
Thread: virtumonde got me too

  1. #11
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Hi

    Thanks for the info.

    We won't install another antivirus yet, as you have the Vundo file infector, which might infect it.

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    RenV::
    ----a-w           155,648 2008-01-14 13:49:00  C:\WINDOWS\SYSTEM32\NeroCheck .exe
    ----a-w            15,360 2008-02-17 19:10:12  C:\WINDOWS\SYSTEM32\ctfmon .exe
    ----a-w           158,208 2008-02-17 03:04:04  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
    ----a-w           649,728 2008-01-14 22:45:12  C:\Program Files\QuickTime\qttask    .exe
    ----a-w           649,728 2008-01-15 05:18:12  C:\Program Files\QuickTime\qttask     .exe
    ----a-w           649,728 2008-01-15 13:34:46  C:\Program Files\QuickTime\qttask      .exe
    ----a-w           649,728 2008-01-16 04:01:32  C:\Program Files\QuickTime\qttask       .exe
    ----a-w           649,728 2008-01-16 13:52:08  C:\Program Files\QuickTime\qttask        .exe
    ----a-w           649,728 2008-01-17 13:34:58  C:\Program Files\QuickTime\qttask         .exe
    ----a-w           282,624 2008-01-17 13:35:46  C:\Program Files\QuickTime\qttask          .exe
    ----a-w         1,235,456 2008-01-15 05:18:08  C:\Program Files\FolderShare\FolderShare     .exe
    ----a-w         1,235,456 2008-01-15 13:34:42  C:\Program Files\FolderShare\FolderShare      .exe
    ----a-w         1,235,456 2008-01-16 04:01:30  C:\Program Files\FolderShare\FolderShare       .exe
    ----a-w         1,235,456 2008-01-16 13:52:06  C:\Program Files\FolderShare\FolderShare        .exe
    ----a-w         1,235,456 2008-01-17 13:34:56  C:\Program Files\FolderShare\FolderShare         .exe
    ----a-w         1,235,456 2008-01-18 13:01:00  C:\Program Files\FolderShare\FolderShare          .exe
    ----a-w         1,235,456 2008-01-19 05:28:52  C:\Program Files\FolderShare\FolderShare           .exe
    ----a-w         1,235,456 2008-01-19 14:49:44  C:\Program Files\FolderShare\FolderShare            .exe
    ----a-w         1,235,456 2008-01-19 22:07:26  C:\Program Files\FolderShare\FolderShare             .exe
    ----a-w         1,235,456 2008-01-20 13:05:32  C:\Program Files\FolderShare\FolderShare              .exe
    ----a-w         1,235,456 2008-01-21 00:57:40  C:\Program Files\FolderShare\FolderShare               .exe
    ----a-w         1,235,456 2008-01-21 13:45:58  C:\Program Files\FolderShare\FolderShare                .exe
    ----a-w         1,235,456 2008-01-22 13:30:02  C:\Program Files\FolderShare\FolderShare                 .exe
    ----a-w         1,235,456 2008-01-24 13:23:50  C:\Program Files\FolderShare\FolderShare                  .exe
    ----a-w         1,235,456 2008-01-25 13:12:52  C:\Program Files\FolderShare\FolderShare                   .exe
    ----a-w         1,235,456 2008-01-26 14:00:48  C:\Program Files\FolderShare\FolderShare                    .exe
    ----a-w         1,235,456 2008-01-27 13:10:08  C:\Program Files\FolderShare\FolderShare                     .exe
    ----a-w         1,235,456 2008-01-28 00:02:38  C:\Program Files\FolderShare\FolderShare                      .exe
    ----a-w         1,235,456 2008-01-29 13:21:38  C:\Program Files\FolderShare\FolderShare                       .exe
    ----a-w         1,235,456 2008-01-30 13:26:08  C:\Program Files\FolderShare\FolderShare                        .exe
    ----a-w         1,235,456 2008-01-30 15:22:54  C:\Program Files\FolderShare\FolderShare                         .exe
    ----a-w         1,235,456 2008-01-30 16:10:46  C:\Program Files\FolderShare\FolderShare                          .exe
    ----a-w         1,235,456 2008-01-31 12:52:42  C:\Program Files\FolderShare\FolderShare                           .exe
    ----a-w         1,235,456 2008-01-31 13:46:00  C:\Program Files\FolderShare\FolderShare                            .exe
    ----a-w         1,235,456 2008-02-01 04:46:42  C:\Program Files\FolderShare\FolderShare                             .exe
    ----a-w         1,235,456 2008-02-01 13:14:42  C:\Program Files\FolderShare\FolderShare                              .exe
    ----a-w         1,235,456 2008-02-02 13:54:24  C:\Program Files\FolderShare\FolderShare                               .exe
    ----a-w         1,235,456 2008-02-02 16:06:34  C:\Program Files\FolderShare\FolderShare                                .exe
    ----a-w         1,235,456 2008-02-02 23:20:48  C:\Program Files\FolderShare\FolderShare                                 .exe
    ----a-w         1,235,456 2008-02-03 00:33:20  C:\Program Files\FolderShare\FolderShare                                  .exe
    ----a-w         1,235,456 2008-02-03 03:53:04  C:\Program Files\FolderShare\FolderShare                                   .exe
    ----a-w         1,235,456 2008-02-03 13:09:24  C:\Program Files\FolderShare\FolderShare                                    .exe
    ----a-w         1,235,456 2008-02-04 13:50:12  C:\Program Files\FolderShare\FolderShare                                     .exe
    ----a-w         1,235,456 2008-02-05 14:56:58  C:\Program Files\FolderShare\FolderShare                                      .exe
    ----a-w         1,235,456 2008-02-05 18:28:32  C:\Program Files\FolderShare\FolderShare                                       .exe
    ----a-w         1,235,456 2008-02-06 14:46:12  C:\Program Files\FolderShare\FolderShare                                        .exe
    ----a-w         1,235,456 2008-02-06 16:40:16  C:\Program Files\FolderShare\FolderShare                                         .exe
    ----a-w         1,235,456 2008-02-06 17:39:54  C:\Program Files\FolderShare\FolderShare                                          .exe
    ----a-w         1,235,456 2008-02-07 13:29:04  C:\Program Files\FolderShare\FolderShare                                           .exe
    ----a-w         1,235,456 2008-02-08 13:12:16  C:\Program Files\FolderShare\FolderShare                                            .exe
    ----a-w         1,235,456 2008-02-09 13:36:42  C:\Program Files\FolderShare\FolderShare                                             .exe
    ----a-w         1,235,456 2008-02-10 12:43:56  C:\Program Files\FolderShare\FolderShare                                              .exe
    ----a-w         1,235,456 2008-02-11 13:05:44  C:\Program Files\FolderShare\FolderShare                                               .exe
    ----a-w         1,235,456 2008-02-12 13:11:24  C:\Program Files\FolderShare\FolderShare                                                .exe
    ----a-w         1,235,456 2008-02-13 13:05:02  C:\Program Files\FolderShare\FolderShare                                                 .exe
    ----a-w         1,235,456 2008-02-14 01:54:00  C:\Program Files\FolderShare\FolderShare                                                  .exe
    ----a-w         1,235,456 2008-02-14 13:11:14  C:\Program Files\FolderShare\FolderShare                                                   .exe
    ----a-w         1,235,456 2008-02-15 13:22:34  C:\Program Files\FolderShare\FolderShare                                                    .exe
    ----a-w         1,235,456 2008-02-16 14:04:36  C:\Program Files\FolderShare\FolderShare                                                     .exe
    ----a-w         1,235,456 2008-02-16 16:48:18  C:\Program Files\FolderShare\FolderShare                                                      .exe
    ----a-w         1,235,456 2008-02-16 19:32:28  C:\Program Files\FolderShare\FolderShare                                                       .exe
    ----a-w         1,235,456 2008-02-16 20:49:34  C:\Program Files\FolderShare\FolderShare                                                        .exe
    ----a-w         1,743,360 2008-01-14 22:45:08  C:\Program Files\TGTSoft\StyleXP\StyleXP .exe
    ----a-w         1,372,160 2008-01-17 13:35:48  C:\Program Files\TGTSoft\StyleXP\StyleXP  .exe
    ----a-w         1,694,208 2008-02-14 00:24:30  C:\Program Files\Messenger\msmsgs .exe
    
    File::
    C:\WINDOWS\SYSTEM32\oxyfjhwa.ini
    C:\WINDOWS\SYSTEM32\kahindwu.ini
    C:\WINDOWS\SYSTEM32\tpkoyoea.ini
    C:\WINDOWS\SYSTEM32\jpiqejvx.ini
    C:\WINDOWS\SYSTEM32\tqhttets.ini
    C:\WINDOWS\SYSTEM32\pprijqhf.ini
    C:\WINDOWS\SYSTEM32\gxgjmrhb.ini
    C:\WINDOWS\SYSTEM32\chwxhmmf.ini
    C:\WINDOWS\SYSTEM32\xpdbncvm.ini
    C:\WINDOWS\SYSTEM32\xooaomjm.ini
    C:\WINDOWS\SYSTEM32\vsrrdylm.ini
    C:\WINDOWS\SYSTEM32\cirueasx.ini
    C:\WINDOWS\SYSTEM32\kltgfybn.ini
    C:\WINDOWS\SYSTEM32\ofxflobj.ini
    C:\WINDOWS\SYSTEM32\lkgjgnxy.ini
    C:\WINDOWS\SYSTEM32\xotboipg.ini
    C:\WINDOWS\SYSTEM32\oufrpeds.ini
    C:\WINDOWS\SYSTEM32\xgqyrpni.ini
    C:\WINDOWS\SYSTEM32\tytemlnm.ini
    C:\WINDOWS\SYSTEM32\lujpuouu.ini
    C:\WINDOWS\SYSTEM32\puculuhy.ini
    C:\WINDOWS\SYSTEM32\btvxjnce.ini
    C:\WINDOWS\SYSTEM32\koxuytol.ini
    C:\WINDOWS\SYSTEM32\jinvuulv.ini
    C:\WINDOWS\SYSTEM32\rewjlbep.ini
    C:\WINDOWS\SYSTEM32\nkgudkqh.ini
    C:\WINDOWS\SYSTEM32\ytytwepr.ini
    C:\WINDOWS\SYSTEM32\oognqwkq.ini
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuurpq]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d422d49c]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaGateway]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdate]
    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



    This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    ComboFix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; ComboFix should then continue.
    If that happened we want to know, and also what process you had to end.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
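Every path listed under RenV:: in the script above shares one trait: whitespace between the executable's name and its .exe extension ("qttask    .exe", "FolderShare     .exe"), while the clean copies in the startup keys ("ctfmon.exe") do not. The following Python script is an added example, not part of this thread and not ComboFix's own code. It parses listing lines in the attributes / size / date / time / path layout shown in that block, flags file names with whitespace before the extension, and groups them by their cleaned name so a helper can see at a glance how many padded variants of each original binary exist before writing a rename list. The sample listing is constructed for the example in that format; the regular expressions and function names are this example's own.

```python
"""Triage a ComboFix-style file listing for names padded with whitespace
before the extension (the pattern seen in the RenV:: block above).

Example code, not ComboFix's: the line format is assumed from the block
in the post (attributes, size, date, time, path), and the sample below is
constructed in that format.
"""
import re
from collections import defaultdict

# Constructed sample in the listing format; the last two lines are clean
# names that must not be flagged.
SAMPLE_LISTING = r"""
----a-w           155,648 2008-01-14 13:49:00  C:\WINDOWS\SYSTEM32\NeroCheck .exe
----a-w           649,728 2008-01-14 22:45:12  C:\Program Files\QuickTime\qttask    .exe
----a-w           282,624 2008-01-17 13:35:46  C:\Program Files\QuickTime\qttask          .exe
----a-w         1,235,456 2008-01-15 05:18:08  C:\Program Files\FolderShare\FolderShare     .exe
----a-w         1,235,456 2008-01-15 13:34:42  C:\Program Files\FolderShare\FolderShare      .exe
----a-w            15,360 2004-08-04 01:07:00  C:\WINDOWS\system32\ctfmon.exe
----a-w           500,736 2008-02-17 02:23:00  C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe.tmp
"""

# attributes (7 chars of '-' or letters), size with thousands separators,
# date, time, then the path, which may itself contain spaces.
LINE_RE = re.compile(
    r"^(?P<attrs>[-a-z]{7})\s+"
    r"(?P<size>[\d,]+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<path>.+?)\s*$"
)

# One or more spaces/tabs directly before a final ".ext" in the base name.
PADDED_EXT_RE = re.compile(r"^(?P<stem>.*?\S)(?P<pad>[ \t]+)(?P<ext>\.[A-Za-z0-9]+)$")


def parse_listing(text):
    """Return a list of dicts (attrs, size as int, date, time, path)."""
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # not a listing line; skip rather than guess
        d = m.groupdict()
        d["size"] = int(d["size"].replace(",", ""))
        entries.append(d)
    return entries


def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def padded_extension(path):
    """Return the cleaned base name ("qttask.exe") if the name has
    whitespace before its extension, else None."""
    m = PADDED_EXT_RE.match(basename(path))
    if not m:
        return None
    return m.group("stem") + m.group("ext")


def flag_padded_names(entries):
    """Group flagged paths by cleaned name: {"qttask.exe": [path, ...]}."""
    groups = defaultdict(list)
    for e in entries:
        clean = padded_extension(e["path"])
        if clean is not None:
            groups[clean].append(e["path"])
    return dict(groups)


if __name__ == "__main__":
    found = flag_padded_names(parse_listing(SAMPLE_LISTING))
    for name, paths in sorted(found.items()):
        print(f"{name}: {len(paths)} padded variant(s)")
        for p in paths:
            print(f"    {p}")
```

Run against the full RenV:: block from the post, the grouping shows one cleaned name per legitimate program (qttask.exe, FolderShare.exe, StyleXP.exe, msmsgs.exe, NeroCheck.exe, ctfmon.exe, MSConfig.exe) with dozens of padded variants under FolderShare; clean entries such as the ctfmon.exe in the Run key are left alone, which is the check you want before handing someone a rename list.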

  2. #12
    Member
    Join Date
    Feb 2008
    Posts
    41


    Here is the combofix log:

    ComboFix 08-02-19.2 - fjw 2008-02-19 12:42:30.2 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.739 [GMT -6:00]
    Running from: C:\Documents and Settings\fjw\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\fjw\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\SYSTEM32\btvxjnce.ini
    C:\WINDOWS\SYSTEM32\chwxhmmf.ini
    C:\WINDOWS\SYSTEM32\cirueasx.ini
    C:\WINDOWS\SYSTEM32\gxgjmrhb.ini
    C:\WINDOWS\SYSTEM32\jinvuulv.ini
    C:\WINDOWS\SYSTEM32\jpiqejvx.ini
    C:\WINDOWS\SYSTEM32\kahindwu.ini
    C:\WINDOWS\SYSTEM32\kltgfybn.ini
    C:\WINDOWS\SYSTEM32\koxuytol.ini
    C:\WINDOWS\SYSTEM32\lkgjgnxy.ini
    C:\WINDOWS\SYSTEM32\lujpuouu.ini
    C:\WINDOWS\SYSTEM32\nkgudkqh.ini
    C:\WINDOWS\SYSTEM32\ofxflobj.ini
    C:\WINDOWS\SYSTEM32\oognqwkq.ini
    C:\WINDOWS\SYSTEM32\oufrpeds.ini
    C:\WINDOWS\SYSTEM32\oxyfjhwa.ini
    C:\WINDOWS\SYSTEM32\pprijqhf.ini
    C:\WINDOWS\SYSTEM32\puculuhy.ini
    C:\WINDOWS\SYSTEM32\rewjlbep.ini
    C:\WINDOWS\SYSTEM32\tpkoyoea.ini
    C:\WINDOWS\SYSTEM32\tqhttets.ini
    C:\WINDOWS\SYSTEM32\tytemlnm.ini
    C:\WINDOWS\SYSTEM32\vsrrdylm.ini
    C:\WINDOWS\SYSTEM32\xgqyrpni.ini
    C:\WINDOWS\SYSTEM32\xooaomjm.ini
    C:\WINDOWS\SYSTEM32\xotboipg.ini
    C:\WINDOWS\SYSTEM32\xpdbncvm.ini
    C:\WINDOWS\SYSTEM32\ytytwepr.ini
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\SYSTEM32\btvxjnce.ini
    C:\WINDOWS\SYSTEM32\chwxhmmf.ini
    C:\WINDOWS\SYSTEM32\cirueasx.ini
    C:\WINDOWS\SYSTEM32\gxgjmrhb.ini
    C:\WINDOWS\SYSTEM32\jinvuulv.ini
    C:\WINDOWS\SYSTEM32\jpiqejvx.ini
    C:\WINDOWS\SYSTEM32\kahindwu.ini
    C:\WINDOWS\SYSTEM32\kltgfybn.ini
    C:\WINDOWS\SYSTEM32\koxuytol.ini
    C:\WINDOWS\SYSTEM32\lkgjgnxy.ini
    C:\WINDOWS\SYSTEM32\lujpuouu.ini
    C:\WINDOWS\SYSTEM32\nkgudkqh.ini
    C:\WINDOWS\SYSTEM32\ofxflobj.ini
    C:\WINDOWS\SYSTEM32\oognqwkq.ini
    C:\WINDOWS\SYSTEM32\oufrpeds.ini
    C:\WINDOWS\SYSTEM32\oxyfjhwa.ini
    C:\WINDOWS\SYSTEM32\pprijqhf.ini
    C:\WINDOWS\SYSTEM32\puculuhy.ini
    C:\WINDOWS\SYSTEM32\rewjlbep.ini
    C:\WINDOWS\SYSTEM32\tpkoyoea.ini
    C:\WINDOWS\SYSTEM32\tqhttets.ini
    C:\WINDOWS\SYSTEM32\tytemlnm.ini
    C:\WINDOWS\SYSTEM32\vsrrdylm.ini
    C:\WINDOWS\SYSTEM32\xgqyrpni.ini
    C:\WINDOWS\SYSTEM32\xooaomjm.ini
    C:\WINDOWS\SYSTEM32\xotboipg.ini
    C:\WINDOWS\SYSTEM32\xpdbncvm.ini
    C:\WINDOWS\SYSTEM32\ytytwepr.ini

    .
    ((((((((((((((((((((((((( Files Created from 2008-01-19 to 2008-02-19 )))))))))))))))))))))))))))))))
    .

    2008-02-18 07:19 . 2008-02-18 07:19 <DIR> d--hs---- C:\FOUND.000
    2008-02-16 21:09 . 2008-02-16 21:09 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-16 14:48 . 2008-02-16 14:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-02-16 14:47 . 2008-02-16 14:47 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
    2008-02-15 09:04 . 2008-02-18 13:10 6,014 --a------ C:\WINDOWS\BMd711e700.xml
    2008-02-15 09:04 . 2008-02-19 07:11 22 --a------ C:\WINDOWS\pskt.ini
    2008-02-15 08:33 . 2008-02-15 08:33 <DIR> d-------- C:\mGame
    2008-02-07 18:15 . 2008-02-07 18:15 67 --a------ C:\WINDOWS\101_ASB.INI
    2008-02-07 18:14 . 2008-02-07 18:14 <DIR> d-------- C:\DISNEY
    2008-02-02 21:39 . 2008-02-02 21:39 <DIR> d-------- C:\Documents and Settings\fjw\DoctorWeb
    2008-01-31 22:34 . 2008-01-31 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-01-25 16:27 . 2008-01-25 16:27 110 --a------ C:\WINDOWS\HandySnap.INI
    2008-01-22 22:01 . 2008-01-22 22:01 <DIR> d-------- C:\OutputFolder
    2008-01-22 21:59 . 2008-01-22 21:59 <DIR> d-------- C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-17 19:10 15,360 ----a-w C:\WINDOWS\SYSTEM32\ctfmon .exe
    2008-02-17 03:04 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
    2008-02-17 02:23 500,736 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe.tmp
    2008-01-16 14:39 186,000 ----a-w C:\Documents and Settings\fjw\Application Data\GDIPFONTCACHEV1.DAT
    2008-01-14 13:49 155,648 ----a-w C:\WINDOWS\SYSTEM32\NeroCheck .exe
    2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\SYSTEM32\dllcache\pngfilt.dll
    2007-12-26 05:07 8,413 ----a-w C:\WINDOWS\system32\drivers\mcstrm.sys
    2007-12-26 05:07 --------- d-----w C:\Program Files\Common Files\Real
    2007-12-26 05:03 --------- d-----w C:\Program Files\Best Buy Rhapsody
    2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtmsft.dll
    2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mrxdav.sys
    2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe
    2007-12-08 05:21 3,592,192 ------w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
    2007-12-06 11:01 625,664 ------w C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
    2007-12-06 11:00 70,656 ------w C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
    2007-12-06 11:00 13,824 ------w C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
    2007-12-06 04:59 161,792 ------w C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
    2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\SYSTEM32\dllcache\oleaut32.dll
    2007-12-04 18:38 550,912 ------w C:\WINDOWS\SYSTEM32\oleaut32.dll
    2006-12-23 16:04 32 ----a-r C:\Documents and Settings\All Users\hash.dat
    2006-01-11 02:13 159,312 ----a-w C:\Documents and Settings\Jeremy\Application Data\GDIPFONTCACHEV1.DAT
    2005-11-05 03:58 33,750 ----a-w C:\WINDOWS\Internet Logs\GLB98_2nd_2005_11_04_21_58_33.dmp.zip
    2005-11-05 03:58 33,668 ------w C:\WINDOWS\Internet Logs\GLB8F_2nd_2005_11_04_21_57_55.dmp.zip
    2005-10-05 00:50 89,304 ------w C:\WINDOWS\Internet Logs\vsmon_2nd_2005_10_04_18_41_53_small.dmp.zip
    2005-10-05 00:50 79,592 ------w C:\WINDOWS\Internet Logs\vsmon_2nd_2005_10_04_18_41_35_small.dmp.zip
    2005-10-05 00:50 79,542 ------w C:\WINDOWS\Internet Logs\vsmon_2nd_2005_10_04_18_42_35_small.dmp.zip
    2005-10-05 00:40 12,377,066 ------w C:\WINDOWS\Internet Logs\ZLCLIENT_2nd_2005_10_04_17_59_25_full.dmp.zip
    2005-04-04 22:23 0 ---h--w C:\Program Files\AppUpdate.log
    2004-09-21 20:07 86,016 ----a-w C:\Program Files\SPInstall.exe
    2004-09-21 16:54 975 ----a-w C:\Program Files\ReadMe.txt
    2004-09-21 16:05 1,841 ----a-w C:\Program Files\PackingList.txt
    2004-09-21 15:36 908 ----a-w C:\Program Files\Setup.ini
    2004-09-21 15:36 19,443,744 ----a-w C:\Program Files\Data1.cab
    2004-09-21 15:36 1,591,952 ----a-w C:\Program Files\SundayPlus.msi
    2004-09-21 15:35 225,280 ----a-w C:\Program Files\SPSetupHelper.exe
    2004-09-15 02:35 49,152 ----a-w C:\Program Files\EnglishUI.dll
    2004-04-23 00:02 560 ----a-w C:\Program Files\Global.sw
    2004-01-10 02:34 266 --sh--w C:\Program Files\desktop.ini
    2003-02-25 15:04 4,632 ----a-w C:\Program Files\0x0409.ini
    2006-03-27 03:50 3,766 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
    2006-03-27 03:50 88 --sh--r C:\WINDOWS\SYSTEM32\D4B12B0226.sys
    .
    Code:
    <pre>
    ----a-w           155,648 2008-01-14 13:49:00  C:\WINDOWS\SYSTEM32\NeroCheck .exe
    ----a-w            15,360 2008-02-17 19:10:12  C:\WINDOWS\SYSTEM32\ctfmon .exe
    ----a-w           158,208 2008-02-17 03:04:04  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
    ----a-w           649,728 2008-01-14 22:45:12  C:\Program Files\QuickTime\qttask    .exe
    ----a-w           649,728 2008-01-15 05:18:12  C:\Program Files\QuickTime\qttask     .exe
    ----a-w           649,728 2008-01-15 13:34:46  C:\Program Files\QuickTime\qttask      .exe
    ----a-w           649,728 2008-01-16 04:01:32  C:\Program Files\QuickTime\qttask       .exe
    ----a-w           649,728 2008-01-16 13:52:08  C:\Program Files\QuickTime\qttask        .exe
    ----a-w           649,728 2008-01-17 13:34:58  C:\Program Files\QuickTime\qttask         .exe
    ----a-w           282,624 2008-01-17 13:35:46  C:\Program Files\QuickTime\qttask          .exe
    ----a-w         1,235,456 2008-01-15 05:18:08  C:\Program Files\FolderShare\FolderShare     .exe
    ----a-w         1,235,456 2008-01-15 13:34:42  C:\Program Files\FolderShare\FolderShare      .exe
    ----a-w         1,235,456 2008-01-16 04:01:30  C:\Program Files\FolderShare\FolderShare       .exe
    ----a-w         1,235,456 2008-01-16 13:52:06  C:\Program Files\FolderShare\FolderShare        .exe
    ----a-w         1,235,456 2008-01-17 13:34:56  C:\Program Files\FolderShare\FolderShare         .exe
    ----a-w         1,235,456 2008-01-18 13:01:00  C:\Program Files\FolderShare\FolderShare          .exe
    ----a-w         1,235,456 2008-01-19 05:28:52  C:\Program Files\FolderShare\FolderShare           .exe
    ----a-w         1,235,456 2008-01-19 14:49:44  C:\Program Files\FolderShare\FolderShare            .exe
    ----a-w         1,235,456 2008-01-19 22:07:26  C:\Program Files\FolderShare\FolderShare             .exe
    ----a-w         1,235,456 2008-01-20 13:05:32  C:\Program Files\FolderShare\FolderShare              .exe
    ----a-w         1,235,456 2008-01-21 00:57:40  C:\Program Files\FolderShare\FolderShare               .exe
    ----a-w         1,235,456 2008-01-21 13:45:58  C:\Program Files\FolderShare\FolderShare                .exe
    ----a-w         1,235,456 2008-01-22 13:30:02  C:\Program Files\FolderShare\FolderShare                 .exe
    ----a-w         1,235,456 2008-01-24 13:23:50  C:\Program Files\FolderShare\FolderShare                  .exe
    ----a-w         1,235,456 2008-01-25 13:12:52  C:\Program Files\FolderShare\FolderShare                   .exe
    ----a-w         1,235,456 2008-01-26 14:00:48  C:\Program Files\FolderShare\FolderShare                    .exe
    ----a-w         1,235,456 2008-01-27 13:10:08  C:\Program Files\FolderShare\FolderShare                     .exe
    ----a-w         1,235,456 2008-01-28 00:02:38  C:\Program Files\FolderShare\FolderShare                      .exe
    ----a-w         1,235,456 2008-01-29 13:21:38  C:\Program Files\FolderShare\FolderShare                       .exe
    ----a-w         1,235,456 2008-01-30 13:26:08  C:\Program Files\FolderShare\FolderShare                        .exe
    ----a-w         1,235,456 2008-01-30 15:22:54  C:\Program Files\FolderShare\FolderShare                         .exe
    ----a-w         1,235,456 2008-01-30 16:10:46  C:\Program Files\FolderShare\FolderShare                          .exe
    ----a-w         1,235,456 2008-01-31 12:52:42  C:\Program Files\FolderShare\FolderShare                           .exe
    ----a-w         1,235,456 2008-01-31 13:46:00  C:\Program Files\FolderShare\FolderShare                            .exe
    ----a-w         1,235,456 2008-02-01 04:46:42  C:\Program Files\FolderShare\FolderShare                             .exe
    ----a-w         1,235,456 2008-02-01 13:14:42  C:\Program Files\FolderShare\FolderShare                              .exe
    ----a-w         1,235,456 2008-02-02 13:54:24  C:\Program Files\FolderShare\FolderShare                               .exe
    ----a-w         1,235,456 2008-02-02 16:06:34  C:\Program Files\FolderShare\FolderShare                                .exe
    ----a-w         1,235,456 2008-02-02 23:20:48  C:\Program Files\FolderShare\FolderShare                                 .exe
    ----a-w         1,235,456 2008-02-03 00:33:20  C:\Program Files\FolderShare\FolderShare                                  .exe
    ----a-w         1,235,456 2008-02-03 03:53:04  C:\Program Files\FolderShare\FolderShare                                   .exe
    ----a-w         1,235,456 2008-02-03 13:09:24  C:\Program Files\FolderShare\FolderShare                                    .exe
    ----a-w         1,235,456 2008-02-04 13:50:12  C:\Program Files\FolderShare\FolderShare                                     .exe
    ----a-w         1,235,456 2008-02-05 14:56:58  C:\Program Files\FolderShare\FolderShare                                      .exe
    ----a-w         1,235,456 2008-02-05 18:28:32  C:\Program Files\FolderShare\FolderShare                                       .exe
    ----a-w         1,235,456 2008-02-06 14:46:12  C:\Program Files\FolderShare\FolderShare                                        .exe
    ----a-w         1,235,456 2008-02-06 16:40:16  C:\Program Files\FolderShare\FolderShare                                         .exe
    ----a-w         1,235,456 2008-02-06 17:39:54  C:\Program Files\FolderShare\FolderShare                                          .exe
    ----a-w         1,235,456 2008-02-07 13:29:04  C:\Program Files\FolderShare\FolderShare                                           .exe
    ----a-w         1,235,456 2008-02-08 13:12:16  C:\Program Files\FolderShare\FolderShare                                            .exe
    ----a-w         1,235,456 2008-02-09 13:36:42  C:\Program Files\FolderShare\FolderShare                                             .exe
    ----a-w         1,235,456 2008-02-10 12:43:56  C:\Program Files\FolderShare\FolderShare                                              .exe
    ----a-w         1,235,456 2008-02-11 13:05:44  C:\Program Files\FolderShare\FolderShare                                               .exe
    ----a-w         1,235,456 2008-02-12 13:11:24  C:\Program Files\FolderShare\FolderShare                                                .exe
    ----a-w         1,235,456 2008-02-13 13:05:02  C:\Program Files\FolderShare\FolderShare                                                 .exe
    ----a-w         1,235,456 2008-02-14 01:54:00  C:\Program Files\FolderShare\FolderShare                                                  .exe
    ----a-w         1,235,456 2008-02-14 13:11:14  C:\Program Files\FolderShare\FolderShare                                                   .exe
    ----a-w         1,235,456 2008-02-15 13:22:34  C:\Program Files\FolderShare\FolderShare                                                    .exe
    ----a-w         1,235,456 2008-02-16 14:04:36  C:\Program Files\FolderShare\FolderShare                                                     .exe
    ----a-w         1,235,456 2008-02-16 16:48:18  C:\Program Files\FolderShare\FolderShare                                                      .exe
    ----a-w         1,235,456 2008-02-16 19:32:28  C:\Program Files\FolderShare\FolderShare                                                       .exe
    ----a-w         1,235,456 2008-02-16 20:49:34  C:\Program Files\FolderShare\FolderShare                                                        .exe
    ----a-w         1,743,360 2008-01-14 22:45:08  C:\Program Files\TGTSoft\StyleXP\StyleXP .exe
    ----a-w         1,372,160 2008-01-17 13:35:48  C:\Program Files\TGTSoft\StyleXP\StyleXP  .exe
    ----a-w         1,694,208 2008-02-14 00:24:30  C:\Program Files\Messenger\msmsgs .exe
    </pre>

    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
    @={7D688A77-C613-11D0-999B-00C04FD655E1}

    [HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
    2007-10-25 21:34 8460288 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:07 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 16:22 7618560]
    "nwiz"="nwiz.exe" [2006-06-01 16:22 1519616 C:\WINDOWS\SYSTEM32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 16:22 86016]
    "Tweak UI"="TWEAKUI.CPL" [2000-06-18 14:03 106544 C:\WINDOWS\SYSTEM32\TWEAKUI.CPL]
    "ATIPTA"="atiptaxx.exe" [2001-09-27 01:39 245760 C:\WINDOWS\SYSTEM32\atiptaxx.exe]

    C:\Documents and Settings\fjw\Start Menu\Programs\Startup\
    Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2007-01-08 21:22:17 2746104]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "<NO NAME>"= 00000000
    "NoFavoritesMenu"= 01000000
    "NoLogoff"= 0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "<NO NAME>"= 00000000
    "NoFavoritesMenu"= 01000000
    "NoActiveDesktopChanges"= 0 (0x0)
    "NoLogoff"= 0 (0x0)



    Continued in next post

  3. #13
    Member
    Join Date
    Feb 2008
    Posts
    41


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel MEDIA FOLDERS INDEXER 8.LNK]
    backup=C:\WINDOWS\pss\Corel MEDIA FOLDERS INDEXER 8.LNKCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Encoder Agent.lnk]
    backup=C:\WINDOWS\pss\Encoder Agent.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Cody^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
    --a------ 2001-09-27 01:39 245760 C:\WINDOWS\SYSTEM32\atiptaxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AuthConsoleStart]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DesktopIconToy]
    --a------ 2006-10-26 21:03 278528 C:\Program Files\Desktop Icon Toy\DesktopIconToy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ESP]
    --a------ 2006-07-30 12:09 63008 C:\Program Files\Cox\Applications\app\start.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FolderShare]
    --a------ 2008-02-16 14:49 1235456 C:\Program Files\FolderShare\FolderShare .exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    --a------ 2004-09-13 15:49 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
    --a------ 2003-03-26 05:34 172032 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    --a------ 2005-06-10 10:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    --a------ 2005-06-10 10:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    C:\WINDOWS\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogonStudio]
    C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mobipocket Reader Notifications]
    --a------ 2006-06-20 16:54 57344 C:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2008-02-13 18:24 2226688 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-01-17 07:35 282624 C:\Program Files\QuickTime\qttask .exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    --a------ 2008-02-16 14:49 2441216 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StarSkin]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP]
    --a------ 2008-01-17 07:35 1372160 C:\Program Files\TGTSoft\StyleXP\StyleXP .exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    --a------ 2007-05-14 17:22 35328 C:\Program Files\Winamp\winampa.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "UPS"=3 (0x3)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "msnmsgr"="C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    "LogitechSoftwareUpdate"="C:\PROGRAM FILES\LOGITECH\VIDEO\MANIFESTENGINE.EXE" boot

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
    "Tweak UI"=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    "SiS Tray"=C:\WINDOWS\SYSTEM32\sistray.exe
    "StillImageMonitor"=C:\WINDOWS\SYSTEM32\stimon.exe

    R2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys [1999-04-01 19:16]
    R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2001-09-27 00:32]
    S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys [2001-08-17 12:11]
    S3 dump_wmimmc;dump_wmimmc;C:\Program Files\Gpotato\Flyff\GameGuard\dump_wmimmc.sys []
    S3 PhilCam8116;Logitech QuickCam Pro 3000 (08B0);C:\WINDOWS\system32\DRIVERS\CamDrO21.sys [2001-08-17 14:05]
    S3 XDva090;XDva090;C:\WINDOWS\system32\XDva090.sys []


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\MmoptPreferredAudioDevices]
    rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,@0,SUSB\VID_046D&PID_08B0&MI_01\1USB&VID_046D&PID_08B0&INST_0

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
    C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-19 12:43:45
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-02-19 12:44:14
    ComboFix-quarantined-files.txt 2008-02-19 18:44:14
    ComboFix2.txt 2008-02-19 14:55:02
    .
    2008-02-15 05:58:29 --- E O F ---


    and here is the HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:47:14 PM, on 2/19/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    c:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\WINDOWS\SYSTEM32\LVCOMSX.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Opera\Opera.exe
    C:\Program Files\Trend Micro\HijackThis\didymustoo.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\FJW\Application Data\Mozilla\Profiles\default\brw22mi9.slt\prefs.js)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
    O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
    O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Search - ?p=ZJfox000
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {03A0F84E-3E69-4B3E-B4D3-019CB73B57B3} (AuthWebWizardMain.DHTMLPage1) - http://www3.authentium.com/cssrelease/bin/WizMain.exe
    O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-36.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/down...auncherNew.cab
    O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/...cannerCtrl.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...92/mcfscan.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - c:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 5640 bytes

  4. #14
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Boot in safe mode

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    RenV::
    ----a-w           155,648 2008-01-14 13:49:00  C:\WINDOWS\SYSTEM32\NeroCheck .exe
    ----a-w            15,360 2008-02-17 19:10:12  C:\WINDOWS\SYSTEM32\ctfmon .exe
    ----a-w           158,208 2008-02-17 03:04:04  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
    ----a-w           649,728 2008-01-14 22:45:12  C:\Program Files\QuickTime\qttask    .exe
    ----a-w           649,728 2008-01-15 05:18:12  C:\Program Files\QuickTime\qttask     .exe
    ----a-w           649,728 2008-01-15 13:34:46  C:\Program Files\QuickTime\qttask      .exe
    ----a-w           649,728 2008-01-16 04:01:32  C:\Program Files\QuickTime\qttask       .exe
    ----a-w           649,728 2008-01-16 13:52:08  C:\Program Files\QuickTime\qttask        .exe
    ----a-w           649,728 2008-01-17 13:34:58  C:\Program Files\QuickTime\qttask         .exe
    ----a-w           282,624 2008-01-17 13:35:46  C:\Program Files\QuickTime\qttask          .exe
    ----a-w         1,235,456 2008-01-15 05:18:08  C:\Program Files\FolderShare\FolderShare     .exe
    ----a-w         1,235,456 2008-01-15 13:34:42  C:\Program Files\FolderShare\FolderShare      .exe
    ----a-w         1,235,456 2008-01-16 04:01:30  C:\Program Files\FolderShare\FolderShare       .exe
    ----a-w         1,235,456 2008-01-16 13:52:06  C:\Program Files\FolderShare\FolderShare        .exe
    ----a-w         1,235,456 2008-01-17 13:34:56  C:\Program Files\FolderShare\FolderShare         .exe
    ----a-w         1,235,456 2008-01-18 13:01:00  C:\Program Files\FolderShare\FolderShare          .exe
    ----a-w         1,235,456 2008-01-19 05:28:52  C:\Program Files\FolderShare\FolderShare           .exe
    ----a-w         1,235,456 2008-01-19 14:49:44  C:\Program Files\FolderShare\FolderShare            .exe
    ----a-w         1,235,456 2008-01-19 22:07:26  C:\Program Files\FolderShare\FolderShare             .exe
    ----a-w         1,235,456 2008-01-20 13:05:32  C:\Program Files\FolderShare\FolderShare              .exe
    ----a-w         1,235,456 2008-01-21 00:57:40  C:\Program Files\FolderShare\FolderShare               .exe
    ----a-w         1,235,456 2008-01-21 13:45:58  C:\Program Files\FolderShare\FolderShare                .exe
    ----a-w         1,235,456 2008-01-22 13:30:02  C:\Program Files\FolderShare\FolderShare                 .exe
    ----a-w         1,235,456 2008-01-24 13:23:50  C:\Program Files\FolderShare\FolderShare                  .exe
    ----a-w         1,235,456 2008-01-25 13:12:52  C:\Program Files\FolderShare\FolderShare                   .exe
    ----a-w         1,235,456 2008-01-26 14:00:48  C:\Program Files\FolderShare\FolderShare                    .exe
    ----a-w         1,235,456 2008-01-27 13:10:08  C:\Program Files\FolderShare\FolderShare                     .exe
    ----a-w         1,235,456 2008-01-28 00:02:38  C:\Program Files\FolderShare\FolderShare                      .exe
    ----a-w         1,235,456 2008-01-29 13:21:38  C:\Program Files\FolderShare\FolderShare                       .exe
    ----a-w         1,235,456 2008-01-30 13:26:08  C:\Program Files\FolderShare\FolderShare                        .exe
    ----a-w         1,235,456 2008-01-30 15:22:54  C:\Program Files\FolderShare\FolderShare                         .exe
    ----a-w         1,235,456 2008-01-30 16:10:46  C:\Program Files\FolderShare\FolderShare                          .exe
    ----a-w         1,235,456 2008-01-31 12:52:42  C:\Program Files\FolderShare\FolderShare                           .exe
    ----a-w         1,235,456 2008-01-31 13:46:00  C:\Program Files\FolderShare\FolderShare                            .exe
    ----a-w         1,235,456 2008-02-01 04:46:42  C:\Program Files\FolderShare\FolderShare                             .exe
    ----a-w         1,235,456 2008-02-01 13:14:42  C:\Program Files\FolderShare\FolderShare                              .exe
    ----a-w         1,235,456 2008-02-02 13:54:24  C:\Program Files\FolderShare\FolderShare                               .exe
    ----a-w         1,235,456 2008-02-02 16:06:34  C:\Program Files\FolderShare\FolderShare                                .exe
    ----a-w         1,235,456 2008-02-02 23:20:48  C:\Program Files\FolderShare\FolderShare                                 .exe
    ----a-w         1,235,456 2008-02-03 00:33:20  C:\Program Files\FolderShare\FolderShare                                  .exe
    ----a-w         1,235,456 2008-02-03 03:53:04  C:\Program Files\FolderShare\FolderShare                                   .exe
    ----a-w         1,235,456 2008-02-03 13:09:24  C:\Program Files\FolderShare\FolderShare                                    .exe
    ----a-w         1,235,456 2008-02-04 13:50:12  C:\Program Files\FolderShare\FolderShare                                     .exe
    ----a-w         1,235,456 2008-02-05 14:56:58  C:\Program Files\FolderShare\FolderShare                                      .exe
    ----a-w         1,235,456 2008-02-05 18:28:32  C:\Program Files\FolderShare\FolderShare                                       .exe
    ----a-w         1,235,456 2008-02-06 14:46:12  C:\Program Files\FolderShare\FolderShare                                        .exe
    ----a-w         1,235,456 2008-02-06 16:40:16  C:\Program Files\FolderShare\FolderShare                                         .exe
    ----a-w         1,235,456 2008-02-06 17:39:54  C:\Program Files\FolderShare\FolderShare                                          .exe
    ----a-w         1,235,456 2008-02-07 13:29:04  C:\Program Files\FolderShare\FolderShare                                           .exe
    ----a-w         1,235,456 2008-02-08 13:12:16  C:\Program Files\FolderShare\FolderShare                                            .exe
    ----a-w         1,235,456 2008-02-09 13:36:42  C:\Program Files\FolderShare\FolderShare                                             .exe
    ----a-w         1,235,456 2008-02-10 12:43:56  C:\Program Files\FolderShare\FolderShare                                              .exe
    ----a-w         1,235,456 2008-02-11 13:05:44  C:\Program Files\FolderShare\FolderShare                                               .exe
    ----a-w         1,235,456 2008-02-12 13:11:24  C:\Program Files\FolderShare\FolderShare                                                .exe
    ----a-w         1,235,456 2008-02-13 13:05:02  C:\Program Files\FolderShare\FolderShare                                                 .exe
    ----a-w         1,235,456 2008-02-14 01:54:00  C:\Program Files\FolderShare\FolderShare                                                  .exe
    ----a-w         1,235,456 2008-02-14 13:11:14  C:\Program Files\FolderShare\FolderShare                                                   .exe
    ----a-w         1,235,456 2008-02-15 13:22:34  C:\Program Files\FolderShare\FolderShare                                                    .exe
    ----a-w         1,235,456 2008-02-16 14:04:36  C:\Program Files\FolderShare\FolderShare                                                     .exe
    ----a-w         1,235,456 2008-02-16 16:48:18  C:\Program Files\FolderShare\FolderShare                                                      .exe
    ----a-w         1,235,456 2008-02-16 19:32:28  C:\Program Files\FolderShare\FolderShare                                                       .exe
    ----a-w         1,235,456 2008-02-16 20:49:34  C:\Program Files\FolderShare\FolderShare                                                        .exe
    ----a-w         1,743,360 2008-01-14 22:45:08  C:\Program Files\TGTSoft\StyleXP\StyleXP .exe
    ----a-w         1,372,160 2008-01-17 13:35:48  C:\Program Files\TGTSoft\StyleXP\StyleXP  .exe
    ----a-w         1,694,208 2008-02-14 00:24:30  C:\Program Files\Messenger\msmsgs .exe
    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



    This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager, then the Processes tab (press ctrl, alt and del at the same time), and end any processes of findstr, find, sed or swreg; then combofix should continue.
    If that happened we want to know, and also what process you had to end.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
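    The RenV:: list in the post above consists of executables whose names carry whitespace between the base name and the .exe extension, several per directory. As an added example that is not part of the original post and not ComboFix's own code, the following Python parses lines in that format and groups the padded names under the canonical file they sit beside, so a responder can review the whole set before any rename step; all class and function names are my own, and the sample input is constructed from a few lines of the log above plus one clean entry.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# One ComboFix "RenV::"-style line: attributes, size, date, time, full path.
# The path is captured verbatim so interior runs of spaces survive.
LINE_RE = re.compile(
    r"^(?P<attrs>[-a-z]{6,9})\s+"
    r"(?P<size>[\d,]+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<path>\S.*?)\s*$"
)


@dataclass(frozen=True)
class Entry:
    attrs: str
    size: int
    timestamp: str
    path: str

    @property
    def directory(self) -> str:
        return self.path.rpartition("\\")[0]

    @property
    def filename(self) -> str:
        return self.path.rpartition("\\")[2]

    @property
    def is_padded(self) -> bool:
        """True when whitespace sits between the base name and its extension."""
        stem, dot, _ext = self.filename.rpartition(".")
        return dot == "." and stem != stem.rstrip()

    @property
    def canonical_name(self) -> str:
        """The file name with the padding removed, e.g. 'qttask    .exe' -> 'qttask.exe'."""
        stem, dot, ext = self.filename.rpartition(".")
        return stem.rstrip() + dot + ext


def parse_renv_lines(text: str) -> list:
    """Parse ComboFix-style file lines; blank lines and the 'RenV::' header are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith("::"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a file line; ignore rather than guess at it
        entries.append(Entry(
            attrs=m["attrs"],
            size=int(m["size"].replace(",", "")),
            timestamp=f"{m['date']} {m['time']}",
            path=m["path"],
        ))
    return entries


def find_padded_copies(entries) -> dict:
    """Group padded-name entries under the canonical path they sit beside."""
    groups = defaultdict(list)
    for e in entries:
        if e.is_padded:
            groups[e.directory + "\\" + e.canonical_name].append(e)
    return dict(groups)


def summarize(groups: dict) -> list:
    """One review line per canonical path: copy count, distinct sizes, time span."""
    lines = []
    for canon, copies in sorted(groups.items()):
        sizes = sorted({c.size for c in copies})
        first = min(c.timestamp for c in copies)
        last = max(c.timestamp for c in copies)
        lines.append(f"{canon}: {len(copies)} padded copies, sizes {sizes}, {first} .. {last}")
    return lines


# Constructed sample: six padded lines taken from the RenV:: list above plus one
# clean entry (NeroCheck.exe as it appears in the Find3M report) to show it is not flagged.
SAMPLE = r"""
RenV::
----a-w           155,648 2008-01-14 13:49:00  C:\WINDOWS\SYSTEM32\NeroCheck .exe
----a-w           649,728 2008-01-14 22:45:12  C:\Program Files\QuickTime\qttask    .exe
----a-w           649,728 2008-01-15 05:18:12  C:\Program Files\QuickTime\qttask     .exe
----a-w           282,624 2008-01-17 13:35:46  C:\Program Files\QuickTime\qttask          .exe
----a-w         1,235,456 2008-01-15 05:18:08  C:\Program Files\FolderShare\FolderShare     .exe
----a-w         1,235,456 2008-01-16 04:01:30  C:\Program Files\FolderShare\FolderShare       .exe
----a-w           155,648 2008-01-14 13:49:00  C:\WINDOWS\SYSTEM32\NeroCheck.exe
"""

if __name__ == "__main__":
    for line in summarize(find_padded_copies(parse_renv_lines(SAMPLE))):
        print(line)
```

The size column is worth reading alongside the count: in the sample, the qttask copies are not all the same size, which is the kind of detail a reviewer wants before deciding which file is the original.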

  5. #15
    Member
    Join Date
    Feb 2008
    Posts
    41

    Default

    Combofix log part 1:

    ComboFix 08-02-19.2 - fjw 2008-02-19 13:12:14.3 - FAT32x86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.794 [GMT -6:00]
    Running from: C:\Documents and Settings\fjw\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\fjw\Desktop\CFScript.txt

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-01-19 to 2008-02-19 )))))))))))))))))))))))))))))))
    .

    2008-02-18 07:19 . 2008-02-18 07:19 <DIR> d--hs---- C:\FOUND.000
    2008-02-16 21:09 . 2008-02-16 21:09 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-16 14:48 . 2008-02-16 14:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-02-16 14:47 . 2008-02-16 14:47 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
    2008-02-15 09:04 . 2008-02-18 13:10 6,014 --a------ C:\WINDOWS\BMd711e700.xml
    2008-02-15 09:04 . 2008-02-19 07:11 22 --a------ C:\WINDOWS\pskt.ini
    2008-02-15 08:33 . 2008-02-15 08:33 <DIR> d-------- C:\mGame
    2008-02-07 18:15 . 2008-02-07 18:15 67 --a------ C:\WINDOWS\101_ASB.INI
    2008-02-07 18:14 . 2008-02-07 18:14 <DIR> d-------- C:\DISNEY
    2008-02-02 21:39 . 2008-02-02 21:39 <DIR> d-------- C:\Documents and Settings\fjw\DoctorWeb
    2008-01-31 22:34 . 2008-01-31 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-01-25 16:27 . 2008-01-25 16:27 110 --a------ C:\WINDOWS\HandySnap.INI
    2008-01-22 22:01 . 2008-01-22 22:01 <DIR> d-------- C:\OutputFolder
    2008-01-22 21:59 . 2008-01-22 21:59 <DIR> d-------- C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-17 19:10 15,360 ----a-w C:\WINDOWS\SYSTEM32\ctfmon .exe
    2008-02-17 03:04 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
    2008-02-17 02:23 500,736 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe.tmp
    2008-01-16 14:39 186,000 ----a-w C:\Documents and Settings\fjw\Application Data\GDIPFONTCACHEV1.DAT
    2008-01-14 13:49 155,648 ----a-w C:\WINDOWS\SYSTEM32\NeroCheck.exe
    2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\SYSTEM32\dllcache\pngfilt.dll
    2007-12-26 05:07 8,413 ----a-w C:\WINDOWS\system32\drivers\mcstrm.sys
    2007-12-26 05:07 --------- d-----w C:\Program Files\Common Files\Real
    2007-12-26 05:03 --------- d-----w C:\Program Files\Best Buy Rhapsody
    2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtmsft.dll
    2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mrxdav.sys
    2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe
    2007-12-08 05:21 3,592,192 ------w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
    2007-12-06 11:01 625,664 ------w C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
    2007-12-06 11:00 70,656 ------w C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
    2007-12-06 11:00 13,824 ------w C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
    2007-12-06 04:59 161,792 ------w C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
    2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\SYSTEM32\dllcache\oleaut32.dll
    2007-12-04 18:38 550,912 ------w C:\WINDOWS\SYSTEM32\oleaut32.dll
    2006-12-23 16:04 32 ----a-r C:\Documents and Settings\All Users\hash.dat
    2006-01-11 02:13 159,312 ----a-w C:\Documents and Settings\Jeremy\Application Data\GDIPFONTCACHEV1.DAT
    2005-11-05 03:58 33,750 ----a-w C:\WINDOWS\Internet Logs\GLB98_2nd_2005_11_04_21_58_33.dmp.zip
    2005-11-05 03:58 33,668 ------w C:\WINDOWS\Internet Logs\GLB8F_2nd_2005_11_04_21_57_55.dmp.zip
    2005-10-05 00:50 89,304 ------w C:\WINDOWS\Internet Logs\vsmon_2nd_2005_10_04_18_41_53_small.dmp.zip
    2005-10-05 00:50 79,592 ------w C:\WINDOWS\Internet Logs\vsmon_2nd_2005_10_04_18_41_35_small.dmp.zip
    2005-10-05 00:50 79,542 ------w C:\WINDOWS\Internet Logs\vsmon_2nd_2005_10_04_18_42_35_small.dmp.zip
    2005-10-05 00:40 12,377,066 ------w C:\WINDOWS\Internet Logs\ZLCLIENT_2nd_2005_10_04_17_59_25_full.dmp.zip
    2005-04-04 22:23 0 ---h--w C:\Program Files\AppUpdate.log
    2004-09-21 20:07 86,016 ----a-w C:\Program Files\SPInstall.exe
    2004-09-21 16:54 975 ----a-w C:\Program Files\ReadMe.txt
    2004-09-21 16:05 1,841 ----a-w C:\Program Files\PackingList.txt
    2004-09-21 15:36 908 ----a-w C:\Program Files\Setup.ini
    2004-09-21 15:36 19,443,744 ----a-w C:\Program Files\Data1.cab
    2004-09-21 15:36 1,591,952 ----a-w C:\Program Files\SundayPlus.msi
    2004-09-21 15:35 225,280 ----a-w C:\Program Files\SPSetupHelper.exe
    2004-09-15 02:35 49,152 ----a-w C:\Program Files\EnglishUI.dll
    2004-04-23 00:02 560 ----a-w C:\Program Files\Global.sw
    2004-01-10 02:34 266 --sh--w C:\Program Files\desktop.ini
    2003-02-25 15:04 4,632 ----a-w C:\Program Files\0x0409.ini
    2006-03-27 03:50 3,766 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
    2006-03-27 03:50 88 --sh--r C:\WINDOWS\SYSTEM32\D4B12B0226.sys
    .
    Code:
    <pre>
    ----a-w            15,360 2008-02-17 19:10:12  C:\WINDOWS\SYSTEM32\ctfmon .exe
    ----a-w           158,208 2008-02-17 03:04:04  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
    ----a-w           649,728 2008-01-14 22:45:12  C:\Program Files\QuickTime\qttask    .exe
    ----a-w           649,728 2008-01-15 05:18:12  C:\Program Files\QuickTime\qttask     .exe
    ----a-w           649,728 2008-01-15 13:34:46  C:\Program Files\QuickTime\qttask      .exe
    ----a-w           649,728 2008-01-16 04:01:32  C:\Program Files\QuickTime\qttask       .exe
    ----a-w           649,728 2008-01-16 13:52:08  C:\Program Files\QuickTime\qttask        .exe
    ----a-w           649,728 2008-01-17 13:34:58  C:\Program Files\QuickTime\qttask         .exe
    ----a-w           282,624 2008-01-17 13:35:46  C:\Program Files\QuickTime\qttask          .exe
    ----a-w         1,235,456 2008-01-15 05:18:08  C:\Program Files\FolderShare\FolderShare     .exe
    ----a-w         1,235,456 2008-01-15 13:34:42  C:\Program Files\FolderShare\FolderShare      .exe
    ----a-w         1,235,456 2008-01-16 04:01:30  C:\Program Files\FolderShare\FolderShare       .exe
    ----a-w         1,235,456 2008-01-16 13:52:06  C:\Program Files\FolderShare\FolderShare        .exe
    ----a-w         1,235,456 2008-01-17 13:34:56  C:\Program Files\FolderShare\FolderShare         .exe
    ----a-w         1,235,456 2008-01-18 13:01:00  C:\Program Files\FolderShare\FolderShare          .exe
    ----a-w         1,235,456 2008-01-19 05:28:52  C:\Program Files\FolderShare\FolderShare           .exe
    ----a-w         1,235,456 2008-01-19 14:49:44  C:\Program Files\FolderShare\FolderShare            .exe
    ----a-w         1,235,456 2008-01-19 22:07:26  C:\Program Files\FolderShare\FolderShare             .exe
    ----a-w         1,235,456 2008-01-20 13:05:32  C:\Program Files\FolderShare\FolderShare              .exe
    ----a-w         1,235,456 2008-01-21 00:57:40  C:\Program Files\FolderShare\FolderShare               .exe
    ----a-w         1,235,456 2008-01-21 13:45:58  C:\Program Files\FolderShare\FolderShare                .exe
    ----a-w         1,235,456 2008-01-22 13:30:02  C:\Program Files\FolderShare\FolderShare                 .exe
    ----a-w         1,235,456 2008-01-24 13:23:50  C:\Program Files\FolderShare\FolderShare                  .exe
    ----a-w         1,235,456 2008-01-25 13:12:52  C:\Program Files\FolderShare\FolderShare                   .exe
    ----a-w         1,235,456 2008-01-26 14:00:48  C:\Program Files\FolderShare\FolderShare                    .exe
    ----a-w         1,235,456 2008-01-27 13:10:08  C:\Program Files\FolderShare\FolderShare                     .exe
    ----a-w         1,235,456 2008-01-28 00:02:38  C:\Program Files\FolderShare\FolderShare                      .exe
    ----a-w         1,235,456 2008-01-29 13:21:38  C:\Program Files\FolderShare\FolderShare                       .exe
    ----a-w         1,235,456 2008-01-30 13:26:08  C:\Program Files\FolderShare\FolderShare                        .exe
    ----a-w         1,235,456 2008-01-30 15:22:54  C:\Program Files\FolderShare\FolderShare                         .exe
    ----a-w         1,235,456 2008-01-30 16:10:46  C:\Program Files\FolderShare\FolderShare                          .exe
    ----a-w         1,235,456 2008-01-31 12:52:42  C:\Program Files\FolderShare\FolderShare                           .exe
    ----a-w         1,235,456 2008-01-31 13:46:00  C:\Program Files\FolderShare\FolderShare                            .exe
    ----a-w         1,235,456 2008-02-01 04:46:42  C:\Program Files\FolderShare\FolderShare                             .exe
    ----a-w         1,235,456 2008-02-01 13:14:42  C:\Program Files\FolderShare\FolderShare                              .exe
    ----a-w         1,235,456 2008-02-02 13:54:24  C:\Program Files\FolderShare\FolderShare                               .exe
    ----a-w         1,235,456 2008-02-02 16:06:34  C:\Program Files\FolderShare\FolderShare                                .exe
    ----a-w         1,235,456 2008-02-02 23:20:48  C:\Program Files\FolderShare\FolderShare                                 .exe
    ----a-w         1,235,456 2008-02-03 00:33:20  C:\Program Files\FolderShare\FolderShare                                  .exe
    ----a-w         1,235,456 2008-02-03 03:53:04  C:\Program Files\FolderShare\FolderShare                                   .exe
    ----a-w         1,235,456 2008-02-03 13:09:24  C:\Program Files\FolderShare\FolderShare                                    .exe
    ----a-w         1,235,456 2008-02-04 13:50:12  C:\Program Files\FolderShare\FolderShare                                     .exe
    ----a-w         1,235,456 2008-02-05 14:56:58  C:\Program Files\FolderShare\FolderShare                                      .exe
    ----a-w         1,235,456 2008-02-05 18:28:32  C:\Program Files\FolderShare\FolderShare                                       .exe
    ----a-w         1,235,456 2008-02-06 14:46:12  C:\Program Files\FolderShare\FolderShare                                        .exe
    ----a-w         1,235,456 2008-02-06 16:40:16  C:\Program Files\FolderShare\FolderShare                                         .exe
    ----a-w         1,235,456 2008-02-06 17:39:54  C:\Program Files\FolderShare\FolderShare                                          .exe
    ----a-w         1,235,456 2008-02-07 13:29:04  C:\Program Files\FolderShare\FolderShare                                           .exe
    ----a-w         1,235,456 2008-02-08 13:12:16  C:\Program Files\FolderShare\FolderShare                                            .exe
    ----a-w         1,235,456 2008-02-09 13:36:42  C:\Program Files\FolderShare\FolderShare                                             .exe
    ----a-w         1,235,456 2008-02-10 12:43:56  C:\Program Files\FolderShare\FolderShare                                              .exe
    ----a-w         1,235,456 2008-02-11 13:05:44  C:\Program Files\FolderShare\FolderShare                                               .exe
    ----a-w         1,235,456 2008-02-12 13:11:24  C:\Program Files\FolderShare\FolderShare                                                .exe
    ----a-w         1,235,456 2008-02-13 13:05:02  C:\Program Files\FolderShare\FolderShare                                                 .exe
    ----a-w         1,235,456 2008-02-14 01:54:00  C:\Program Files\FolderShare\FolderShare                                                  .exe
    ----a-w         1,235,456 2008-02-14 13:11:14  C:\Program Files\FolderShare\FolderShare                                                   .exe
    ----a-w         1,235,456 2008-02-15 13:22:34  C:\Program Files\FolderShare\FolderShare                                                    .exe
    ----a-w         1,235,456 2008-02-16 14:04:36  C:\Program Files\FolderShare\FolderShare                                                     .exe
    ----a-w         1,235,456 2008-02-16 16:48:18  C:\Program Files\FolderShare\FolderShare                                                      .exe
    ----a-w         1,235,456 2008-02-16 19:32:28  C:\Program Files\FolderShare\FolderShare                                                       .exe
    ----a-w         1,235,456 2008-02-16 20:49:34  C:\Program Files\FolderShare\FolderShare                                                        .exe
    ----a-w         1,743,360 2008-01-14 22:45:08  C:\Program Files\TGTSoft\StyleXP\StyleXP .exe
    ----a-w         1,372,160 2008-01-17 13:35:48  C:\Program Files\TGTSoft\StyleXP\StyleXP  .exe
    ----a-w         1,694,208 2008-02-14 00:24:30  C:\Program Files\Messenger\msmsgs .exe
    </pre>

    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
    @={7D688A77-C613-11D0-999B-00C04FD655E1}

    [HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
    2007-10-25 21:34 8460288 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:07 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 16:22 7618560]
    "nwiz"="nwiz.exe" [2006-06-01 16:22 1519616 C:\WINDOWS\SYSTEM32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 16:22 86016]
    "Tweak UI"="TWEAKUI.CPL" [2000-06-18 14:03 106544 C:\WINDOWS\SYSTEM32\TWEAKUI.CPL]
    "ATIPTA"="atiptaxx.exe" [2001-09-27 01:39 245760 C:\WINDOWS\SYSTEM32\atiptaxx.exe]

    C:\Documents and Settings\fjw\Start Menu\Programs\Startup\
    Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2007-01-08 21:22:17 2746104]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "<NO NAME>"= 00000000
    "NoFavoritesMenu"= 01000000
    "NoLogoff"= 0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "<NO NAME>"= 00000000
    "NoFavoritesMenu"= 01000000
    "NoActiveDesktopChanges"= 0 (0x0)
    "NoLogoff"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel MEDIA FOLDERS INDEXER 8.LNK]
    backup=C:\WINDOWS\pss\Corel MEDIA FOLDERS INDEXER 8.LNKCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Encoder Agent.lnk]
    backup=C:\WINDOWS\pss\Encoder Agent.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Cody^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
    --a------ 2001-09-27 01:39 245760 C:\WINDOWS\SYSTEM32\atiptaxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AuthConsoleStart]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DesktopIconToy]
    --a------ 2006-10-26 21:03 278528 C:\Program Files\Desktop Icon Toy\DesktopIconToy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ESP]
    --a------ 2006-07-30 12:09 63008 C:\Program Files\Cox\Applications\app\start.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FolderShare]
    --a------ 2008-02-16 14:49 1235456 C:\Program Files\FolderShare\FolderShare .exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    --a------ 2004-09-13 15:49 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
    --a------ 2003-03-26 05:34 172032 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    --a------ 2005-06-10 10:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

  6. #16
    Member
    Join Date
    Feb 2008
    Posts
    41

    Default

    Combofix log part 2:


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    --a------ 2005-06-10 10:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    C:\WINDOWS\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogonStudio]
    C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mobipocket Reader Notifications]
    --a------ 2006-06-20 16:54 57344 C:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2008-02-13 18:24 2226688 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2008-01-14 07:49 155648 C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-01-17 07:35 282624 C:\Program Files\QuickTime\qttask .exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    --a------ 2008-02-16 14:49 2441216 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StarSkin]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP]
    --a------ 2008-01-17 07:35 1372160 C:\Program Files\TGTSoft\StyleXP\StyleXP .exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    --a------ 2007-05-14 17:22 35328 C:\Program Files\Winamp\winampa.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "UPS"=3 (0x3)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "msnmsgr"="C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    "LogitechSoftwareUpdate"="C:\PROGRAM FILES\LOGITECH\VIDEO\MANIFESTENGINE.EXE" boot

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
    "Tweak UI"=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    "SiS Tray"=C:\WINDOWS\SYSTEM32\sistray.exe
    "StillImageMonitor"=C:\WINDOWS\SYSTEM32\stimon.exe

    S2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys [1999-04-01 19:16]
    S3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2001-09-27 00:32]
    S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys [2001-08-17 12:11]
    S3 dump_wmimmc;dump_wmimmc;C:\Program Files\Gpotato\Flyff\GameGuard\dump_wmimmc.sys []
    S3 PhilCam8116;Logitech QuickCam Pro 3000 (08B0);C:\WINDOWS\system32\DRIVERS\CamDrO21.sys [2001-08-17 14:05]
    S3 XDva090;XDva090;C:\WINDOWS\system32\XDva090.sys []

    *Newly Created Service* - MVDCODEC

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\MmoptPreferredAudioDevices]
    rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,@0,SUSB\VID_046D&PID_08B0&MI_01\1USB&VID_046D&PID_08B0&INST_0

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
    C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-19 13:15:34
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-02-19 13:16:21
    ComboFix-quarantined-files.txt 2008-02-19 19:16:18
    ComboFix3.txt 2008-02-19 14:55:02
    ComboFix2.txt 2008-02-19 18:44:16
    .
    2008-02-15 05:58:29 --- E O F ---


    HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:17:22 PM, on 2/19/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Safe mode

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\didymustoo.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\FJW\Application Data\Mozilla\Profiles\default\brw22mi9.slt\prefs.js)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
    O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
    O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Search - ?p=ZJfox000
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {03A0F84E-3E69-4B3E-B4D3-019CB73B57B3} (AuthWebWizardMain.DHTMLPage1) - http://www3.authentium.com/cssrelease/bin/WizMain.exe
    O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-36.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/down...auncherNew.cab
    O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/...cannerCtrl.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...92/mcfscan.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - c:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 5233 bytes

  7. #17
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Yes, no go.

    That will mean that you will need to re-install some startup programs.

    Make Windows show file extensions, see here

    Rename these files:

    C:\WINDOWS\SYSTEM32\ctfmon .exe
    C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
    C:\Program Files\Messenger\msmsgs .exe

    to these:

    C:\WINDOWS\SYSTEM32\ctfmon.exe
    C:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe
    C:\Program Files\Messenger\msmsgs.exe

    Uninstall via add/remove programs:

    QuickTime
    FolderShare
    StyleXP

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    File::
    C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe.tmp
    
    Folder::
    C:\Program Files\TGTSoft\StyleXP
    C:\Program Files\FolderShare
    C:\Program Files\QuickTime

    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



    This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager, then the Processes tab (press ctrl, alt and del at the same time), and end any processes of findstr, find, sed or swreg; then combofix should continue.
    If that happened we want to know, and also what process you had to end.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  8. #18
    Member
    Join Date
    Feb 2008
    Posts
    41

    Default

    I tried renaming ctfmon .exe to ctfmon.exe. I received this message, “Cannot rename ctfmon : A file with the name you specified already exists. Specify a different name.”

    So I tried renaming ctfmon.exe to ctfmon.exe.bak. I got the same message.
    So I decided to try renaming MSConfig .exe to MSConfig.exe, got the same message. I renamed MSConfig.exe to MSConfig.exe.bak and still got the same message. I then decided to rename MSConfig.exe.bak back to MSConfig.exe and the computer won’t let me telling me a file with the same name already exists. Same problem with ctfmon.exe.bak. So,

    I now have the following files on my computer:
    ctfmon.exe
    ctfmon .exe
    ctfmon.exe.bak

    MSConfig exe
    MSConfig.exe
    MSConfig.exe.bak
    msconfig.exe.tmp

    I thought I’d better let you know before I went on to the uninstall programs step.
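
    The rename step in the expert's post above, and the collision the member then ran into, both come down to one fact about these file names: Win32 strips trailing spaces and dots from a name, but a space that sits before the extension is interior, so "ctfmon .exe" is a legal file name distinct from "ctfmon.exe" in the same folder, and Explorer refuses the rename whenever the clean file is already there. As an added example, not part of the original posts nor of ComboFix or HijackThis, here is a Python script that picks such padded names out of ComboFix-style log lines, groups each one with its clean counterpart, and flags the names for which both forms exist (the ones that will collide on rename). The sample lines are constructed to mirror the entries quoted in the thread, and the function names (`analyze_log`, `scan_disk` and the rest) are my own.

```python
"""Flag executables whose file names carry whitespace right before the
extension ("ctfmon .exe", "qttask    .exe"), the naming pattern of the
Vundo copies in this thread, and detect canonical names that exist in
both a clean and a padded form, which is the rename collision reported.
Added example; not part of ComboFix, HijackThis or the original posts."""

import os
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# A Windows path inside a log line: drive letter, colon, backslash, then
# everything to the end of the line (the path may itself contain spaces).
_WIN_PATH = re.compile(r"[A-Za-z]:\\.*")

# Constructed sample lines modelled on the ComboFix output quoted in the
# thread (RenV section and msconfig\startupreg entries); not a real log.
SAMPLE_LOG = [
    r"----a-w            15,360 2008-02-17 19:10:12  C:\WINDOWS\SYSTEM32\ctfmon .exe",
    r"----a-w           649,728 2008-01-14 22:45:12  C:\Program Files\QuickTime\qttask    .exe",
    r"----a-w           282,624 2008-01-17 13:35:46  C:\Program Files\QuickTime\qttask          .exe",
    r"--a------ 2004-08-04 01:07 15360 C:\WINDOWS\system32\ctfmon.exe",
    r"--a------ 2008-02-16 14:49 1235456 C:\Program Files\FolderShare\FolderShare .exe",
    r"--a------ 2007-05-14 17:22 35328 C:\Program Files\Winamp\winampa.exe",
]


def split_name(path: str) -> Tuple[str, str, str]:
    """Return (directory, stem, extension); the stem keeps the file's real
    whitespace, so "...\\ctfmon .exe" gives stem "ctfmon " and ext ".exe"."""
    directory, _, basename = path.rpartition("\\")
    dot = basename.rfind(".")
    if dot <= 0:  # no extension, or a leading dot: the whole name is the stem
        return directory, basename, ""
    return directory, basename[:dot], basename[dot:]


def is_padded(path: str) -> bool:
    """True when the stem ends in whitespace, i.e. the name reads "foo .exe".
    Win32 strips *trailing* spaces from a name, but a space before the
    extension is interior, so such a file is legal and distinct from foo.exe."""
    _, stem, _ = split_name(path)
    return stem != stem.rstrip()


def canonical(path: str) -> str:
    """The clean name a padded variant shadows, case-folded because Windows
    file-name lookups are case-insensitive."""
    directory, stem, ext = split_name(path)
    return f"{directory}\\{stem.rstrip()}{ext}".casefold()


def extract_path(line: str) -> Optional[str]:
    """Pull the path out of a ComboFix-style line, skipping the attribute,
    size and timestamp columns that precede it."""
    m = _WIN_PATH.search(line.rstrip())
    return m.group(0) if m else None


def report(paths: Iterable[str]) -> List[Tuple[str, List[str], bool]]:
    """For each canonical name with at least one padded variant, return
    (canonical, padded_variants, clean_variant_present). A True third field
    is exactly the case where renaming "foo .exe" to foo.exe will collide."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for p in paths:
        groups[canonical(p)].append(p)
    findings = []
    for canon, variants in sorted(groups.items()):
        padded = [v for v in variants if is_padded(v)]
        if padded:
            clean_present = any(not is_padded(v) for v in variants)
            findings.append((canon, padded, clean_present))
    return findings


def analyze_log(lines: Iterable[str]) -> List[Tuple[str, List[str], bool]]:
    """Run the check over raw log lines."""
    return report(p for p in (extract_path(ln) for ln in lines) if p)


def scan_disk(root: str) -> List[str]:
    """The same name check applied to a real directory tree, for use on the
    affected volume (e.g. from a rescue environment) rather than on a log."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, n) for n in files if is_padded(n))
    return sorted(hits)


if __name__ == "__main__":
    for canon, padded, clean_present in analyze_log(SAMPLE_LOG):
        status = "COLLISION: clean file also present" if clean_present else "padded copy only"
        print(f"{canon}\n  {status}\n  " + "\n  ".join(repr(v) for v in padded))
```

    Run it as a script to print the report for the sample lines; for the constructed input it reports the ctfmon entry as a collision (clean file present) and the qttask and FolderShare entries as padded copies only. `scan_disk` applies the same check to a real tree, which matters because a log only lists what the tool chose to report.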

  9. #19
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Delete all these:

    ctfmon .exe
    ctfmon.exe.bak
    MSConfig exe
    MSConfig.exe
    MSConfig.exe.bak

    Download this
    and unzip it to here:

    C:\WINDOWS\pchealth\helpctr\binaries

    Then just continue with my previous instructions, please
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  10. #20
    Member
    Join Date
    Feb 2008
    Posts
    41

    Default

    I appreciate your help and patience.

    I was able to delete all files except for ctfmon.exe.bak. When I attempt to do so I get a message, "Cannot delete ctfmon.exe: Access is denied."
