I have been infected.
Infected
10-08-2007, 09:44 PM
OK, I have a virus, it is taking over my computer with pop-ups, and on the few occasions I can start Task Manager before it disables it again, I have located it has to do with a file called winh32.exe. My screen background is black with red text saying I'm not protected and I have several pop-ups coming up trying to make me purchase anti-spyware, which I'm sure is just so they can get my details. A program keeps opening and shutting down with the error "Load Library Manager had to close... Send report/Don't send". This is the program directly related to the winh32.exe. I have tried McAfee, Ad-Aware, and Norton. I don't know how to create a HijackThis log...
PrntRhd
10-08-2007, 09:52 PM
Welcome to the PC Guide forum!
Download HijackThis from the link below.
Make a new folder on your PC's HDD and unzip the downloaded file into the file you just created.
Doubleclick the file and run HJT.
Scan and make a log by clicking the Scan & Make a Log button.
Copy/Paste the complete resulting log into reply posts here, divide into sections if it is too large to post in one try.
Wait for the readers to tell you what steps to take before fixing anything.
We have a reasonable idea of what this nasty is, but we have to have the HJT log to minimize risk to your PC's installation.
http://www.spywareinfo.com/~merijn/programs.php
Infected
10-08-2007, 09:55 PM
Logfile of HijackThis v1.99.1
Scan saved at 11:48:55 AM, on 9/10/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\cisvc.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\qiawpbjj.exe
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\default\Application Data\ntos.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: qiawpbjj.msdn_hlp - {026B5895-3E8E-49A9-8EEE-B52A326DA962} - C:\WINDOWS\System32\qiawpbjj.dll
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar3.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm080YYAU
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt5_x.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Poker Superstars II\Images\stg_drm.ocx
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Poker Superstars II\Images\armhelper.ocx
O16 - DPF: {E72CFC93-BAE3-8D60-85D1-129993AAC8B9} (UImageUploader Class) - http://www.perfspot.com/u/UImageUploaderXP.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
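The F2 UserInit line and the long run of O2 BHO entries in the log above are the first things a log reader checks. As an added example (not from this thread, PC Guide, or HijackThis), the Python below parses those entry types out of HJT log text and lists the ones that deserve a second look; the sample log is constructed from lines quoted above, and the default UserInit value and the Program Files heuristic are my assumptions.

```python
"""Minimal triage of a HijackThis v1.99 log (added example, not HJT code)."""
import re

# Default Winlogon UserInit value on Windows XP; anything appended to it is
# started by winlogon at every interactive logon (assumption for this check).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample: a handful of lines copied from the HJT log in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP (WinNT 5.01.2600)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\default\Application Data\ntos.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: qiawpbjj.msdn_hlp - {026B5895-3E8E-49A9-8EEE-B52A326DA962} - C:\WINDOWS\System32\qiawpbjj.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar3.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
"""

USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")


def userinit_extras(log_text):
    """Executables listed in UserInit= other than the default userinit.exe.

    A second path in this value is a logon persistence mechanism: the log
    above carries two copies of ntos.exe here, which this returns.
    """
    extras = []
    for line in log_text.splitlines():
        m = USERINIT_RE.match(line)
        if not m:
            continue
        for part in m.group("value").split(","):
            part = part.strip()
            if part and part.lower() != DEFAULT_USERINIT:
                extras.append(part)
    return extras


def parse_bhos(log_text):
    """Return (name, clsid, path) tuples for every O2 BHO line in the log."""
    return [
        (m.group("name"), m.group("clsid"), m.group("path"))
        for m in (BHO_RE.match(line) for line in log_text.splitlines())
        if m
    ]


def dead_bhos(log_text):
    """CLSIDs of BHO registrations whose DLL is gone ('(no file)')."""
    return [clsid for _, clsid, path in parse_bhos(log_text) if path == "(no file)"]


def bhos_outside_program_files(log_text):
    """BHOs whose DLL is loaded from somewhere other than Program Files.

    Most legitimate add-ons install under Program Files, so a BHO with a
    random-looking name under System32 stands out. Known-good entries such as
    the Google toolbar also match; the list is for review, not automatic fixing.
    """
    flagged = []
    for name, _, path in parse_bhos(log_text):
        p = path.lower()
        if p != "(no file)" and "\\program files\\" not in p:
            flagged.append((name, path))
    return flagged


def triage(log_text):
    """Bundle the three checks into one report dictionary."""
    return {
        "userinit_extras": userinit_extras(log_text),
        "dead_bhos": dead_bhos(log_text),
        "review_bhos": bhos_outside_program_files(log_text),
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key}:")
        for item in items:
            print("   ", item)
```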
Infected
10-08-2007, 10:14 PM
That was it.
PrntRhd
10-08-2007, 11:30 PM
You did good, just wait for a response from the readers; at least one is on vacation right now.
Infected
10-08-2007, 11:34 PM
Thanks, I will do my best to be patient and not throw the computer away :)
classicsoftware
10-08-2007, 11:39 PM
Yes, you are infected and this is a nasty bugger to get rid of. Please be patient.
First:
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall...
and then post a fresh HJT log after a reboot and the ComboFix log...
Infected
10-09-2007, 12:36 AM
ComboFix 07-10-09.3 - default 2007-10-09 13:47:02.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.219 [GMT 10:00]
Running from: C:\Documents and Settings\default\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\ac3_0010.exe
C:\ac3_0010.exe
C:\deskbar_e21.exe
C:\deskbar_e26.exe
C:\Documents and Settings\default\Application Data\FunWebProducts
C:\drsmartload.exe
C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Shared\Cache\AvatarSmallBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\1.bin\F3BROVLY.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Cache\000377EA
C:\Program Files\MyWebSearch\bar\Cache\0006A379
C:\Program Files\MyWebSearch\bar\Cache\00A42E5B.bin
C:\Program Files\MyWebSearch\bar\Cache\00A44028.bin
C:\Program Files\MyWebSearch\bar\Cache\00A44EE7.bin
C:\Program Files\MyWebSearch\bar\Cache\00A45A90.bin
C:\Program Files\MyWebSearch\bar\Cache\00A4647F.bin
C:\Program Files\MyWebSearch\bar\Cache\00A46DED.bin
C:\Program Files\MyWebSearch\bar\Cache\00A4780E
C:\Program Files\MyWebSearch\bar\Cache\00DD791C.bin
C:\Program Files\MyWebSearch\bar\Cache\00DD8E96.bin
C:\Program Files\MyWebSearch\bar\Cache\00EDD4B2.bin
C:\Program Files\MyWebSearch\bar\Cache\00EDE12C.bin
C:\Program Files\MyWebSearch\bar\Cache\00EDE4C6.bin
C:\Program Files\MyWebSearch\bar\Cache\00EDE85F.bin
C:\Program Files\MyWebSearch\bar\Cache\files.ini
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\icons\CM.ICO
C:\Program Files\MyWebSearch\bar\icons\MFC.ICO
C:\Program Files\MyWebSearch\bar\icons\PSS.ICO
C:\Program Files\MyWebSearch\bar\icons\SMILEY.ICO
C:\Program Files\MyWebSearch\bar\icons\WB.ICO
C:\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO
C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S
C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S
C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S
C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S
C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S
C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\network monitor
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\ucmoreiex.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\aconti.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\Downloaded Program Files\UERS_9999_N91S2507NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UERS_9999_N91S2507NetInstaller.exe
C:\WINDOWS\dp0.dll
C:\WINDOWS\drsmartload2.dat
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\keyboard1.dat
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\newname.dat
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\start.exe
C:\WINDOWS\SYSTEM32\1191693177.exe
C:\WINDOWS\system32\drivers\alert_icon.gif
C:\WINDOWS\system32\drivers\close_icon.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\header_bg.gif
C:\WINDOWS\system32\drivers\icon_warning.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\secuity_center_logo.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\windows.scr
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\winh32.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe
more to come
Infected
10-09-2007, 12:38 AM
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
((((((((((((((((((((((((( Files Created from 2007-09-09 to 2007-10-09 )))))))))))))))))))))))))))))))
.
2007-10-09 14:13 <DIR> d-------- C:\Program Files\p2pnetworks
2007-10-09 14:13 <DIR> d-------- C:\Program Files\akl
2007-10-09 14:13 <DIR> d-------- C:\Program Files\3721
2007-10-09 14:11 <DIR> d-------- C:\Program Files\e-zshopper
2007-10-09 14:10 <DIR> d-------- C:\Program Files\amsys
2007-10-09 14:07 29,184 --a------ C:\WINDOWS\764.exe
2007-10-09 13:44 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-08 19:21 <DIR> d--hs---- C:\WINDOWS\SYSTEM32\wsnpoem
2007-10-08 17:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-08 17:35 <DIR> d-------- C:\Program Files\McAfee
2007-10-08 17:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-10-08 17:34 <DIR> d-------- C:\Program Files\McAfee.com
2007-10-08 17:34 349,760 --a------ C:\WINDOWS\SYSTEM32\mcinsctl.dll
2007-10-08 17:34 288,320 --a------ C:\WINDOWS\SYSTEM32\mcgdmgr.dll
2007-10-08 16:47 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Google
2007-10-08 15:24 <DIR> d-------- C:\Program Files\STOPzilla!
2007-10-08 15:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2007-10-08 14:25 <DIR> d--hs---- C:\FOUND.011
2007-10-08 01:00 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-08 01:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-08 00:58 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-08 00:37 <DIR> d-------- C:\Program Files\SpyAway
2007-10-08 00:28 4 --a------ C:\WINDOWS\SYSTEM32\stfv.bin
2007-10-07 21:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\acespy
2007-10-07 21:02 24,576 --a------ C:\WINDOWS\SYSTEM32\ace16win.dll
2007-10-07 20:39 21,504 --a------ C:\WINDOWS\SYSTEM32\qiawpbjj.dll
2007-10-07 20:39 12 --a------ C:\WINDOWS\SYSTEM32\gtv_sd.bin
2007-10-07 20:38 51,200 --a------ C:\WINDOWS\SYSTEM32\g82.exe
2007-10-07 20:38 28,167 --a------ C:\WINDOWS\SYSTEM32\ld.exe
2007-10-07 20:38 2 --a------ C:\WINDOWS\SYSTEM32\faxwin32.bin
2007-10-04 03:19 <DIR> d--hs---- C:\FOUND.010
2007-09-23 01:56 <DIR> d-------- C:\Documents and Settings\default\Application Data\PlayFirst
2007-09-23 01:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-09-23 01:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2007-09-22 22:21 <DIR> d--hs---- C:\Documents and Settings\default\Application Data\wsnpoem
2007-09-22 15:18 43,520 --a------ C:\sysptgl.exe
2007-09-22 02:35 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-09-22 02:33 <DIR> d-------- C:\Program Files\Common Files\Real
2007-09-22 02:33 <DIR> d-------- C:\Documents and Settings\default\Application Data\Real
2007-09-20 23:28 1,156 --a------ C:\WINDOWS\mozver.dat
2007-09-20 22:37 0 --a------ C:\WINDOWS\nsreg.dat
2007-09-13 21:27 <DIR> d-------- C:\Program Files\Strip Poker Live
2007-09-13 21:27 131,584 --a------ C:\WINDOWS\SYSTEM32\SpoonUninstall.exe
2007-09-13 21:27 5,832 --a------ C:\WINDOWS\SYSTEM32\SpoonUninstall-SPSetup.dat
2007-09-13 15:16 <DIR> d-------- C:\Documents and Settings\default\Application Data\funkitron
2007-09-13 15:14 <DIR> d-------- C:\Documents and Settings\default\Application Data\SpinTop
2007-09-12 22:41 <DIR> d-------- C:\Program Files\Video Strip Poker
2007-09-12 22:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-10 19:29 <DIR> d--hs---- C:\FOUND.009
more to come
Infected
10-09-2007, 12:40 AM
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-09 04:11 8,704 ----a-w C:\WINDOWS\pbsysie.dll
2007-10-09 04:11 32,512 ----a-w C:\WINDOWS\wbeInst$.exe
2007-10-09 04:11 32,256 ----a-w C:\WINDOWS\hcwprn.exe
2007-10-09 04:11 32,000 ----a-w C:\WINDOWS\xadbrk_.exe
2007-10-09 04:11 31,488 ----a-w C:\WINDOWS\liqui.dll
2007-10-09 04:11 29,952 ----a-w C:\WINDOWS\kvnab.dll
2007-10-09 04:11 29,440 ----a-w C:\WINDOWS\kvnab.exe
2007-10-09 04:11 28,672 ----a-w C:\WINDOWS\settn.dll
2007-10-09 04:11 27,648 ----a-w C:\WINDOWS\liqui.exe
2007-10-09 04:11 26,112 ----a-w C:\WINDOWS\liqad.dll
2007-10-09 04:11 26,112 ----a-w C:\WINDOWS\kkcomp$.exe
2007-10-09 04:11 25,856 ----a-w C:\WINDOWS\xadbrk.exe
2007-10-09 04:11 24,064 ----a-w C:\WINDOWS\iexplorr23.dll
2007-10-09 04:11 22,272 ----a-w C:\WINDOWS\xadbrk.dll
2007-10-09 04:11 22,272 ----a-w C:\WINDOWS\spredirect.dll
2007-10-09 04:11 22,272 ----a-w C:\WINDOWS\kkcomp.dll
2007-10-09 04:11 21,760 ----a-w C:\WINDOWS\adbar.dll
2007-10-09 04:11 20,992 ----a-w C:\WINDOWS\cbinst$.exe
2007-10-09 04:11 20,736 ----a-w C:\WINDOWS\liqad.exe
2007-10-09 04:11 20,736 ----a-w C:\WINDOWS\jd2002.dll
2007-10-09 04:11 18,944 ----a-w C:\WINDOWS\wbeCheck.exe
2007-10-09 04:11 18,688 ----a-w C:\WINDOWS\daxtime.dll
2007-10-09 04:11 17,664 ----a-w C:\WINDOWS\kvnab$.exe
2007-10-09 04:11 17,408 ----a-w C:\WINDOWS\SYSTEM32\ESHOPEE.exe
2007-10-09 04:11 15,360 ----a-w C:\WINDOWS\liqad$.exe
2007-10-09 04:11 14,848 ----a-w C:\WINDOWS\fhfmm.exe
2007-10-09 04:11 14,848 ----a-w C:\WINDOWS\eventlowg.dll
2007-10-09 04:11 14,336 ----a-w C:\WINDOWS\fhfmm-Uninstaller.exe
2007-10-09 04:11 12,544 ----a-w C:\WINDOWS\SYSTEM32\msole32.exe
2007-10-09 04:11 12,032 ----a-w C:\WINDOWS\kkcomp.exe
2007-10-09 04:11 11,008 ----a-w C:\WINDOWS\liqui-Uninstaller.exe
2007-10-09 04:10 32,000 ----a-w C:\WINDOWS\hotporn.exe
2007-10-09 04:10 29,952 ----a-w C:\WINDOWS\ie_32.exe
2007-10-09 04:10 22,784 ----a-w C:\WINDOWS\dp0.dll
2007-10-09 04:10 21,760 ----a-w C:\WINDOWS\aconti.exe
2007-10-09 04:10 17,920 ----a-w C:\WINDOWS\7search.dll
2007-10-09 04:10 17,152 ----a-w C:\WINDOWS\flt.dll
2007-10-09 04:10 13,056 ----a-w C:\WINDOWS\xxxvideo.exe
2007-10-09 04:10 13,056 ----a-w C:\WINDOWS\pbar.dll
2007-10-09 04:10 11,520 ----a-w C:\WINDOWS\ngd.dll
2007-10-09 04:10 10,752 ----a-w C:\WINDOWS\SYSTEM32\wml.exe
2007-10-09 04:10 10,752 ----a-w C:\WINDOWS\SYSTEM32\vxddsk.exe
2007-10-08 06:50 1,024 ----a-w C:\WINDOWS\system32\drivers\15A2AA57-65E5-4DC6-88D0-E6204FF3414C.cxv
2007-10-07 10:39 841 ----a-w C:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif
2007-10-07 10:39 811 ----a-w C:\WINDOWS\system32\drivers\download_btn.gif
2007-10-07 10:39 737 ----a-w C:\WINDOWS\system32\drivers\logo_bg.gif
2007-10-07 10:39 580 ----a-w C:\WINDOWS\system32\drivers\features.gif
2007-10-07 10:39 579 ----a-w C:\WINDOWS\system32\drivers\spy_away_header_small.gif
2007-10-07 10:39 567 ----a-w C:\WINDOWS\system32\drivers\users_rating.gif
2007-10-07 10:39 5,097 ----a-w C:\WINDOWS\system32\drivers\spy_away_box_small.jpg
2007-10-07 10:39 4,557 ----a-w C:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg
2007-10-07 10:39 14,484 ----a-w C:\WINDOWS\system32\drivers\protect.gif
2007-10-07 10:39 1,804 ----a-w C:\WINDOWS\system32\drivers\perfect_cleaner_header.gif
2007-10-07 10:39 1,139 ----a-w C:\WINDOWS\system32\drivers\spy_away_header.gif
2007-10-07 10:38 746 ----a-w C:\WINDOWS\system32\drivers\buy_btn.gif
2007-10-07 10:38 427 ----a-w C:\WINDOWS\system32\drivers\4_stars.gif
2007-10-07 10:38 365 ----a-w C:\WINDOWS\system32\drivers\5_stars.gif
2007-10-07 10:38 1,009 ----a-w C:\WINDOWS\system32\drivers\arrow.gif
2007-08-10 04:29 --------- d-----w C:\Program Files\rebel software
2007-08-06 01:34 369,135 ----a-w C:\DUP1.EXE
2007-08-06 01:32 23,040 ----a-w C:\WINDOWS\SYSTEM32\Cuteqq_Cn.exe
2007-07-31 09:31 720,896 ----a-w C:\WINDOWS\iun6002.exe
2004-10-11 09:46 205,312 ----a-w C:\Program Files\ltefx13n.dll
2004-01-19 04:31 153,600 ----a-w C:\Program Files\ltfil13n.DLL
2004-01-19 03:31 27,648 ----a-w C:\Program Files\lfiff13n.dll
2004-01-19 03:31 20,480 ----a-w C:\Program Files\lfCUT13n.dll
2004-01-19 02:31 453,120 ----a-w C:\Program Files\ltkrn13n.dll
2004-01-19 02:12 89,600 ----a-w C:\Program Files\Lfcgm13n.dll
2004-01-19 01:49 278,016 ----a-w C:\Program Files\LFJ2K13n.dll
2004-01-19 01:49 180,736 ----a-w C:\Program Files\Lfpng13n.dll
2004-01-19 01:47 76,800 ----a-w C:\Program Files\Lfwmf13n.dll
2004-01-19 01:47 509,440 ----a-w C:\Program Files\LFCMW13n.dll
2004-01-19 01:45 420,352 ----a-w C:\Program Files\LFCMP13n.DLL
2004-01-19 01:44 143,872 ----a-w C:\Program Files\lftif13n.dll
2004-01-19 01:36 65,536 ----a-w C:\Program Files\Lfpct13n.dll
2004-01-19 01:36 56,832 ----a-w C:\Program Files\lfpsd13n.dll
2004-01-19 01:36 26,624 ----a-w C:\Program Files\lfpcx13n.dll
2004-01-19 01:36 19,968 ----a-w C:\Program Files\lfpcd13n.dll
2004-01-19 01:36 18,944 ----a-w C:\Program Files\lfmsp13n.dll
2004-01-19 01:35 20,992 ----a-w C:\Program Files\lfimg13n.dll
2004-01-19 01:35 18,944 ----a-w C:\Program Files\lfmac13n.dll
2004-01-19 01:34 31,744 ----a-w C:\Program Files\lfclp13n.dll
2004-01-19 01:34 30,208 ----a-w C:\Program Files\lfbmp13n.dll
2004-01-19 01:33 444,928 ----a-w C:\Program Files\ltimg13n.dll
2004-01-19 01:32 265,216 ----a-w C:\Program Files\LTDIS13n.dll
2003-01-31 22:14 500,763 ----a-w C:\Program Files\fontparadiseinstaller.exe
2002-12-11 02:17 271 --sh--w C:\Program Files\desktop.ini
2002-12-11 02:17 21,952 ---h--w C:\Program Files\folder.htt
2002-05-27 12:08 707,072 ----a-w C:\Program Files\ws_ftple.exe
2002-05-27 07:36 766,405 ----a-w C:\Program Files\NAV80TRY.EXE
2001-08-23 02:00 165,376 ----a-r C:\Documents and Settings\default\Application Data\ntos.exe
2000-05-01 18:17 212,480 ----a-w C:\Program Files\PCDLIB32.DLL
1999-11-18 13:00 284,032 ----a-w C:\Program Files\XceedZip.dll
.
more to come
Infected
10-09-2007, 12:41 AM
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{026B5895-3E8E-49A9-8EEE-B52A326DA962}]
2007-10-07 20:39 21504 --a------ C:\WINDOWS\System32\qiawpbjj.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"Synchronization Manager"="mobsync.exe" [2001-08-23 12:00 C:\WINDOWS\SYSTEM32\mobsync.exe]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-11-15 00:51]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-22 02:33]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-07-01 19:22]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 14:26]
"_AntiSpyware"="c:\progra~1\mcafee\MCAFEE~1\masalert.exe" [2005-07-30 02:10]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-27 16:13]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-23 12:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-07 15:04]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 18:11]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=
"tscuninstall"=
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Network Device Switch.lnk - C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe [2001-05-18 20:28:12]
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2002-12-13 13:15:10]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"
R3 TOSHIBASoftModem;Toshiba Soft Modem;C:\WINDOWS\System32\DRIVERS\LTSMT.sys
R3 trid3d;trid3d;C:\WINDOWS\System32\DRIVERS\trid3dm.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-06 04:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2007-10-08 06:28:42 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
"2007-10-09 04:20:12 C:\WINDOWS\Tasks\Symantec NetDetect.job"
"2007-10-08 07:37:34 C:\WINDOWS\Tasks\McAfee AntiSpyware.job"
- c:\progra~1\mcafee\MCAFEE~1\MASCon.exe
.
************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-09 14:17:13
Windows 5.1.2600 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************************************
.
Completion time: 2007-10-09 14:21:03 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-09 14:20
.
--- E O F ---
That's it.
classicsoftware
10-09-2007, 12:59 AM
Post a fresh HijackThis log and tell us how the system is running.
Infected
10-09-2007, 02:36 AM
Logfile of HijackThis v1.99.1
Scan saved at 4:32:46 PM, on 9/10/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\cisvc.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: qiawpbjj.msdn_hlp - {026B5895-3E8E-49A9-8EEE-B52A326DA962} - C:\WINDOWS\System32\qiawpbjj.dll
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar3.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm080YYAU
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt5_x.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Poker Superstars II\Images\stg_drm.ocx
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Poker Superstars II\Images\armhelper.ocx
O16 - DPF: {E72CFC93-BAE3-8D60-85D1-129993AAC8B9} (UImageUploader Class) - http://www.perfspot.com/u/UImageUploaderXP.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
Infected
10-09-2007, 04:12 AM
Still having the same problems
Infected
10-09-2007, 04:35 AM
The desktop is still black with the big red warning. Far fewer pop-ups, though.
classicsoftware
10-09-2007, 08:15 AM
Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm
Infected
10-09-2007, 10:29 AM
SmitFraudFix v2.239
Scan done at 0:26:17.34, Wed 10/10/2007
Run from C:\Documents and Settings\default\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\alg.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\qiawpbjj.exe
C:\WINDOWS\System32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\ace16win.dll FOUND !
C:\WINDOWS\system32\migicons.exe FOUND !
C:\WINDOWS\system32\msole32.exe FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\default
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\default\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\default\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Speedstream Ethernet USB Adapter
DNS Server Search Order: 10.0.0.138
DNS Server Search Order: 10.0.0.138
HKLM\SYSTEM\CCS\Services\Tcpip\..\{194AD687-F5D0-424D-9E63-79E6463C59A5}: DhcpNameServer=10.0.0.138 10.0.0.138
HKLM\SYSTEM\CS1\Services\Tcpip\..\{194AD687-F5D0-424D-9E63-79E6463C59A5}: DhcpNameServer=10.0.0.138 10.0.0.138
HKLM\SYSTEM\CS2\Services\Tcpip\..\{194AD687-F5D0-424D-9E63-79E6463C59A5}: DhcpNameServer=10.0.0.138 10.0.0.138
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138 10.0.0.138
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138 10.0.0.138
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138 10.0.0.138
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Infected
10-09-2007, 10:32 AM
I have as yet not deleted anything. Should I have done? I still have the black screen, red warning. And Task Manager is still being disabled. But the winh32 file no longer exists. I am still getting the pop ups, but not the Load Library problems. The pop ups are still trying to get me to purchase something, and McAfee still comes up with UserShellFolders changes. (Sorry, just realised I hadn't been giving very good updates - does this mean there is more than one virus?)
classicsoftware
10-09-2007, 10:52 AM
Well it's sort of one massive infection with many parts.
I'm off to work until 9:30PM est. I'll post back with further instructions at that time.
Infected
10-09-2007, 11:04 AM
Thanks heaps for all your efforts. I'm not sure what time you mean as I am in Oz and it is 1am here now. The Load Library problem just resurfaced. I will just pop in in the morning (well, later in the morning anyway) and see if you have replied.
Thanks again.
The winh32 file is back (actually it may never have gone away - I just realised I was searching in My Documents for it!) and there are now 3 files with that name: winh32.exe in directory C:\WINDOWS, 18KB Application, created 30 mins ago (though it was saying created yesterday 24 hours ago), modified in the last half hour; WINH32.EXE-31ED1260.pf in C:\WINDOWS\Prefetch, 102KB PF File, created 3 days ago, modified in the last hour; winh32.exe.vir in C:\qoobox\Quarantine\C\WINDOWS, 18KB VIR File, created two days ago, modified yesterday.
9:30 PM US-Eastern... about 14 hrs difference.
classicsoftware
10-09-2007, 09:56 PM
Please do this:
It would be a good idea to print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.
Next, please reboot your computer in Safe Mode by doing the following:
Restart your computer
Just before the Windows icon appears, tap the F8 key;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning: running option #2 on a non-infected computer will remove your Desktop background.
Reboot and post that log and a fresh HJT log in a Reply...
Infected
10-09-2007, 10:26 PM
SmitFraudFix v2.239
Scan done at 12:04:58.23, Wed 10/10/2007
Run from C:\Documents and Settings\default\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\ace16win.dll Deleted
C:\WINDOWS\system32\migicons.exe Deleted
C:\WINDOWS\system32\msole32.exe Deleted
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{194AD687-F5D0-424D-9E63-79E6463C59A5}: DhcpNameServer=10.0.0.138 10.0.0.138
HKLM\SYSTEM\CS1\Services\Tcpip\..\{194AD687-F5D0-424D-9E63-79E6463C59A5}: DhcpNameServer=10.0.0.138 10.0.0.138
HKLM\SYSTEM\CS2\Services\Tcpip\..\{194AD687-F5D0-424D-9E63-79E6463C59A5}: DhcpNameServer=10.0.0.138 10.0.0.138
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138 10.0.0.138
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138 10.0.0.138
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138 10.0.0.138
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Infected
10-09-2007, 10:27 PM
Logfile of HijackThis v1.99.1
Scan saved at 12:22:37 PM, on 10/10/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\alg.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\qiawpbjj.exe
C:\Program Files\Hijackthis\HijackThis.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: qiawpbjj.msdn_hlp - {026B5895-3E8E-49A9-8EEE-B52A326DA962} - C:\WINDOWS\System32\qiawpbjj.dll
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar3.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm080YYAU
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt5_x.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Poker Superstars II\Images\stg_drm.ocx
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Poker Superstars II\Images\armhelper.ocx
O16 - DPF: {E72CFC93-BAE3-8D60-85D1-129993AAC8B9} (UImageUploader Class) - http://www.perfspot.com/u/UImageUploaderXP.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
The problem appeared to be fixed for about one minute then it all started again (I even had a blank blue desktop for about a minute, now it's black again!)
classicsoftware
10-09-2007, 10:27 PM
Also download a new copy of ComboFix and give me a fresh log. Once I have that I will work up a customized fix. If you can stay off the net once you do that it would be helpful. By that I mean unplug it from the net. You would need another PC to access the net to get the messages.
Infected
10-09-2007, 10:59 PM
ComboFix 07-10-09.3 - default 2007-10-10 12:31:48.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.246 [GMT 10:00]
Running from: C:\Documents and Settings\default\Desktop\ComboFix(2).exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\aconti.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\winh32.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe
Infected
10-09-2007, 10:59 PM
.
((((((((((((((((((((((((( Files Created from 2007-09-10 to 2007-10-10 )))))))))))))))))))))))))))))))
.
2007-10-10 12:41 26,112 --a------ C:\WINDOWS\764.exe
2007-10-10 12:41 22,784 --a------ C:\WINDOWS\7search.dll
2007-10-10 12:41 19,968 --a------ C:\WINDOWS\pbar.dll
2007-10-10 12:41 13,568 --a------ C:\WINDOWS\flt.dll
2007-10-10 12:41 13,056 --a------ C:\WINDOWS\SYSTEM32\wml.exe
2007-10-10 12:41 9,728 --a------ C:\WINDOWS\SYSTEM32\vxddsk.exe
2007-10-10 12:22 15,104 --a------ C:\WINDOWS\SYSTEM32\ace16win.dll
2007-10-10 12:04 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2007-10-10 12:04 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-10-10 12:04 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-10-10 12:04 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-10-10 12:04 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2007-10-10 00:26 1,368 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-10-09 14:10 18,176 --a------ C:\WINDOWS\hotporn.exe
2007-10-09 13:44 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-08 19:21 <DIR> d--hs---- C:\WINDOWS\SYSTEM32\wsnpoem
2007-10-08 17:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-08 17:35 <DIR> d-------- C:\Program Files\McAfee
2007-10-08 17:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-10-08 17:34 <DIR> d-------- C:\Program Files\McAfee.com
2007-10-08 17:34 349,760 --a------ C:\WINDOWS\SYSTEM32\mcinsctl.dll
2007-10-08 17:34 288,320 --a------ C:\WINDOWS\SYSTEM32\mcgdmgr.dll
2007-10-08 16:47 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Google
2007-10-08 15:24 <DIR> d-------- C:\Program Files\STOPzilla!
2007-10-08 15:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2007-10-08 14:25 <DIR> d--hs---- C:\FOUND.011
2007-10-08 01:00 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-08 01:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-08 00:58 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-08 00:37 <DIR> d-------- C:\Program Files\SpyAway
2007-10-08 00:28 4 --a------ C:\WINDOWS\SYSTEM32\stfv.bin
2007-10-07 21:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\acespy
2007-10-07 20:39 21,504 --a------ C:\WINDOWS\SYSTEM32\qiawpbjj.dll
2007-10-07 20:39 12 --a------ C:\WINDOWS\SYSTEM32\gtv_sd.bin
2007-10-07 20:38 51,200 --a------ C:\WINDOWS\SYSTEM32\g82.exe
2007-10-07 20:38 28,167 --a------ C:\WINDOWS\SYSTEM32\ld.exe
2007-10-07 20:38 2 --a------ C:\WINDOWS\SYSTEM32\faxwin32.bin
2007-10-04 03:19 <DIR> d--hs---- C:\FOUND.010
2007-09-23 01:56 <DIR> d-------- C:\Documents and Settings\default\Application Data\PlayFirst
2007-09-23 01:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-09-23 01:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2007-09-22 22:21 <DIR> d--hs---- C:\Documents and Settings\default\Application Data\wsnpoem
2007-09-22 15:18 43,520 --a------ C:\sysptgl.exe
2007-09-22 02:35 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-09-22 02:33 <DIR> d-------- C:\Program Files\Common Files\Real
2007-09-22 02:33 <DIR> d-------- C:\Documents and Settings\default\Application Data\Real
2007-09-20 23:28 1,156 --a------ C:\WINDOWS\mozver.dat
2007-09-20 22:37 0 --a------ C:\WINDOWS\nsreg.dat
2007-09-13 21:27 <DIR> d-------- C:\Program Files\Strip Poker Live
2007-09-13 21:27 131,584 --a------ C:\WINDOWS\SYSTEM32\SpoonUninstall.exe
2007-09-13 21:27 5,832 --a------ C:\WINDOWS\SYSTEM32\SpoonUninstall-SPSetup.dat
2007-09-13 15:16 <DIR> d-------- C:\Documents and Settings\default\Application Data\funkitron
2007-09-13 15:14 <DIR> d-------- C:\Documents and Settings\default\Application Data\SpinTop
2007-09-12 22:41 <DIR> d-------- C:\Program Files\Video Strip Poker
2007-09-12 22:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-10 19:29 <DIR> d--hs---- C:\FOUND.009
.
Infected
10-09-2007, 11:00 PM
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-10 02:43 9,472 ----a-w C:\WINDOWS\fhfmm-Uninstaller.exe
2007-10-10 02:43 8,960 ----a-w C:\WINDOWS\liqad.dll
2007-10-10 02:43 8,704 ----a-w C:\WINDOWS\xadbrk.exe
2007-10-10 02:43 8,704 ----a-w C:\WINDOWS\wbeCheck.exe
2007-10-10 02:43 8,192 ----a-w C:\WINDOWS\xadbrk_.exe
2007-10-10 02:43 30,976 ----a-w C:\WINDOWS\eventlowg.dll
2007-10-10 02:43 30,720 ----a-w C:\WINDOWS\hcwprn.exe
2007-10-10 02:43 29,184 ----a-w C:\WINDOWS\liqui.dll
2007-10-10 02:43 29,184 ----a-w C:\WINDOWS\kvnab$.exe
2007-10-10 02:43 28,416 ----a-w C:\WINDOWS\SYSTEM32\msole32.exe
2007-10-10 02:43 26,368 ----a-w C:\WINDOWS\wbeInst$.exe
2007-10-10 02:43 24,832 ----a-w C:\WINDOWS\fhfmm.exe
2007-10-10 02:43 23,552 ----a-w C:\WINDOWS\cbinst$.exe
2007-10-10 02:43 23,296 ----a-w C:\WINDOWS\liqui-Uninstaller.exe
2007-10-10 02:43 21,760 ----a-w C:\WINDOWS\pbsysie.dll
2007-10-10 02:43 19,712 ----a-w C:\WINDOWS\kvnab.exe
2007-10-10 02:43 19,712 ----a-w C:\WINDOWS\kkcomp.exe
2007-10-10 02:43 19,712 ----a-w C:\WINDOWS\kkcomp.dll
2007-10-10 02:43 18,688 ----a-w C:\WINDOWS\kvnab.dll
2007-10-10 02:43 16,640 ----a-w C:\WINDOWS\daxtime.dll
2007-10-10 02:43 15,872 ----a-w C:\WINDOWS\settn.dll
2007-10-10 02:43 15,616 ----a-w C:\WINDOWS\liqui.exe
2007-10-10 02:43 15,360 ----a-w C:\WINDOWS\kkcomp$.exe
2007-10-10 02:43 13,824 ----a-w C:\WINDOWS\liqad$.exe
2007-10-10 02:43 13,568 ----a-w C:\WINDOWS\xadbrk.dll
2007-10-10 02:43 13,568 ----a-w C:\WINDOWS\liqad.exe
2007-10-10 02:42 8,448 ----a-w C:\WINDOWS\ngd.dll
2007-10-10 02:42 32,000 ----a-w C:\WINDOWS\adbar.dll
2007-10-10 02:42 29,440 ----a-w C:\WINDOWS\iexplorr23.dll
2007-10-10 02:42 27,392 ----a-w C:\WINDOWS\aconti.exe
2007-10-10 02:42 26,368 ----a-w C:\WINDOWS\dp0.dll
2007-10-10 02:42 19,968 ----a-w C:\WINDOWS\SYSTEM32\ESHOPEE.exe
2007-10-10 02:42 19,968 ----a-w C:\WINDOWS\spredirect.dll
2007-10-10 02:42 19,456 ----a-w C:\WINDOWS\jd2002.dll
2007-10-10 02:42 15,616 ----a-w C:\WINDOWS\xxxvideo.exe
2007-10-10 02:42 10,240 ----a-w C:\WINDOWS\ie_32.exe
2007-10-08 06:50 1,024 ----a-w C:\WINDOWS\system32\drivers\15A2AA57-65E5-4DC6-88D0-E6204FF3414C.cxv
2007-10-07 10:39 841 ----a-w C:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif
2007-10-07 10:39 811 ----a-w C:\WINDOWS\system32\drivers\download_btn.gif
2007-10-07 10:39 737 ----a-w C:\WINDOWS\system32\drivers\logo_bg.gif
2007-10-07 10:39 580 ----a-w C:\WINDOWS\system32\drivers\features.gif
2007-10-07 10:39 579 ----a-w C:\WINDOWS\system32\drivers\spy_away_header_small.gif
2007-10-07 10:39 567 ----a-w C:\WINDOWS\system32\drivers\users_rating.gif
2007-10-07 10:39 5,097 ----a-w C:\WINDOWS\system32\drivers\spy_away_box_small.jpg
2007-10-07 10:39 4,557 ----a-w C:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg
2007-10-07 10:39 14,484 ----a-w C:\WINDOWS\system32\drivers\protect.gif
2007-10-07 10:39 1,804 ----a-w C:\WINDOWS\system32\drivers\perfect_cleaner_header.gif
2007-10-07 10:39 1,139 ----a-w C:\WINDOWS\system32\drivers\spy_away_header.gif
2007-10-07 10:38 746 ----a-w C:\WINDOWS\system32\drivers\buy_btn.gif
2007-10-07 10:38 427 ----a-w C:\WINDOWS\system32\drivers\4_stars.gif
2007-10-07 10:38 365 ----a-w C:\WINDOWS\system32\drivers\5_stars.gif
2007-10-07 10:38 1,009 ----a-w C:\WINDOWS\system32\drivers\arrow.gif
2007-08-10 04:29 --------- d-----w C:\Program Files\rebel software
2007-08-06 01:34 369,135 ----a-w C:\DUP1.EXE
2007-08-06 01:32 23,040 ----a-w C:\WINDOWS\SYSTEM32\Cuteqq_Cn.exe
2007-07-31 09:31 720,896 ----a-w C:\WINDOWS\iun6002.exe
2004-10-11 09:46 205,312 ----a-w C:\Program Files\ltefx13n.dll
2004-01-19 04:31 153,600 ----a-w C:\Program Files\ltfil13n.DLL
2004-01-19 03:31 27,648 ----a-w C:\Program Files\lfiff13n.dll
2004-01-19 03:31 20,480 ----a-w C:\Program Files\lfCUT13n.dll
2004-01-19 02:31 453,120 ----a-w C:\Program Files\ltkrn13n.dll
2004-01-19 02:12 89,600 ----a-w C:\Program Files\Lfcgm13n.dll
2004-01-19 01:49 278,016 ----a-w C:\Program Files\LFJ2K13n.dll
2004-01-19 01:49 180,736 ----a-w C:\Program Files\Lfpng13n.dll
2004-01-19 01:47 76,800 ----a-w C:\Program Files\Lfwmf13n.dll
2004-01-19 01:47 509,440 ----a-w C:\Program Files\LFCMW13n.dll
2004-01-19 01:45 420,352 ----a-w C:\Program Files\LFCMP13n.DLL
2004-01-19 01:44 143,872 ----a-w C:\Program Files\lftif13n.dll
2004-01-19 01:36 65,536 ----a-w C:\Program Files\Lfpct13n.dll
2004-01-19 01:36 56,832 ----a-w C:\Program Files\lfpsd13n.dll
2004-01-19 01:36 26,624 ----a-w C:\Program Files\lfpcx13n.dll
2004-01-19 01:36 19,968 ----a-w C:\Program Files\lfpcd13n.dll
2004-01-19 01:36 18,944 ----a-w C:\Program Files\lfmsp13n.dll
2004-01-19 01:35 20,992 ----a-w C:\Program Files\lfimg13n.dll
2004-01-19 01:35 18,944 ----a-w C:\Program Files\lfmac13n.dll
2004-01-19 01:34 31,744 ----a-w C:\Program Files\lfclp13n.dll
2004-01-19 01:34 30,208 ----a-w C:\Program Files\lfbmp13n.dll
2004-01-19 01:33 444,928 ----a-w C:\Program Files\ltimg13n.dll
2004-01-19 01:32 265,216 ----a-w C:\Program Files\LTDIS13n.dll
2003-01-31 22:14 500,763 ----a-w C:\Program Files\fontparadiseinstaller.exe
2002-12-11 02:17 271 --sh--w C:\Program Files\desktop.ini
2002-12-11 02:17 21,952 ---h--w C:\Program Files\folder.htt
2002-05-27 12:08 707,072 ----a-w C:\Program Files\ws_ftple.exe
2002-05-27 07:36 766,405 ----a-w C:\Program Files\NAV80TRY.EXE
2001-08-23 02:00 165,376 ----a-r C:\Documents and Settings\default\Application Data\ntos.exe
2000-05-01 18:17 212,480 ----a-w C:\Program Files\PCDLIB32.DLL
1999-11-18 13:00 284,032 ----a-w C:\Program Files\XceedZip.dll
.
Infected
10-09-2007, 11:01 PM
((((((((((((((((((((((((((((( snapshot@2007-10-09_14.19.00.38 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 40,960 2006-01-09 00:36:06 C:\WINDOWS\SYSTEM32\swsc.exe
----a-w 79,360 2006-11-30 20:20:34 C:\WINDOWS\SYSTEM32\swxcacls.exe
----a-w 32,768 2007-10-10 02:45:08 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 49,152 2007-10-10 02:45:08 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
----a-w 16,384 2007-10-10 02:45:08 C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
----a-w 7,217 2007-10-10 02:18:26 C:\WINDOWS\SYSTEM32\wsnpoem\video.dll
---ha-w 1,048,576 2007-10-10 02:44:04 C:\WINDOWS\Application Data\Microsoft\Windows\UsrClass.dat
----a-w 163,328 2007-03-13 00:57:12 C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
.
----a-w 212,480 2006-11-30 19:20:32 C:\WINDOWS\SYSTEM32\swxcacls.exe
----a-w 370,688 2006-11-29 07:21:30 C:\WINDOWS\SYSTEM32\swsc.exe
----a-w 32,768 2007-10-09 04:16:14 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 32,768 2007-10-09 04:16:14 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
----a-w 16,384 2007-10-09 04:16:14 C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
---ha-w 1,048,576 2007-10-09 04:14:00 C:\WINDOWS\Application Data\Microsoft\Windows\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{026B5895-3E8E-49A9-8EEE-B52A326DA962}]
2007-10-07 20:39 21504 --a------ C:\WINDOWS\System32\qiawpbjj.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"Synchronization Manager"="mobsync.exe" [2001-08-23 12:00 C:\WINDOWS\SYSTEM32\mobsync.exe]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-11-15 00:51]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-22 02:33]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-07-01 19:22]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 14:26]
"_AntiSpyware"="c:\progra~1\mcafee\MCAFEE~1\masalert.exe" [2005-07-30 02:10]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-27 16:13]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-23 12:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-07 15:04]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 18:11]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=
"tscuninstall"=
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Network Device Switch.lnk - C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe [2001-05-18 20:28:12]
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2002-12-13 13:15:10]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"
R3 TOSHIBASoftModem;Toshiba Soft Modem;C:\WINDOWS\System32\DRIVERS\LTSMT.sys
R3 trid3d;trid3d;C:\WINDOWS\System32\DRIVERS\trid3dm.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-06 04:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2007-10-09 06:28:28 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
"2007-10-10 02:49:02 C:\WINDOWS\Tasks\Symantec NetDetect.job"
"2007-10-08 07:37:34 C:\WINDOWS\Tasks\McAfee AntiSpyware.job"
- c:\progra~1\mcafee\MCAFEE~1\MASCon.exe
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url]http://www.gmer.net[/url]
Rootkit scan 2007-10-10 12:46:08
Windows 5.1.2600 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-10 12:50:31 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-09 14:21
C:\ComboFix-quarantined-files.txt ... 2007-10-10 12:50
.
--- E O F ---
Infected
10-09-2007, 11:01 PM
I don't have another computer if I unplug this one...
Then get a copy of Knoppix (http://www.knoppix.org/)...that way you can access the internet without using Windows and without using your hard drive.
Infected
10-09-2007, 11:54 PM
What will Knoppix do to my system - will it damage anything? I have always been told that I should never run Linux on a Windows operating computer?
I will have to look into the purchase as I am not paying for anything online until I get this fixed (is this creating a catch-22?) and I don't have a CD burner to download to.
PrntRhd
10-10-2007, 12:00 AM
No, what it is called is a LIVE CD.
You set the CD-ROM to boot first; the system runs the OS from the CD-ROM itself, finds your hardware and asks you to log on. When you log on you can actually go to the web and everything with nothing being written to the Windows installation.
When you shut down, nothing is changed in the Windows install. Windows does not even record that you did anything.
It is a free download. It can also be purchased for a service fee from professional outfits that burn the CD and mail the disk to you, usually for less than $10.
Ubuntu Linux and MEPIS Linux, both free downloads that also offer the Live CD option, will work just as well.
http://distrowatch.com/
Ummm.....riiiiiiiiiiight.
Obviously a case of FUD...the person who told you this does not know of which they speak...
Since Knoppix runs from the CD, is not installed, by default cannot write to an NTFS partition, and cannot write to ANY partition without the user's explicit permission...ABSOLUTELY NOTHING!!!
Running your infected machine, connected to the Internet, is much more dangerous than running Linux on it.
classicsoftware
10-11-2007, 03:19 AM
Sorry for the delay. I am finishing the fix. There are almost 200 items in the ComboFix log I have to go through one at a time and categorize for the fix to work. Be done soon.....
classicsoftware
10-11-2007, 05:05 PM
Download the latest copy of Combofix
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\flt.dll
C:\WINDOWS\SYSTEM32\wml.exe
C:\WINDOWS\SYSTEM32\vxddsk.exe
C:\WINDOWS\SYSTEM32\ace16win.dll
C:\WINDOWS\SYSTEM32\VCCLSID.exe
C:\WINDOWS\SYSTEM32\tmp.reg
C:\WINDOWS\hotporn.exe
C:\WINDOWS\SYSTEM32\stfv.bin
C:\WINDOWS\SYSTEM32\qiawpbjj.dll
C:\WINDOWS\SYSTEM32\gtv_sd.bin
C:\WINDOWS\SYSTEM32\g82.exe
C:\WINDOWS\SYSTEM32\ld.exe
C:\WINDOWS\SYSTEM32\faxwin32.bin
C:\sysptgl.exe
C:\WINDOWS\SYSTEM32\SpoonUninstall.exe
C:\WINDOWS\SYSTEM32\SpoonUninstall-SPSetup.dat
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\SYSTEM32\msole32.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kvnab.dll
C:\WINDOWS\daxtime.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\adbar.dll
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\aconti.exe
C:\WINDOWS\dp0.dll
C:\WINDOWS\SYSTEM32\ESHOPEE.exe
C:\WINDOWS\spredirect.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\xxxvideo.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\system32\drivers\15A2AA57-65E5-4DC6-88D0-E6204FF3414C.cxv
C:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif
C:\WINDOWS\system32\drivers\download_btn.gif
C:\WINDOWS\system32\drivers\logo_bg.gif
C:\WINDOWS\system32\drivers\features.gif
C:\WINDOWS\system32\drivers\spy_away_header_small.gif
C:\WINDOWS\system32\drivers\users_rating.gif
C:\WINDOWS\system32\drivers\spy_away_box_small.jpg
C:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg
C:\WINDOWS\system32\drivers\protect.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_header.gif
C:\WINDOWS\system32\drivers\spy_away_header.gif
C:\WINDOWS\system32\drivers\buy_btn.gif
C:\WINDOWS\system32\drivers\4_stars.gif
C:\WINDOWS\system32\drivers\5_stars.gif
C:\WINDOWS\system32\drivers\arrow.gif
C:\DUP1.EXE
C:\WINDOWS\SYSTEM32\Cuteqq_Cn.exe
C:\WINDOWS\iun6002.exe
C:\Program Files\ltefx13n.dll
C:\Program Files\ltfil13n.DLL
C:\Program Files\lfiff13n.dll
C:\Program Files\lfCUT13n.dll
C:\Program Files\ltkrn13n.dll
C:\Program Files\Lfcgm13n.dll
C:\Program Files\LFJ2K13n.dll
C:\Program Files\Lfpng13n.dll
C:\Program Files\Lfwmf13n.dll
C:\Program Files\LFCMW13n.dll
C:\Program Files\LFCMP13n.DLL
C:\Program Files\lftif13n.dll
C:\Program Files\Lfpct13n.dll
C:\Program Files\lfpsd13n.dll
C:\Program Files\lfpcx13n.dll
C:\Program Files\lfpcd13n.dll
C:\Program Files\lfmsp13n.dll
C:\Program Files\lfimg13n.dll
C:\Program Files\lfmac13n.dll
C:\Program Files\lfclp13n.dll
C:\Program Files\lfbmp13n.dll
C:\Program Files\ltimg13n.dll
C:\Program Files\LTDIS13n.dll
C:\Program Files\fontparadiseinstaller.exe
C:\Program Files\desktop.ini
C:\Program Files\folder.htt
C:\Documents and Settings\default\Application Data\ntos.exe
Folder::
C:\Documents and Settings\default\Application Data\funkitron
C:\Documents and Settings\default\Application Data\SpinTop
C:\Program Files\Video Strip Poker
C:\Documents and Settings\All Users\Application Data\TEMP
C:\FOUND.011
C:\FOUND.010
C:\FOUND.009
C:\FOUND.008
C:\FOUND.007
C:\FOUND.006
C:\FOUND.005
C:\FOUND.004
C:\FOUND.003
C:\FOUND.002
C:\FOUND.001
C:\Documents and Settings\default\Application Data\PlayFirst
C:\Documents and Settings\All Users\Application Data\PlayFirst
C:\Documents and Settings\All Users\Application Data\Trymedia
C:\Documents and Settings\default\Application Data\wsnpoem
C:\Program Files\Common Files\xing shared
C:\Program Files\Strip Poker Live
C:\WINDOWS\SYSTEM32\wsnpoem
C:\Program Files\SpyAway
C:\WINDOWS\SYSTEM32\acespy
C:\Program Files\rebel software
Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{026B5895-3E8E-49A9-8EEE-B52A326DA962}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,"
Driver::
perfect_cleaner_header_small
download_btn
buy_btn
logo_bg
features
spy_away_header_small
users_rating
spy_away_box_small
perfect_cleaner_box_small
4_stars
5_stars
perfect_cleaner_header
protect
spy_away_header
drivers\arrow
neokdss
Save this as CFScript.txt
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
Referring to the picture above, drag CFScript.txt into ComboFix.exe
Post the log in your next response...
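The sorting the helper describes two posts up (almost 200 log items gone through one at a time and categorised into File::, Folder:: and Registry:: stanzas) can be partly mechanised. What follows is an added example, not code from this thread and not part of ComboFix: a Python script that reads the pasted log text, flags a Userinit value that names anything besides userinit.exe (in the log above it carries a second entry, C:\WINDOWS\System32\ntos.exe, which Windows will launch at every logon until the value is restored), pairs each Browser Helper Object CLSID with the DLL ComboFix printed beneath it, flags minutes in the Files Created section where several files appeared at once (the log above shows six at 12:41, about ten minutes into a scan that started at 12:31, so something was still dropping files), and writes the matching File:: and Registry:: stanzas. Assumptions, all mine: the sample log is a constructed excerpt in the posted log's layout; ComboFix's '~' in a BHO key is read as SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer; a BHO key with no file line under it is treated as an orphaned CLSID; the Registry:: stanza is written in .reg syntax, where a leading '-' deletes a key; and the condemned parameter is my own, because a BHO that still has a DLL looks identical to a legitimate toolbar in the log and should be judged by a person before it goes in the script.

```python
import re
from collections import defaultdict

# Constructed excerpt laid out like the ComboFix log posted above (not the full log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2007-09-10 to 2007-10-10 )))))))))))))))))))))))))))))))
.
2007-10-10 12:41 26,112 --a------ C:\WINDOWS\764.exe
2007-10-10 12:41 22,784 --a------ C:\WINDOWS\7search.dll
2007-10-10 12:41 13,056 --a------ C:\WINDOWS\SYSTEM32\wml.exe
2007-10-08 19:21 <DIR> d--hs---- C:\WINDOWS\SYSTEM32\wsnpoem
2007-10-08 17:34 349,760 --a------ C:\WINDOWS\SYSTEM32\mcinsctl.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{026B5895-3E8E-49A9-8EEE-B52A326DA962}]
2007-10-07 20:39 21504 --a------ C:\WINDOWS\System32\qiawpbjj.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-11-15 00:51]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,"
.
Contents of the 'Scheduled Tasks' folder
"""

HEADER = re.compile(r"^\({5,}\s*(.+?)\s*\){5,}")
# Date, time, size or <DIR>, attribute flags, path: the file-entry layout ComboFix uses.
ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) +(?:[\d,]+|<DIR>) +\S+ +(\S.*)$")
BHO_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(\{[0-9A-Fa-f-]{36}\})\]$")
USERINIT = re.compile(r'^"Userinit"="(.*)"$')
# Assumption: ComboFix's '~' in a BHO key abbreviates this Explorer key.
EXPLORER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon"


def section(log, name):
    """Non-blank lines of the ((((( name ))))) block, up to the next block or the tasks list."""
    out, inside = [], False
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            inside = m.group(1).startswith(name)
            continue
        if inside and line.startswith("Contents of the 'Scheduled Tasks'"):
            break
        if inside and line.strip() not in ("", "."):
            out.append(line.rstrip())
    return out


def creation_bursts(log, min_files=3):
    """Minutes in 'Files Created' with at least min_files new entries: a batch drop,
    or a dropper still re-seeding the disk while the scan runs."""
    by_minute = defaultdict(list)
    for line in section(log, "Files Created"):
        m = ENTRY.match(line)
        if m:
            by_minute[m.group(1)].append(m.group(2))
    return {t: paths for t, paths in by_minute.items() if len(paths) >= min_files}


def triage(log):
    """BHO CLSIDs paired with their DLL (None when the CLSID is orphaned) and the
    Userinit value, which on a clean XP install names only userinit.exe."""
    lines = section(log, "Reg Loading Points")
    bhos, userinit = [], []
    for i, line in enumerate(lines):
        m = BHO_KEY.match(line)
        if m:
            # ComboFix prints the DLL's file line directly under a BHO key that resolves.
            f = ENTRY.match(lines[i + 1]) if i + 1 < len(lines) else None
            bhos.append((m.group(1), f.group(2) if f else None))
            continue
        m = USERINIT.match(line)
        if m:
            userinit = [p.strip() for p in m.group(1).split(",") if p.strip()]
    extra = [p for p in userinit if not p.lower().endswith(r"\userinit.exe")]
    return {"bhos": bhos, "userinit": userinit, "userinit_extra": extra}


def build_cfscript(findings, condemned=()):
    """File:: and Registry:: stanzas. Orphaned BHOs go straight in; a BHO that still has
    a DLL is removed only when its CLSID is in `condemned` (a legitimate toolbar is listed
    the same way). Registry:: is written in .reg syntax, where '-' deletes a key."""
    remove = [(c, p) for c, p in findings["bhos"] if p is None or c in condemned]
    files = findings["userinit_extra"] + [p for _, p in remove if p]
    out = ["File::", *files, "", "Registry::"]
    out += [f"[-{EXPLORER_KEY}\\Browser Helper Objects\\{c}]" for c, _ in remove]
    if findings["userinit_extra"]:
        keep = [p for p in findings["userinit"] if p not in findings["userinit_extra"]]
        out += [f"[{WINLOGON_KEY}]", '"Userinit"="' + ",".join(keep) + ',"']
    return "\n".join(out) + "\n"
```

Run it against the full log text instead of SAMPLE_LOG; the Folder:: stanza and anything outside the two parsed sections are still hand work, and the output is a draft for the helper to review, not something to drag onto ComboFix unread.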
Infected
10-13-2007, 09:38 PM
OK, still don't have my desktop, here is the new log (part 1)
ComboFix 07-10-12.4 - default 2007-10-14 11:11:04.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.277 [GMT 10:00]
Running from: C:\Documents and Settings\default\Desktop\ComboFix(3).exe
Command switches used :: C:\Documents and Settings\default\Desktop\CFScript.txt
* Created a new restore point
FILE::
C:\Documents and Settings\default\Application Data\ntos.exe
C:\DUP1.EXE
C:\Program Files\desktop.ini
C:\Program Files\folder.htt
C:\Program Files\fontparadiseinstaller.exe
C:\Program Files\lfbmp13n.dll
C:\Program Files\Lfcgm13n.dll
C:\Program Files\lfclp13n.dll
C:\Program Files\LFCMP13n.DLL
C:\Program Files\LFCMW13n.dll
C:\Program Files\lfCUT13n.dll
C:\Program Files\lfiff13n.dll
C:\Program Files\lfimg13n.dll
C:\Program Files\LFJ2K13n.dll
C:\Program Files\lfmac13n.dll
C:\Program Files\lfmsp13n.dll
C:\Program Files\lfpcd13n.dll
C:\Program Files\Lfpct13n.dll
C:\Program Files\lfpcx13n.dll
C:\Program Files\Lfpng13n.dll
C:\Program Files\lfpsd13n.dll
C:\Program Files\lftif13n.dll
C:\Program Files\Lfwmf13n.dll
C:\Program Files\LTDIS13n.dll
C:\Program Files\ltefx13n.dll
C:\Program Files\ltfil13n.DLL
C:\Program Files\ltimg13n.dll
C:\Program Files\ltkrn13n.dll
C:\sysptgl.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\aconti.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\iun6002.exe
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\SYSTEM32\ace16win.dll
C:\WINDOWS\SYSTEM32\Cuteqq_Cn.exe
C:\WINDOWS\system32\drivers\15A2AA57-65E5-4DC6-88D0-E6204FF3414C.cxv
C:\WINDOWS\system32\drivers\4_stars.gif
C:\WINDOWS\system32\drivers\5_stars.gif
C:\WINDOWS\system32\drivers\arrow.gif
C:\WINDOWS\system32\drivers\buy_btn.gif
C:\WINDOWS\system32\drivers\download_btn.gif
C:\WINDOWS\system32\drivers\features.gif
C:\WINDOWS\system32\drivers\logo_bg.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg
C:\WINDOWS\system32\drivers\perfect_cleaner_header.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif
C:\WINDOWS\system32\drivers\protect.gif
C:\WINDOWS\system32\drivers\spy_away_box_small.jpg
C:\WINDOWS\system32\drivers\spy_away_header.gif
C:\WINDOWS\system32\drivers\spy_away_header_small.gif
C:\WINDOWS\system32\drivers\users_rating.gif
C:\WINDOWS\SYSTEM32\ESHOPEE.exe
C:\WINDOWS\SYSTEM32\faxwin32.bin
C:\WINDOWS\SYSTEM32\g82.exe
C:\WINDOWS\SYSTEM32\gtv_sd.bin
C:\WINDOWS\SYSTEM32\ld.exe
C:\WINDOWS\SYSTEM32\msole32.exe
C:\WINDOWS\SYSTEM32\qiawpbjj.dll
C:\WINDOWS\SYSTEM32\SpoonUninstall-SPSetup.dat
C:\WINDOWS\SYSTEM32\SpoonUninstall.exe
C:\WINDOWS\SYSTEM32\stfv.bin
C:\WINDOWS\SYSTEM32\VCCLSID.exe
C:\WINDOWS\SYSTEM32\vxddsk.exe
C:\WINDOWS\SYSTEM32\wml.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe
CC:\WINDOWS\SYSTEM32\tmp.reg
.
Infected
10-13-2007, 09:39 PM
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\PlayFirst
C:\Documents and Settings\All Users\Application Data\TEMP
C:\Documents and Settings\All Users\Application Data\TEMP\364682BC.TMP
C:\Documents and Settings\All Users\Application Data\TEMP\7329DE7F.TMP
C:\Documents and Settings\All Users\Application Data\Trymedia
C:\Documents and Settings\All Users\Application Data\Trymedia\data\{3A7E1BB2-6996-B27C-F2B5-2BA4DA53F25F}
C:\Documents and Settings\All Users\Application Data\Trymedia\data\{742D7429-7193-CA9C-ACA0-89E0FE5A9233}
C:\Documents and Settings\All Users\Application Data\Trymedia\data\{911EC7F7-578E-F03A-FBE8-9F85D2EF079F}
C:\Documents and Settings\All Users\Application Data\Trymedia\data\{962C6E61-426F-C967-ADDA-A064DD938BC8}
C:\Documents and Settings\All Users\Application Data\Trymedia\data\{AC38A3C6-91F8-678D-5F1D-F10FEEF37B37}
C:\Documents and Settings\All Users\Application Data\Trymedia\data\{B5DACCC0-B65D-DD28-C7B5-75962F416F86}
C:\Documents and Settings\All Users\Application Data\Trymedia\data\{CA9D510E-A9D0-76F6-1513-C6B0D082F75F}
C:\Documents and Settings\All Users\Application Data\Trymedia\data\{E7C6428B-B80D-9CF0-63BE-8FC5CA754323}
C:\Documents and Settings\default\Application Data\funkitron
C:\Documents and Settings\default\Application Data\funkitron\Poker Superstars II\Poker2.cfg
C:\Documents and Settings\default\Application Data\ntos.exe
C:\Documents and Settings\default\Application Data\PlayFirst
C:\Documents and Settings\default\Application Data\PlayFirst\weddingdash\hiscore.dat
C:\Documents and Settings\default\Application Data\PlayFirst\weddingdash\logfile.txt
C:\Documents and Settings\default\Application Data\PlayFirst\weddingdash\prefs.dat
C:\Documents and Settings\default\Application Data\SpinTop
C:\Documents and Settings\default\Application Data\SpinTop\spintop.ico
C:\Documents and Settings\default\Application Data\wsnpoem
C:\Documents and Settings\default\Application Data\wsnpoem\audio.dll
C:\Documents and Settings\default\Application Data\wsnpoem\video.dll
C:\DUP1.EXE
C:\FOUND.001
C:\FOUND.001\FILE0000.CHK
C:\FOUND.001\FILE0001.CHK
C:\FOUND.002
C:\FOUND.002\FILE0000.CHK
C:\FOUND.002\FILE0001.CHK
C:\FOUND.002\FILE0002.CHK
C:\FOUND.002\FILE0003.CHK
C:\FOUND.002\FILE0004.CHK
C:\FOUND.003
C:\FOUND.003\FILE0000.CHK
C:\FOUND.003\FILE0001.CHK
C:\FOUND.004
C:\FOUND.004\FILE0000.CHK
C:\FOUND.005
C:\FOUND.005\FILE0000.CHK
C:\FOUND.005\FILE0001.CHK
C:\FOUND.006
C:\FOUND.006\FILE0000.CHK
C:\FOUND.007
C:\FOUND.007\FILE0000.CHK
C:\FOUND.007\FILE0001.CHK
C:\FOUND.007\FILE0002.CHK
C:\FOUND.007\FILE0003.CHK
C:\FOUND.007\FILE0004.CHK
C:\FOUND.007\FILE0005.CHK
C:\FOUND.007\FILE0006.CHK
C:\FOUND.007\FILE0007.CHK
C:\FOUND.007\FILE0008.CHK
C:\FOUND.007\FILE0009.CHK
C:\FOUND.007\FILE0010.CHK
C:\FOUND.007\FILE0011.CHK
C:\FOUND.007\FILE0012.CHK
C:\FOUND.007\FILE0013.CHK
C:\FOUND.007\FILE0014.CHK
C:\FOUND.007\FILE0015.CHK
C:\FOUND.007\FILE0016.CHK
C:\FOUND.007\FILE0017.CHK
C:\FOUND.007\FILE0018.CHK
C:\FOUND.007\FILE0019.CHK
C:\FOUND.007\FILE0020.CHK
C:\FOUND.008
C:\FOUND.008\FILE0000.CHK
C:\FOUND.008\FILE0001.CHK
C:\FOUND.008\FILE0002.CHK
C:\FOUND.008\FILE0003.CHK
C:\FOUND.008\FILE0004.CHK
C:\FOUND.008\FILE0005.CHK
C:\FOUND.008\FILE0006.CHK
C:\FOUND.008\FILE0007.CHK
C:\FOUND.008\FILE0008.CHK
C:\FOUND.008\FILE0009.CHK
C:\FOUND.009
C:\FOUND.009\FILE0000.CHK
C:\FOUND.009\FILE0001.CHK
C:\FOUND.009\FILE0002.CHK
C:\FOUND.009\FILE0003.CHK
C:\FOUND.009\FILE0004.CHK
C:\FOUND.009\FILE0005.CHK
C:\FOUND.009\FILE0006.CHK
C:\FOUND.009\FILE0007.CHK
C:\FOUND.009\FILE0008.CHK
C:\FOUND.009\FILE0009.CHK
C:\FOUND.009\FILE0010.CHK
C:\FOUND.009\FILE0011.CHK
C:\FOUND.009\FILE0012.CHK
C:\FOUND.009\FILE0013.CHK
C:\FOUND.009\FILE0014.CHK
C:\FOUND.009\FILE0015.CHK
C:\FOUND.009\FILE0016.CHK
C:\FOUND.009\FILE0017.CHK
C:\FOUND.009\FILE0018.CHK
C:\FOUND.009\FILE0019.CHK
C:\FOUND.009\FILE0020.CHK
C:\FOUND.009\FILE0021.CHK
C:\FOUND.009\FILE0022.CHK
C:\FOUND.009\FILE0023.CHK
C:\FOUND.009\FILE0024.CHK
C:\FOUND.009\FILE0025.CHK
C:\FOUND.009\FILE0026.CHK
C:\FOUND.009\FILE0027.CHK
C:\FOUND.010
C:\FOUND.010\FILE0000.CHK
C:\FOUND.010\FILE0001.CHK
C:\FOUND.010\FILE0002.CHK
C:\FOUND.010\FILE0003.CHK
C:\FOUND.010\FILE0004.CHK
C:\FOUND.010\FILE0005.CHK
C:\FOUND.010\FILE0006.CHK
C:\FOUND.010\FILE0007.CHK
C:\FOUND.010\FILE0008.CHK
C:\FOUND.010\FILE0009.CHK
C:\FOUND.010\FILE0010.CHK
C:\FOUND.011
C:\FOUND.011\FILE0000.CHK
C:\FOUND.011\FILE0001.CHK
C:\FOUND.011\FILE0002.CHK
C:\FOUND.011\FILE0003.CHK
C:\Program Files\Common Files\xing shared
C:\Program Files\Common Files\xing shared\mpeg encode\xmencmp3.dll
C:\Program Files\desktop.ini
C:\Program Files\folder.htt
C:\Program Files\fontparadiseinstaller.exe
C:\Program Files\lfbmp13n.dll
C:\Program Files\Lfcgm13n.dll
C:\Program Files\lfclp13n.dll
C:\Program Files\LFCMP13n.DLL
C:\Program Files\LFCMW13n.dll
C:\Program Files\lfCUT13n.dll
C:\Program Files\lfiff13n.dll
C:\Program Files\lfimg13n.dll
C:\Program Files\LFJ2K13n.dll
C:\Program Files\lfmac13n.dll
C:\Program Files\lfmsp13n.dll
C:\Program Files\lfpcd13n.dll
C:\Program Files\Lfpct13n.dll
C:\Program Files\lfpcx13n.dll
C:\Program Files\Lfpng13n.dll
C:\Program Files\lfpsd13n.dll
C:\Program Files\lftif13n.dll
C:\Program Files\Lfwmf13n.dll
C:\Program Files\LTDIS13n.dll
C:\Program Files\ltefx13n.dll
C:\Program Files\ltfil13n.DLL
C:\Program Files\ltimg13n.dll
C:\Program Files\ltkrn13n.dll
C:\Program Files\rebel software
C:\Program Files\rebel software\zap\downloads\bindys32.exe
C:\Program Files\rebel software\zap\downloads\rebel14c.exe
C:\Program Files\rebel software\zap\incomplete\bindys.zap.log
C:\Program Files\rebel software\zap\incomplete\rebel1406c.zap.log
C:\Program Files\rebel software\zap\zap.exe
C:\Program Files\rebel software\zap\Zap.log
C:\Program Files\SpyAway
C:\Program Files\SpyAway\stat.bin
C:\Program Files\SpyAway\uninstall.exe
C:\Program Files\SpyAway\uninstall.log
C:\Program Files\Strip Poker Live
C:\Program Files\Strip Poker Live\CamSettings.exe
C:\Program Files\Strip Poker Live\Cards\101.gif
C:\Program Files\Strip Poker Live\Cards\102.gif
C:\Program Files\Strip Poker Live\Cards\103.gif
C:\Program Files\Strip Poker Live\Cards\104.gif
C:\Program Files\Strip Poker Live\Cards\11.gif
C:\Program Files\Strip Poker Live\Cards\111.gif
C:\Program Files\Strip Poker Live\Cards\112.gif
C:\Program Files\Strip Poker Live\Cards\113.gif
C:\Program Files\Strip Poker Live\Cards\114.gif
C:\Program Files\Strip Poker Live\Cards\12.gif
C:\Program Files\Strip Poker Live\Cards\121.gif
C:\Program Files\Strip Poker Live\Cards\122.gif
C:\Program Files\Strip Poker Live\Cards\123.gif
C:\Program Files\Strip Poker Live\Cards\124.gif
C:\Program Files\Strip Poker Live\Cards\13.gif
C:\Program Files\Strip Poker Live\Cards\131.gif
C:\Program Files\Strip Poker Live\Cards\132.gif
C:\Program Files\Strip Poker Live\Cards\133.gif
C:\Program Files\Strip Poker Live\Cards\134.gif
C:\Program Files\Strip Poker Live\Cards\14.gif
C:\Program Files\Strip Poker Live\Cards\21.gif
C:\Program Files\Strip Poker Live\Cards\22.gif
C:\Program Files\Strip Poker Live\Cards\23.gif
C:\Program Files\Strip Poker Live\Cards\24.gif
C:\Program Files\Strip Poker Live\Cards\31.gif
C:\Program Files\Strip Poker Live\Cards\32.gif
C:\Program Files\Strip Poker Live\Cards\33.gif
C:\Program Files\Strip Poker Live\Cards\34.gif
C:\Program Files\Strip Poker Live\Cards\41.gif
C:\Program Files\Strip Poker Live\Cards\42.gif
C:\Program Files\Strip Poker Live\Cards\43.gif
C:\Program Files\Strip Poker Live\Cards\44.gif
C:\Program Files\Strip Poker Live\Cards\51.gif
C:\Program Files\Strip Poker Live\Cards\52.gif
C:\Program Files\Strip Poker Live\Cards\53.gif
C:\Program Files\Strip Poker Live\Cards\54.gif
C:\Program Files\Strip Poker Live\Cards\61.gif
C:\Program Files\Strip Poker Live\Cards\62.gif
C:\Program Files\Strip Poker Live\Cards\63.gif
C:\Program Files\Strip Poker Live\Cards\64.gif
C:\Program Files\Strip Poker Live\Cards\71.gif
C:\Program Files\Strip Poker Live\Cards\72.gif
C:\Program Files\Strip Poker Live\Cards\73.gif
C:\Program Files\Strip Poker Live\Cards\74.gif
C:\Program Files\Strip Poker Live\Cards\81.gif
C:\Program Files\Strip Poker Live\Cards\82.gif
C:\Program Files\Strip Poker Live\Cards\83.gif
C:\Program Files\Strip Poker Live\Cards\84.gif
C:\Program Files\Strip Poker Live\Cards\91.gif
C:\Program Files\Strip Poker Live\Cards\92.gif
C:\Program Files\Strip Poker Live\Cards\93.gif
C:\Program Files\Strip Poker Live\Cards\94.gif
C:\Program Files\Strip Poker Live\Cards\b.gif
C:\Program Files\Strip Poker Live\Log.txt
C:\Program Files\Strip Poker Live\Res\COMDLG32.OCX
C:\Program Files\Strip Poker Live\Res\ezVidC60.ocx
C:\Program Files\Strip Poker Live\Res\FileRegister.bat
C:\Program Files\Strip Poker Live\Res\ijl11.dll
C:\Program Files\Strip Poker Live\Res\MSADODC.OCX
C:\Program Files\Strip Poker Live\Res\MSCHRT20.OCX
C:\Program Files\Strip Poker Live\Res\mscomctl.ocx
C:\Program Files\Strip Poker Live\Res\MSCOMM32.OCX
C:\Program Files\Strip Poker Live\Res\MSDATGRD.OCX
C:\Program Files\Strip Poker Live\Res\MSDATLST.OCX
C:\Program Files\Strip Poker Live\Res\MSFLXGRD.OCX
C:\Program Files\Strip Poker Live\Res\MSINET.OCX
C:\Program Files\Strip Poker Live\Res\MSMAPI32.OCX
C:\Program Files\Strip Poker Live\Res\MSMASK32.OCX
C:\Program Files\Strip Poker Live\Res\MSWINSCK.OCX
C:\Program Files\Strip Poker Live\Res\PicFormat32.ocx
C:\Program Files\Strip Poker Live\Res\RichTx32.ocx
C:\Program Files\Strip Poker Live\SPLoader.exe
C:\Program Files\Strip Poker Live\Spoker.exe
C:\Program Files\Strip Poker Live\Spoker.exe.Manifest
C:\Program Files\Strip Poker Live\Spoker.pdb
C:\Program Files\Strip Poker Live\Strip Poker Live! - Amateur Strip Poker.url
C:\Program Files\Strip Poker Live\TIPOFDAY.TXT
C:\Program Files\Video Strip Poker
C:\Program Files\Video Strip Poker\a_temp.wma
C:\Program Files\Video Strip Poker\msvbvm60.dll
C:\Program Files\Video Strip Poker\uninstall.exe
Infected
10-13-2007, 09:40 PM
C:\Program Files\Video Strip Poker\v_temp.wmv
C:\Program Files\Video Strip Poker\VideoStripPoker.exe
C:\sysptgl.exe
C:\WINDOWS\764.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\7search.dll
C:\WINDOWS\aconti.exe
C:\WINDOWS\aconti.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\daxtime.dll
C:\WINDOWS\dp0.dll
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\iun6002.exe
C:\WINDOWS\jd2002.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\SYSTEM32\ace16win.dll
C:\WINDOWS\SYSTEM32\acespy
C:\WINDOWS\SYSTEM32\acespy\__acelog.ndx
C:\WINDOWS\SYSTEM32\acespy\systune.exe
C:\WINDOWS\SYSTEM32\Cuteqq_Cn.exe
C:\WINDOWS\system32\drivers\15A2AA57-65E5-4DC6-88D0-E6204FF3414C.cxv
C:\WINDOWS\system32\drivers\4_stars.gif
C:\WINDOWS\system32\drivers\4_stars.gif
C:\WINDOWS\system32\drivers\5_stars.gif
C:\WINDOWS\system32\drivers\5_stars.gif
C:\WINDOWS\system32\drivers\arrow.gif
C:\WINDOWS\system32\drivers\arrow.gif
C:\WINDOWS\system32\drivers\buy_btn.gif
C:\WINDOWS\system32\drivers\buy_btn.gif
C:\WINDOWS\system32\drivers\download_btn.gif
C:\WINDOWS\system32\drivers\download_btn.gif
C:\WINDOWS\system32\drivers\features.gif
C:\WINDOWS\system32\drivers\features.gif
C:\WINDOWS\system32\drivers\logo_bg.gif
C:\WINDOWS\system32\drivers\logo_bg.gif
C:\WINDOWS\system32\drivers\protect.gif
C:\WINDOWS\system32\drivers\protect.gif
C:\WINDOWS\system32\drivers\spy_away_box_small.jpg
C:\WINDOWS\system32\drivers\spy_away_box_small.jpg
C:\WINDOWS\system32\drivers\spy_away_header.gif
C:\WINDOWS\system32\drivers\spy_away_header.gif
C:\WINDOWS\system32\drivers\users_rating.gif
C:\WINDOWS\system32\drivers\users_rating.gif
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\SYSTEM32\ESHOPEE.exe
C:\WINDOWS\SYSTEM32\faxwin32.bin
C:\WINDOWS\SYSTEM32\g82.exe
C:\WINDOWS\SYSTEM32\gtv_sd.bin
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\SYSTEM32\ld.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\SYSTEM32\msole32.exe
C:\WINDOWS\SYSTEM32\qiawpbjj.dll
C:\WINDOWS\SYSTEM32\SpoonUninstall-SPSetup.dat
C:\WINDOWS\SYSTEM32\SpoonUninstall.exe
C:\WINDOWS\SYSTEM32\stfv.bin
C:\WINDOWS\SYSTEM32\VCCLSID.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\SYSTEM32\vxddsk.exe
C:\WINDOWS\SYSTEM32\wml.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe
C:\WINDOWS\xxxvideo.exe
Infected
10-13-2007, 09:41 PM
.
((((((((((((((((((((((((( Files Created from 2007-09-14 to 2007-10-14 )))))))))))))))))))))))))))))))
.
2007-10-10 12:04 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-10-10 12:04 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-10-10 12:04 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-10-10 12:04 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2007-10-10 00:26 1,368 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-10-09 13:44 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-08 19:21 <DIR> d--hs---- C:\WINDOWS\SYSTEM32\wsnpoem
2007-10-08 17:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-08 17:35 <DIR> d-------- C:\Program Files\McAfee
2007-10-08 17:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-10-08 17:34 <DIR> d-------- C:\Program Files\McAfee.com
2007-10-08 17:34 349,760 --a------ C:\WINDOWS\SYSTEM32\mcinsctl.dll
2007-10-08 17:34 288,320 --a------ C:\WINDOWS\SYSTEM32\mcgdmgr.dll
2007-10-08 15:24 <DIR> d-------- C:\Program Files\STOPzilla!
2007-10-08 15:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2007-10-08 01:00 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-08 01:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-08 00:58 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-22 02:33 <DIR> d-------- C:\Program Files\Common Files\Real
2007-09-20 23:28 1,156 --a------ C:\WINDOWS\mozver.dat
2007-09-20 22:37 0 --a------ C:\WINDOWS\nsreg.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-07 10:39 841 ----a-w C:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif
2007-10-07 10:39 579 ----a-w C:\WINDOWS\system32\drivers\spy_away_header_small.gif
2007-10-07 10:39 4,557 ----a-w C:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg
2007-10-07 10:39 1,804 ----a-w C:\WINDOWS\system32\drivers\perfect_cleaner_header.gif
2002-05-27 12:08 707,072 ----a-w C:\Program Files\ws_ftple.exe
2002-05-27 07:36 766,405 ----a-w C:\Program Files\NAV80TRY.EXE
2000-05-01 18:17 212,480 ----a-w C:\Program Files\PCDLIB32.DLL
1999-11-18 13:00 284,032 ----a-w C:\Program Files\XceedZip.dll
.
((((((((((((((((((((((((((((( snapshot@2007-10-09_14.19.00.38 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-09 04:14:00 1,048,576 ---ha-w C:\WINDOWS\Application Data\Microsoft\Windows\UsrClass.dat
+ 2007-10-14 01:28:14 1,048,576 ---ha-w C:\WINDOWS\Application Data\Microsoft\Windows\UsrClass.dat
- 2007-10-09 04:16:14 16,384 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
+ 2007-10-14 01:29:22 16,384 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
- 2007-10-09 04:16:14 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-10-14 01:29:22 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-10-09 04:16:14 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-10-14 01:29:24 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-11-29 07:21:30 370,688 ----a-w C:\WINDOWS\SYSTEM32\swsc.exe
+ 2006-01-09 00:36:06 40,960 ----a-w C:\WINDOWS\SYSTEM32\swsc.exe
- 2006-11-30 19:20:32 212,480 ----a-w C:\WINDOWS\SYSTEM32\swxcacls.exe
+ 2006-11-30 20:20:34 79,360 ----a-w C:\WINDOWS\SYSTEM32\swxcacls.exe
+ 2007-10-14 01:02:36 7,217 ----a-w C:\WINDOWS\SYSTEM32\wsnpoem\video.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"Synchronization Manager"="mobsync.exe" [2001-08-23 12:00 C:\WINDOWS\SYSTEM32\mobsync.exe]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-11-15 00:51]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-22 02:33]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-07-01 19:22]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 14:26]
"_AntiSpyware"="c:\progra~1\mcafee\MCAFEE~1\masalert.exe" [2005-07-30 02:10]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-27 16:13]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-23 12:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-07 15:04]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 18:11]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=
"tscuninstall"=
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Network Device Switch.lnk - C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe [2001-05-18 20:28:12]
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2002-12-13 13:15:10]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"
R3 TOSHIBASoftModem;Toshiba Soft Modem;C:\WINDOWS\System32\DRIVERS\LTSMT.sys
R3 trid3d;trid3d;C:\WINDOWS\System32\DRIVERS\trid3dm.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-06 04:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2007-10-09 06:28:28 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
"2007-10-14 01:24:34 C:\WINDOWS\Tasks\Symantec NetDetect.job"
"2007-10-08 07:37:34 C:\WINDOWS\Tasks\McAfee AntiSpyware.job"
- c:\progra~1\mcafee\MCAFEE~1\MASCon.exe
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-14 11:30:05
Windows 5.1.2600 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-14 11:33:39 - machine was rebooted
C:\ComboFix3.txt ... 2007-10-09 14:21
C:\ComboFix2.txt ... 2007-10-10 12:50
C:\ComboFix-quarantined-files.txt ... 2007-10-10 12:50
.
--- E O F ---
Infected
10-13-2007, 09:41 PM
And that's it.
classicsoftware
10-14-2007, 09:10 AM
What do you mean you don't have your desktop?
Are you still getting pop-ups?
How is the system running?
Can you give me a fresh HJT log?
Infected
10-14-2007, 10:56 AM
The desktop is still black with the big warning (as the computer starts up it is blue even though it's meant to be a photo, then as it fully loads up it switches to black). I haven't noticed the pop-ups for a while, but I haven't been able to be on the computer for very long at a time. The system seems to be running at normal speed, which has always been sluggish. I will post the HJT log momentarily... Oh, and I have Task Manager back, so things are definitely looking up :).
Infected
10-14-2007, 10:57 AM
HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 12:57:12 AM, on 15/10/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\alg.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Hijackthis\HijackThis.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar3.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm080YYAU
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt5_x.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Poker Superstars II\Images\stg_drm.ocx
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Poker Superstars II\Images\armhelper.ocx
O16 - DPF: {E72CFC93-BAE3-8D60-85D1-129993AAC8B9} (UImageUploader Class) - http://www.perfspot.com/u/UImageUploaderXP.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
classicsoftware
10-14-2007, 12:00 PM
Open HijackThis and place a check next to:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
Close all open program and browser windows except for HijackThis and click Fix checked.
If this fails, it may be that McAfee AntiSpyware is preventing the fixes from working and we may have to disable this feature.
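The check the helper is doing by eye above, written out as an added example that is not part of this thread: a Userinit value that launches anything besides userinit.exe runs that program at every logon, and O2/O3 entries ending in "(no file)" or "(file missing)" are orphaned registrations left behind by removed components. The sample log lines are constructed from the HJT log posted above (a handful of lines, not the whole log), and the function names are my own, not HijackThis's.

```python
"""Flag HijackThis (HJT) log entries that a helper would ask the user to fix."""
import re
from typing import List, Tuple

# Constructed sample, modelled on the HJT log posted above (not the full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar3.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
"""

# HJT reports the Winlogon Userinit value as an F2 line.
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.IGNORECASE)
# HJT appends one of these when the registered file is not on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# The only program that belongs in Userinit on a stock Windows XP box.
EXPECTED_USERINIT = "userinit.exe"


def userinit_extras(value: str) -> List[str]:
    """Return every program in a Userinit value other than the stock userinit.exe.

    A clean XP value is 'C:\\WINDOWS\\system32\\userinit.exe,' (the trailing
    comma is normal). Each comma-separated entry after it is started by
    Winlogon at every interactive logon, which is why a foreign path here is
    worth fixing even when nothing else in the log looks wrong.
    """
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        basename = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename != EXPECTED_USERINIT:
            extras.append(entry)
    return extras


def flag_lines(log: str) -> List[Tuple[str, str]]:
    """Walk an HJT log and return (kind, line) for each entry worth ticking.

    Kinds: 'userinit-extra' for an F2 line carrying a foreign program,
    'orphan-bho' for an O2 entry with no file, 'orphan-toolbar' for an O3
    entry with a missing file. Entries whose file exists are left alone;
    deciding whether those are legitimate needs a human.
    """
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = USERINIT_RE.match(line)
        if m:
            if userinit_extras(m.group(1)):
                findings.append(("userinit-extra", line))
            continue
        if line.startswith("O2 - BHO:") and line.endswith(ORPHAN_MARKERS):
            findings.append(("orphan-bho", line))
        elif line.startswith("O3 - Toolbar:") and line.endswith(ORPHAN_MARKERS):
            findings.append(("orphan-toolbar", line))
    return findings


if __name__ == "__main__":
    for kind, line in flag_lines(SAMPLE_LOG):
        print(f"{kind:16} {line}")
```

Paste a full HJT log into SAMPLE_LOG (or read it from a file) to get the same list the helper typed out by hand; the two Windows Live and Google entries are deliberately not flagged because their files exist.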
Infected
10-14-2007, 09:32 PM
OK, I have done that and restarted; I still have the desktop problem, but that appears to be it. Should I disable the McAfee so I can rerun one of the programs you've given me, and then re-enable it, or disable it permanently?
classicsoftware
10-15-2007, 07:24 AM
I need to see the log....
Infected
10-15-2007, 09:39 AM
I assume you mean HJT?
Logfile of HijackThis v1.99.1
Scan saved at 11:38:58 PM, on 15/10/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\alg.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm080YYAU
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt5_x.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Poker Superstars II\Images\stg_drm.ocx
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Poker Superstars II\Images\armhelper.ocx
O16 - DPF: {E72CFC93-BAE3-8D60-85D1-129993AAC8B9} (UImageUploader Class) - http://www.perfspot.com/u/UImageUploaderXP.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
classicsoftware
10-16-2007, 12:10 AM
The log is looking better. The BHOs are all gone and the only thing left is:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
Follow these steps:
1) Create the CFscript file again with only this:
File::
C:\WINDOWS\System32\ntos.exe
2) Open Hijackthis and fix the following:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
DO NOT Re-boot
3) Go to Start -> Search and search for System.ini. Right-click it, choose Open, and remove the line with NTOS in it.
4) Run the Combofix by dragging the file onto the Icon.
Re-boot and give me:
1) The combofix log
2) A new HJT log
3) How the system is running.
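The Userinit line classicsoftware points at is a Winlogon persistence point: every comma-separated entry after userinit.exe in that value is started at each logon, and fixing the registry line while the file itself is still present does not stop it from being restored, which is why the instructions delete the file with ComboFix as well. The check below is an added example, not a tool from the thread: it parses HijackThis log lines for a Userinit value with extra entries and for orphaned O2/O3 entries like the "(no file)" ones fixed earlier; the sample lines are constructed from the logs posted here, and the live registry read is only attempted on Windows.

```python
import re
import sys

# Default Winlogon Userinit value on Windows XP is <system root>\system32\userinit.exe;
# the system root defaults to C:\WINDOWS as in the thread's logs.
USERINIT_NAME = r"\system32\userinit.exe"

# HijackThis reports the Winlogon Userinit value as an F2 line.
F2_USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.IGNORECASE)

# HJT marks O2/O3 entries whose target file is gone with one of these suffixes.
ORPHAN_RE = re.compile(r"\((no file|file missing)\)\s*$", re.IGNORECASE)


def split_userinit(value):
    """Split a comma-separated Userinit value into path entries, dropping empties.

    A trailing comma is normal ('userinit.exe,'), so the empty last field is ignored.
    """
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def unexpected_userinit_entries(value, system_root=r"C:\WINDOWS"):
    """Return every Userinit entry that is not the default userinit.exe.

    Anything extra here is launched by Winlogon at every logon, which is how
    the ntos.exe entry in the thread survived the earlier clean-up attempts.
    """
    default = (system_root + USERINIT_NAME).lower()
    return [p for p in split_userinit(value) if p.lower() != default]


def scan_hjt_log(lines):
    """Scan HijackThis log lines and return findings as a dict.

    'userinit' lists (line_no, extra_entries) for F2 lines with unexpected entries;
    'orphans' lists (line_no, text) for O2/O3 entries whose file is missing.
    """
    findings = {"userinit": [], "orphans": []}
    for line_no, raw in enumerate(lines, 1):
        line = raw.strip()
        m = F2_USERINIT_RE.match(line)
        if m:
            extra = unexpected_userinit_entries(m.group("value"))
            if extra:
                findings["userinit"].append((line_no, extra))
        elif line.startswith(("O2 - BHO:", "O3 - Toolbar:")) and ORPHAN_RE.search(line):
            findings["orphans"].append((line_no, line))
    return findings


def read_live_userinit():
    """On Windows, read the live Userinit value from the registry; elsewhere return None."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _type = winreg.QueryValueEx(key, "Userinit")
    return value


# Constructed sample assembled from lines posted in the thread.
SAMPLE_LOG_LINES = [
    "Logfile of HijackThis v1.99.1",
    "Running processes:",
    r"C:\WINDOWS\System32\smss.exe",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,",
    r"O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)",
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar3.dll",
    r"O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)",
]

if __name__ == "__main__":
    result = scan_hjt_log(SAMPLE_LOG_LINES)
    for line_no, extra in result["userinit"]:
        print(f"line {line_no}: unexpected Userinit entries: {extra}")
    for line_no, text in result["orphans"]:
        print(f"line {line_no}: orphaned entry: {text}")
    live = read_live_userinit()
    if live is not None:
        print("live Userinit value:", live, "->", unexpected_userinit_entries(live) or "clean")
```

A clean post-fix log gives an empty "userinit" list, which is the quick way to confirm the F2 line has not come back after a reboot.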
Infected
10-17-2007, 11:26 AM
OK, I tried to do what you said, but I couldn't find the line of code to remove in the System.ini (by the way, the search came up with 56 files, most of which appeared to be backups of some kind. I looked in the one spelt the same way - uppercase S and the rest lowercase - then looked in any others that had the Open option on right-click...). So I don't think it made any difference (it certainly hasn't appeared to, and the file I fixed with HJT is back). It's very late though, so maybe I just didn't see it... Here are the logs anyway.
Logfile of HijackThis v1.99.1
Scan saved at 1:16:41 AM, on 18/10/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\alg.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Hijackthis\HijackThis.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm080YYAU
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt5_x.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Poker Superstars II\Images\stg_drm.ocx
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Poker Superstars II\Images\armhelper.ocx
O16 - DPF: {E72CFC93-BAE3-8D60-85D1-129993AAC8B9} (UImageUploader Class) - http://www.perfspot.com/u/UImageUploaderXP.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
Infected
10-17-2007, 11:27 AM
ComboFix 07-10-17.8 - default 2007-10-18 0:56:50.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.263 [GMT 10:00]
Running from: C:\Documents and Settings\default\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\default\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg
C:\WINDOWS\system32\drivers\perfect_cleaner_header.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif
C:\WINDOWS\system32\drivers\spy_away_header_small.gif
.
((((((((((((((((((((((((( Files Created from 2007-09-17 to 2007-10-17 )))))))))))))))))))))))))))))))
.
2007-10-10 12:04 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-10-10 12:04 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-10-10 12:04 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-10-10 12:04 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2007-10-10 00:26 1,368 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-10-09 13:44 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-08 17:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-08 17:35 <DIR> d-------- C:\Program Files\McAfee
2007-10-08 17:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-10-08 17:34 <DIR> d-------- C:\Program Files\McAfee.com
2007-10-08 17:34 349,760 --a------ C:\WINDOWS\SYSTEM32\mcinsctl.dll
2007-10-08 17:34 288,320 --a------ C:\WINDOWS\SYSTEM32\mcgdmgr.dll
2007-10-08 15:24 <DIR> d-------- C:\Program Files\STOPzilla!
2007-10-08 15:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2007-10-08 01:00 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-08 01:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-08 00:58 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-22 02:33 <DIR> d-------- C:\Program Files\Common Files\Real
2007-09-20 23:28 1,156 --a------ C:\WINDOWS\mozver.dat
2007-09-20 22:37 0 --a------ C:\WINDOWS\nsreg.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2002-05-27 12:08 707,072 ----a-w C:\Program Files\ws_ftple.exe
2002-05-27 07:36 766,405 ----a-w C:\Program Files\NAV80TRY.EXE
2000-05-01 18:17 212,480 ----a-w C:\Program Files\PCDLIB32.DLL
1999-11-18 13:00 284,032 ----a-w C:\Program Files\XceedZip.dll
.
((((((((((((((((((((((((((((( snapshot@2007-10-09_14.19.00.38 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-09 04:14:00 1,048,576 ---ha-w C:\WINDOWS\Application Data\Microsoft\Windows\UsrClass.dat
+ 2007-10-16 03:11:04 1,048,576 ---ha-w C:\WINDOWS\Application Data\Microsoft\Windows\UsrClass.dat
+ 2007-03-13 00:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
- 2007-10-09 04:16:14 16,384 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
+ 2007-10-17 14:29:42 16,384 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
- 2007-10-09 04:16:14 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-10-17 14:29:42 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-10-09 04:16:14 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-10-17 14:29:42 49,152 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-11-29 07:21:30 370,688 ----a-w C:\WINDOWS\SYSTEM32\swsc.exe
+ 2006-01-09 00:36:06 40,960 ----a-w C:\WINDOWS\SYSTEM32\swsc.exe
- 2006-11-30 19:20:32 212,480 ----a-w C:\WINDOWS\SYSTEM32\swxcacls.exe
+ 2006-11-30 20:20:34 79,360 ----a-w C:\WINDOWS\SYSTEM32\swxcacls.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2001-08-23 12:00 C:\WINDOWS\SYSTEM32\mobsync.exe]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-11-15 00:51]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-22 02:33]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-07-01 19:22]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 14:26]
"_AntiSpyware"="c:\progra~1\mcafee\MCAFEE~1\masalert.exe" [2005-07-30 02:10]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-27 16:13]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-23 12:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-07 15:04]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 18:11]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=
"tscuninstall"=
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Network Device Switch.lnk - C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe [2001-05-18 20:28:12]
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2002-12-13 13:15:10]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"
R3 TOSHIBASoftModem;Toshiba Soft Modem;C:\WINDOWS\System32\DRIVERS\LTSMT.sys
R3 trid3d;trid3d;C:\WINDOWS\System32\DRIVERS\trid3dm.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-06 04:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2007-10-09 06:28:28 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
"2007-10-17 14:29:56 C:\WINDOWS\Tasks\Symantec NetDetect.job"
"2007-10-08 07:37:34 C:\WINDOWS\Tasks\McAfee AntiSpyware.job"
- c:\progra~1\mcafee\MCAFEE~1\MASCon.exe
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-18 01:07:31
Windows 5.1.2600 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\ntos.exe 278528 bytes
C:\WINDOWS\system32\wsnpoem
scan completed successfully
hidden files: 2
**************************************************************************
.
Completion time: 2007-10-18 1:10:24
C:\ComboFix3.txt ... 2007-10-10 12:50
C:\ComboFix-quarantined-files.txt ... 2007-10-10 12:50
C:\ComboFix2.txt ... 2007-10-14 11:33
.
--- E O F ---
Infected
10-17-2007, 11:28 AM
So, do you think I should follow your last instructions again and just try to find the right bit?
classicsoftware
10-17-2007, 10:21 PM
Where is the Combofix log????
Infected
10-18-2007, 12:14 PM
Umm, above? Post 51... Have I posted the wrong thing?
Budfred
10-20-2007, 08:03 AM
classicsoftware asked me to step in because he won't be around today... Please do this:
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
Just before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the Registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the Desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your Desktop icons.
Finally open the SDFix folder on your Desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.
Infected
10-21-2007, 09:58 PM
Hi, the desktop is still displaying the warning, still black. Again, I thought it was going to be normal, but it changed just as the icons appear.
Here is the SD Fix log:
SDFix: Version 1.110
Run by default on Mon 22/10/2007 at 11:35 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Trojan Files Found:
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted
C:\WINDOWS\system32\ntos.exe - Deleted
Folder C:\WINDOWS\system32\wsnpoem - Removed
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
Remaining Files:
---------------
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes:
Wed 4 Apr 2001 129,078 ..SH. --- "C:\LOGO.SYS"
Sun 4 Nov 2001 194 ..SH. --- "C:\AUTOEXEC.BAK"
Thu 7 Dec 2006 4,348 ..SH. --- "C:\WINDOWS\DRM\DRMv1.bak"
Thu 8 Jun 2000 118,784 A.SHR --- "C:\WINDOWS\COMMAND\EBD\WINBOOT.SYS"
Mon 14 Mar 2005 299,008 A..H. --- "C:\Program Files\Canon\MP Navigator 2.0\Maint.exe"
Mon 28 Feb 2005 61,440 A..H. --- "C:\Program Files\Canon\MP Navigator 2.0\uinstrsc.dll"
Wed 21 Feb 2007 20 A..H. --- "C:\My Documents\My Music\License Backup\drmv1lic.bak"
Thu 7 Dec 2006 4,348 ...H. --- "C:\My Documents\My Music\License Backup\drmv1key.bak"
Wed 21 Feb 2007 9,654 A.SH. --- "C:\My Documents\My Music\License Backup\drmv2key.bak"
Fri 13 Dec 2002 27,136 ...H. --- "C:\Documents and Settings\default\Application Data\Microsoft\Templates\~WRL3563.tmp"
Thu 17 Apr 2003 29,696 ...H. --- "C:\Documents and Settings\default\Application Data\Microsoft\Word\~WRL3556.tmp"
Thu 17 Apr 2003 31,232 ...H. --- "C:\Documents and Settings\default\Application Data\Microsoft\Word\~WRL0806.tmp"
Mon 26 Jun 2006 20,480 ...H. --- "C:\Documents and Settings\default\Application Data\Microsoft\Word\~WRL2017.tmp"
Thu 30 Jun 2005 23,040 ...H. --- "C:\Documents and Settings\default\Application Data\Microsoft\Word\~WRL0622.tmp"
Finished!
Infected
10-21-2007, 09:59 PM
HiJack This
Logfile of HijackThis v1.99.1
Scan saved at 11:58:28 AM, on 22/10/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm080YYAU
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt5_x.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Poker Superstars II\Images\stg_drm.ocx
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Poker Superstars II\Images\armhelper.ocx
O16 - DPF: {E72CFC93-BAE3-8D60-85D1-129993AAC8B9} (UImageUploader Class) - http://www.perfspot.com/u/UImageUploaderXP.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
Infected
10-21-2007, 10:10 PM
(And because it's always asked for, here's the ComboFix log...)
ComboFix 07-10-20.6 - default 2007-10-22 12:02:50.5 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.279 [GMT 10:00]
Running from: C:\Documents and Settings\default\Desktop\ComboFix(2).exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
.
((((((((((((((((((((((((( Files Created from 2007-09-22 to 2007-10-22 )))))))))))))))))))))))))))))))
.
2007-10-22 11:34 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-10 12:04 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-10-10 12:04 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-10-10 12:04 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-10-10 12:04 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2007-10-10 00:26 1,368 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-10-09 13:44 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-08 17:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-08 17:35 <DIR> d-------- C:\Program Files\McAfee
2007-10-08 17:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-10-08 17:34 <DIR> d-------- C:\Program Files\McAfee.com
2007-10-08 17:34 349,760 --a------ C:\WINDOWS\SYSTEM32\mcinsctl.dll
2007-10-08 17:34 288,320 --a------ C:\WINDOWS\SYSTEM32\mcgdmgr.dll
2007-10-08 15:24 <DIR> d-------- C:\Program Files\STOPzilla!
2007-10-08 15:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2007-10-08 01:00 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-08 01:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-08 00:58 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-22 02:33 <DIR> d-------- C:\Program Files\Common Files\Real
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2002-05-27 12:08 707,072 ----a-w C:\Program Files\ws_ftple.exe
2002-05-27 07:36 766,405 ----a-w C:\Program Files\NAV80TRY.EXE
2000-05-01 18:17 212,480 ----a-w C:\Program Files\PCDLIB32.DLL
1999-11-18 13:00 284,032 ----a-w C:\Program Files\XceedZip.dll
.
((((((((((((((((((((((((((((( snapshot@2007-10-09_14.19.00.38 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-09 04:14:00 1,048,576 ---ha-w C:\WINDOWS\Application Data\Microsoft\Windows\UsrClass.dat
+ 2007-10-22 01:50:14 1,048,576 ---ha-w C:\WINDOWS\Application Data\Microsoft\Windows\UsrClass.dat
- 2007-09-27 23:06:10 135,168 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-19 20:03:32 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-03-13 00:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
+ 2007-10-20 16:57:58 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-10-22 01:34:32 6,070,272 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2007-10-22 01:34:32 860,160 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-10-20 16:57:58 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-10-22 01:34:16 6,070,272 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2007-10-22 01:34:16 860,160 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2007-10-09 04:16:14 16,384 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
+ 2007-10-22 01:30:52 16,384 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
- 2007-10-09 04:16:14 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-10-22 01:30:52 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-10-09 04:16:14 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-10-22 01:30:52 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-11-29 07:21:30 370,688 ----a-w C:\WINDOWS\SYSTEM32\swsc.exe
+ 2006-01-09 00:36:06 40,960 ----a-w C:\WINDOWS\SYSTEM32\swsc.exe
- 2006-11-30 19:20:32 212,480 ----a-w C:\WINDOWS\SYSTEM32\swxcacls.exe
+ 2006-11-30 20:20:34 79,360 ----a-w C:\WINDOWS\SYSTEM32\swxcacls.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2001-08-23 12:00 C:\WINDOWS\SYSTEM32\mobsync.exe]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-11-15 00:51]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-22 02:33]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-07-01 19:22]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 14:26]
"_AntiSpyware"="c:\progra~1\mcafee\MCAFEE~1\masalert.exe" [2005-07-30 02:10]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-27 16:13]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-23 12:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-07 15:04]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 18:11]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=
"tscuninstall"=
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Network Device Switch.lnk - C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe [2001-05-18 20:28:12]
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2002-12-13 13:15:10]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"
R3 TOSHIBASoftModem;Toshiba Soft Modem;C:\WINDOWS\System32\DRIVERS\LTSMT.sys
R3 trid3d;trid3d;C:\WINDOWS\System32\DRIVERS\trid3dm.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-06 04:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2007-10-09 06:28:28 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
"2007-10-21 10:29:30 C:\WINDOWS\Tasks\Symantec NetDetect.job"
"2007-10-08 07:37:34 C:\WINDOWS\Tasks\McAfee AntiSpyware.job"
- c:\progra~1\mcafee\MCAFEE~1\MASCon.exe
.
************************************************************************
catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-22 12:07:23
Windows 5.1.2600 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************************************
.
Completion time: 2007-10-22 12:08:14
C:\ComboFix2.txt ... 2007-10-18 01:10
C:\ComboFix-quarantined-files.txt ... 2007-10-10 12:50
C:\ComboFix3.txt ... 2007-10-14 11:33
.
--- E O F ---
Budfred
10-21-2007, 11:51 PM
Actually, I wasn't planning to ask for the ComboFix log... I will ask for a couple of others however... You will need to use IE for the first one:
* Click here (http://support.f-secure.com/enu/home/ols.shtml) to use the F-Secure Online Scanner
Then click the Start Scanning button below.
You should get a notification (bar on top) to install the ActiveX. Click on it and select to install the ActiveX.
Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
In case you are having problems with installing the ActiveX/starting the scan, please read here (http://support.f-secure.com/enu/home/ols-faq.shtml).
Click the Full System Scan button.
It will start to download scanner components and databases. This can take a while.
The main scan will start.
Once the scan has finished, click the Automatic cleaning (recommended) button.
It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
The cleaning can take a while, so please be patient.
Then click the Show report button and copy and paste what's present under results in your next reply.
and then....
Please run Option 2 of SmitfraudFix again and post that log...
Please post the logs in as many posts as needed...
Infected
10-22-2007, 04:45 AM
Just before I do that, is it OK if I use Firefox instead of IE? Only I think IE is part of the problem and haven't used it since...
Budfred
10-22-2007, 07:12 AM
You can use Firefox if you wish, but it won't work... F-Secure only works with IE... I wouldn't have said you need to use IE if that was not true...
Infected
10-22-2007, 09:08 AM
Sorry, I didn't mean to offend; it's just that most people seem to assume that IE is the only browser I know (yes, I really am a technobimbo) and automatically tell me that I need to use IE, meaning an internet browser. I thought you probably meant IE because it was necessary, but wanted to check just in case.
Infected
10-27-2007, 10:09 AM
Scanning Report
Saturday, October 27, 2007 10:48:17 - 15:34:23
Computer name: BARBAROONIE
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
--------------------------------------------------------------------------------
Result: 256 malware found
Backdoor.Win32.Hupigon.ffn (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP236\A0066188.EXE (Renamed & Submitted)
Backdoor.Win32.VB.bnb (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP236\A0066219.EXE (Renamed)
Text/Deskbar.A (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP229\A0063766.BAT (Submitted)
Tracking Cookie (spyware)
System (Disinfected)
System (Disinfected)
System
Trojan-Downloader.Win32.Adload.gt (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP235\A0065729.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Alphabet.gen (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP235\A0065732.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Small.cyh (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP235\A0065726.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Small.elj (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP236\A0066217.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.VB.anb (virus)
C:\SYSIF.EXE (Renamed & Submitted)
C:\VIPTEST.EXE (Renamed & Submitted)
Trojan-Spy.Win32.Broker.r (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP237\A0066349.EXE (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP236\A0066187.EXE (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP236\A0066214.EXE (Renamed & Submitted)
Trojan-Spy.Win32.Zbot.ba (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP239\A0066546.EXE (Renamed & Submitted)
Trojan.Win32.Obfuscated.ig (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP236\A0066218.EXE (Renamed & Submitted)
Trojan.Win32.VB.azo (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP235\A0065724.EXE (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP235\A0065958.EXE (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP235\A0065982.EXE (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP234\A0065692.EXE (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP234\A0065722.EXE (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP233\A0065665.EXE (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP232\A0065642.EXE (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP231\A0065505.EXE (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP229\A0063727.EXE (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP229\A0064046.EXE (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP227\A0063688.EXE (Renamed & Submitted)
Ucmore.FB.dropper (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP235\A0065777.EXE (Submitted)
W32/Downloader.FZC.dropper (virus)
C:\PP4ICO.EXE (Submitted)
C:\MY DOCUMENTS\DOWNLOADED UPDATES\STOPZILLA_SETUP.EXE (Submitted)
Win32.Backdoor.Agent (spyware)
System (Disinfected)
not-virus:Hoax.Win32.Renos.ln (virus)
C:\WINDOWS\SYSTEM32\QIAWPBJJ.EXE (Submitted)
--------------------------------------------------------------------------------
Statistics
Scanned:
Files: 33724
System: 4337
Not scanned: 5
Actions:
Disinfected: 3
Renamed: 24
Deleted: 0
None: 229
Submitted: 28
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\TEMP\SQLITE_LPRBEPHAD6MMZGH
C:\WINDOWS\TEMP\SQLITE_QRBXTW0GLXIJMO8
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
--------------------------------------------------------------------------------
Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-10-26
F-Secure AVP: 7.0.171, 2007-10-26
F-Secure Orion: 1.2.37, 2007-10-26
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 2007-10-15
F-Secure Pegasus: 1.19.0, 2007-09-18
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Use Advanced heuristics
--------------------------------------------------------------------------------
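The F-Secure report above is long enough that it is easy to lose track of which hits sat on live paths, which were only copies inside System Restore snapshots, and what the scanner actually did with each. The Python below is an added example (not part of this thread or of any F-Secure tool) that parses the report's layout, a family header line followed by one line per object ending in the parenthesised action; the embedded sample is a constructed excerpt in that same layout, not the full log.

```python
"""Triage helper for an F-Secure Online Scanner text report.

Added example for this thread; it is not part of the forum post or of any
F-Secure tool. The report layout it parses is the one pasted above: under
"Result:" each detection family is introduced by a header such as
"Trojan-Downloader.Win32.VB.anb (virus)", followed by one line per affected
object, which ends in the parenthesised action the scanner took, if any.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Objects under this path are System Restore copies: inert unless a restore
# point is applied, so they matter less than a hit on a live path.
RESTORE_MARKER = "\\SYSTEM VOLUME INFORMATION\\_RESTORE{"

# Header lines carry a lowercase kind ("virus", "spyware"); action suffixes on
# object lines are capitalised ("Renamed", "Submitted"), which keeps the two apart.
HEADER_RE = re.compile(r"^(?P<family>\S.*?) \((?P<kind>[a-z][a-z-]*)\)$")
OBJECT_RE = re.compile(
    r"^(?P<target>.+?)(?: \((?P<actions>[A-Z][A-Za-z]*(?: & [A-Z][A-Za-z]*)*)\))?$"
)

# Constructed sample in the same layout as the pasted report (not the full log).
SAMPLE_REPORT = r"""
Result: 6 malware found
Backdoor.Win32.Hupigon.ffn (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP236\A0066188.EXE (Renamed & Submitted)
Tracking Cookie (spyware)
System (Disinfected)
System
System
Trojan-Downloader.Win32.VB.anb (virus)
C:\SYSIF.EXE (Renamed & Submitted)
not-virus:Hoax.Win32.Renos.ln (virus)
C:\WINDOWS\SYSTEM32\QIAWPBJJ.EXE (Submitted)
--------------------------------------------------------------------------------
Statistics
"""


@dataclass(frozen=True)
class Detection:
    family: str     # e.g. "Trojan-Downloader.Win32.VB.anb"
    kind: str       # "virus" or "spyware" in this report format
    target: str     # file path, or "System" for non-file items such as cookies
    actions: tuple  # ("Renamed", "Submitted"), ("Disinfected",), or () if nothing was done

    @property
    def location(self) -> str:
        """Where the object lives: a live path, a System Restore snapshot, or no file."""
        if self.target == "System":
            return "non-file"
        if RESTORE_MARKER in self.target.upper():
            return "restore-point"
        return "live"


def parse_report(text: str) -> list:
    """Return one Detection per object listed between 'Result:' and the next separator."""
    detections = []
    family = kind = None
    in_results = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Result:"):
            in_results = True
            continue
        if not in_results or not line:
            continue
        if line.startswith("----"):  # separator before the Statistics block
            break
        header = HEADER_RE.match(line)
        if header:
            family, kind = header.group("family"), header.group("kind")
            continue
        if family is None:
            raise ValueError(f"object line before any detection header: {line!r}")
        obj = OBJECT_RE.match(line)
        actions = tuple(obj.group("actions").split(" & ")) if obj.group("actions") else ()
        detections.append(Detection(family, kind, obj.group("target"), actions))
    return detections


def live_threats(detections) -> list:
    """Hits on live paths: the only ones that could still execute, unlike restore-point copies."""
    return [d for d in detections if d.location == "live"]


def summarize(detections) -> dict:
    """Counts by location and by action, in the same terms as the report's Statistics block."""
    by_action = Counter()
    for d in detections:
        if d.actions:
            by_action.update(d.actions)
        else:
            by_action["None"] += 1
    return {
        "objects": len(detections),
        "by_location": dict(Counter(d.location for d in detections)),
        "by_action": dict(by_action),
    }


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(summarize(found))
    for d in live_threats(found):
        print(f"LIVE  {d.family:<35} {d.target}  actions={d.actions or ('None',)}")
```

A "Renamed" action means the file was neutralised by renaming rather than deleted, which is why the AVG report later in this thread still lists the same objects as C:\SYSIF.0XE and C:\VIPTEST.0XE.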
Infected
10-27-2007, 10:11 AM
OK, that's the F-Secure log. The whole thing took over 6 hours! It hasn't changed anything noticeable; I will run SmitFraudFix next.
Infected
10-27-2007, 09:27 PM
SmitFraudFix v2.242
Scan done at 12:20:05.82, Sun 28/10/2007
Run from C:\Documents and Settings\default\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{194AD687-F5D0-424D-9E63-79E6463C59A5}: DhcpNameServer=10.0.0.138 10.0.0.138
HKLM\SYSTEM\CS1\Services\Tcpip\..\{194AD687-F5D0-424D-9E63-79E6463C59A5}: DhcpNameServer=10.0.0.138 10.0.0.138
HKLM\SYSTEM\CS2\Services\Tcpip\..\{194AD687-F5D0-424D-9E63-79E6463C59A5}: DhcpNameServer=10.0.0.138 10.0.0.138
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138 10.0.0.138
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138 10.0.0.138
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138 10.0.0.138
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Infected
10-27-2007, 09:29 PM
I think it's fixed!!!!! Thank you so much! My desktop is staying blue, I can't believe it, this is awesome. How do I know if it is really gone though? I want to be able to re-activate my banking, but I don't want to unless I know this virus is completely gone...
Budfred
10-27-2007, 11:29 PM
I am not sure if F-Secure is actually deleting all of those infections... Please run these scans so we can be more sure:
First...
http://www.atribune.org/ccount/click.php?id=1
* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.
If you use Firefox browser
* Click Firefox at the top and choose:Select All
* Click the Empty Selected button.
* NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
* Click Opera at the top and choose: Select All
* Click the Empty Selected button.
* NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
and then.............
Download AVG Anti-Spyware from HERE (http://www.ewido.net/en/download/)
Install AVG Anti-Spyware
Double-click the icon on Desktop to launch AVG Anti-Spyware
You will need to update AVG Anti-Spyware to the latest definition files.
On the top of the main screen click Shield and then [active] to change it to inactive
On the top of the main screen click Update and then Start Update.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Close ALL open Windows / Programs / Folders. Run AVG Anti-Spyware with its updated definitions: (...it's important that all windows must be closed)
* Click Scanner and then the Scan tab
* Click Complete System Scan to begin scanning.
Once the scan is complete do the following:
* If you have any infections you will be prompted, then select "Apply all actions"
* Once finished, click the Save report button, then click Save Report As and save it to your Desktop. (make sure to remember where you saved that file, this is important).
Close AVG Anti-Spyware and Reboot.
and wrap it up by downloading a fresh copy of ComboFix and running it...
Post the logs when done...
Infected
10-28-2007, 03:06 AM
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 5:22:29 PM 28/10/2007
+ Scan result:
C:\System Volume Information\_restore{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP235\A0065727.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\qoobox\Quarantine\C\deskbar_e21.exe.vir -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP235\A0065777.exe/empty_00000001 -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\qoobox\Quarantine\C\ucmoreiex.exe.vir/empty_00000001 -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\WINDOWS\winsysdir.exe.bad -> Backdoor.SdBot.aad : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP235\A0065729.0XE -> Downloader.Adload.gt : Cleaned with backup (quarantined).
C:\qoobox\Quarantine\C\drsmartload.exe.vir -> Downloader.Adload.gt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP235\A0065726.0XE -> Downloader.Small : Cleaned with backup (quarantined).
C:\qoobox\Quarantine\C\ac3_0010.exe.vir -> Downloader.Small : Cleaned with backup (quarantined).
C:\SYSIF.0XE -> Downloader.VB.anb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP242\A0066828.EXE -> Downloader.VB.anb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP242\A0066829.EXE -> Downloader.VB.anb : Cleaned with backup (quarantined).
C:\VIPTEST.0XE -> Downloader.VB.anb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP236\A0066187.0XE -> Logger.Bancos.afh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP236\A0066214.0XE -> Logger.Bancos.afh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP237\A0066349.0XE -> Logger.Bancos.afh : Cleaned with backup (quarantined).
C:\qoobox\Quarantine\C\Documents and Settings\default\Application Data\ntos.exe.vir -> Logger.Bancos.afh : Cleaned with backup (quarantined).
C:\qoobox\Quarantine\C\sysptgl.exe.vir -> Logger.Bancos.afh : Cleaned with backup (quarantined).
C:\qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\UERS_9999_N91S2507NetInstaller.exe.vir -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
:mozilla.182:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.183:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.184:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.364:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.440:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.598:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.448:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.449:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.450:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.451:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.452:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.86:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.425:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.426:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.427:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.428:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.30:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.649:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.613:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.614:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.302:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.303:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.304:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.305:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.306:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.309:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.310:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.311:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.15:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.106:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.569:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.570:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.571:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.367:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.368:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.369:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.370:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.371:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.307:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.308:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.532:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.365:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.63:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.64:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.65:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.39:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
Infected
10-28-2007, 03:07 AM
:mozilla.40:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.279:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.280:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.126:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.127:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.34:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.136:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.434:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.435:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.436:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.161:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.162:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.163:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.164:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.165:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.166:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.499:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.500:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.501:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.316:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.317:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.318:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.319:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.320:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.321:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.322:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.323:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.324:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.85:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.50:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned.
:mozilla.51:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned.
:mozilla.52:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned.
:mozilla.815:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
:mozilla.558:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.70:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.71:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.72:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.73:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.74:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.75:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.544:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.545:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.546:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\p88wpdif.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\pp4ico.exe -> Trojan.Favadd : Cleaned with backup (quarantined).
C:\BadFiles\IA\KE.vbs.bad -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP227\A0063688.0XE -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP229\A0063727.0XE -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP229\A0064046.0XE -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP231\A0065505.0XE -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP232\A0065642.0XE -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP233\A0065665.0XE -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP234\A0065692.0XE -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP234\A0065722.0XE -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP235\A0065724.0XE -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP235\A0065730.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP235\A0065958.0XE -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{372F504F-7CEC-40E8-A1A9-A9D5D8CFAE15}\RP235\A0065982.0XE -> Trojan.Small : Cleaned with backup (quarantined).
C:\qoobox\Quarantine\C\WINDOWS\uninstall_nmon.vbs.vir -> Trojan.Small : Cleaned with backup (quarantined).
C:\qoobox\Quarantine\C\WINDOWS\winh32.exe.vir -> Trojan.Small : Cleaned with backup (quarantined).
::Report end
Infected
10-28-2007, 03:09 AM
ComboFix 07-10-26.4 - default 2007-10-28 17:56:48.6 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.306 [GMT 11:00]
Running from: C:\Documents and Settings\default\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-28 )))))))))))))))))))))))))))))))
.
2007-10-28 16:20 <DIR> d-------- C:\Documents and Settings\default\Application Data\Grisoft
2007-10-28 16:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-28 16:20 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-10-28 15:37 <DIR> d-------- C:\Program Files\S4F
2007-10-28 15:37 164,864 --a------ C:\WINDOWS\SYSTEM32\UNWISE.EXE
2007-10-28 15:37 118,784 --a------ C:\WINDOWS\SYSTEM32\wins4f.dll
2007-10-28 15:29 8,704 --a------ C:\WINDOWS\SYSTEM32\sporder.dll
2007-10-28 12:19 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2007-10-22 11:34 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-10 12:04 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-10-10 12:04 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-10-10 12:04 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-10-10 12:04 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2007-10-10 00:26 1,368 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-10-09 13:44 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-08 17:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-08 17:35 <DIR> d-------- C:\Program Files\McAfee
2007-10-08 17:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-10-08 15:24 <DIR> d-------- C:\Program Files\STOPzilla!
2007-10-08 15:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
.
Infected
10-28-2007, 03:09 AM
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-21 15:33 --------- d-----w C:\Program Files\Common Files\Real
2002-05-27 11:08 707,072 ----a-w C:\Program Files\ws_ftple.exe
2002-05-27 06:36 766,405 ----a-w C:\Program Files\NAV80TRY.EXE
.
((((((((((((((((((((((((((((( snapshot@2007-10-09_14.19.00.38 )))))))))))))))))))))))))))))))))))))))))
.
- 2001-08-23 02:00:00 2,044,928 ------w C:\WINDOWS\$MSI31Uninstall_KB893803v2$\msi.dll
+ 2001-08-23 01:00:00 2,044,928 ------w C:\WINDOWS\$MSI31Uninstall_KB893803v2$\msi.dll
- 2001-08-23 02:00:00 63,488 ------w C:\WINDOWS\$MSI31Uninstall_KB893803v2$\msiexec.exe
+ 2001-08-23 01:00:00 63,488 ------w C:\WINDOWS\$MSI31Uninstall_KB893803v2$\msiexec.exe
- 2001-08-23 02:00:00 304,640 ------w C:\WINDOWS\$MSI31Uninstall_KB893803v2$\msihnd.dll
+ 2001-08-23 01:00:00 304,640 ------w C:\WINDOWS\$MSI31Uninstall_KB893803v2$\msihnd.dll
- 2001-08-23 02:00:00 847,872 ------w C:\WINDOWS\$MSI31Uninstall_KB893803v2$\msimsg.dll
+ 2001-08-23 01:00:00 847,872 ------w C:\WINDOWS\$MSI31Uninstall_KB893803v2$\msimsg.dll
- 2001-08-23 02:00:00 39,936 ------w C:\WINDOWS\$MSI31Uninstall_KB893803v2$\msisip.dll
+ 2001-08-23 01:00:00 39,936 ------w C:\WINDOWS\$MSI31Uninstall_KB893803v2$\msisip.dll
- 2005-05-03 02:58:22 209,632 ------w C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe
+ 2005-05-03 01:58:22 209,632 ------w C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe
- 2005-05-03 02:58:22 371,936 ------w C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\updspapi.dll
+ 2005-05-03 01:58:22 371,936 ------w C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\updspapi.dll
- 2002-04-29 08:14:52 44,032 ------w C:\WINDOWS\$NtUninstallQ321856$\spuninst\spuninst.exe
+ 2002-04-29 07:14:52 44,032 ------w C:\WINDOWS\$NtUninstallQ321856$\spuninst\spuninst.exe
- 2005-06-24 14:19:40 176,128 ----a-w C:\WINDOWS\3075C5C308074924AF8FFF27052C12AE.TMP\WiseCustomCalla.dll
+ 2005-06-24 13:19:40 176,128 ----a-w C:\WINDOWS\3075C5C308074924AF8FFF27052C12AE.TMP\WiseCustomCalla.dll
- 2007-02-24 07:38:28 228,088 ----a-w C:\WINDOWS\Application Data\GDIPFONTCACHEV1.DAT
+ 2007-02-24 06:38:28 228,088 ----a-w C:\WINDOWS\Application Data\GDIPFONTCACHEV1.DAT
- 2002-03-05 11:23:12 815,104 ----a-w C:\WINDOWS\Application Data\Macromedia\Flash MX\Configuration\authplay.dll
+ 2002-03-05 10:23:12 815,104 ----a-w C:\WINDOWS\Application Data\Macromedia\Flash MX\Configuration\authplay.dll
- 2002-03-05 13:38:36 147,456 ----a-w C:\WINDOWS\Application Data\Macromedia\Flash MX\Configuration\Importers\AIImport.dll
+ 2002-03-05 12:38:36 147,456 ----a-w C:\WINDOWS\Application Data\Macromedia\Flash MX\Configuration\Importers\AIImport.dll
- 2002-02-06 02:23:02 1,085,440 ----a-w C:\WINDOWS\Application Data\Macromedia\Flash MX\Configuration\Importers\FhDbRdr.dll
+ 2002-02-06 01:23:02 1,085,440 ----a-w C:\WINDOWS\Application Data\Macromedia\Flash MX\Configuration\Importers\FhDbRdr.dll
- 2002-02-02 00:52:54 2,088,960 ----a-w C:\WINDOWS\Application Data\Macromedia\Flash MX\Configuration\Importers\Fireworks Importer.dll
+ 2002-02-01 23:52:54 2,088,960 ----a-w C:\WINDOWS\Application Data\Macromedia\Flash MX\Configuration\Importers\Fireworks Importer.dll
- 2002-01-24 01:00:58 1,798,144 ----a-w C:\WINDOWS\Application Data\Macromedia\Flash MX\Configuration\Importers\ToonboomStudioImportPlugin.dll
+ 2002-01-24 00:00:58 1,798,144 ----a-w C:\WINDOWS\Application Data\Macromedia\Flash MX\Configuration\Importers\ToonboomStudioImportPlugin.dll
- 2002-05-27 07:22:06 86,532 ----a-w C:\WINDOWS\Application Data\Microsoft\FORMS\FRMCACHE.DAT
+ 2002-05-27 06:22:06 86,532 ----a-w C:\WINDOWS\Application Data\Microsoft\FORMS\FRMCACHE.DAT
- 2007-03-16 11:38:26 8,728 ----a-w C:\WINDOWS\Application Data\Microsoft\HelpCtr\HelpSessionHistory.dat
+ 2007-03-16 10:38:26 8,728 ----a-w C:\WINDOWS\Application Data\Microsoft\HelpCtr\HelpSessionHistory.dat
- 2002-10-08 10:09:16 8,678 ----a-w C:\WINDOWS\Application Data\Microsoft\HTML Help\hh.dat
+ 2002-10-08 09:09:16 8,678 ----a-w C:\WINDOWS\Application Data\Microsoft\HTML Help\hh.dat
- 2001-11-17 09:24:56 155,136 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\accicons.exe
+ 2001-11-17 08:24:56 155,136 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\accicons.exe
- 2001-11-17 09:24:58 22,528 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\bindico.exe
+ 2001-11-17 08:24:58 22,528 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\bindico.exe
- 2001-11-17 09:24:58 73,216 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\fpicon.exe
+ 2001-11-17 08:24:58 73,216 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\fpicon.exe
- 2001-11-17 09:24:58 28,160 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\misc.exe
+ 2001-11-17 08:24:58 28,160 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\misc.exe
- 2001-11-17 09:24:58 104,960 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\outicon.exe
+ 2001-11-17 08:24:58 104,960 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\outicon.exe
- 2001-11-17 09:24:58 11,264 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\PEicons.exe
+ 2001-11-17 08:24:58 11,264 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\PEicons.exe
- 2001-11-17 09:24:58 30,208 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\pptico.exe
+ 2001-11-17 08:24:58 30,208 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\pptico.exe
Infected
10-28-2007, 03:10 AM
- 2001-11-17 09:24:58 35,328 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\wordicon.exe
+ 2001-11-17 08:24:58 35,328 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\wordicon.exe
- 2001-11-17 09:24:58 69,120 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\xlicons.exe
+ 2001-11-17 08:24:58 69,120 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\xlicons.exe
- 2001-11-17 09:34:18 155,136 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00040409-78E1-11D2-B60F-006097C998E7}\accicons.exe
+ 2001-11-17 08:34:18 155,136 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00040409-78E1-11D2-B60F-006097C998E7}\accicons.exe
- 2001-11-17 09:34:20 22,528 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00040409-78E1-11D2-B60F-006097C998E7}\bindico.exe
+ 2001-11-17 08:34:20 22,528 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00040409-78E1-11D2-B60F-006097C998E7}\bindico.exe
- 2001-11-17 09:34:20 28,160 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00040409-78E1-11D2-B60F-006097C998E7}\misc.exe
+ 2001-11-17 08:34:20 28,160 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00040409-78E1-11D2-B60F-006097C998E7}\misc.exe
- 2001-11-17 09:34:20 11,264 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00040409-78E1-11D2-B60F-006097C998E7}\pubs.exe
+ 2001-11-17 08:34:20 11,264 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00040409-78E1-11D2-B60F-006097C998E7}\pubs.exe
- 2002-06-03 09:07:06 155,136 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00120409-78E1-11D2-B60F-006097C998E7}\accicons.exe
+ 2002-06-03 08:07:06 155,136 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00120409-78E1-11D2-B60F-006097C998E7}\accicons.exe
- 2002-06-03 09:07:06 22,528 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00120409-78E1-11D2-B60F-006097C998E7}\bindico.exe
+ 2002-06-03 08:07:06 22,528 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00120409-78E1-11D2-B60F-006097C998E7}\bindico.exe
- 2002-06-03 09:07:06 73,216 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00120409-78E1-11D2-B60F-006097C998E7}\fpicon.exe
+ 2002-06-03 08:07:06 73,216 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00120409-78E1-11D2-B60F-006097C998E7}\fpicon.exe
- 2002-06-03 09:07:04 28,160 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00120409-78E1-11D2-B60F-006097C998E7}\misc.exe
+ 2002-06-03 08:07:04 28,160 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00120409-78E1-11D2-B60F-006097C998E7}\misc.exe
- 2002-06-03 09:07:06 104,960 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00120409-78E1-11D2-B60F-006097C998E7}\outicon.exe
+ 2002-06-03 08:07:06 104,960 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00120409-78E1-11D2-B60F-006097C998E7}\outicon.exe
- 2002-06-03 09:07:06 11,264 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00120409-78E1-11D2-B60F-006097C998E7}\PEicons.exe
+ 2002-06-03 08:07:06 11,264 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00120409-78E1-11D2-B60F-006097C998E7}\PEicons.exe
- 2002-06-03 09:07:06 30,208 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00120409-78E1-11D2-B60F-006097C998E7}\pptico.exe
+ 2002-06-03 08:07:06 30,208 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00120409-78E1-11D2-B60F-006097C998E7}\pptico.exe
- 2002-06-03 09:07:06 35,328 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00120409-78E1-11D2-B60F-006097C998E7}\wordicon.exe
+ 2002-06-03 08:07:06 35,328 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00120409-78E1-11D2-B60F-006097C998E7}\wordicon.exe
- 2002-06-03 09:07:06 69,120 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00120409-78E1-11D2-B60F-006097C998E7}\xlicons.exe
+ 2002-06-03 08:07:06 69,120 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{00120409-78E1-11D2-B60F-006097C998E7}\xlicons.exe
- 2002-04-26 09:54:54 15,118 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{D6DE02C7-1F47-11D4-9515-00105AE4B89A}\aeTour_icon.exe
+ 2002-04-26 08:54:54 15,118 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{D6DE02C7-1F47-11D4-9515-00105AE4B89A}\aeTour_icon.exe
- 2002-04-26 09:54:54 10,134 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{D6DE02C7-1F47-11D4-9515-00105AE4B89A}\AnimDoc.exe
+ 2002-04-26 08:54:54 10,134 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{D6DE02C7-1F47-11D4-9515-00105AE4B89A}\AnimDoc.exe
- 2002-04-26 09:54:54 10,134 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{D6DE02C7-1F47-11D4-9515-00105AE4B89A}\as3.exe
+ 2002-04-26 08:54:54 10,134 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{D6DE02C7-1F47-11D4-9515-00105AE4B89A}\as3.exe
- 2002-04-26 09:54:54 13,390 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{D6DE02C7-1F47-11D4-9515-00105AE4B89A}\browse7b.exe
+ 2002-04-26 08:54:54 13,390 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{D6DE02C7-1F47-11D4-9515-00105AE4B89A}\browse7b.exe
- 2002-04-26 09:54:54 8,478 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{D6DE02C7-1F47-11D4-9515-00105AE4B89A}\jmc.exe
+ 2002-04-26 08:54:54 8,478 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{D6DE02C7-1F47-11D4-9515-00105AE4B89A}\jmc.exe
- 2002-04-26 09:54:54 8,478 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{D6DE02C7-1F47-11D4-9515-00105AE4B89A}\jmcdoc.exe
+ 2002-04-26 08:54:54 8,478 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{D6DE02C7-1F47-11D4-9515-00105AE4B89A}\jmcdoc.exe
- 2002-04-26 09:54:54 13,390 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{D6DE02C7-1F47-11D4-9515-00105AE4B89A}\psp.exe
+ 2002-04-26 08:54:54 13,390 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{D6DE02C7-1F47-11D4-9515-00105AE4B89A}\psp.exe
- 2002-04-26 09:54:54 18,374 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{D6DE02C7-1F47-11D4-9515-00105AE4B89A}\Psp7File.exe
+ 2002-04-26 08:54:54 18,374 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{D6DE02C7-1F47-11D4-9515-00105AE4B89A}\Psp7File.exe
- 2002-04-26 09:54:54 11,022 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{D6DE02C7-1F47-11D4-9515-00105AE4B89A}\PSP7workspace.exe
+ 2002-04-26 08:54:54 11,022 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{D6DE02C7-1F47-11D4-9515-00105AE4B89A}\PSP7workspace.exe
- 2002-04-26 09:54:54 4,526 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{D6DE02C7-1F47-11D4-9515-00105AE4B89A}\tubeconverter.exe
+ 2002-04-26 08:54:54 4,526 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{D6DE02C7-1F47-11D4-9515-00105AE4B89A}\tubeconverter.exe
- 2002-04-26 09:54:54 18,374 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{D6DE02C7-1F47-11D4-9515-00105AE4B89A}\tutorials_icon.exe
+ 2002-04-26 08:54:54 18,374 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{D6DE02C7-1F47-11D4-9515-00105AE4B89A}\tutorials_icon.exe
- 2002-04-26 09:54:54 11,022 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{D6DE02C7-1F47-11D4-9515-00105AE4B89A}\workspace2as.exe
+ 2002-04-26 08:54:54 11,022 ----a-r C:\WINDOWS\Application Data\Microsoft\Installer\{D6DE02C7-1F47-11D4-9515-00105AE4B89A}\workspace2as.exe
- 2002-10-13 00:34:56 16,384 ----a-w C:\WINDOWS\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
+ 2002-10-12 23:34:56 16,384 ----a-w C:\WINDOWS\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
- 2007-10-09 04:14:00 1,048,576 ---ha-w C:\WINDOWS\Application Data\Microsoft\Windows\UsrClass.dat
+ 2007-10-28 06:24:12 1,048,576 ---ha-w C:\WINDOWS\Application Data\Microsoft\Windows\UsrClass.dat
- 2001-08-23 02:00:00 1,229,312 ----a-w C:\WINDOWS\AppPatch\AcGenral.dll
+ 2001-08-23 01:00:00 1,229,312 ----a-w C:\WINDOWS\AppPatch\AcGenral.dll
- 2001-08-23 02:00:00 370,688 ----a-w C:\WINDOWS\AppPatch\AcLayers.dll
+ 2001-08-23 01:00:00 370,688 ----a-w C:\WINDOWS\AppPatch\AcLayers.dll
- 2001-08-23 02:00:00 45,568 ----a-w C:\WINDOWS\AppPatch\AcLua.dll
+ 2001-08-23 01:00:00 45,568 ----a-w C:\WINDOWS\AppPatch\AcLua.dll
- 2001-08-23 02:00:00 204,288 ----a-w C:\WINDOWS\AppPatch\AcSpecfc.dll
+ 2001-08-23 01:00:00 204,288 ----a-w C:\WINDOWS\AppPatch\AcSpecfc.dll
- 2001-08-23 02:00:00 148,480 ----a-w C:\WINDOWS\AppPatch\AcVerfyr.dll
+ 2001-08-23 01:00:00 148,480 ----a-w C:\WINDOWS\AppPatch\AcVerfyr.dll
- 2001-08-23 02:00:00 105,472 ----a-w C:\WINDOWS\AppPatch\AcXtrnal.dll
+ 2001-08-23 01:00:00 105,472 ----a-w C:\WINDOWS\AppPatch\AcXtrnal.dll
- 1999-12-07 02:00:00 11,024 ----a-w C:\WINDOWS\AppPatch\shcmn.dll
+ 1999-12-07 01:00:00 11,024 ----a-w C:\WINDOWS\AppPatch\shcmn.dll
- 2007-06-05 10:26:28 68,608 ----a-w C:\WINDOWS\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2007-06-05 09:26:28 68,608 ----a-w C:\WINDOWS\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
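A note on reading the ComboFix snapshot section above, with an added example that is not part of the original thread or of ComboFix itself. Nearly every "-"/"+" pair in that section has an identical size and a timestamp that differs by exactly one hour, which is what a clock or daylight-saving change between the two snapshots produces (the log header reports GMT 11:00 on 2007-10-28; that the shift is DST is my inference, not something the log states). The pair worth attention is the one that does not fit that pattern, UsrClass.dat, whose new timestamp is the day of the scan. The script below parses lines in the snapshot format, pairs them by path, and separates uniform one-hour shifts from genuine changes. The sample input is constructed from lines visible in this thread (the wins4f.dll entry is taken from the "Files Created" section and written in snapshot form for the example); parse_snapshot, classify and triage are names I chose.

```python
import re
from datetime import datetime, timedelta

# One ComboFix snapshot diff line: sign, timestamp, comma-grouped size,
# attribute flags, then the path (which may itself contain spaces).
LINE_RE = re.compile(
    r'^([-+])\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+([\d,]+)\s+(\S+)\s+(.+)$'
)

# Constructed sample in the log's own format (not a verbatim copy of the thread).
SAMPLE = r"""
((((((((((((((((((((((((((((( snapshot@2007-10-09_14.19.00.38 )))))))))))))))))))))))))))))))))))))))))
.
- 2001-08-23 02:00:00 2,044,928 ------w C:\WINDOWS\$MSI31Uninstall_KB893803v2$\msi.dll
+ 2001-08-23 01:00:00 2,044,928 ------w C:\WINDOWS\$MSI31Uninstall_KB893803v2$\msi.dll
- 2007-10-09 04:14:00 1,048,576 ---ha-w C:\WINDOWS\Application Data\Microsoft\Windows\UsrClass.dat
+ 2007-10-28 06:24:12 1,048,576 ---ha-w C:\WINDOWS\Application Data\Microsoft\Windows\UsrClass.dat
+ 2007-10-28 15:37:00 118,784 ----a-w C:\WINDOWS\SYSTEM32\wins4f.dll
"""


def parse_snapshot(text):
    """Map each path to its '-' (old) and/or '+' (new) entry as (datetime, size)."""
    entries = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # section banners and the bare '.' separators carry no data
        sign, stamp, size, _attrs, path = m.groups()
        ts = datetime.strptime(stamp, '%Y-%m-%d %H:%M:%S')
        entries.setdefault(path, {})[sign] = (ts, int(size.replace(',', '')))
    return entries


def classify(entries, shift=timedelta(hours=1)):
    """Split paths into clock-shift noise (same size, timestamps exactly `shift`
    apart) and everything else, which deserves a look: size changes, other
    timestamp deltas, and files that appear on only one side of the diff."""
    noise, real = [], []
    for path, pair in entries.items():
        if '-' not in pair or '+' not in pair:
            real.append(path)  # created or deleted between snapshots
            continue
        (old_ts, old_size), (new_ts, new_size) = pair['-'], pair['+']
        if old_size == new_size and abs(old_ts - new_ts) == shift:
            noise.append(path)
        else:
            real.append(path)
    return sorted(noise), sorted(real)


def triage(text):
    """Convenience wrapper: raw snapshot text in, (noise, real) out."""
    return classify(parse_snapshot(text))


if __name__ == '__main__':
    noise, real = triage(SAMPLE)
    print('clock-shift noise (%d):' % len(noise))
    for p in noise:
        print('  ', p)
    print('worth reviewing (%d):' % len(real))
    for p in real:
        print('  ', p)
```

Run against the full snapshot section the script reduces a few hundred lines to the handful of paths that actually changed; the one-hour threshold is a parameter, so a different offset (or a half-hour zone) can be passed to classify.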
Infected
10-28-2007, 03:11 AM
- 2007-06-05 10:27:48 72,192 ----a-w C:\WINDOWS\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2007-06-05 09:27:48 72,192 ----a-w C:\WINDOWS\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2007-06-05 10:27:52 4,308,992 ----a-w C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2007-06-05 09:27:52 4,308,992 ----a-w C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
- 2007-06-05 10:27:58 482,304 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2007-06-05 09:27:58 482,304 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2007-06-05 10:27:26 2,878,976 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2007-06-05 09:27:26 2,878,976 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2007-06-05 10:25:56 258,048 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2007-06-05 09:25:56 258,048 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2007-06-05 10:25:56 114,176 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2007-06-05 09:25:56 114,176 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2007-06-05 10:28:24 260,096 ----a-w C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2007-06-05 09:28:24 260,096 ----a-w C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2007-06-05 10:26:46 5,025,792 ----a-w C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2007-06-05 09:26:46 5,025,792 ----a-w C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2007-06-05 10:26:22 10,752 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2007-06-05 09:26:22 10,752 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2007-06-05 10:25:54 503,808 ----a-w C:\WINDOWS\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2007-06-05 09:25:54 503,808 ----a-w C:\WINDOWS\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2007-06-05 10:26:02 13,312 ----a-w C:\WINDOWS\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2007-06-05 09:26:02 13,312 ----a-w C:\WINDOWS\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
- 2007-06-05 10:27:40 8,192 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2007-06-05 09:27:40 8,192 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2007-06-05 10:27:42 36,864 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2007-06-05 09:27:42 36,864 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2007-06-05 10:27:44 5,632 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2007-06-05 09:27:44 5,632 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2007-06-05 10:26:08 413,696 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2007-06-05 09:26:08 413,696 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2007-06-05 10:26:12 36,864 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2007-06-05 09:26:12 36,864 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2007-06-05 10:26:14 647,168 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2007-06-05 09:26:14 647,168 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2007-06-05 10:26:18 73,728 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2007-06-05 09:26:18 73,728 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2007-06-05 10:26:04 745,472 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2007-06-05 09:26:04 745,472 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2007-06-05 10:28:36 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2007-06-05 09:28:36 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2007-06-05 10:28:34 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2007-06-05 09:28:34 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2007-06-05 10:25:40 28,672 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2007-06-05 09:25:40 28,672 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2007-06-05 10:28:30 667,648 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2007-06-05 09:28:30 667,648 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2007-06-05 10:28:38 5,632 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2007-06-05 09:28:38 5,632 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
- 2007-06-05 10:25:50 12,800 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2007-06-05 09:25:50 12,800 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2007-06-05 10:25:44 32,768 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2007-06-05 09:25:44 32,768 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
Infected
10-28-2007, 03:17 AM
- 2007-06-05 10:25:46 7,168 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2007-06-05 09:25:46 7,168 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2007-06-05 10:28:12 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2007-06-05 09:28:12 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2007-06-05 10:26:30 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2007-06-05 09:26:30 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2007-06-05 10:28:14 389,120 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2007-06-05 09:28:14 389,120 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2007-06-05 10:28:00 716,800 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2007-06-05 09:28:00 716,800 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2007-06-05 10:26:00 884,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2007-06-05 09:26:00 884,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2007-06-05 10:27:32 5,050,368 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2007-06-05 09:27:32 5,050,368 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2007-06-05 10:26:36 188,416 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2007-06-05 09:26:36 188,416 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2007-06-05 10:26:34 397,312 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2007-06-05 09:26:34 397,312 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2007-06-05 10:26:40 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2007-06-05 09:26:40 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2007-06-05 10:28:20 700,416 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2007-06-05 09:28:20 700,416 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2007-06-05 10:28:04 368,640 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2007-06-05 09:28:04 368,640 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2007-06-05 10:28:22 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2007-06-05 09:28:22 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2007-06-05 10:28:06 299,008 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2007-06-05 09:28:06 299,008 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2007-06-05 10:28:08 131,072 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2007-06-05 09:28:08 131,072 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2007-06-05 10:26:26 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
Infected
10-28-2007, 03:17 AM
+ 2007-06-05 09:26:26 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2007-06-05 10:26:42 114,688 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2007-06-05 09:26:42 114,688 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2007-06-05 10:28:28 835,584 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2007-06-05 09:28:28 835,584 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2007-06-05 10:27:10 86,016 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2007-06-05 09:27:10 86,016 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2007-06-05 10:27:14 823,296 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2007-06-05 09:27:14 823,296 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2007-06-05 10:27:16 5,316,608 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2007-06-05 09:27:16 5,316,608 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2007-06-05 10:27:22 2,035,712 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2007-06-05 09:27:22 2,035,712 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2007-06-05 10:28:16 3,018,752 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2007-06-05 09:28:16 3,018,752 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2007-06-05 10:48:16 26,624 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Accessibility\5936d630ae9e814aa328c11f0e45c3cf\Accessibility.ni.dll
+ 2007-06-05 09:48:16 26,624 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Accessibility\5936d630ae9e814aa328c11f0e45c3cf\Accessibility.ni.dll
- 2007-06-06 00:04:12 860,160 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\13af3b35996c674a9a4d13a917d637fc\AspNetMMCExt.ni.dll
+ 2007-06-05 23:04:12 860,160 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\13af3b35996c674a9a4d13a917d637fc\AspNetMMCExt.ni.dll
- 2007-06-06 00:04:16 237,568 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\3a14abfad9cb2840824543a83b470198\CustomMarshalers.ni.dll
+ 2007-06-05 23:04:16 237,568 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\3a14abfad9cb2840824543a83b470198\CustomMarshalers.ni.dll
- 2007-06-06 00:04:14 15,360 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\dfsvc\02f64075e07c804893edc1af44c3849a\dfsvc.ni.exe
+ 2007-06-05 23:04:14 15,360 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\dfsvc\02f64075e07c804893edc1af44c3849a\dfsvc.ni.exe
- 2007-06-06 00:04:22 880,640 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\2bb75caa80444248bd86c782a4208c11\Microsoft.Build.Engine.ni.dll
+ 2007-06-05 23:04:22 880,640 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\2bb75caa80444248bd86c782a4208c11\Microsoft.Build.Engine.ni.dll
- 2007-06-06 00:04:24 81,920 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\a212ee47df7e4a48b9c36b978dd628c7\Microsoft.Build.Framework.ni.dll
+ 2007-06-05 23:04:24 81,920 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\a212ee47df7e4a48b9c36b978dd628c7\Microsoft.Build.Framework.ni.dll
- 2007-06-06 00:04:36 1,691,648 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\b6ea26265155ab47832e4cea7ecaf496\Microsoft.Build.Tasks.ni.dll
+ 2007-06-05 23:04:36 1,691,648 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\b6ea26265155ab47832e4cea7ecaf496\Microsoft.Build.Tasks.ni.dll
- 2007-06-06 00:04:40 163,840 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\a05b6a3c0ce8744c8e1b47fd220cd539\Microsoft.Build.Utilities.ni.dll
+ 2007-06-05 23:04:40 163,840 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\a05b6a3c0ce8744c8e1b47fd220cd539\Microsoft.Build.Utilities.ni.dll
Infected
10-28-2007, 03:18 AM
- 2007-06-06 00:04:50 1,724,416 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\d38382709cbfab439a55c1a8815d04e6\Microsoft.VisualBasic.ni.dll
+ 2007-06-05 23:04:50 1,724,416 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\d38382709cbfab439a55c1a8815d04e6\Microsoft.VisualBasic.ni.dll
- 2007-06-05 10:31:08 11,415,552 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\e174c7f08221174d8ab5873de3365047\mscorlib.ni.dll
+ 2007-06-05 09:31:08 11,415,552 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\e174c7f08221174d8ab5873de3365047\mscorlib.ni.dll
- 2007-06-06 00:04:56 962,560 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\2768c96a3401594aa64e897540a3445a\System.Configuration.ni.dll
+ 2007-06-05 23:04:56 962,560 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\2768c96a3401594aa64e897540a3445a\System.Configuration.ni.dll
- 2007-06-05 10:36:00 6,688,768 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data\a36d0283df0ebe4d8f32b6718de43c96\System.Data.ni.dll
+ 2007-06-05 09:36:00 6,688,768 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data\a36d0283df0ebe4d8f32b6718de43c96\System.Data.ni.dll
- 2007-06-06 00:05:04 1,712,128 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Deployment\5db48e994592f34ea9a0646fcba72f38\System.Deployment.ni.dll
+ 2007-06-05 23:05:04 1,712,128 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Deployment\5db48e994592f34ea9a0646fcba72f38\System.Deployment.ni.dll
- 2007-06-05 10:37:14 10,723,328 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Design\71022ff506c79744becac6846ed9e5ad\System.Design.ni.dll
+ 2007-06-05 09:37:14 10,723,328 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Design\71022ff506c79744becac6846ed9e5ad\System.Design.ni.dll
- 2007-06-06 00:05:12 1,220,608 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\671c370ba816f747864094956d886d3a\System.DirectoryServices.ni.dll
+ 2007-06-05 23:05:12 1,220,608 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\671c370ba816f747864094956d886d3a\System.DirectoryServices.ni.dll
- 2007-06-06 00:05:14 512,000 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\7d07287d0320af45a2f3321caeb47880\System.DirectoryServices.Protocols.ni.dll
+ 2007-06-05 23:05:14 512,000 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\7d07287d0320af45a2f3321caeb47880\System.DirectoryServices.Protocols.ni.dll
- 2007-06-05 10:32:40 229,376 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\75d3aa44140ac54290081b36acd217fd\System.Drawing.Design.ni.dll
+ 2007-06-05 09:32:40 229,376 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\75d3aa44140ac54290081b36acd217fd\System.Drawing.Design.ni.dll
- 2007-06-05 10:33:04 1,626,112 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\49c029d7179de84cbb6d277993aa0408\System.Drawing.ni.dll
+ 2007-06-05 09:33:04 1,626,112 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\49c029d7179de84cbb6d277993aa0408\System.Drawing.ni.dll
- 2007-06-06 00:05:20 659,456 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\7eb85f98c487454d8ab2f60a11bc7809\System.EnterpriseServices.ni.dll
+ 2007-06-05 23:05:20 659,456 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\7eb85f98c487454d8ab2f60a11bc7809\System.EnterpriseServices.ni.dll
- 2007-06-06 00:05:20 294,912 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\7eb85f98c487454d8ab2f60a11bc7809\System.EnterpriseServices.Wrapper.dll
+ 2007-06-05 23:05:20 294,912 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\7eb85f98c487454d8ab2f60a11bc7809\System.EnterpriseServices.Wrapper.dll
- 2007-06-06 00:05:24 729,088 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Security\a4a006caaf0f3b419af7588fd5d2d0d2\System.Security.ni.dll
+ 2007-06-05 23:05:24 729,088 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Security\a4a006caaf0f3b419af7588fd5d2d0d2\System.Security.ni.dll
- 2007-06-06 00:05:30 684,032 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Transactions\481063c35231ba4981d002c93f74dbd7\System.Transactions.ni.dll
+ 2007-06-05 23:05:30 684,032 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Transactions\481063c35231ba4981d002c93f74dbd7\System.Transactions.ni.dll
- 2007-06-06 00:22:54 2,310,144 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\0254955c4c7fb24296738f6739fe5b6d\System.Web.Mobile.ni.dll
+ 2007-06-05 23:22:54 2,310,144 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\0254955c4c7fb24296738f6739fe5b6d\System.Web.Mobile.ni.dll
- 2007-06-06 00:22:58 237,568 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\04fce16a807ea544b3e14cd3b430117e\System.Web.RegularExpressions.ni.dll
Infected
10-28-2007, 03:18 AM
+ 2007-06-05 23:22:58 237,568 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\04fce16a807ea544b3e14cd3b430117e\System.Web.RegularExpressions.ni.dll
- 2007-06-06 00:23:12 1,945,600 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Services\a0d61bb9a072ef45954bd515498fa2ab\System.Web.Services.ni.dll
+ 2007-06-05 23:23:12 1,945,600 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Services\a0d61bb9a072ef45954bd515498fa2ab\System.Web.Services.ni.dll
- 2007-06-06 00:22:22 11,808,768 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\94cd5dd57806c24fbed7e43c6d81764f\System.Web.ni.dll
+ 2007-06-05 23:22:22 11,808,768 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\94cd5dd57806c24fbed7e43c6d81764f\System.Web.ni.dll
- 2007-06-05 10:34:26 13,107,200 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d7a736f66668194f9d1dcaab39e1097c\System.Windows.Forms.ni.dll
+ 2007-06-05 09:34:26 13,107,200 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d7a736f66668194f9d1dcaab39e1097c\System.Windows.Forms.ni.dll
- 2007-06-05 10:35:08 5,640,192 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\3cdb8a9c6b989e4ebaf4776b91b0409c\System.Xml.ni.dll
+ 2007-06-05 09:35:08 5,640,192 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\3cdb8a9c6b989e4ebaf4776b91b0409c\System.Xml.ni.dll
- 2007-06-05 10:32:32 8,093,696 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\695146f09d5f994ebceb44dada817e71\System.ni.dll
+ 2007-06-05 09:32:32 8,093,696 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\695146f09d5f994ebceb44dada817e71\System.ni.dll
- 2007-09-27 23:06:10 135,168 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-19 19:03:32 136,192 ----a-w C:\WINDOWS\catchme.exe
- 2000-06-08 07:00:00 116,736 ----a-w C:\WINDOWS\COMMAND\EBD\IO.SYS
+ 2000-06-08 06:00:00 116,736 ----a-w C:\WINDOWS\COMMAND\EBD\IO.SYS
- 2000-06-08 07:00:00 118,784 --sha-r C:\WINDOWS\COMMAND\EBD\WINBOOT.SYS
+ 2000-06-08 06:00:00 118,784 --sha-r C:\WINDOWS\COMMAND\EBD\WINBOOT.SYS
- 1999-12-07 02:00:00 5,392 ----a-w C:\WINDOWS\delttsul.exe
+ 1999-12-07 01:00:00 5,392 ----a-w C:\WINDOWS\delttsul.exe
+ 2007-05-07 05:38:46 500,120 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2007-05-07 05:39:00 192,920 ----a-w C:\WINDOWS\Downloaded Program Files\fsauc.dll
+ 2007-05-07 05:39:24 254,360 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
- 2004-10-08 06:01:22 372,736 ----a-w C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
+ 2004-10-08 05:01:22 372,736 ----a-w C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
- 2004-09-22 05:59:24 110,592 ----a-w C:\WINDOWS\Downloaded Program Files\PURen-us.dll
+ 2004-09-22 04:59:24 110,592 ----a-w C:\WINDOWS\Downloaded Program Files\PURen-us.dll
- 2007-06-19 02:12:04 241,152 ----a-w C:\WINDOWS\Downloaded Program Files\UImageUploader.dll
+ 2007-06-19 01:12:04 241,152 ----a-w C:\WINDOWS\Downloaded Program Files\UImageUploader.dll
- 2004-07-08 18:26:38 11,392 ----a-w C:\WINDOWS\Driver Cache\i386\bdasup.sys
+ 2004-07-08 17:26:38 11,392 ----a-w C:\WINDOWS\Driver Cache\i386\bdasup.sys
- 2004-07-08 18:26:38 16,384 ----a-w C:\WINDOWS\Driver Cache\i386\ccdecode.sys
+ 2004-07-08 17:26:38 16,384 ----a-w C:\WINDOWS\Driver Cache\i386\ccdecode.sys
- 2002-12-11 14:14:32 130,304 ----a-w C:\WINDOWS\Driver Cache\i386\ks.sys
+ 2002-12-11 13:14:32 130,304 ----a-w C:\WINDOWS\Driver Cache\i386\ks.sys
- 2002-12-11 14:14:32 4,096 ----a-w C:\WINDOWS\Driver Cache\i386\ksuser.dll
+ 2002-12-11 13:14:32 4,096 ----a-w C:\WINDOWS\Driver Cache\i386\ksuser.dll
Infected
10-28-2007, 03:20 AM
Actually, I think I have done something wrong as this will end up as over 100 posts. I am going to try the combo fix again later (but I am running late for work now...)
Budfred
10-28-2007, 05:05 AM
Actually, I think I have done something wrong as this will end up as over 100 posts. I am going to try the combo fix again later (but I am running late for work now...)
Yes, I am not sure what happened there... Please download a fresh copy of ComboFix before running it again... Also, it looks like you didn't run ATF...