  #16  
Old May 23rd, 2008, 03:45 AM
Racerx369
New Member
 
Join Date: Jan 2005
Posts: 23
And here is the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:39:46 PM, on 5/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
D:\PROGRA~1\Devices\Utils\OneTouch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Upromise\Upromise.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Upromise\UpromiseUa.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
D:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://address.mail.yahoo.com/yab/us?v=YM
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn3\yt.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\PROGRAM FILES\EBAY\EBAY TOOLBAR2\eBayTB.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Program Files\rpbrowserrecordplugin.dll
O2 - BHO: WCNetMon Class - {3BE313C3-DAD6-4da6-801D-75860118A0B5} - C:\Program Files\blcorp\WCCSC\WCPStop\wcpstop.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Web Replay BHO - {8B57DF7C-9BF9-4D52-B94E-37ACE3893F7D} - D:\Program Files\Deskperience\Web Replay\inetie.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MaxtorOneTouch] D:\PROGRA~1\Devices\Utils\OneTouch.exe
O4 - HKLM\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB002" /M "Stylus CX3800"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZRxdm103YYUS
O9 - Extra button: (no name) - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - (no file) (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
  #17  
Old May 23rd, 2008, 04:32 AM
Racerx369
New Member
 
Join Date: Jan 2005
Posts: 23
And here is the latest HijackThis Log:

  #18  
Old May 23rd, 2008, 06:01 AM
AnnMarie
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
I guess you figured out how to disable McAfee Racerx369?

Close Internet Explorer and any open windows and run Hijack This again. Check the below entries and click on Fix Checked.

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZRxdm103YYUS

O9 - Extra button: (no name) - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - (no file) (HKCU)

Reboot please. I am going to need to see some files.

Open notepad and copy and paste the text in the codebox below into it:

Code:
File::
C:\WINDOWS\system32\nwotiabg.ini

Suspect::
C:\WINDOWS\system32\MRT.INI
C:\WINDOWS\SaveBHOProf.pro

Go to File > Save As and save the file as CFScript.txt and set the location to your Desktop. Drag CFScript.txt and drop it into ComboFix.exe. See below:



ComboFix will run again. When the fix completes it will create a C:\ComboFix.txt log. Please post that log in your next reply. Also post a new Hijack This log.

Additionally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip. Please send this file to anniefriday@xtra.co.nz and include a link to this thread. Title your email "Requested Files".
Reply With Quote
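An added example (not code from this thread, HijackThis or ComboFix) that applies the two checks AnnMarie makes on the log above, orphaned "(no file)" entries and an O8 item whose URL points at an unwanted host, and renders the CFScript.txt format she describes. The deny-list host and the sample log lines are constructed from entries on this page.

```python
"""Triage of HijackThis v1.99 entries and CFScript rendering (added example)."""
import re
from urllib.parse import urlparse

# One HijackThis entry looks like: "O3 - Toolbar: (no name) - {CLSID} - (no file)"
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://\S+")

# Constructed deny-list (an assumption for this example): the helper in the
# thread flagged the O8 context-menu item pointing at bar.mywebsearch.com.
UNWANTED_HOSTS = {"bar.mywebsearch.com"}


def parse_hjt(text):
    """Return (section, body) pairs for every HijackThis entry line.

    Header lines and the 'Running processes' list do not match ENTRY_RE
    and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(entries, unwanted_hosts=UNWANTED_HOSTS):
    """Flag entries a helper would tick for 'Fix Checked'.

    Rule 1: '(no file)' means the registry still references a file that is
            gone (a leftover of a removed toolbar or button); the orphan is
            cleaned up.
    Rule 2: the entry carries a URL whose host is on the deny-list.
    Returns a list of (section, reason, body).
    """
    flagged = []
    for section, body in entries:
        if "(no file)" in body:
            flagged.append((section, "orphaned entry (no file)", body))
            continue
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname or ""
            if host in unwanted_hosts:
                flagged.append((section, f"unwanted host {host}", body))
                break
    return flagged


def build_cfscript(delete=(), suspect=()):
    """Render the CFScript.txt text used in the thread.

    'File::' lists files ComboFix deletes; 'Suspect::' lists files it packs
    into Submit [Date Time].zip for analysis instead of deleting them.
    """
    parts = []
    if delete:
        parts.append("File::\n" + "\n".join(delete))
    if suspect:
        parts.append("Suspect::\n" + "\n".join(suspect))
    return "\n\n".join(parts) + ("\n" if parts else "")


# Constructed sample, shaped like the log posted above (raw string, so the
# backslashes are literal).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\ctfmon.exe

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZRxdm103YYUS
O9 - Extra button: (no name) - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - (no file) (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
"""

if __name__ == "__main__":
    for section, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {reason}: {body}")
    print(build_cfscript(
        delete=[r"C:\WINDOWS\system32\nwotiabg.ini"],
        suspect=[r"C:\WINDOWS\system32\MRT.INI", r"C:\WINDOWS\SaveBHOProf.pro"],
    ))
```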
  #19  
Old May 23rd, 2008, 10:20 PM
Racerx369
New Member
 
Join Date: Jan 2005
Posts: 23
I sent the zipped Submit {Date-Time} file to anniefriday.
Here is the Latest ComboFix Log:
ComboFix 08-05-21.3 - Dan Linke 2008-05-23 16:24:16.2 - FAT32x86
Running from: C:\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dan Linke\Desktop\CFScript.txt
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\nwotiabg.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\nwotiabg.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))
.

2008-05-22 22:51 . 2008-05-22 22:51 <DIR> d-------- C:\Documents and Settings\Dan Linke\System Scans and Fixes
2008-05-22 22:04 . 2008-05-22 22:04 1,974,863 --a------ C:\ComboFix.exe
2008-05-22 17:58 . 2008-05-22 17:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-22 17:58 . 2008-05-22 17:58 <DIR> d-------- C:\Documents and Settings\Dan Linke\Application Data\Malwarebytes
2008-05-22 17:58 . 2008-05-22 17:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-22 17:58 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-22 17:58 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-22 17:57 . 2008-05-22 17:57 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-17 20:18 . 2008-05-17 20:18 <DIR> d-------- C:\Deckard
2008-05-17 03:11 . 2008-05-17 03:11 206 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-13 23:35 . 2008-05-13 23:35 <DIR> d-------- C:\Program Files\Unlocker
2008-05-13 23:35 . 2008-05-13 23:35 <DIR> d-------- C:\Documents and Settings\Marlene Linke\Application Data\Desktopicon
2008-05-12 22:24 . 2008-05-12 22:24 225 --a------ C:\WINDOWS\SaveBHOProf.pro
2008-05-10 02:11 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-07 23:29 . 2008-05-07 23:29 <DIR> d-------- C:\Documents and Settings\Dan Linke\Application Data\Business Logic
2008-05-04 23:34 . 2007-11-08 16:49 495,616 --a------ C:\WINDOWS\system32\p365vip.dll
2008-05-04 23:34 . 2000-10-24 17:12 352,256 --a------ C:\WINDOWS\system32\Activeskin.ocx
2008-05-04 22:47 . 2008-05-04 22:47 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-05-04 22:19 . 2003-06-12 23:25 7,062 --a------ C:\WINDOWS\system32\audiopid.vxd
2008-05-04 20:58 . 2008-05-04 20:58 <DIR> d-------- C:\Documents and Settings\Dan Linke\Application Data\Deskperience
2008-05-04 12:41 . 2008-05-04 12:41 <DIR> d-------- C:\Documents and Settings\Dan Linke\Trillian
2008-04-29 22:08 . 2008-04-29 22:08 <DIR> d-------- C:\Program Files\Audible

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 19:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-15 14:12 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-04-15 14:12 --------- d-----w C:\Documents and Settings\Marlene Linke\Application Data\Deskperience
2008-04-14 20:19 --------- d-----w C:\Documents and Settings\Jacqueline Linke\Application Data\Comodo
2008-04-13 17:33 --------- d-----w C:\Documents and Settings\Marlene Linke\Application Data\Comodo
2008-04-13 17:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comodo
2008-04-13 17:29 --------- d-----w C:\Program Files\Comodo
2008-04-10 00:22 --------- d-----w C:\Program Files\Adobe Media Player
2008-03-31 21:36 --------- d-----w C:\Documents and Settings\Marlene Linke\Application Data\Move Networks
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-01 22:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-01 16:41 110 ----a-w C:\Documents and Settings\All Users\Application Data\Mo****nGameId.bin
2006-11-09 13:23 0 ---ha-w C:\Documents and Settings\All Users\Application Data\hpothb07.dat
2006-07-13 22:02 320 ---ha-w C:\Documents and Settings\Owner\hpothb07.dat
2006-07-13 22:02 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2005-09-04 19:31 1,721 ---ha-w C:\Documents and Settings\Marlene Linke\hpothb07.dat
2004-05-08 19:11 0 ---ha-w C:\Documents and Settings\Marlene Linke\Application Data\hpothb07.dat
2003-04-05 23:10 723 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((( snapshot@2008-05-22_22.35.30.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-23 02:28:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-23 19:03:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 07:16 68856]
"Upromise"="C:\Program Files\Upromise\Upromise.exe" [2007-07-10 15:00 385024]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eBayToolbar"="C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2008-03-22 14:49 652528]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-04 22:45 185896]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [ ]
"WebTrapNT.exe"="C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe" [ ]
"Pop3trap.exe"="C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe" [ ]
"nwiz"="nwiz.exe" [2003-05-02 15:19 323584 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-05-02 15:19 4640768]
"MaxtorOneTouch"="D:\PROGRA~1\Devices\Utils\OneTouch.exe" [2003-05-21 15:30 45056]
"LDM"="C:\Program Files\Desktop Messenger\8876480\Program\backWeb-8876480.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 16:15 221184]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 18:41 163840]
"EPSON Stylus CX3800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe" [2005-02-07 22:00 98304]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [ ]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-02 00:15 15872]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 03:56 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-07-11 51984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= sonymjpg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"MMTray"=C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 SonyFanC;FAN Control Device Service;C:\WINDOWS\system32\Drivers\SonyFanC.sys [2001-09-06 16:21]
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys [2001-08-17 12:11]
S3 MXBULK;DualCam Still, MXBulk3.Sys;C:\WINDOWS\system32\Drivers\MXBulk3.sys []
S3 MXCap;DSC-06 Video Camera;C:\WINDOWS\system32\DRIVERS\MXCap3.sys []
S4 UWCService;UWCService;C:\Program Files\blcorp\WCCSC\WCOC\UWCSrvc.exe [2004-07-08 09:28]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2004-12-01 19:44:06 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1082316984.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-05-01 05:00:04 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-05-15 05:00:04 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-05-23 20:30:04 C:\WINDOWS\Tasks\User_Feed_Synchronization-{B0612B8D-0155-4E80-95C3-97CF6E5AE1ED}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-23 16:29:53
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\UWCService]
"ImagePath"="C:\Program Files\blcorp\WCCSC\WCOC\UWCSrvc.exe /startedbyscm:3573F0EA-40E2714E-UWCService"
.
Completion time: 2008-05-23 16:32:03
ComboFix-quarantined-files.txt 2008-05-23 20:31:56
ComboFix2.txt 2008-05-23 02:36:46

Pre-Run: 1,854,128,128 bytes free
Post-Run: 1,856,540,672 bytes free

159 --- E O F --- 2008-05-17 07:12:30
  #20  
Old May 23rd, 2008, 10:29 PM
Racerx369
New Member
 
Join Date: Jan 2005
Posts: 23
....and here is the accompanying HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 5:06:51 PM, on 5/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
D:\PROGRA~1\Devices\Utils\OneTouch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Upromise\Upromise.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Upromise\UpromiseUa.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\taskmgr.exe
D:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://address.mail.yahoo.com/yab/us?v=YM
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn3\yt.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\PROGRAM FILES\EBAY\EBAY TOOLBAR2\eBayTB.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Program Files\rpbrowserrecordplugin.dll
O2 - BHO: WCNetMon Class - {3BE313C3-DAD6-4da6-801D-75860118A0B5} - C:\Program Files\blcorp\WCCSC\WCPStop\wcpstop.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Web Replay BHO - {8B57DF7C-9BF9-4D52-B94E-37ACE3893F7D} - D:\Program Files\Deskperience\Web Replay\inetie.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MaxtorOneTouch] D:\PROGRA~1\Devices\Utils\OneTouch.exe
O4 - HKLM\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB002" /M "Stylus CX3800"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

.....Thanks so much for spending so much time with my issues. I really appreciate it. Dan
  #21  
Old May 23rd, 2008, 10:54 PM
Racerx369
New Member
 
Join Date: Jan 2005
Posts: 23
FYI - When ComboFix gen'ed the zipped Submit file, it prompted me to send a copy to Bleeping Computer (http://www.bleepingcomputer.com/), to be analyzed by some admin there.

The exact event was:
Message Box titled: Submit Files for Further Analysis
Message: ComboFix needs to submit Malware files for further analysis. Please ensure that you're connected to the internet before clicking OK.
Click Box: OK

Just wanted to ensure you knew about this and to ensure it was not part of the Malware infestation. Thanks.
  #22  
Old May 24th, 2008, 06:01 AM
AnnMarie
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Yes, that's OK, and I did get the files. One was fine, the other was generated by the malware so we will get rid of it. It may be a randomly named file but if I notice it again elsewhere, I will forward it to the ComboFix developer.

Open notepad and copy and paste the text in the codebox below into it. Save the file as CFScript.txt and drop it on ComboFix like you did before.

Code:
File::
C:\WINDOWS\SaveBHOProf.pro

ComboFix will run again. Please post the new log.

Your Hijack This log is fine now and once you have run ComboFix, I'm hoping that your operating system will be clean. Just to be sure that nothing else is lurking, go here and download ATF cleaner (do not download the Recommended Download on the mirror site). Use it to remove all Temp Files, Cookies and Temp Internet Files, Java Cache and any others that you would like to remove. If you also use Opera or Firefox, also click on the cleaning options for each browser.

Next, disable your antivirus program. To do this, right-click on the Icon in the Notification area (lower right-hand corner of your screen) and choose Quit, Exit, Close or whatever option is offered. Now go here and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee. When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit > Select All then copy the log and paste it back here.

Let me know if you still have any problems please.
  #23  
Old May 24th, 2008, 01:59 PM
Racerx369
New Member
 
Join Date: Jan 2005
Posts: 23
FYI - I try to use Mozilla Firefox exclusively. Other family members utilize IE and recently downloaded IE 7, which I advised them not to do, as I was wary of it.

Here is the new CF log:

ComboFix 08-05-21.3 - Dan Linke 2008-05-24 8:39:48.3 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.82 [GMT -4:00]
Running from: C:\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dan Linke\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\SaveBHOProf.pro
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\SaveBHOProf.pro
.
((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.
2008-05-22 22:51 . 2008-05-22 22:51 <DIR> d-------- C:\Documents and Settings\Dan Linke\System Scans and Fixes
2008-05-22 22:04 . 2008-05-22 22:04 1,974,863 --a------ C:\ComboFix.exe
2008-05-22 17:58 . 2008-05-22 17:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-22 17:58 . 2008-05-22 17:58 <DIR> d-------- C:\Documents and Settings\Dan Linke\Application Data\Malwarebytes
2008-05-22 17:58 . 2008-05-22 17:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-22 17:58 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-22 17:58 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-22 17:57 . 2008-05-22 17:57 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-17 20:18 . 2008-05-17 20:18 <DIR> d-------- C:\Deckard
2008-05-17 03:11 . 2008-05-17 03:11 206 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-13 23:35 . 2008-05-13 23:35 <DIR> d-------- C:\Program Files\Unlocker
2008-05-13 23:35 . 2008-05-13 23:35 <DIR> d-------- C:\Documents and Settings\Marlene Linke\Application Data\Desktopicon
2008-05-10 02:11 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-07 23:29 . 2008-05-07 23:29 <DIR> d-------- C:\Documents and Settings\Dan Linke\Application Data\Business Logic
2008-05-04 23:34 . 2007-11-08 16:49 495,616 --a------ C:\WINDOWS\system32\p365vip.dll
2008-05-04 23:34 . 2000-10-24 17:12 352,256 --a------ C:\WINDOWS\system32\Activeskin.ocx
2008-05-04 22:47 . 2008-05-04 22:47 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-05-04 22:19 . 2003-06-12 23:25 7,062 --a------ C:\WINDOWS\system32\audiopid.vxd
2008-05-04 20:58 . 2008-05-04 20:58 <DIR> d-------- C:\Documents and Settings\Dan Linke\Application Data\Deskperience
2008-05-04 12:41 . 2008-05-04 12:41 <DIR> d-------- C:\Documents and Settings\Dan Linke\Trillian
2008-04-29 22:08 . 2008-04-29 22:08 <DIR> d-------- C:\Program Files\Audible
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 19:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-15 14:12 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-04-15 14:12 --------- d-----w C:\Documents and Settings\Marlene Linke\Application Data\Deskperience
2008-04-14 20:19 --------- d-----w C:\Documents and Settings\Jacqueline Linke\Application Data\Comodo
2008-04-13 17:33 --------- d-----w C:\Documents and Settings\Marlene Linke\Application Data\Comodo
2008-04-13 17:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comodo
2008-04-13 17:29 --------- d-----w C:\Program Files\Comodo
2008-04-10 00:22 --------- d-----w C:\Program Files\Adobe Media Player
2008-03-31 21:36 --------- d-----w C:\Documents and Settings\Marlene Linke\Application Data\Move Networks
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-01 22:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-01 16:41 110 ----a-w C:\Documents and Settings\All Users\Application Data\Mo****nGameId.bin
2006-11-09 13:23 0 ---ha-w C:\Documents and Settings\All Users\Application Data\hpothb07.dat
2006-07-13 22:02 320 ---ha-w C:\Documents and Settings\Owner\hpothb07.dat
2006-07-13 22:02 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2005-09-04 19:31 1,721 ---ha-w C:\Documents and Settings\Marlene Linke\hpothb07.dat
2004-05-08 19:11 0 ---ha-w C:\Documents and Settings\Marlene Linke\Application Data\hpothb07.dat
2003-04-05 23:10 723 ----a-w C:\Program Files\INSTALL.LOG
.
((((((((((((((((((((((((((((( snapshot@2008-05-22_22.35.30.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-23 02:28:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-23 19:03:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 07:16 68856]
"Upromise"="C:\Program Files\Upromise\Upromise.exe" [2007-07-10 15:00 385024]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eBayToolbar"="C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2008-03-22 14:49 652528]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-04 22:45 185896]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [ ]
"WebTrapNT.exe"="C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe" [ ]
"Pop3trap.exe"="C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe" [ ]
"nwiz"="nwiz.exe" [2003-05-02 15:19 323584 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-05-02 15:19 4640768]
"MaxtorOneTouch"="D:\PROGRA~1\Devices\Utils\OneTouch.exe" [2003-05-21 15:30 45056]
"LDM"="C:\Program Files\Desktop Messenger\8876480\Program\backWeb-8876480.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 16:15 221184]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 18:41 163840]
"EPSON Stylus CX3800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe" [2005-02-07 22:00 98304]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [ ]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-02 00:15 15872]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 03:56 53760 C:\WINDOWS\system32\narrator.exe]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-07-11 51984]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= sonymjpg.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"MMTray"=C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R1 SonyFanC;FAN Control Device Service;C:\WINDOWS\system32\Drivers\SonyFanC.sys [2001-09-06 16:21]
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys [2001-08-17 12:11]
S3 MXBULK;DualCam Still, MXBulk3.Sys;C:\WINDOWS\system32\Drivers\MXBulk3.sys []
S3 MXCap;DSC-06 Video Camera;C:\WINDOWS\system32\DRIVERS\MXCap3.sys []
S4 UWCService;UWCService;C:\Program Files\blcorp\WCCSC\WCOC\UWCSrvc.exe [2004-07-08 09:28]
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2004-12-01 19:44:06 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1082316984.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-05-01 05:00:04 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-05-15 05:00:04 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-05-24 12:40:06 C:\WINDOWS\Tasks\User_Feed_Synchronization-{B0612B8D-0155-4E80-95C3-97CF6E5AE1ED}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-24 08:43:47
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\UWCService]
"ImagePath"="C:\Program Files\blcorp\WCCSC\WCOC\UWCSrvc.exe /startedbyscm:3573F0EA-40E2714E-UWCService"
.
Completion time: 2008-05-24 8:45:06
ComboFix-quarantined-files.txt 2008-05-24 12:45:02
ComboFix3.txt 2008-05-23 02:36:46
ComboFix2.txt 2008-05-23 20:32:06
Pre-Run: 1,830,821,888 bytes free
Post-Run: 1,816,977,408 bytes free
160 --- E O F --- 2008-05-17 07:12:30
#24
May 24th, 2008, 11:02 PM
AnnMarie
CTH Subscriber
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
The ComboFix log is fine, so I just need to see the results of your online scan now. Don't forget to tell me if you still have any problems.
#25
May 25th, 2008, 12:08 AM
Racerx369
New Member
Join Date: Jan 2005
Posts: 23

Here is the BitDefender scan log:

BitDefender Online Scanner

Scan report generated at: Sat, May 24, 2008 - 10:33:31

Scan path: A:\;C:\;D:\;E:\;F:\;G:\;H:\;

Statistics
Time: 01:15:36
Files: 175490
Folders: 7528
Boot Sectors: 3
Archives: 7421
Packed Files: 9756

Results
Identified Viruses: 8
Infected Files: 10
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 10

Engines Info
Virus Definitions: 1230929
Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins: 16
Archive plugins: 42
Unpack plugins: 7
E-mail plugins: 6
System plugins: 5

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File
Status
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\winter_dreams.exe=>wise0016
Infected with: Dropped:Application.Peopleonpage.Aproposmedia.D
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\winter_dreams.exe=>wise0016
Disinfection failed
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\winter_dreams.exe=>wise0016
Deleted
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\winter_dreams.exe
Update failed
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\winter_dreams.exe=>wise0017
Detected with: Adware.Gator.AD
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\winter_dreams.exe=>wise0017
Deleted
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\winter_dreams.exe
Update failed
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\winter_dreams.exe=>wise0018
Detected with: Adware.Newdotnet.A
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\winter_dreams.exe=>wise0018
Deleted
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\winter_dreams.exe
Update failed
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\autumnfree.exe=>wise0035=>(CAB Sfx r)=>Save.exe
Infected with: Trojan.Adware.Whenu.A
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\autumnfree.exe=>wise0035=>(CAB Sfx r)=>Save.exe
Deleted
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\autumnfree.exe=>wise0035=>(CAB Sfx r)
Update failed
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\autumnfree.exe=>wise0035=>(CAB Sfx r)=>SaveUninst.exe
Detected with: Application.Whenu.AJ
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\autumnfree.exe=>wise0035=>(CAB Sfx r)=>SaveUninst.exe
Disinfection failed
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\autumnfree.exe=>wise0035=>(CAB Sfx r)=>SaveUninst.exe
Deleted
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\autumnfree.exe=>wise0035=>(CAB Sfx r)
Update failed
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\autumnfree.exe=>wise0035=>(CAB Sfx 2r)
Detected with: Adware.Whenu.Savenow.U
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\autumnfree.exe=>wise0035=>(CAB Sfx 2r)
Deleted
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\autumnfree.exe=>wise0035
Update failed
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\autumnfree.exe=>wise0036
Detected with: Adware.Newdotnet.A
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\autumnfree.exe=>wise0036
Deleted
C:\Documents and Settings\Marlene Linke\Desktop\Unused Desktop Shortcuts\Pictures\autumnfree.exe
Update failed
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\TopMoxie2.zip=>JavaRun.exe
Infected with: Trojan.Ebates.A
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\TopMoxie2.zip=>JavaRun.exe
Deleted
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\TopMoxie2.zip
Updated
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\TopMoxie6.zip=>JavaRun.exe
Infected with: Trojan.Ebates.A
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\TopMoxie6.zip=>JavaRun.exe
Deleted
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\TopMoxie6.zip
Updated
C:\QooBox\Quarantine\C\WINDOWS\system32\lUDJRXbc.ini.vir
Infected with: Trojan.Vundo.DVS
C:\QooBox\Quarantine\C\WINDOWS\system32\lUDJRXbc.ini.vir
Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\system32\lUDJRXbc.ini.vir
Deleted
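As an added example (not part of this thread or of BitDefender's tooling), a small Python summariser for the report layout posted above: it pairs each path line with the status line that follows it and groups nested `=>` items under the file that actually sits on disk, so a helper can see at a glance which files the scanner flagged but could not clean. Reading "Update failed" on a container as "it could not be rewritten after its inner item was deleted" is my inference from the posted log, not documented behaviour, and the sample report is constructed with shortened paths.

```python
import re
from collections import defaultdict

# Constructed sample in the posted report's layout: after the two-line header
# each record is a path line then a status line; nested items chain with "=>".
SAMPLE = """\
Scanned File
Status
C:\\Pics\\winter_dreams.exe=>wise0016
Infected with: Dropped:Application.Peopleonpage.Aproposmedia.D
C:\\Pics\\winter_dreams.exe=>wise0016
Disinfection failed
C:\\Pics\\winter_dreams.exe=>wise0016
Deleted
C:\\Pics\\winter_dreams.exe
Update failed
C:\\Recovery\\TopMoxie2.zip=>JavaRun.exe
Infected with: Trojan.Ebates.A
C:\\Recovery\\TopMoxie2.zip=>JavaRun.exe
Deleted
C:\\Recovery\\TopMoxie2.zip
Updated
C:\\QooBox\\Quarantine\\C\\WINDOWS\\system32\\lUDJRXbc.ini.vir
Infected with: Trojan.Vundo.DVS
C:\\QooBox\\Quarantine\\C\\WINDOWS\\system32\\lUDJRXbc.ini.vir
Deleted
"""

DETECT_RE = re.compile(r"^(?:Infected|Detected) with: (.+)$")

def parse_report(text):
    """Return (path, status) pairs from the Scanned File / Status section."""
    lines = [ln.strip() for ln in text.splitlines()]
    start = lines.index("Status") + 1 if "Status" in lines else 0
    body = [ln for ln in lines[start:] if ln]
    return list(zip(body[0::2], body[1::2]))

def container_of(path):
    """The on-disk file holding a nested item: text before the first '=>'."""
    return path.split("=>", 1)[0]

def summarise(text):
    """Per on-disk file: detection names found in it and whether flagged
    content is still there. 'Update failed' on a container (logged after an
    inner item was 'Deleted') is read as: it could not be rewritten."""
    files = defaultdict(lambda: {"detections": set(), "remaining": False})
    for path, status in parse_report(text):
        box = container_of(path)
        hit = DETECT_RE.match(status)
        if hit:
            files[box]["detections"].add(hit.group(1))
        elif path == box and status == "Update failed":
            files[box]["remaining"] = True
        elif path == box and status in ("Deleted", "Updated"):
            files[box]["remaining"] = False
    return dict(files)

def needs_followup(text):
    """Files the scanner flagged but could not clean, sorted for review."""
    return sorted(p for p, v in summarise(text).items() if v["remaining"])
```

Run against the full pasted report, `needs_followup` lists only the self-extracting installers whose inner items were deleted but whose container could not be updated, which is exactly the set a helper would want to delete by hand.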
#26
May 25th, 2008, 12:14 AM
Racerx369
New Member
Join Date: Jan 2005
Posts: 23
Some of my (latest added) Desktop icons seemed to be repositioning themselves. ????
Firefox encountered some error and closed itself. Only problems so far.
#27
May 25th, 2008, 12:53 AM
AnnMarie
CTH Subscriber
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Quote:
Some of my (latest added) Desktop icons seemed to be repositioning themselves. ????
ComboFix stops and starts Explorer so your Icons may reposition depending on what View setting you have chosen.

Quote:
Firefox encountered some error and closed itself
If it just happened once, it's no cause for concern. If it happens again, post back here and we can take a look at it. Everything else looks fine now so you are good to go.
#28
May 25th, 2008, 01:59 AM
Racerx369
New Member
Join Date: Jan 2005
Posts: 23
Thank you for all your guidance and patience.
#29
May 25th, 2008, 03:09 AM
AnnMarie
CTH Subscriber
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
You are very welcome Dan.