h--w F:\Program Files\InstallShield Installation Information
2007-06-01 01:18:17 18,816 ----a-w F:\WINDOWS\system32\drivers\dvd43llh.sys
2007-06-01 01:18:15 -------- d-----w F:\Program Files\dvd43
2007-05-31 12:29:07 -------- d-----w F:\Program Files\SwiftSwitch
2007-05-23 10:47:38 -------- d-----w F:\Program Files\QuickTime
2007-05-16 15:12:02 683,520 ----a-w F:\WINDOWS\system32\inetcomm.dll
2007-05-05 01:47:48 -------- d-----w F:\Program Files\Inkscape
2007-04-25 14:21:15 144,896 ----a-w F:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w F:\WINDOWS\system32\msi.dll
2007-04-16 12:47:36 33,624 ----a-w F:\WINDOWS\system32\wups.dll
2007-04-16 12:45:54 1,710,936 ----a-w F:\WINDOWS\system32\wuaueng.dll
2007-04-16 12:45:48 549,720 ----a-w F:\WINDOWS\system32\wuapi.dll
2007-04-16 12:45:42 325,976 ----a-w F:\WINDOWS\system32\wucltui.dll
2007-04-16 12:45:36 203,096 ----a-w F:\WINDOWS\system32\wuweb.dll
2007-04-16 12:45:28 92,504 ----a-w F:\WINDOWS\system32\cdm.dll
2007-04-16 12:45:20 53,080 ----a-w F:\WINDOWS\system32\wuauclt.exe
2007-04-16 12:45:20 43,352 ----a-w F:\WINDOWS\system32\wups2.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 20:38]
{53707962-6F74-2D53-2644-206D7942484F}=F:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{68F9551E-0411-48E4-9AAF-4BC42A6A46BE}=F:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll [2006-04-18 19:04]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealTray"="F:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-08-29 21:11]
"AVG7_CC"="F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-22 10:55]
"RemoteControl"="F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
"dvd43"="F:\Program Files\dvd43\dvd43_tray.exe" [2006-05-22 13:26]
"PWRISOVM.EXE"="F:\Program Files\PowerISO\PWRISOVM.EXE" [2006-09-09 19:16]
"Easy-PrintToolBox"="F:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 11:10]
"QuickTime Task"="F:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="F:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"NetworkTen Media Manager Tray"="F:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe" [2007-01-11 14:08]
"!AVG Anti-Spyware"="F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-18 16:47]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 22:29]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f35cbed2-0760-11dc-b820-00038a000015}]
AutoRun\command- H:\LaunchU3.exe -a
Contents of the 'Scheduled Tasks' folder
2007-06-20 09:46:12 F:\WINDOWS\tasks\AppleSoftwareUpdate.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-25 22:17:47
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-25 22:18:41
F:\ComboFix-quarantined-files.txt ... 2007-06-25 22:18
F:\ComboFix2.txt ... 2007-06-25 21:42
--- E O F ---
-
And here's the HJT:
Logfile of HijackThis v1.99.1
Scan saved at 10:22:03 PM, on 25/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
F:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Real\RealPlayer\RealPlay.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
F:\Program Files\dvd43\dvd43_tray.exe
F:\Program Files\PowerISO\PWRISOVM.EXE
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\explorer.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\hijackthis\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - F:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RealTray] F:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RemoteControl] "F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [dvd43] F:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] F:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Easy-PrintToolBox] F:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NetworkTen Media Manager Tray] "F:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe" /CustomId:NetworkTen
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - Startup: IMVU.lnk = F:\Program Files\IMVU\gui1.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = F:\QUICKENW\billmind.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZNxmk846YYAU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://F:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://F:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://F:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://F:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - F:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - F:\Documents and Settings\Madeline\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/...gameloader.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab50997.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {25EBFA7E-A624-487D-AD62-BD7EE060B2D7} - http://supernatural.ten.com.au/entri...en_3_5_0_7.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/puzzlepirate...GameLoader.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1125319674675
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab50997.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab47946.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} (MediaControl Class) - http://supernatural.ten.com.au/entri...2_2_Silent.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "F:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - F:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - F:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
-
Visiting Fellow
Hello,
Just some leftovers now...
* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZNxmk846YYAU
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/puzzlepirate...GameLoader.dll
* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!
Then delete the F:\Qoobox folder.
Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
- Download the latest version of Java Runtime Environment (JRE) 6u1.
- Scroll down to where it says "Java Runtime Environment (JRE) 6u1".
- Click the "Download" button to the right.
- Check the box that says: "Accept License Agreement".
- The page will refresh.
- Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
- Check any item with Java Runtime Environment (JRE or J2SE) in the name.
- Examples of older versions in Add or Remove Programs:
  - Java 2 Runtime Environment, SE v1.4.2
  - J2SE Runtime Environment 5.0
  - J2SE Runtime Environment 5.0 Update 6
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java version.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Let me know in your next reply how things are now...
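The Add/Remove Programs check in the post above (find every item with "Java Runtime Environment", "JRE" or "J2SE" in its name so no stale runtime is left behind) can be done from the registry instead of clicking through the control panel. The script below is an added example written for this thread, not code from the original post or from HijackThis/ComboFix; it assumes a PowerShell 2.0 or later prompt (which a 2007 XP SP2 machine would not have had by default) and only lists what is installed, it removes nothing.

```powershell
# Added example: list installed Java runtimes from the same registry data
# that Add/Remove Programs displays, so every old JRE/J2SE is visible before
# it is uninstalled. Assumption: read access to HKLM (normal for an admin).
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    # 32-bit installers on 64-bit Windows land here; the key does not exist on 32-bit XP
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledJava {
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            # Same name test the post asks for: "Java ... Runtime Environment", "J2SE" or "JRE"
            if ($p.DisplayName -match 'Java.*Runtime Environment|J2SE|\bJRE\b') {
                New-Object -TypeName PSObject -Property @{
                    DisplayName     = $p.DisplayName
                    DisplayVersion  = $p.DisplayVersion
                    UninstallString = $p.UninstallString
                    RegistryKey     = $_.PSChildName
                }
            }
        }
    }
}

# Oldest first, so anything below the newest entry is a removal candidate
Get-InstalledJava |
    Sort-Object -Property DisplayVersion |
    Format-Table -Property DisplayName, DisplayVersion, UninstallString -AutoSize
```

The UninstallString column is what Add/Remove Programs runs when you click Remove, so after the new JRE is installed the same listing confirms that only one Java runtime entry remains.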
-
Smitfraud is now gone, and the computer seems to be running more smoothly as well.
MANY thanks again for all your help!
-
Visiting Fellow
Glad I could help.
Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Happy Surfing again!