Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Hijack log 3/2/2008 -- any help appreciated!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Hijack log 3/2/2008 -- any help appreciated!

Unread postby dan12 » March 5th, 2008, 12:06 am

Did you update your java, from my last post?

Because the malwarebytes log picked up quite a few entries I'd like to run another tool just for peace of mind that we have everything.
Log is looking a lot better now.
____________

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofi ... e-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


Dan :)
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire
Advertisement
Register to Remove

Re: Hijack log 3/2/2008 -- any help appreciated!

Unread postby ITManager » March 6th, 2008, 12:39 am

Hi, Dan!

Yes, I updated both Java and Adobe Reader, as instructed. :)

Here's the Combofix log, and the new HJT log:

ComboFix 08-03-05.1 - Becky 2008-03-05 22:27:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.177 [GMT -6:00]
Running from: C:\Documents and Settings\Becky\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\absolute key logger.lnk
C:\WINDOWS\aconti.exe
C:\WINDOWS\aconti.ini
C:\WINDOWS\aconti.log
C:\WINDOWS\aconti.sdb
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\default.htm
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe

----- BITS: Possible infected sites -----

hxxp://80.93.59.108
.
((((((((((((((((((((((((( Files Created from 2008-02-06 to 2008-03-06 )))))))))))))))))))))))))))))))
.

2008-03-05 22:26 . 2008-03-05 22:26 <DIR> d-------- C:\WINDOWS\LastGood
2008-03-04 20:14 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-04 20:13 . 2008-03-04 20:14 <DIR> d-------- C:\Program Files\Java
2008-03-04 20:13 . 2008-03-04 20:13 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-03 06:45 . 2008-03-03 06:45 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-03 06:45 . 2008-03-03 06:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-02 21:40 . 2008-03-02 21:40 <DIR> d-------- C:\Documents and Settings\Becky\Application Data\Malwarebytes
2008-03-02 21:39 . 2008-03-02 21:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-02 21:39 . 2008-03-02 21:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-02 21:17 . 2008-03-02 21:17 <DIR> d-------- C:\Program Files\CCleaner
2008-03-02 08:58 . 2008-03-02 08:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-01 21:58 . 2008-03-01 22:34 2,956 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-01 21:56 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-01 21:56 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-01 21:56 . 2008-03-01 23:12 86,016 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-01 21:56 . 2008-02-29 23:48 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-01 21:56 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-01 21:56 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-01 21:56 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-01 14:17 . 2008-03-01 14:18 <DIR> d-------- C:\WINDOWS\kdldubmh
2008-03-01 14:17 . 2008-03-01 14:17 195,584 --a------ C:\WINDOWS\ahqxencr.dll
2008-03-01 14:17 . 2008-03-01 14:17 41,984 --a------ C:\WINDOWS\yjejixsv.exe
2008-02-24 22:50 . 2008-02-24 22:50 <DIR> d--hs---- C:\found.000
2008-02-24 22:42 . 2008-02-24 22:42 401 --a------ C:\WINDOWS\system32\L91CA.tmp
2008-02-16 19:55 . 2008-02-16 19:55 <DIR> d-------- C:\Program Files\Audacity
2008-02-16 19:07 . 2008-02-16 19:07 58 --a------ C:\WINDOWS\coolacm.ini
2008-02-16 17:49 . 2005-07-30 21:00 114,688 --a------ C:\WINDOWS\system32\OdiOlDVR.dll
2008-02-16 17:49 . 2005-07-30 21:14 86,016 --a------ C:\WINDOWS\system32\STRDEVAPI.dll
2008-02-16 17:49 . 2003-06-13 17:49 73,728 --a------ C:\WINDOWS\system32\DW90USB.DLL
2008-02-16 17:49 . 2004-06-21 10:14 53,248 --a------ C:\WINDOWS\system32\OdiAPI.dll
2008-02-16 17:49 . 2001-04-09 19:17 39,096 --a------ C:\WINDOWS\system32\drivers\DW90USB.SYS
2008-02-16 17:48 . 2008-02-16 17:49 <DIR> d-------- C:\Program Files\Olympus
2008-02-16 17:44 . 2006-04-07 17:05 73,728 --a------ C:\WINDOWS\system32\VNUSB.dll
2008-02-16 17:44 . 2006-04-07 17:06 38,496 --a------ C:\WINDOWS\system32\drivers\VNUSB.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-05 10:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-05 02:19 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-05 00:39 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-05 00:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-03 02:58 --------- d-----w C:\Program Files\Network Associates
2008-03-03 02:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Network Associates
2008-02-24 00:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-02-16 23:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-05-14 23:38 2,326,901 ----a-w C:\Program Files\DVDFabHDDecrypter3112.exe
2006-05-06 15:00 19,552 ----a-w C:\Documents and Settings\Becky\Application Data\GDIPFONTCACHEV1.DAT
2005-09-02 19:28 614,943 ----a-w C:\Program Files\lame-3.96.1.zip
2005-09-02 19:27 1,665,325 ----a-w C:\Program Files\agsetup.exe
2005-08-30 00:23 1,094,021 ----a-w C:\Program Files\dvdshrink32setup.zip
2005-08-30 00:18 520,898 ----a-w C:\Program Files\DVD43_3-6-2_Setup.exe
2001-05-31 08:02 1,119,232 ----a-w C:\Program Files\mirc59t.exe
1995-05-27 15:13 551,584 ----a-w C:\Program Files\LVIEWP1B.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2004-08-20 10:47 1912832]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-20 19:46 579072]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2003-12-12 18:50 33792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-23 17:15 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2008-02-16 17:49:35 118784]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PVR Agent]
--a------ 2004-03-03 20:33 729600 C:\Program Files\V-Stream\PVR Plus\TVR\Scheduled.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=

S3 USB28xxBGA;USB 2800 Device;C:\WINDOWS\system32\DRIVERS\emBDA.sys [2006-09-12 21:21]
S3 USB28xxOEM;USB 28xx OEM Filter;C:\WINDOWS\system32\DRIVERS\emOEM.sys [2006-08-21 23:38]
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2006-04-07 17:06]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-05 07:32:26 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-05 22:29:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-05 22:30:48
ComboFix-quarantined-files.txt 2008-03-06 04:30:34
.
2008-03-01 21:29:43 --- E O F ---

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:28 PM, on 3/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe

--
End of file - 3841 bytes
ITManager
Regular Member
 
Posts: 17
Joined: March 2nd, 2008, 11:57 am

Re: Hijack log 3/2/2008 -- any help appreciated!

Unread postby dan12 » March 6th, 2008, 4:30 am

Thanks for returned logs.
Your java entry "Java\jre1.6.0_05 s" in the log is the old version.
Please repeat that task again as instructed.

We have still a bit to go as you can see by the returned combo log. hope to be working on it later.
dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Hijack log 3/2/2008 -- any help appreciated!

Unread postby dan12 » March 6th, 2008, 8:55 pm

Just awaiting your HJT log :)
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Hijack log 3/2/2008 -- any help appreciated!

Unread postby ITManager » March 7th, 2008, 12:48 am

Hi, Dan! Sorry, I had work all day today and class tonight. (And I have a similar schedule for tomorrow.)

But one thing does have me confused. You told me,

"Your java entry "Java\jre1.6.0_05 s" in the log is the old version.
Please repeat that task again as instructed."

But isn't that actually a *newer* version than the one mentioned in your instructions,
"Download the latest version of Java(TM) SE Runtime Environment 6u4"?

Because, when I go the the Java page (http://java.sun.com/javase/downloads/index.jsp), the newest version is this:
"Java Runtime Environment (JRE) 6 Update 5. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."

That's the one I downloaded and installed. So isn't that right??
ITManager
Regular Member
 
Posts: 17
Joined: March 2nd, 2008, 11:57 am

Re: Hijack log 3/2/2008 -- any help appreciated!

Unread postby dan12 » March 7th, 2008, 3:14 am

Hi,ITManager,
Reference java, your absolutely correct, it was a mistake on my part you have the latest running. :oops:

I have a few logs to get through so bare with me and will get back to you soon.
dan :)
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Hijack log 3/2/2008 -- any help appreciated!

Unread postby ITManager » March 7th, 2008, 7:43 am

Hi, Dan! Good to know I did manage to get the latest and correct version of Java running. :) After that, I think you said you were just awaiting my HJT log. So here is the latest:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:40:08 AM, on 3/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe

--
End of file - 3909 bytes
ITManager
Regular Member
 
Posts: 17
Joined: March 2nd, 2008, 11:57 am

Re: Hijack log 3/2/2008 -- any help appreciated!

Unread postby dan12 » March 7th, 2008, 1:02 pm

Hi, log is looking really well now just a few bits totidy up, hope its running ok.
I expect a few bits in system restore but I will deal with that at the end.

Is this the Installer C:\Program Files\lame-3.96.1.zip mp3 encoder? for the program? maybe you know a little about it.

I want to see what these following files are:

Submit a file to Jotti
Please go here : http://virusscan.jotti.org/
On top of the page there is a field to add the filepath,browse and find the file click open which will place it in the field.

C:\WINDOWS\system32\L91CA.tmp
C:\WINDOWS\coolacm.ini
C:\WINDOWS\system32\OdiOlDVR.dll
C:\WINDOWS\system32\STRDEVAPI.dll
C:\WINDOWS\system32\OdiAPI.dll


Then hit Submit
The scan will take a while before the result comes up so please be patient.
Then copy the result and post it here in this thread.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html

----------------------------------

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all
    File::
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\VACFix.exe
C:\WINDOWS\system32\IEDFix.exe
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\WS2Fix.exe
C:\WINDOWS\kdldubmh
C:\WINDOWS\ahqxencr.dll
 C:\WINDOWS\yjejixsv.exe


    


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


_______________


Can you run malwarebytes again for me.
I'd like to see another Kaspersky also

Please include in your next post:
  • Combofix log txt
  • Malwarebytes log
  • Kaspersky scan log
  • New highjackthis log

Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Hijack log 3/2/2008 -- any help appreciated!

Unread postby ITManager » March 9th, 2008, 5:21 pm

Hi, Dan! Thanks for your patience during a very busy last few days...

Yes, the "C:\Program Files\lame-3.96.1.zip mp3" is the installer for the Lame codec, which converts WAV files to MP3s. It, in turn, is used by a freeware program called "Audiograbber", which is my favorite program for ripping my CDs to MP3s.

Jotti's service load was near 100%, so I used Virus Total instead. The results were generated in table format, which copying and pasting kinda destroys, so I hope you can make sense of them. I added some extra spaces in the first few rows of the first few reports to indicate where the columns should be.

From Total Virus...

"C:\WINDOWS\system32\L91CA.tmp" yeilded the following report....

File L91CA.tmp
Current status: finished
Result: 0/32 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.3.4.0 2008.03.07 -
AntiVir 7.6.0.73 2008.03.07 -
Authentium 4.93.8 2008.03.07 -
Avast 4.7.1098.0 2008.03.09 -
AVG 7.5.0.516 2008.03.09 -
BitDefender 7.2 2008.03.09 -
CAT-QuickHeal 9.50 2008.03.08 -
ClamAV 0.92.1 2008.03.09 -
DrWeb 4.44.0.09170 2008.03.09 -
eSafe 7.0.15.0 2008.03.09 -
eTrust-Vet 31.3.5597 2008.03.07 -
Ewido 4.0 2008.03.09 -
FileAdvisor 1 2008.03.09 -
Fortinet 3.14.0.0 2008.03.08 -
F-Prot 4.4.2.54 2008.03.09 -
F-Secure 6.70.13260.0 2008.03.09 -
Ikarus T3.1.1.20 2008.03.09 -
Kaspersky 7.0.0.125 2008.03.09 -
McAfee 5247 2008.03.07 -
Microsoft 1.3301 2008.03.07 -
NOD32v2 2932 2008.03.09 -
Norman 5.80.02 2008.03.07 -
Panda 9.0.0.4 2008.03.09 -
Prevx1 V2 2008.03.09 -
Rising 20.34.62.00 2008.03.09 -
Sophos 4.27.0 2008.03.09 -
Sunbelt 3.0.930.0 2008.03.05 -
Symantec 10 2008.03.09 -
TheHacker 6.2.92.238 2008.03.08 -
VBA32 3.12.6.2 2008.03.05 -
VirusBuster 4.3.26:9 2008.03.09 -
Webwasher-Gateway 6.6.2 2008.03.09 -

Additional information
File size: 401 bytes
MD5: 3da212c0785808b3efcd0b1693096684
SHA1: 3c4b84d050637ec90f5e26e3e3cd70d5413ba2eb
PEiD: -

~~~~~~~~~~~~~~~

"C:\WINDOWS\coolacm.ini" yeilded the following report...

File coolacm.ini
Current status: finished
Result: 0/32 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.3.4.0 2008.03.07 -
AntiVir 7.6.0.73 2008.03.07 -
Authentium 4.93.8 2008.03.07 -
Avast 4.7.1098.0 2008.03.09 -
AVG 7.5.0.516 2008.03.09 -
BitDefender 7.2 2008.03.09 -
CAT-QuickHeal 9.50 2008.03.08 -
ClamAV 0.92.1 2008.03.09 -
DrWeb 4.44.0.09170 2008.03.09 -
eSafe 7.0.15.0 2008.03.09 -
eTrust-Vet 31.3.5597 2008.03.07 -
Ewido 4.0 2008.03.09 -
FileAdvisor 1 2008.03.09 -
Fortinet 3.14.0.0 2008.03.08 -
F-Prot 4.4.2.54 2008.03.09 -
F-Secure 6.70.13260.0 2008.03.09 -
Ikarus T3.1.1.20 2008.03.09 -
Kaspersky 7.0.0.125 2008.03.09 -
McAfee 5247 2008.03.07 -
Microsoft 1.3301 2008.03.07 -
NOD32v2 2932 2008.03.09 -
Norman 5.80.02 2008.03.07 -
Panda 9.0.0.4 2008.03.09 -
Prevx1 V2 2008.03.09 -
Rising 20.34.62.00 2008.03.09 -
Sophos 4.27.0 2008.03.09 -
Sunbelt 3.0.930.0 2008.03.05 -
Symantec 10 2008.03.09 -
TheHacker 6.2.92.238 2008.03.08 -
VBA32 3.12.6.2 2008.03.05 -
VirusBuster 4.3.26:9 2008.03.09 -
Webwasher-Gateway 6.6.2 2008.03.09 -

Additional information
File size: 58 bytes
MD5: ecea7d841d87ba783a30c6068b795d06
SHA1: 525808e12e274a990a4f3811091f65d07c0616f3
PEiD: -

~~~~~~~~~~~~~~~~~~~~~

"C:\WINDOWS\system32\OdiOlDVR.dll" yeilded the following report...

File OdiOlDVR.dll
Current status: finished
Result: 0/32 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.3.4.0 2008.03.07 -
AntiVir 7.6.0.73 2008.03.07 -
Authentium 4.93.8 2008.03.07 -
Avast 4.7.1098.0 2008.03.09 -
AVG 7.5.0.516 2008.03.09 -
BitDefender 7.2 2008.03.09 -
CAT-QuickHeal 9.50 2008.03.08 -
ClamAV 0.92.1 2008.03.09 -
DrWeb 4.44.0.09170 2008.03.09 -
eSafe 7.0.15.0 2008.03.09 -
eTrust-Vet 31.3.5597 2008.03.07 -
Ewido 4.0 2008.03.09 -
FileAdvisor 1 2008.03.09 -
Fortinet 3.14.0.0 2008.03.08 -
F-Prot 4.4.2.54 2008.03.09 -
F-Secure 6.70.13260.0 2008.03.09 -
Ikarus T3.1.1.20 2008.03.09 -
Kaspersky 7.0.0.125 2008.03.09 -
McAfee 5247 2008.03.07 -
Microsoft 1.3301 2008.03.07 -
NOD32v2 2932 2008.03.09 -
Norman 5.80.02 2008.03.07 -
Panda 9.0.0.4 2008.03.09 -
Prevx1 V2 2008.03.09 -
Rising 20.34.62.00 2008.03.09 -
Sophos 4.27.0 2008.03.09 -
Sunbelt 3.0.930.0 2008.03.05 -
Symantec 10 2008.03.09 -
TheHacker 6.2.92.238 2008.03.08 -
VBA32 3.12.6.2 2008.03.05 -
VirusBuster 4.3.26:9 2008.03.09 -
Webwasher-Gateway 6.6.2 2008.03.09 -

Additional information
File size: 114688 bytes
MD5: bffe6b72ad586b066472c8a9f99cc08e
SHA1: 8589a467822a32d694ee66fe4024fc58c31a3f3b
PEiD: Armadillo v1.xx - v2.xx

~~~~~~~~~~~~~~~~~~~~~~~~~

"C:\WINDOWS\system32\STRDEVAPI.dll" yeilded the following report...

File STRDEVAPI.dll
Current status: finished
Result: 0/32 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.3.4.0 2008.03.07 -
AntiVir 7.6.0.73 2008.03.07 -
Authentium 4.93.8 2008.03.07 -
Avast 4.7.1098.0 2008.03.09 -
AVG 7.5.0.516 2008.03.09 -
BitDefender 7.2 2008.03.09 -
CAT-QuickHeal 9.50 2008.03.08 -
ClamAV 0.92.1 2008.03.09 -
DrWeb 4.44.0.09170 2008.03.09 -
eSafe 7.0.15.0 2008.03.09 -
eTrust-Vet 31.3.5597 2008.03.07 -
Ewido 4.0 2008.03.09 -
FileAdvisor 1 2008.03.09 -
Fortinet 3.14.0.0 2008.03.08 -
F-Prot 4.4.2.54 2008.03.09 -
F-Secure 6.70.13260.0 2008.03.09 -
Ikarus T3.1.1.20 2008.03.09 -
Kaspersky 7.0.0.125 2008.03.09 -
McAfee 5247 2008.03.07 -
Microsoft 1.3301 2008.03.07 -
NOD32v2 2932 2008.03.09 -
Norman 5.80.02 2008.03.07 -
Panda 9.0.0.4 2008.03.09 -
Prevx1 V2 2008.03.09 -
Rising 20.34.62.00 2008.03.09 -
Sophos 4.27.0 2008.03.09 -
Sunbelt 3.0.930.0 2008.03.05 -
Symantec 10 2008.03.09 -
TheHacker 6.2.92.238 2008.03.08 -
VBA32 3.12.6.2 2008.03.05 -
VirusBuster 4.3.26:9 2008.03.09 -
Webwasher-Gateway 6.6.2 2008.03.09 -

Additional information
File size: 86016 bytes
MD5: 6ecab4b8456b2eedfa298843691a04b3
SHA1: 54f52f50cb89883f6d12667fbbe25f5ec6247d34
PEiD: Armadillo v1.xx - v2.xx

~~~~~~~~~~~~~~~~~~~~~~~~~

"C:\WINDOWS\system32\OdiAPI.dll" yeilded the following report...

File OdiAPI.dll
Current status: finished
Result: 0/32 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.3.4.0 2008.03.07 -
AntiVir 7.6.0.73 2008.03.07 -
Authentium 4.93.8 2008.03.07 -
Avast 4.7.1098.0 2008.03.09 -
AVG 7.5.0.516 2008.03.09 -
BitDefender 7.2 2008.03.09 -
CAT-QuickHeal 9.50 2008.03.08 -
ClamAV 0.92.1 2008.03.09 -
DrWeb 4.44.0.09170 2008.03.09 -
eSafe 7.0.15.0 2008.03.09 -
eTrust-Vet 31.3.5597 2008.03.07 -
Ewido 4.0 2008.03.09 -
FileAdvisor 1 2008.03.09 -
Fortinet 3.14.0.0 2008.03.08 -
F-Prot 4.4.2.54 2008.03.09 -
F-Secure 6.70.13260.0 2008.03.09 -
Ikarus T3.1.1.20 2008.03.09 -
Kaspersky 7.0.0.125 2008.03.09 -
McAfee 5247 2008.03.07 -
Microsoft 1.3301 2008.03.07 -
NOD32v2 2932 2008.03.09 -
Norman 5.80.02 2008.03.07 -
Panda 9.0.0.4 2008.03.09 -
Prevx1 V2 2008.03.09 -
Rising 20.34.62.00 2008.03.09 -
Sophos 4.27.0 2008.03.09 -
Sunbelt 3.0.930.0 2008.03.05 -
Symantec 10 2008.03.09 -
TheHacker 6.2.92.239 2008.03.09 -
VBA32 3.12.6.2 2008.03.05 -
VirusBuster 4.3.26:9 2008.03.09 -
Webwasher-Gateway 6.6.2 2008.03.09 -

Additional information
File size: 53248 bytes
MD5: a9117f57d940498c6230b4c49d2c7c77
SHA1: bb7b2372f1db4c6c1cd5824d859c10092f4a0d55
PEiD: Armadillo v1.xx - v2.xx

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here's the Combofix log txt you asked for:

ComboFix 08-03-05.1 - Becky 2008-03-09 14:11:30.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.108 [GMT -5:00]
Running from: C:\Documents and Settings\Becky\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Becky\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\ahqxencr.dll
C:\WINDOWS\kdldubmh
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\IEDFix.exe
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\VACFix.exe
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\WS2Fix.exe
C:\WINDOWS\yjejixsv.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\ahqxencr.dll
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\IEDFix.exe
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\VACFix.exe
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\WS2Fix.exe
C:\WINDOWS\yjejixsv.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.

2008-03-05 23:26 . 2008-03-05 23:26 <DIR> d-------- C:\WINDOWS\LastGood
2008-03-04 21:14 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-04 21:13 . 2008-03-04 21:14 <DIR> d-------- C:\Program Files\Java
2008-03-04 21:13 . 2008-03-04 21:13 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-03 07:45 . 2008-03-03 07:45 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-03 07:45 . 2008-03-03 07:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-02 22:40 . 2008-03-02 22:40 <DIR> d-------- C:\Documents and Settings\Becky\Application Data\Malwarebytes
2008-03-02 22:39 . 2008-03-02 22:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-02 22:39 . 2008-03-02 22:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-02 22:17 . 2008-03-02 22:17 <DIR> d-------- C:\Program Files\CCleaner
2008-03-02 09:58 . 2008-03-02 09:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-01 22:56 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-01 15:17 . 2008-03-01 15:18 <DIR> d-------- C:\WINDOWS\kdldubmh
2008-02-24 23:50 . 2008-02-24 23:50 <DIR> d--hs---- C:\found.000
2008-02-24 23:42 . 2008-02-24 23:42 401 --a------ C:\WINDOWS\system32\L91CA.tmp
2008-02-16 20:55 . 2008-02-16 20:55 <DIR> d-------- C:\Program Files\Audacity
2008-02-16 20:07 . 2008-02-16 20:07 58 --a------ C:\WINDOWS\coolacm.ini
2008-02-16 18:49 . 2005-07-30 22:00 114,688 --a------ C:\WINDOWS\system32\OdiOlDVR.dll
2008-02-16 18:49 . 2005-07-30 22:14 86,016 --a------ C:\WINDOWS\system32\STRDEVAPI.dll
2008-02-16 18:49 . 2003-06-13 18:49 73,728 --a------ C:\WINDOWS\system32\DW90USB.DLL
2008-02-16 18:49 . 2004-06-21 11:14 53,248 --a------ C:\WINDOWS\system32\OdiAPI.dll
2008-02-16 18:49 . 2001-04-09 20:17 39,096 --a------ C:\WINDOWS\system32\drivers\DW90USB.SYS
2008-02-16 18:48 . 2008-02-16 18:49 <DIR> d-------- C:\Program Files\Olympus
2008-02-16 18:44 . 2006-04-07 18:05 73,728 --a------ C:\WINDOWS\system32\VNUSB.dll
2008-02-16 18:44 . 2006-04-07 18:06 38,496 --a------ C:\WINDOWS\system32\drivers\VNUSB.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-09 16:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-05 02:19 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-05 00:39 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-05 00:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-03 02:58 --------- d-----w C:\Program Files\Network Associates
2008-03-03 02:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Network Associates
2008-02-24 00:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-02-16 23:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-14 23:38 2,326,901 ----a-w C:\Program Files\DVDFabHDDecrypter3112.exe
2006-05-06 15:00 19,552 ----a-w C:\Documents and Settings\Becky\Application Data\GDIPFONTCACHEV1.DAT
2005-09-02 19:28 614,943 ----a-w C:\Program Files\lame-3.96.1.zip
2005-09-02 19:27 1,665,325 ----a-w C:\Program Files\agsetup.exe
2005-08-30 00:23 1,094,021 ----a-w C:\Program Files\dvdshrink32setup.zip
2005-08-30 00:18 520,898 ----a-w C:\Program Files\DVD43_3-6-2_Setup.exe
2001-05-31 08:02 1,119,232 ----a-w C:\Program Files\mirc59t.exe
1995-05-27 15:13 551,584 ----a-w C:\Program Files\LVIEWP1B.EXE
.

((((((((((((((((((((((((((((( snapshot@2008-03-05_22.30.21.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 14:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2000-08-31 13:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
- 2000-08-31 14:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 13:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
- 2008-03-04 16:38:52 154,176 ----a-w C:\WINDOWS\SoftwareDistribution\Download\Install\mpas-d.exe
- 2000-08-31 14:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-31 13:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2004-08-20 11:47 1912832]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 19:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-20 20:46 579072]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2003-12-12 19:50 33792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-09-11 22:11 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-23 18:15 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2008-02-16 18:49:35 118784]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PVR Agent]
--a------ 2004-03-03 21:33 729600 C:\Program Files\V-Stream\PVR Plus\TVR\Scheduled.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=

S3 USB28xxBGA;USB 2800 Device;C:\WINDOWS\system32\DRIVERS\emBDA.sys [2006-09-12 22:21]
S3 USB28xxOEM;USB 28xx OEM Filter;C:\WINDOWS\system32\DRIVERS\emOEM.sys [2006-08-22 00:38]
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2006-04-07 18:06]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-09 07:32:38 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 14:13:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-09 14:14:16
ComboFix-quarantined-files.txt 2008-03-09 19:14:02
ComboFix2.txt 2008-03-06 04:30:48
.
2008-03-07 04:58:33 --- E O F ---

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here's the Malwarebytes log you asked for:

Malwarebytes' Anti-Malware 1.05
Database version: 442

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 77153
Time elapsed: 37 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

~~~~~~~~~~~~~~~~~~~~~~~~~

Here's the Kaspersky scan log you asked for:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 09, 2008 4:10:30 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/03/2008
Kaspersky Anti-Virus database records: 619352
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 51840
Number of viruses found: 9
Number of infected objects: 21
Number of suspicious objects: 6
Duration of the scan process: 00:46:01

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12132006-130534.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak17.zip/hcwprn.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak17.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC9.zip/wml.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC9.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip/msole32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Becky\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Becky\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Becky\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Becky\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Becky\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Becky\Local Settings\History\History.IE5\MSHist012008030920080310\index.dat Object is locked skipped
C:\Documents and Settings\Becky\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Becky\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Becky\My Documents\My Downloads\mirc62.exe/stream/data0006 Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
C:\Documents and Settings\Becky\My Documents\My Downloads\mirc62.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
C:\Documents and Settings\Becky\My Documents\My Downloads\mirc62.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Becky\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Becky\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Becky\UserData\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\mirc\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
C:\oldmIRC\mirc32.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.59 skipped
C:\oldmIRC2\mirc32-2.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.59 skipped
C:\Program Files\Sygate\SSA\debug.log Object is locked skipped
C:\Program Files\Sygate\SSA\rawlog.log Object is locked skipped
C:\Program Files\Sygate\SSA\seclog.log Object is locked skipped
C:\Program Files\Sygate\SSA\syslog.log Object is locked skipped
C:\Program Files\Sygate\SSA\tralog.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\ahqxencr.dll.vir Infected: Trojan.Win32.Obfuscated.gx skipped
C:\QooBox\Quarantine\C\WINDOWS\yjejixsv.exe.vir Infected: Trojan.Win32.Obfuscated.gx skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{C6026DF1-CB8C-4AFA-B4A4-051661024E55}\RP1018\A0058891.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
C:\System Volume Information\_restore{C6026DF1-CB8C-4AFA-B4A4-051661024E55}\RP1018\A0058891.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.AdBand.h skipped
C:\System Volume Information\_restore{C6026DF1-CB8C-4AFA-B4A4-051661024E55}\RP1018\A0058891.exe/stream/data0004 Infected: Trojan-Downloader.Win32.Agent.jjq skipped
C:\System Volume Information\_restore{C6026DF1-CB8C-4AFA-B4A4-051661024E55}\RP1018\A0058891.exe/stream Infected: Trojan-Downloader.Win32.Agent.jjq skipped
C:\System Volume Information\_restore{C6026DF1-CB8C-4AFA-B4A4-051661024E55}\RP1018\A0058891.exe NSIS: infected - 4 skipped
C:\System Volume Information\_restore{C6026DF1-CB8C-4AFA-B4A4-051661024E55}\RP1028\A0059919.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{C6026DF1-CB8C-4AFA-B4A4-051661024E55}\RP1028\A0059919.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{C6026DF1-CB8C-4AFA-B4A4-051661024E55}\RP1031\A0060796.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{C6026DF1-CB8C-4AFA-B4A4-051661024E55}\RP1031\A0060810.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{C6026DF1-CB8C-4AFA-B4A4-051661024E55}\RP1031\A0060810.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{C6026DF1-CB8C-4AFA-B4A4-051661024E55}\RP1031\A0060810.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{C6026DF1-CB8C-4AFA-B4A4-051661024E55}\RP1044\A0061532.dll Infected: Trojan.Win32.Obfuscated.gx skipped
C:\System Volume Information\_restore{C6026DF1-CB8C-4AFA-B4A4-051661024E55}\RP1044\A0061540.exe Infected: Trojan.Win32.Obfuscated.gx skipped
C:\System Volume Information\_restore{C6026DF1-CB8C-4AFA-B4A4-051661024E55}\RP1044\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{6D75E633-1F5D-41E6-B42B-05B50B0CA227}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{C6026DF1-CB8C-4AFA-B4A4-051661024E55}\RP1044\change.log Object is locked skipped

Scan process completed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

And finally, here is the New highjackthis log you asked for:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:11:14 PM, on 3/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe

--
End of file - 3980 bytes
ITManager
Regular Member
 
Posts: 17
Joined: March 2nd, 2008, 11:57 am

Re: Hijack log 3/2/2008 -- any help appreciated!

Unread postby dan12 » March 9th, 2008, 6:54 pm

Hi,ITManager , I'm pleased with your log, .I will deal with other items kav scan flagged in my last post as they are save for now
I'd just like to tidy these loose ends up

Can you open up spybot and delete the following folders in recovery:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak17.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC9.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip

The results were all ok, I have one more Id like you to check out at jotti's or virus total for me:

C:\WINDOWS\kdldubmh

Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Hijack log 3/2/2008 -- any help appreciated!

Unread postby ITManager » March 9th, 2008, 7:38 pm

Hi, Dan! I was able to delete the three ZIP files you listed, but you said "delete the following *folders* in recovery". Did you mean you wanted me to delete the entire *folders* these three files were in, and all the other files in those folders with them --or just the three files you listed?

Also, "C:\WINDOWS\kdldubmh" is a *folder*, not a file. So neither Jotti nor Total Virus would check it. Was there a particular file in that folder you needed checked?
ITManager
Regular Member
 
Posts: 17
Joined: March 2nd, 2008, 11:57 am

Re: Hijack log 3/2/2008 -- any help appreciated!

Unread postby dan12 » March 9th, 2008, 8:03 pm

Hi, what you did was fine the zip files is what I wanted. It should of read following files, my apology.
I had a suspicion that was a folder can you see what's in its content , if empty delete it.
let me know then we can wrap this up.
dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Hijack log 3/2/2008 -- any help appreciated!

Unread postby ITManager » March 9th, 2008, 10:34 pm

Hi, Dan! :)

Here's what's in folder that folder. What would you like me to do?

Directory of C:\WINDOWS\kdldubmh

03/01/2008 03:18 PM <DIR> .
03/01/2008 03:18 PM <DIR> ..
03/01/2008 04:24 PM 662 1.png
03/01/2008 04:24 PM 667 2.png
03/01/2008 04:24 PM 670 3.png
03/01/2008 04:24 PM 663 4.png
03/01/2008 04:24 PM 810 5.png
03/01/2008 04:24 PM 822 6.png
03/01/2008 04:24 PM 794 7.png
03/01/2008 04:24 PM 839 8.png
03/01/2008 04:24 PM 835 9.png
03/01/2008 04:24 PM 314 bottom-rc.gif
03/01/2008 04:24 PM 2,539 config.png
03/01/2008 04:24 PM 2,053 content.png
03/01/2008 04:24 PM 3,595 download.gif
03/01/2008 04:24 PM 721 frame-bg.gif
03/01/2008 04:24 PM 4,819 frame-bottom-left.gif
03/01/2008 04:24 PM 800 frame-h1bg.gif
03/01/2008 04:24 PM 3,917 head.png
03/01/2008 04:24 PM 1,638 icon.png
03/01/2008 04:24 PM 17,396 indexwp.html
03/01/2008 04:24 PM 3,913 main.css
03/01/2008 04:24 PM 2,830 memory-prots.png
03/01/2008 04:24 PM 2,400 net.png
03/01/2008 04:24 PM 1,928 pc-mag.gif
03/01/2008 04:24 PM 2,281 pc.gif
03/01/2008 04:24 PM 1,582 poloska1.png
03/01/2008 04:24 PM 1,499 poloska2.png
03/01/2008 04:24 PM 857 poloska3.png
03/01/2008 04:24 PM 1,997 promowp1.html
03/01/2008 04:24 PM 4,948 promowp2.html
03/01/2008 04:24 PM 4,126 promowp3.html
03/01/2008 04:24 PM 3,446 promowp4.html
03/01/2008 04:24 PM 5,269 promowp5.html
03/01/2008 04:24 PM 2,527 reg.png
03/01/2008 04:24 PM 225 repair.png
03/01/2008 04:24 PM 21,564 scr-1.png
03/01/2008 04:24 PM 19,371 scr-2.png
03/01/2008 04:24 PM 1,470 start.png
03/01/2008 04:24 PM 2,038 styles.css
03/01/2008 04:24 PM 49,152 Thumbs.db
03/01/2008 04:24 PM 128 top-rc.gif
03/01/2008 04:24 PM 1,931 vline.gif
03/01/2008 04:24 PM 1,616 wp.png
42 File(s) 181,652 bytes
2 Dir(s) 51,582,267,392 bytes free
ITManager
Regular Member
 
Posts: 17
Joined: March 2nd, 2008, 11:57 am

Re: Hijack log 3/2/2008 -- any help appreciated!

Unread postby dan12 » March 10th, 2008, 7:03 am

Hi, ITManager,

I'd like to have a closer look at these files in this folder, this should give me the paths to research.

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all
   DirLook::
C:\WINDOWS\kdldubmh

    


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Hijack log 3/2/2008 -- any help appreciated!

Unread postby ITManager » March 10th, 2008, 12:16 pm

Hi, Dan! Here's the ComboFix log on that "kdldubmh" folder:

ComboFix 08-03-05.1 - Becky 2008-03-10 11:08:17.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.148 [GMT -5:00]
Running from: C:\Documents and Settings\Becky\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Becky\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-10 to 2008-03-10 )))))))))))))))))))))))))))))))
.

2008-03-05 23:26 . 2008-03-05 23:26 <DIR> d-------- C:\WINDOWS\LastGood
2008-03-04 21:14 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-04 21:13 . 2008-03-04 21:14 <DIR> d-------- C:\Program Files\Java
2008-03-04 21:13 . 2008-03-04 21:13 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-03 07:45 . 2008-03-03 07:45 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-03 07:45 . 2008-03-03 07:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-02 22:40 . 2008-03-02 22:40 <DIR> d-------- C:\Documents and Settings\Becky\Application Data\Malwarebytes
2008-03-02 22:39 . 2008-03-02 22:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-02 22:39 . 2008-03-02 22:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-02 22:17 . 2008-03-02 22:17 <DIR> d-------- C:\Program Files\CCleaner
2008-03-02 09:58 . 2008-03-02 09:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-01 22:56 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-01 15:17 . 2008-03-01 15:18 <DIR> d-------- C:\WINDOWS\kdldubmh
2008-02-24 23:50 . 2008-02-24 23:50 <DIR> d--hs---- C:\found.000
2008-02-24 23:42 . 2008-02-24 23:42 401 --a------ C:\WINDOWS\system32\L91CA.tmp
2008-02-16 20:55 . 2008-02-16 20:55 <DIR> d-------- C:\Program Files\Audacity
2008-02-16 20:07 . 2008-02-16 20:07 58 --a------ C:\WINDOWS\coolacm.ini
2008-02-16 18:49 . 2005-07-30 22:00 114,688 --a------ C:\WINDOWS\system32\OdiOlDVR.dll
2008-02-16 18:49 . 2005-07-30 22:14 86,016 --a------ C:\WINDOWS\system32\STRDEVAPI.dll
2008-02-16 18:49 . 2003-06-13 18:49 73,728 --a------ C:\WINDOWS\system32\DW90USB.DLL
2008-02-16 18:49 . 2004-06-21 11:14 53,248 --a------ C:\WINDOWS\system32\OdiAPI.dll
2008-02-16 18:49 . 2001-04-09 20:17 39,096 --a------ C:\WINDOWS\system32\drivers\DW90USB.SYS
2008-02-16 18:48 . 2008-02-16 18:49 <DIR> d-------- C:\Program Files\Olympus
2008-02-16 18:44 . 2006-04-07 18:05 73,728 --a------ C:\WINDOWS\system32\VNUSB.dll
2008-02-16 18:44 . 2006-04-07 18:06 38,496 --a------ C:\WINDOWS\system32\drivers\VNUSB.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-10 09:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-05 02:19 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-05 00:39 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-05 00:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-03 02:58 --------- d-----w C:\Program Files\Network Associates
2008-03-03 02:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Network Associates
2008-02-24 00:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-02-16 23:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-14 23:38 2,326,901 ----a-w C:\Program Files\DVDFabHDDecrypter3112.exe
2006-05-06 15:00 19,552 ----a-w C:\Documents and Settings\Becky\Application Data\GDIPFONTCACHEV1.DAT
2005-09-02 19:28 614,943 ----a-w C:\Program Files\lame-3.96.1.zip
2005-09-02 19:27 1,665,325 ----a-w C:\Program Files\agsetup.exe
2005-08-30 00:23 1,094,021 ----a-w C:\Program Files\dvdshrink32setup.zip
2005-08-30 00:18 520,898 ----a-w C:\Program Files\DVD43_3-6-2_Setup.exe
2001-05-31 08:02 1,119,232 ----a-w C:\Program Files\mirc59t.exe
1995-05-27 15:13 551,584 ----a-w C:\Program Files\LVIEWP1B.EXE
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\kdldubmh ----

2008-03-01 16:24 857 --a------ C:\WINDOWS\kdldubmh\poloska3.png
2008-03-01 16:24 839 --a------ C:\WINDOWS\kdldubmh\8.png
2008-03-01 16:24 835 --a------ C:\WINDOWS\kdldubmh\9.png
2008-03-01 16:24 822 --a------ C:\WINDOWS\kdldubmh\6.png
2008-03-01 16:24 810 --a------ C:\WINDOWS\kdldubmh\5.png
2008-03-01 16:24 800 --a------ C:\WINDOWS\kdldubmh\frame-h1bg.gif
2008-03-01 16:24 794 --a------ C:\WINDOWS\kdldubmh\7.png
2008-03-01 16:24 721 --a------ C:\WINDOWS\kdldubmh\frame-bg.gif
2008-03-01 16:24 670 --a------ C:\WINDOWS\kdldubmh\3.png
2008-03-01 16:24 667 --a------ C:\WINDOWS\kdldubmh\2.png
2008-03-01 16:24 663 --a------ C:\WINDOWS\kdldubmh\4.png
2008-03-01 16:24 662 --a------ C:\WINDOWS\kdldubmh\1.png
2008-03-01 16:24 5269 --a------ C:\WINDOWS\kdldubmh\promowp5.html
2008-03-01 16:24 4948 --a------ C:\WINDOWS\kdldubmh\promowp2.html
2008-03-01 16:24 49152 --a------ C:\WINDOWS\kdldubmh\Thumbs.db
2008-03-01 16:24 4819 --a------ C:\WINDOWS\kdldubmh\frame-bottom-left.gif
2008-03-01 16:24 4126 --a------ C:\WINDOWS\kdldubmh\promowp3.html
2008-03-01 16:24 3917 --a------ C:\WINDOWS\kdldubmh\head.png
2008-03-01 16:24 3913 --a------ C:\WINDOWS\kdldubmh\main.css
2008-03-01 16:24 3595 --a------ C:\WINDOWS\kdldubmh\download.gif
2008-03-01 16:24 3446 --a------ C:\WINDOWS\kdldubmh\promowp4.html
2008-03-01 16:24 314 --a------ C:\WINDOWS\kdldubmh\bottom-rc.gif
2008-03-01 16:24 2830 --a------ C:\WINDOWS\kdldubmh\memory-prots.png
2008-03-01 16:24 2539 --a------ C:\WINDOWS\kdldubmh\config.png
2008-03-01 16:24 2527 --a------ C:\WINDOWS\kdldubmh\reg.png
2008-03-01 16:24 2400 --a------ C:\WINDOWS\kdldubmh\net.png
2008-03-01 16:24 2281 --a------ C:\WINDOWS\kdldubmh\pc.gif
2008-03-01 16:24 225 --a------ C:\WINDOWS\kdldubmh\repair.png
2008-03-01 16:24 21564 --a------ C:\WINDOWS\kdldubmh\scr-1.png
2008-03-01 16:24 2053 --a------ C:\WINDOWS\kdldubmh\content.png
2008-03-01 16:24 2038 --a------ C:\WINDOWS\kdldubmh\styles.css
2008-03-01 16:24 1997 --a------ C:\WINDOWS\kdldubmh\promowp1.html
2008-03-01 16:24 19371 --a------ C:\WINDOWS\kdldubmh\scr-2.png
2008-03-01 16:24 1931 --a------ C:\WINDOWS\kdldubmh\vline.gif
2008-03-01 16:24 1928 --a------ C:\WINDOWS\kdldubmh\pc-mag.gif
2008-03-01 16:24 17396 --a------ C:\WINDOWS\kdldubmh\indexwp.html
2008-03-01 16:24 1638 --a------ C:\WINDOWS\kdldubmh\icon.png
2008-03-01 16:24 1616 --a------ C:\WINDOWS\kdldubmh\wp.png
2008-03-01 16:24 1582 --a------ C:\WINDOWS\kdldubmh\poloska1.png
2008-03-01 16:24 1499 --a------ C:\WINDOWS\kdldubmh\poloska2.png
2008-03-01 16:24 1470 --a------ C:\WINDOWS\kdldubmh\start.png
2008-03-01 16:24 128 --a------ C:\WINDOWS\kdldubmh\top-rc.gif


((((((((((((((((((((((((((((( snapshot@2008-03-05_22.30.21.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 14:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2000-08-31 13:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
- 2000-08-31 14:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 13:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
- 2008-03-04 16:38:52 154,176 ----a-w C:\WINDOWS\SoftwareDistribution\Download\Install\mpas-d.exe
- 2000-08-31 14:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-31 13:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2004-08-20 11:47 1912832]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 19:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-20 20:46 579072]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2003-12-12 19:50 33792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-09-11 22:11 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-23 18:15 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2008-02-16 18:49:35 118784]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PVR Agent]
--a------ 2004-03-03 21:33 729600 C:\Program Files\V-Stream\PVR Plus\TVR\Scheduled.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=

S3 USB28xxBGA;USB 2800 Device;C:\WINDOWS\system32\DRIVERS\emBDA.sys [2006-09-12 22:21]
S3 USB28xxOEM;USB 28xx OEM Filter;C:\WINDOWS\system32\DRIVERS\emOEM.sys [2006-08-22 00:38]
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2006-04-07 18:06]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-10 06:32:19 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-10 11:10:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-10 11:11:29
ComboFix-quarantined-files.txt 2008-03-10 16:11:14
ComboFix2.txt 2008-03-09 19:14:17
ComboFix3.txt 2008-03-06 04:30:48
.
2008-03-07 04:58:33 --- E O F ---
ITManager
Regular Member
 
Posts: 17
Joined: March 2nd, 2008, 11:57 am
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 65 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware