|
|||||||
| Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs |
 |
|
|
Topic Tools |
|
#1
December 25th, 2007, 09:49 AM
|
||||
|
||||
|
Help please: Moved from XP by Murray
I have a problem. My messengers and most of my start up items have been deleted. Ive tried running anti virus things, and AVG just found some things but it didnt fix them earlier. Should AVG take care of this problem or am I going to have to find my restore disks?
|
|
#3
December 25th, 2007, 09:57 AM
|
||||
|
||||
|
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:55:36 AM, on 12/25/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\cp\catserv.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\system32\DVDRAMSV.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\svchost.exe c:\TOSHIBA\IVP\swupdate\swupdtmr.exe C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe C:\WINDOWS\system32\TDispVol.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\TOSHIBA\Bluetooth Monitor\BtMon2.exe C:\WINDOWS\system32\TPSBattM.exe C:\WINDOWS\system32\RAMASST.exe C:\Program Files\iTunes\iTunes.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe C:\Program Files\Grisoft\AVG7\avgwb.dat C:\Program Files\Mozilla Firefox\firefox.exe C:\PROGRA~1\EACCEL~1\Station\station.exe C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe C:\Documents and Settings\Justin Nyle Holt\Desktop\aswclnr.exe C:\Documents and Settings\Justin Nyle Holt\Desktop\aswclnr.tmp C:\Documents and Settings\Justin Nyle Holt\Desktop\HiJackThis_v2.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gaiaonline.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O2 - BHO: (no name) - {D5F41F66-0DCE-4CEE-BA7D-D6F5C419845C} - C:\WINDOWS\system32\ssqpq.dll (file missing) O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [TFncKy] TFncKy.exe O4 - HKLM\..\Run: [TDispVol] TDispVol.exe O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe O4 - HKLM\..\Run: [TPSMain] TPSMain.exe O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe O4 - HKLM\..\Run: [CATTRAY] C:\Program Files\cp\cattray.exe O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus O4 - HKLM\..\Run: [StopSignSsSsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll",VerifyStatus O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k O4 - HKLM\..\RunOnce: [StopSignSsSsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll",VerifyStatus /ro O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'Default user') O4 - Global Startup: Bluetooth Monitor.lnk = ? O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200 O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/re...s/MSNPUpld.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://test.update.microsoft.com/mic...?1175195710078 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://test.update.microsoft.com/mic...?1175195604312 O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - http://rpm.cnsres.muskingum.edu/CAT/CNICAT.cab O20 - Winlogon Notify: awttuvw - awttuvw.dll (file missing) O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: CATPRO Service (catservice) - AllSecure Networks - C:\Program Files\cp\catserv.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: DVD-RAM_Service - Matsu****a Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 14328 bytes
|
|
#4
December 25th, 2007, 03:05 PM
|
||||
|
||||
|
You need to post your log file in Cyber Safety. That's where the experts are that you need to help you... Here.. http://www.cybertechhelp.com/forums/...splay.php?f=25
|
|
#5
December 26th, 2007, 01:37 AM
|
||||
|
||||
|
Welcome to CTH justme568. The log shows some serious infection there. That removed startup is unclear just yet - some malware replaces legit startups with it's own files, and then it is possible some scan tool there removed that. But let's do some steps and check after to see. You also have too much protective software loaded with AVG and StopSign, so need to uninstall one of those. The choice might be made easier if you read this information, which discusses the history and known problems with eAccelation's software. Hopefully it wasn't involved in creating problems already. If you choose you can uninstall any listings for StopSign/eAcceleration through Add/Remove Programs now.
Once you have done that please reboot. Then let's do other removal steps. First you need to disable Windows Defender, as it may interfere with repairs. * Click Start > Programs > Windows Defender or launch from the system tray icon. * Click on Tools & Settings > Options. * Under Real-time protection options, uncheck the "Real-time protection" check box. * Click Save. * Go to Start > Control Panel > Security > Windows Defender, at the bottom of the Window Defenders page uncheck under Administrator Options "use Windows Defender" and then Save. * (When we are done, you can re-enable Defender using the same steps but this time place a check next to "Turn on real-time protection" check box.) Also disable AVG while these steps are being done. Then Download ComboFix.exe from here to your desktop, and click the downloaded file to run the repair. When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt. A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. (ComboFix will also disable any screensaver settings made, so know that at some point when we complete repairs you will need to reset your screensaver. For this run ComboFix will also suspend your net connection - if this does not return after running this go to Start - Settings - Network Connections, right click your Internet Connection and select Repair, or reboot the computer to reset the connection if needed). Post back the C:\ComboFix.txt log as well as a new HijackThis log please.
|
|
#6
December 26th, 2007, 06:41 AM
|
||||
|
||||
|
Here's the combofix log:
ComboFix 07-12-26.3 - Justin Nyle Holt 2007-12-26 0:27:40.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.420 [GMT -5:00] Running from: C:\Documents and Settings\Justin Nyle Holt\Desktop\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\qpqss.ini C:\WINDOWS\system32\qpqss.ini2 . ((((((((((((((((((((((((( Files Created from 2007-11-26 to 2007-12-26 ))))))))))))))))))))))))))))))) . 2007-12-25 14:45 . 2007-12-25 14:45 <DIR> d-------- C:\Documents and Settings\Justin Nyle Holt\Application Data\Uniblue 2007-12-25 14:35 . 2007-12-06 18:12 110,592 --a------ C:\WINDOWS\system32\SynTPCo4.dll 2007-12-25 14:23 . 2007-12-25 14:23 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition 2007-12-25 14:22 . 2007-12-25 14:23 <DIR> d-------- C:\Program Files\Windows Live Toolbar 2007-12-25 14:22 . 2007-12-25 14:22 <DIR> d-------- C:\Program Files\Windows Live Favorites 2007-12-25 14:16 . 2007-12-25 14:24 <DIR> d-------- C:\Program Files\Windows Live 2007-12-25 14:16 . 2007-12-25 14:19 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller 2007-12-25 14:15 . 2007-12-25 14:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller 2007-12-25 10:24 . 2007-12-25 10:25 67 --a------ C:\WINDOWS\swupdate.INI 2007-12-25 09:30 . 2007-12-25 09:30 <DIR> d-------- C:\Program Files\Western Digital Technologies 2007-12-24 02:00 . 2007-12-24 02:00 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe 2007-12-24 01:58 . 2007-12-25 01:48 118,784 --a------ C:\WINDOWS\system32\igfxpers .exe 2007-12-24 01:58 . 2007-12-25 01:48 98,304 --a------ C:\WINDOWS\system32\igfxtray .exe 2007-12-24 01:58 . 2007-12-25 01:48 77,824 --a------ C:\WINDOWS\system32\hkcmd .exe 2007-12-23 03:21 . 2007-12-23 03:21 28,932 --a------ C:\barsettingx.~dat 2007-12-23 03:09 . 2007-12-23 03:09 <DIR> d-------- C:\Program Files\Magic Music Studio Pro 2007-12-10 04:10 . 2007-12-10 04:10 <DIR> d-------- C:\Program Files\Rouge-Guild 2007-12-03 05:24 . 2007-12-03 20:25 1,890 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys 2007-12-03 05:24 . 2007-12-03 05:24 56 -r-hs---- C:\WINDOWS\system32\CE560AA6B5.sys 2007-12-03 05:23 . 2007-12-03 05:23 <DIR> d-------- C:\Program Files\Enterbrain 2007-12-03 05:22 . 2007-12-03 05:22 <DIR> d-------- C:\Program Files\Common Files\Enterbrain . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )) . 2007-12-26 05:33 --------- d-----w C:\Documents and Settings\Justin Nyle Holt\Application Data\uTorrent 2007-12-25 21:35 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment 2007-12-25 20:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7 2007-12-25 19:40 --------- d-----w C:\Program Files\Google 2007-12-25 19:34 --------- d-----w C:\Program Files\Common Files\Nero 2007-12-25 19:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero 2007-12-25 19:24 --------- d-----w C:\Program Files\Yahoo! 2007-12-25 19:20 --------- d-----w C:\Program Files\MSN Messenger 2007-12-25 19:19 --------- d-----w C:\Program Files\AIM6 2007-12-25 19:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint 2007-12-25 19:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL 2007-12-25 11:54 --------- d-----w C:\Program Files\Microsoft ActiveSync 2007-12-25 06:57 --------- d-----w C:\Program Files\Windows Defender 2007-12-25 06:57 --------- d-----w C:\Program Files\cp 2007-12-25 06:48 --------- d-----w C:\Program Files\Microsoft Works 2007-12-24 00:32 --------- d-----w C:\Documents and Settings\Justin Nyle Holt\Application Data\AVG7 2007-12-21 19:42 --------- d-----w C:\Program Files\uTorrent 2007-12-15 19:45 --------- d-----w C:\Program Files\Gpotato 2007-12-12 04:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help 2007-12-06 22:41 220,032 ----a-w C:\WINDOWS\system32\drivers\SynTP.sys 2007-12-01 02:32 --------- d-----w C:\Program Files\PeerGuardian2 2007-11-24 00:14 --------- d-----w C:\Program Files\The Weather Channel FW 2007-11-23 22:05 --------- d-----w C:\Program Files\DAMN NFO Viewer 2007-11-22 08:44 --------- d-----w C:\Program Files\TOSHIBA 2007-11-22 08:43 --------- d--h--w C:\Program Files\InstallShield Installation Information 2007-11-22 07:58 --------- d-----w C:\Program Files\Combined Community Codec Pack 2007-11-22 07:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\River Past G5 2007-11-22 07:20 --------- d-----w C:\Program Files\River Past 2007-11-22 07:18 --------- d-----w C:\Documents and Settings\Justin Nyle Holt\Application Data\River Past G5 2007-11-19 07:51 --------- d-----w C:\Program Files\Microsoft Games 2007-11-16 16:23 --------- d-----w C:\Documents and Settings\Justin Nyle Holt\Application Data\Screenshot Studio Files 2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys 2007-11-09 15:15 --------- d--h--r C:\Documents and Settings\Justin Nyle Holt\Application Data\yahoo! 2007-11-09 15:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo! 2007-11-06 07:40 --------- d-----w C:\Program Files\iTunes 2007-11-06 07:39 --------- d-----w C:\Program Files\iPod 2007-11-06 07:38 --------- d-----w C:\Program Files\QuickTime 2007-11-05 01:51 --------- d-----w C:\Program Files\Riva 2007-11-05 01:51 --------- d-----w C:\Program Files\Common Files\SWF Studio 2007-11-03 03:29 --------- d-----w C:\Program Files\Maxis 2007-11-02 05:06 --------- d-----w C:\Program Files\Common Files\PocketSoft 2007-11-02 02:06 --------- d-----w C:\Program Files\AutoMacroRecorder 2007-11-02 01:50 --------- d-----w C:\Program Files\YRefresher 2007-10-29 03:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\NexonUS 2007-10-23 22:06 585,728 ----a-w C:\WINDOWS\WLXPGSS.SCR 2007-10-08 12:29 1,759,744 ----a-w C:\Documents and Settings\Justin Nyle Holt\Neuz.exe 2004-09-03 03:12 370,688 ----a-w C:\Documents and Settings\Justin Nyle Holt\mss32.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D5F41F66-0DCE-4CEE-BA7D-D6F5C419845C}] C:\WINDOWS\system32\ssqpq.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [] "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00] "Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-12-18 14:04] "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34] "Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run] "TFncKy"="TFncKy.exe" [] "TDispVol"="TDispVol.exe" [2005-03-11 18:03 C:\WINDOWS\system32\TDispVol.exe] "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 16:56] "AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 09:29 C:\WINDOWS\agrsmmsg.exe] "NDSTray.exe"="NDSTray.exe" [] "TPSMain"="TPSMain.exe" [2005-06-01 00:00 C:\WINDOWS\system32\TPSMain.exe] "PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [] "CATTRAY"="C:\Program Files\cp\cattray.exe" [] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-25 16:20] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 17:20] "NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run] "DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1 \DW\dwtrig20.exe" [2007-08-24 03:18] "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-26 11:35] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Bluetooth Monitor.lnk - C:\Program Files\TOSHIBA\Bluetooth Monitor\BtMon2.exe [2007-11-22 03:43:44] RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-02-15 11:31:42] [HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\system] "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme [hkey_local_machine\software\microsoft\windows\curr entversion\explorer\shellexecutehooks] "{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}"= C:\WINDOWS\system32\awttuvw.dll [ ] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awttuvw] awttuvw.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Odometer.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Odometer.lnk backup=C:\WINDOWS\pss\Odometer.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Justin Nyle Holt^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk] path=C:\Documents and Settings\Justin Nyle Holt\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0] 2007-05-10 21:46 624248 --a------ C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM] 2007-03-20 15:40 1884160 --a------ C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VER SIO~2.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6] C:\Program Files\AIM6\aim6.exe /d locale=en-US ee://aol/imApp [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BootSkin Startup Jobs] C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.ex e /StartupJobs [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools] C:\Program Files\DAEMON Tools\daemon.exe -lang 1033 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4] C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\wcescomm.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2007-11-02 18:36 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] C:\Program Files\MSN Messenger\msnmsgr.exe /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian] 2005-09-18 17:40 1421824 --a------ C:\Program Files\PeerGuardian2\pg2.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] C:\Program Files\QuickTime\QTTask.exe -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2007-06-14 17:32 132760 --a------ C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\G oogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher] C:\Program Files\Zune\ZuneLauncher.exe R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-12 03:05] S3 dump_wmimmc;dump_wmimmc;C:\Program Files\Gpotato\Flyff\GameGuard\dump_wmimmc.sys [] S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2004-05-17 15:18] Start Pending2 catservice;CATPRO Service;C:\Program Files\cp\catserv.exe [2007-09-23 17:05] [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{5f7625b3-71c7-11dc-a233-00130216c921}] \Shell\AutoRun\command - F:\LaunchU3.exe -a . Contents of the 'Scheduled Tasks' folder "2007-12-22 02:46:44 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2007-12-26 05:04:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE "2007-12-26 05:38:16 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Program Files\Windows Defender\MpCmdRun.exe . ************************************************** ************************ catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-26 00:36:09 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************** ************************ [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\c atservice] "ImagePath"="C:\Program Files\cp\catserv.exe /startedbyscm:58859EE1-40E2E001-catservice" . Completion time: 2007-12-26 0:39:05 - machine was rebooted . 2007-12-20 23:24:41 --- E O F ---
|
|
#7
December 26th, 2007, 06:42 AM
|
||||
|
||||
|
and heres hijacker:
Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 12:41:22 AM, on 12/26/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\WINDOWS\system32\cmd.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\cp\catserv.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\system32\DVDRAMSV.exe C:\WINDOWS\eHome\ehRecvr.exe C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe C:\WINDOWS\system32\TDispVol.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\eHome\ehSched.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe c:\TOSHIBA\IVP\swupdate\swupdtmr.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe C:\Program Files\AIM6\aim6.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe C:\WINDOWS\system32\TPSBattM.exe C:\Program Files\TOSHIBA\Bluetooth Monitor\BtMon2.exe C:\WINDOWS\system32\RAMASST.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\AIM6\aolsoftware.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Justin Nyle Holt\Desktop\Games\My Things\Anti-Virus\New Folder\HiJackThis_v2.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O2 - BHO: (no name) - {D5F41F66-0DCE-4CEE-BA7D-D6F5C419845C} - C:\WINDOWS\system32\ssqpq.dll (file missing) O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O4 - HKLM\..\Run: [TFncKy] TFncKy.exe O4 - HKLM\..\Run: [TDispVol] TDispVol.exe O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe O4 - HKLM\..\Run: [TPSMain] TPSMain.exe O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe O4 - HKLM\..\Run: [CATTRAY] C:\Program Files\cp\cattray.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'Default user') O4 - Global Startup: Bluetooth Monitor.lnk = ? O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/re...s/MSNPUpld.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://test.update.microsoft.com/mic...?1175195710078 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://test.update.microsoft.com/mic...?1175195604312 O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - http://rpm.cnsres.muskingum.edu/CAT/CNICAT.cab O20 - Winlogon Notify: awttuvw - awttuvw.dll (file missing) O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: CATPRO Service (catservice) - AllSecure Networks - C:\Program Files\cp\catserv.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: DVD-RAM_Service - Matsu****a Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 13098 bytes
|
|
#9
December 26th, 2007, 05:08 PM
|
||||
|
||||
|
Looks like some infection had been removed, and now ComboFix has done more as well. You have Viewpoint software showing there. As the next scan to use here includes them as adware to remove best if you go to Add/Remove Programs and uninstall all Viewpoint items listed first.
Once you have done that Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it: Code:
File::
C:\barsettingx.~dat
C:\WINDOWS\system32\ssqpq.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D5F41F66-0DCE-4CEE-BA7D-D6F5C419845C}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awttuvw]
(include the "quotation marks" with the name)  Referring to the picture above, drag CFScript.txt into ComboFix.exe ComboFix will now run as it did before. When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt. A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. ----------------------- Go here and download the free version of SUPERAntiSpyware and install it. After installation accept any prompts to allow SUPERAntiSpyware to install the latest infection definition files. Next follow the prompts to complete the installation. For now, uncheck the option to have SUPERAntiSpyware "Automatically check for program and definition updates". Providing an email address and allowing the software to send diagnostic reports to it's research center are up to you. Do NOT allow SUPERAntiSpyware to Protect your Home Page settings. Once the installation is complete open SUPERAntiSpyware and press the Preferences button. Under the General and Startup tab, uncheck the following (leaving all other settings as is). Start-up Options: *Start SUPERAntiSpyware when Windows starts Automatic Updates: *Check for program updates when the application starts. Start-up Scanning: *Check for updates before scanning on startup. Then select Close. Don't scan just yet though. Also Go Here and download ATF cleaner. Click on the downloaded file to run it, and select "Select All", then click Empty Selected (and close ATF). If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective. =============================================== Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode). Open SUPERAntiSpyware and click the Scan your Computer button. You may need to start SUPERAntiSpyware, then right click the Taskbar icon (the little bug shaped icon) and select "Scan for Spyware, Adware, Malware..." to access the scan panel. Making sure that Fixed Drive (NTFS) is checked (typically the C Drive), check "Perform Complete Scan", then click Next. SUPERAntiSpyware will now complete a system scan. SUPERAntiSpyware will now scan your computer and when its finished it will list all the infections it has found. Make sure that they all have a check next to them and click next. If prompted allow the reboot (or manually reboot at this time), and after the reboot open SUPERAntiSpyware again (double click the bug-shaped Taskbar icon). Click Preferences, then under the Statistics/Logs tab, click to select the most recent Scan Log, then click View Log. Save the log to your desktop, and copy/paste the text from the log back here along with the ComboFix.txt log and a new HijackThis log please.
|
|
#10
December 27th, 2007, 08:38 AM
|
||||
|
||||
|
Here's the first combofix log:
ComboFix 07-12-26.3 - Justin Nyle Holt 2007-12-27 2:32:35.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.432 [GMT -5:00] Running from: C:\Documents and Settings\Justin Nyle Holt\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Justin Nyle Holt\Desktop\CFScript * Created a new restore point FILE C:\barsettingx.~dat C:\WINDOWS\system32\ssqpq.dll . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\barsettingx.~dat . ((((((((((((((((((((((((( Files Created from 2007-11-27 to 2007-12-27 ))))))))))))))))))))))))))))))) . 2007-12-27 02:29 . 2007-12-27 02:30 <DIR> d-------- C:\Program Files\SUPERAntiSpyware 2007-12-27 02:29 . 2007-12-27 02:29 <DIR> d-------- C:\Documents and Settings\Justin Nyle Holt\Application Data\SUPERAntiSpyware.com 2007-12-27 02:29 . 2007-12-27 02:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2007-12-27 02:28 . 2007-12-27 02:28 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-12-25 14:45 . 2007-12-25 14:45 <DIR> d-------- C:\Documents and Settings\Justin Nyle Holt\Application Data\Uniblue 2007-12-25 14:35 . 2007-12-06 18:12 110,592 --a------ C:\WINDOWS\system32\SynTPCo4.dll 2007-12-25 14:23 . 2007-12-25 14:23 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition 2007-12-25 14:22 . 2007-12-25 14:23 <DIR> d-------- C:\Program Files\Windows Live Toolbar 2007-12-25 14:22 . 2007-12-25 14:22 <DIR> d-------- C:\Program Files\Windows Live Favorites 2007-12-25 14:16 . 2007-12-25 14:24 <DIR> d-------- C:\Program Files\Windows Live 2007-12-25 14:16 . 2007-12-25 14:19 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller 2007-12-25 14:15 . 2007-12-25 14:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller 2007-12-25 10:24 . 2007-12-25 10:25 67 --a------ C:\WINDOWS\swupdate.INI 2007-12-25 09:30 . 2007-12-25 09:30 <DIR> d-------- C:\Program Files\Western Digital Technologies 2007-12-24 02:00 . 2007-12-24 02:00 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe 2007-12-24 01:58 . 2007-12-25 01:48 118,784 --a------ C:\WINDOWS\system32\igfxpers .exe 2007-12-24 01:58 . 2007-12-25 01:48 98,304 --a------ C:\WINDOWS\system32\igfxtray .exe 2007-12-24 01:58 . 2007-12-25 01:48 77,824 --a------ C:\WINDOWS\system32\hkcmd .exe 2007-12-23 03:09 . 2007-12-23 03:09 <DIR> d-------- C:\Program Files\Magic Music Studio Pro 2007-12-10 04:10 . 2007-12-10 04:10 <DIR> d-------- C:\Program Files\Rouge-Guild 2007-12-03 05:24 . 2007-12-03 20:25 1,890 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys 2007-12-03 05:24 . 2007-12-03 05:24 56 -r-hs---- C:\WINDOWS\system32\CE560AA6B5.sys 2007-12-03 05:23 . 2007-12-03 05:23 <DIR> d-------- C:\Program Files\Enterbrain 2007-12-03 05:22 . 2007-12-03 05:22 <DIR> d-------- C:\Program Files\Common Files\Enterbrain . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )) . 2007-12-27 07:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint 2007-12-27 07:19 --------- d-----w C:\Program Files\Viewpoint 2007-12-26 20:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7 2007-12-26 05:33 --------- d-----w C:\Documents and Settings\Justin Nyle Holt\Application Data\uTorrent 2007-12-25 21:35 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment 2007-12-25 19:40 --------- d-----w C:\Program Files\Google 2007-12-25 19:34 --------- d-----w C:\Program Files\Common Files\Nero 2007-12-25 19:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero 2007-12-25 19:24 --------- d-----w C:\Program Files\Yahoo! 2007-12-25 19:20 --------- d-----w C:\Program Files\MSN Messenger 2007-12-25 19:19 --------- d-----w C:\Program Files\AIM6 2007-12-25 19:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL 2007-12-25 11:54 --------- d-----w C:\Program Files\Microsoft ActiveSync 2007-12-25 06:57 --------- d-----w C:\Program Files\Windows Defender 2007-12-25 06:57 --------- d-----w C:\Program Files\cp 2007-12-25 06:48 --------- d-----w C:\Program Files\Microsoft Works 2007-12-24 00:32 --------- d-----w C:\Documents and Settings\Justin Nyle Holt\Application Data\AVG7 2007-12-21 19:42 --------- d-----w C:\Program Files\uTorrent 2007-12-15 19:45 --------- d-----w C:\Program Files\Gpotato 2007-12-12 04:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help 2007-12-06 22:41 220,032 ----a-w C:\WINDOWS\system32\drivers\SynTP.sys 2007-12-06 22:20 147,456 ----a-w C:\WINDOWS\system32\SynTPAPI.dll 2007-12-06 22:09 196,608 ----a-w C:\WINDOWS\system32\SynCtrl.dll 2007-12-06 22:08 163,840 ----a-w C:\WINDOWS\system32\SynCOM.dll 2007-12-01 02:32 --------- d-----w C:\Program Files\PeerGuardian2 2007-11-24 00:14 --------- d-----w C:\Program Files\The Weather Channel FW 2007-11-23 22:05 --------- d-----w C:\Program Files\DAMN NFO Viewer 2007-11-22 08:44 --------- d-----w C:\Program Files\TOSHIBA 2007-11-22 08:43 --------- d--h--w C:\Program Files\InstallShield Installation Information 2007-11-22 08:22 36,734 ----a-w C:\WINDOWS\system32\OggDSuninst.exe 2007-11-22 07:58 --------- d-----w C:\Program Files\Combined Community Codec Pack 2007-11-22 07:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\River Past G5 2007-11-22 07:20 --------- d-----w C:\Program Files\River Past 2007-11-22 07:18 --------- d-----w C:\Documents and Settings\Justin Nyle Holt\Application Data\River Past G5 2007-11-19 07:51 --------- d-----w C:\Program Files\Microsoft Games 2007-11-16 16:23 --------- d-----w C:\Documents and Settings\Justin Nyle Holt\Application Data\Screenshot Studio Files 2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys 2007-11-09 15:15 --------- d--h--r C:\Documents and Settings\Justin Nyle Holt\Application Data\yahoo! 2007-11-09 15:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo! 2007-11-06 07:40 --------- d-----w C:\Program Files\iTunes 2007-11-06 07:39 --------- d-----w C:\Program Files\iPod 2007-11-06 07:38 --------- d-----w C:\Program Files\QuickTime 2007-11-05 01:51 --------- d-----w C:\Program Files\Riva 2007-11-05 01:51 --------- d-----w C:\Program Files\Common Files\SWF Studio 2007-11-03 03:29 --------- d-----w C:\Program Files\Maxis 2007-11-02 05:06 --------- d-----w C:\Program Files\Common Files\PocketSoft 2007-11-02 02:06 --------- d-----w C:\Program Files\AutoMacroRecorder 2007-11-02 01:50 --------- d-----w C:\Program Files\YRefresher 2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll 2007-10-29 03:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\NexonUS 2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll 2007-10-23 22:06 585,728 ----a-w C:\WINDOWS\WLXPGSS.SCR 2007-10-22 07:39 267,272 ----a-w C:\WINDOWS\system32\xactengine2_10.dll 2007-10-22 07:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll 2007-10-18 16:31 51,224 ----a-w C:\WINDOWS\system32\sirenacm.dll 2007-10-12 19:14 3,734,536 ----a-w C:\WINDOWS\system32\d3dx9_36.dll 2007-10-12 19:14 1,374,232 ----a-w C:\WINDOWS\system32\D3DCompiler_36.dll 2007-10-08 12:29 1,759,744 ----a-w C:\Documents and Settings\Justin Nyle Holt\Neuz.exe 2007-10-02 13:56 444,776 ----a-w C:\WINDOWS\system32\d3dx10_36.dll 2004-09-03 03:12 370,688 ----a-w C:\Documents and Settings\Justin Nyle Holt\mss32.dll . ((((((((((((((((((((((((((((( snapshot@2007-12-26_ 0.38.17.04 ))))))))))))))))))))))))))))))))))))))))) . + 2007-12-27 07:29:13 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe + 2007-12-27 07:29:13 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe + 2007-12-27 07:29:13 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [] "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00] "Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-12-18 14:04] "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34] "Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run] "TFncKy"="TFncKy.exe" [] "TDispVol"="TDispVol.exe" [2005-03-11 18:03 C:\WINDOWS\system32\TDispVol.exe] "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 16:56] "AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 09:29 C:\WINDOWS\agrsmmsg.exe] "NDSTray.exe"="NDSTray.exe" [] "TPSMain"="TPSMain.exe" [2005-06-01 00:00 C:\WINDOWS\system32\TPSMain.exe] "PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [] "CATTRAY"="C:\Program Files\cp\cattray.exe" [] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-25 16:20] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 17:20] "NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run] "DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1 \DW\dwtrig20.exe" [2007-08-24 03:18] "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-26 11:35] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Bluetooth Monitor.lnk - C:\Program Files\TOSHIBA\Bluetooth Monitor\BtMon2.exe [2007-11-22 03:43:44] RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-02-15 11:31:42] [HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\system] "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme [hkey_local_machine\software\microsoft\windows\curr entversion\explorer\shellexecutehooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Odometer.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Odometer.lnk backup=C:\WINDOWS\pss\Odometer.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Justin Nyle Holt^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk] path=C:\Documents and Settings\Justin Nyle Holt\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0] 2007-05-10 21:46 624248 --a------ C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM] 2007-03-20 15:40 1884160 --a------ C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VER SIO~2.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6] C:\Program Files\AIM6\aim6.exe /d locale=en-US ee://aol/imApp [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BootSkin Startup Jobs] C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.ex e /StartupJobs [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools] C:\Program Files\DAEMON Tools\daemon.exe -lang 1033 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4] C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\wcescomm.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2007-11-02 18:36 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] C:\Program Files\MSN Messenger\msnmsgr.exe /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian] 2005-09-18 17:40 1421824 --a------ C:\Program Files\PeerGuardian2\pg2.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] C:\Program Files\QuickTime\QTTask.exe -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2007-06-14 17:32 132760 --a------ C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\G oogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher] C:\Program Files\Zune\ZuneLauncher.exe R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-12 03:05] R2 catservice;CATPRO Service;C:\Program Files\cp\catserv.exe [2007-09-23 17:05] S3 dump_wmimmc;dump_wmimmc;C:\Program Files\Gpotato\Flyff\GameGuard\dump_wmimmc.sys [] S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2004-05-17 15:18] [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{5f7625b3-71c7-11dc-a233-00130216c921}] \Shell\AutoRun\command - F:\LaunchU3.exe -a *Newly Created Service* - SASDIFSV *Newly Created Service* - SASENUM *Newly Created Service* - SASKUTIL . Contents of the 'Scheduled Tasks' folder "2007-12-22 02:46:44 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2007-12-27 07:04:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE "2007-12-27 07:05:04 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Program Files\Windows Defender\MpCmdRun.exe . ************************************************** ************************ catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-27 02:37:12 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************** ************************ [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\c atservice] "ImagePath"="C:\Program Files\cp\catserv.exe /startedbyscm:58859EE1-40E2E001-catservice" . Completion time: 2007-12-27 2:37:41 C:\ComboFix2.txt ... 2007-12-26 00:39 . 2007-12-20 23:24:41 --- E O F ---
|
|
#12
December 27th, 2007, 06:18 PM
|
||||
|
||||
|
Here's the superantispyware log:
SUPERAntiSpyware Scan Log http://www.superantispyware.com Generated 12/27/2007 at 03:57 AM Application Version : 3.9.1008 Core Rules Database Version : 3369 Trace Rules Database Version: 1365 Scan type : Complete Scan Total Scan Time : 01:09:47 Memory items scanned : 177 Memory threats detected : 0 Registry items scanned : 7293 Registry threats detected : 5 File items scanned : 37522 File threats detected : 1 Adware.Vundo Variant HKLM\Software\Classes\CLSID\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D} HKCR\CLSID\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D} HKCR\CLSID\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}\InprocServer32 HKCR\CLSID\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}\InprocServer32#ThreadingModel C:\WINDOWS\SYSTEM32\AWTTUVW.DLL HKCR\CLSID\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}
|
|
#13
December 27th, 2007, 06:19 PM
|
||||
|
||||
|
Here's the hijackthis log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 12:18:31 PM, on 12/27/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\cp\catserv.exe C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe C:\WINDOWS\system32\TDispVol.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\AIM6\aim6.exe C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe C:\WINDOWS\system32\TPSBattM.exe C:\WINDOWS\system32\DVDRAMSV.exe C:\WINDOWS\eHome\ehRecvr.exe C:\Program Files\TOSHIBA\Bluetooth Monitor\BtMon2.exe C:\WINDOWS\eHome\ehSched.exe C:\WINDOWS\system32\RAMASST.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\svchost.exe c:\TOSHIBA\IVP\swupdate\swupdtmr.exe C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe C:\Program Files\AIM6\aolsoftware.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Documents and Settings\Justin Nyle Holt\Desktop\Games\My Things\Anti-Virus\New Folder\HiJackThis_v2.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O4 - HKLM\..\Run: [TFncKy] TFncKy.exe O4 - HKLM\..\Run: [TDispVol] TDispVol.exe O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe O4 - HKLM\..\Run: [TPSMain] TPSMain.exe O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe O4 - HKLM\..\Run: [CATTRAY] C:\Program Files\cp\cattray.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'Default user') O4 - Global Startup: Bluetooth Monitor.lnk = ? O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/re...s/MSNPUpld.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://test.update.microsoft.com/mic...?1175195710078 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://test.update.microsoft.com/mic...?1175195604312 O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - http://rpm.cnsres.muskingum.edu/CAT/CNICAT.cab O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: CATPRO Service (catservice) - AllSecure Networks - C:\Program Files\cp\catserv.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: DVD-RAM_Service - Matsu****a Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe -- End of file - 12700 bytes
|
|
#15
December 27th, 2007, 10:28 PM
|
||||
|
||||
|
Things are looking good so far. One unknown startup that shows now with no file being found that perhaps you can provide info on:
"CATTRAY"="C:\Program Files\cp\cattray.exe" [] [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\c atservice] "ImagePath"="C:\Program Files\cp\catserv.exe /startedbyscm:58859EE1-40E2E001-catservice" The log shows many startups disabled through msconfig, though none appear to be infection items. These should all be re-enabled at least once to do a complete cleaning here, and also one additional scan based on the active file Super picked up. Go to Start - Run, type msconfig (and Enter). Under the Startup tab, click Enable All, then Apply/OK to close msconfig. Allow the reboot at this time. You can expect to receive alerts/error messages at reboot after this, but we will be addressing all this during the repairs. After the reboot run and post back new ComboFix and HijackThis logs. Also Go here and run the Kaspersky online scan, and post back the log it creates (it requires IE). To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top of IE if needed to allow this). Once the download has completed click Next, then Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click "My Computer" to begin the scan. Save the Report as a text file and post that back here. To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)", and post that log as well please.
|
|
| Bookmarks |
«
Previous Topic
|
Next Topic
»
| Topic Tools | |
|
|
Similar Topics
|
||||
| Topic | Topic Starter | Forum | Replies | Last Post |
| Help Please: Moved from XP by Murray | notveronica | Malware Removal | 41 | May 13th, 2008 02:04 AM |
| Just Don't get it: Moved from 98 by Murray | Cjcclarke | Malware Removal | 13 | January 19th, 2008 02:30 AM |
| Pop Ups: Moved from XP by Murray | Bigdave1971 | Malware Removal | 19 | June 16th, 2007 10:15 PM |
| HJT help: Moved from ME by Murray | dammtheman | Malware Removal | 3 | April 24th, 2007 07:08 PM |
| Can someone help: Moved by Murray from XP | ZachDavis | Malware Removal | 2 | August 13th, 2006 06:08 AM |
All times are GMT +1. The time now is 08:07 AM.