Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Little help with spymaxx
Post by dspools » June 29th, 2008, 3:38 pm

Hello,

Hoping someone could help me out. I've got a desktop hijack that keeps trying to sell me fake spyware removers. I'm also having a strange problem where attempted searches on Google, Yahoo, etc. never load; not sure if it's related. Here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 4:32:47 PM, on 6/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\activexdebugger32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE= ... Q305&bd=pa vilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: Shell=Explorer.exe activexdebugger32.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [BMeb7c77fd] Rundll32.exe "C:\WINDOWS\system32\vbkxbayu.dll",s
O4 - HKLM\..\Run: [e84f4461] rundll32.exe "C:\WINDOWS\system32\bcmajyyp.dll",b
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v ... b56649.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
dspools
Regular Member
 
Posts: 16
Joined: June 28th, 2008, 10:30 am

Re: Little help with spymaxx

Post by dan12 » June 29th, 2008, 3:44 pm

Yours is an older version.

Download and Run HijackThis
Download HJTInstall.exe to your Desktop.

* Double-click HJTInstall.exe to install it.
* By default it will install to C:\Program Files\Trend Micro\HijackThis.
* Click on Install.
* It will create a HijackThis icon on the desktop.
* Once installed, it will launch HijackThis.
* Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
* Copy/paste the log to your next reply please.

Don't use the Analyse This button; its findings are dangerous if misinterpreted.
Don't have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

Please post a new HJT log.
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Little help with spymaxx

Post by dspools » June 29th, 2008, 5:08 pm

Here's the new log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:04:58 PM, on 6/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\activexdebugger32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE= ... Q305&bd=pa vilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: Shell=Explorer.exe activexdebugger32.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [BMeb7c77fd] Rundll32.exe "C:\WINDOWS\system32\vbkxbayu.dll",s
O4 - HKLM\..\Run: [e84f4461] rundll32.exe "C:\WINDOWS\system32\bcmajyyp.dll",b
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v ... b56649.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5429 bytes
dspools
Regular Member
 
Posts: 16
Joined: June 28th, 2008, 10:30 am

Re: Little help with spymaxx

Post by dan12 » June 29th, 2008, 5:21 pm

You have no protection on this machine! Something we need to address when we have cleaned you up.

I believe we have some files hiding from us; we need to flush them out.

Please go to C:\Program Files\Trend Micro\HijackThis\HijackThis.exe. Right-click on the HijackThis.exe file and select "Rename". Rename it dspools.exe.

Then run HijackThis again and post a new log please.

Thanks dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Little help with spymaxx

Post by dspools » June 29th, 2008, 5:38 pm

Looks like you were right! Here's the log after the rename:
Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:10 PM, on 6/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\activexdebugger32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\dspools.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE= ... Q305&bd=pa vilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: Shell=Explorer.exe activexdebugger32.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {21C133FE-18C9-4EC5-B2F9-597E2BAB2F71} - C:\WINDOWS\system32\xxywurRl.dll
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {BA2A2046-75A4-47C0-A09C-F0DCC706D39B} - C:\WINDOWS\system32\nnnlkjKD.dll
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [BMeb7c77fd] Rundll32.exe "C:\WINDOWS\system32\vbkxbayu.dll",s
O4 - HKLM\..\Run: [e84f4461] rundll32.exe "C:\WINDOWS\system32\bcmajyyp.dll",b
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v ... b56649.cab
O20 - Winlogon Notify: nnnlkjKD - C:\WINDOWS\SYSTEM32\nnnlkjKD.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8091 bytes
dspools
Regular Member
 
Posts: 16
Joined: June 28th, 2008, 10:30 am
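The difference between the two logs above is the whole point of the rename: before it, HijackThis.exe reported no O2 (Browser Helper Object) lines at all, not even the legitimate Java, Viewpoint and Google Toolbar ones, and no O20 Winlogon Notify line; run as dspools.exe, the same scan shows 31 BHO registrations and the nnnlkjKD.dll Winlogon Notify hook. Entries were being withheld from a process with the scanner's well-known name, so a rename is a cheap way to test for that. The Python below is an added example, not part of the thread and not HijackThis code: it parses two HJT logs into per-section sets, reports what became visible only after the rename, separates DLLs that still exist on disk from dead "(no file)" CLSIDs, and also pulls the extra executables out of the F2 Shell=/UserInit= lines, which are identical in both logs and so never show up in a plain diff. BEFORE and AFTER are short excerpts constructed from the two logs posted above.

```python
"""Diff two HijackThis logs to expose entries hidden from a process named HijackThis.exe.

Added example: not part of the thread and not HijackThis code. BEFORE and AFTER
are short excerpts constructed from the two logs posted above, taken before and
after HijackThis.exe was renamed to dspools.exe.
"""
import ntpath
import re
from collections import defaultdict

# HJT item lines start with a section tag: "R1 - ...", "F2 - ...", "O2 - ...", "O20 - ..."
ITEM_RE = re.compile(r"^(R\d|F\d|O\d+)\s+-\s+(.*)$")

BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\iftuyszv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: Shell=Explorer.exe activexdebugger32.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O4 - HKLM\..\Run: [BMeb7c77fd] Rundll32.exe "C:\WINDOWS\system32\vbkxbayu.dll",s
"""

# Same machine scanned by the renamed tool: the O2 section and an O20 line now appear.
AFTER = BEFORE.replace("HijackThis.exe", "dspools.exe.exe") + r"""O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: (no name) - {21C133FE-18C9-4EC5-B2F9-597E2BAB2F71} - C:\WINDOWS\system32\xxywurRl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {BA2A2046-75A4-47C0-A09C-F0DCC706D39B} - C:\WINDOWS\system32\nnnlkjKD.dll
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O20 - Winlogon Notify: nnnlkjKD - C:\WINDOWS\SYSTEM32\nnnlkjKD.dll
"""


def parse_hjt(text):
    """Return {section: set(entry)} for the R/F/O item lines of an HJT log.

    Header and running-process lines are ignored; the item lines are what a
    hider keyed on the scanner's process name has to suppress.
    """
    items = defaultdict(set)
    for line in text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            items[m.group(1)].add(m.group(2).strip())
    return items


def diff_hjt(before_text, after_text):
    """Entries present only in the after-log, and only in the before-log, per section."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    sections = set(before) | set(after)
    added = {s: sorted(after[s] - before[s]) for s in sections if after[s] - before[s]}
    removed = {s: sorted(before[s] - after[s]) for s in sections if before[s] - after[s]}
    return added, removed


def live_files(entries):
    """Paths from entries that still name a file; '(no file)' CLSIDs are dead registrations."""
    paths = []
    for entry in entries:
        candidate = entry.rsplit(" - ", 1)[-1].strip()
        if re.fullmatch(r"[A-Za-z]:\\.+\.(?:dll|exe)", candidate, re.IGNORECASE):
            paths.append(candidate)
    return paths


def winlogon_extras(items):
    """Executables appended to the Winlogon Shell= and UserInit= values (the F2 lines).

    Shell= should be exactly Explorer.exe and UserInit= exactly the system32
    userinit.exe; anything else runs at every logon before the desktop is up.
    These lines are identical in both logs, so a plain diff never surfaces them.
    """
    extras = []
    for entry in sorted(items.get("F2", ())):
        m = re.search(r"(Shell|UserInit)=(.*)$", entry, re.IGNORECASE)
        if not m:
            continue
        value_name, value = m.group(1).lower(), m.group(2)
        # Shell= is space-separated, UserInit= is comma-separated; HJT prints both verbatim.
        separator = r"\s+" if value_name == "shell" else ","
        expected = "explorer.exe" if value_name == "shell" else "userinit.exe"
        parts = [p for p in re.split(separator, value) if p]
        extras += [p for p in parts if ntpath.basename(p).lower() != expected]
    return extras


if __name__ == "__main__":
    added, removed = diff_hjt(BEFORE, AFTER)
    for section, entries in sorted(added.items()):
        print(f"{section}: {len(entries)} entries visible only after the rename")
        for path in live_files(entries):
            print(f"    loads from disk: {path}")
    for extra in winlogon_extras(parse_hjt(AFTER)):
        print(f"Winlogon extra: {extra}")
```

Run against the full logs from the thread, the diff returns every O2 line plus the O20 line, and live_files narrows that to xxywurRl.dll, nnnlkjKD.dll and the legitimate toolbar and Java helpers; the F2 check adds activexdebugger32.exe and iftuyszv.exe, the two loaders that were visible all along but easy to overlook because they never changed between scans.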

Re: Little help with spymaxx

Post by dan12 » June 29th, 2008, 5:51 pm

One too many exe's on there, dspools.exe.exe
_____

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present)

O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)

WITH ALL OTHER WINDOWS CLOSED, click on Fix Checked and exit.

_____________

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

___________

Go to Start > Run, copy and paste the command below into the Run box, and click OK.

regedit /a C:\mslook.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig"

You won't see anything happen!

Now copy and paste this command:

notepad C:\mslook.txt

Post the content of the Notepad window that pops up on your screen.


_____________

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
A new HijackThis log, and mslook.txt

Thanks dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire
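The regedit export above targets a key worth knowing: on Windows XP, unticking a startup item in msconfig does not delete it. The Run value is moved under HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg (with its original hive, key, item name and command line) and msconfig registers itself in Run with /auto, which is the O4 MSConfig line in the logs above. A loader parked there survives every scanner that only looks at the live Run keys, and comes straight back if anyone re-enables it. The Python below is an added example, not part of the thread: it parses the REGEDIT4 text that `regedit /a` writes, lists every parked Run item, and flags any whose file name is a core system binary (lsass.exe, svchost.exe and friends) but whose directory is not system32. SAMPLE_EXPORT is constructed in that format using the two entries from this thread; the system32 location is an assumption for a default XP install.

```python
"""Parse a "regedit /a" export of the MSConfig startup stash and flag impostor binaries.

Added example: not part of the thread. On Windows XP, unticking a startup item
in msconfig does not delete it; the Run value is moved under
HKLM\\SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\startupreg, so a parked loader
survives there until someone re-enables it. SAMPLE_EXPORT is constructed in the
REGEDIT4 format that "regedit /a" writes, using the two entries from this thread.
"""
import ntpath
import re

# Core Windows binaries that legitimately live only under %SystemRoot%\system32.
SYSTEM_ONLY_NAMES = {"lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe",
                     "services.exe", "svchost.exe", "userinit.exe"}
SYSTEM32_DIR = r"c:\windows\system32"   # assumption: default XP system root

SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LSA Shellu]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lsass"
"hkey"="HKLM"
"command"="C:\\Documents and Settings\\Drew\\lsass.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"startup"=dword:00000002
'''


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from a REGEDIT4-style text export.

    Handles the two value types msconfig writes: "name"="string" (with the \\ and
    \" escapes regedit uses) and "name"=dword:xxxxxxxx (returned as an int).
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, data = line.partition("=")
            name = name.strip('"')
            if data.startswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])   # undo regedit's backslash escaping
            elif data.startswith("dword:"):
                data = int(data[len("dword:"):], 16)
            keys[current][name] = data
    return keys


def disabled_startup_items(keys):
    """(item, hive, key, command) for each Run value msconfig has parked under startupreg."""
    for path, values in keys.items():
        if "\\MSConfig\\startupreg\\" in path and "command" in values:
            yield values.get("item"), values.get("hkey"), values.get("key"), values["command"]


def image_path(command):
    """Executable path from a Run command line, whether or not it is quoted."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)\b', command.strip(), re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else command.strip()


def masquerading_items(keys):
    """Parked items named like a core system binary but stored outside system32."""
    hits = []
    for item, hive, key, command in disabled_startup_items(keys):
        path = image_path(command)
        if (ntpath.basename(path).lower() in SYSTEM_ONLY_NAMES
                and ntpath.normpath(ntpath.dirname(path)).lower() != SYSTEM32_DIR):
            hits.append({"item": item, "path": path, "where": f"{hive}\\{key}"})
    return hits


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    for item, hive, key, command in disabled_startup_items(parsed):
        print(f"parked: [{item}] {hive}\\{key} -> {command}")
    for hit in masquerading_items(parsed):
        print(f"IMPOSTOR: {hit['path']} (msconfig item '{hit['item']}', from {hit['where']})")
```

On the sample this reports the Java updater as an ordinary parked item and flags C:\Documents and Settings\Drew\lsass.exe, a file that borrows the name of the Local Security Authority process but sits in a user profile; the real lsass.exe never runs from there.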

Re: Little help with spymaxx

Post by dspools » June 29th, 2008, 8:31 pm

My comments are in red. OK, I did what you said step by step. Here are the mslook results:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LSA Shellu]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lsass"
"hkey"="HKLM"
"command"="C:\\Documents and Settings\\Drew\\lsass.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"system.ini"=dword:00000000
"win.ini"=dword:00000000
"bootini"=dword:00000000
"services"=dword:00000000
"startup"=dword:00000002



And next is the ComboFix log; this one is pretty lengthy. (Oh, and I noticed it said I didn't have the Recovery Console installed. I thought the system restore point it created was the same thing. I guess I got lucky.)



ComboFix 08-06-20.4 - Drew 2008-06-29 19:24:17.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.576 [GMT -4:00]
Running from: C:\Documents and Settings\Drew\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Drew\Application Data\macromedia\Flash Player\#SharedObjects\GX2KQHFD\www.broadcaster.com
C:\Documents and Settings\Drew\Application Data\macromedia\Flash Player\#SharedObjects\GX2KQHFD\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Drew\Application Data\macromedia\Flash Player\#SharedObjects\GX2KQHFD\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Drew\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Drew\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\accesss.exe
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\avpcc.dll
C:\WINDOWS\BMeb7c77fd.xml
C:\WINDOWS\clrssn.exe
C:\WINDOWS\cpan.dll
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\default.htm
C:\WINDOWS\directx32.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\editpad.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\Fonts\Setup.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\funny.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\iedll.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\inetinf.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\loader.exe
C:\WINDOWS\msconfd.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\mssys.exe
C:\WINDOWS\msupdate.exe
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\notepad32.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\qttasks.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\searchword.dll
C:\WINDOWS\sistem.exe
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\system32\f10
C:\WINDOWS\system32\f10\kscomdll3.exe
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\lRruwyxx.ini
C:\WINDOWS\system32\lRruwyxx.ini2
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\poypcixp.ini
C:\WINDOWS\system32\pyyjamcb.ini
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\tcntaxdm.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\xxywurRl.dll
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\time.exe
C:\WINDOWS\users32.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\win64.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\window.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\x.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\xxxvideo.hta
C:\WINDOWS\y.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR

((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-29 )))))))))))))))))))))))))))))))
.

2008-06-29 19:46 . 2008-06-29 19:46 95,232 --a------ C:\WINDOWS\system32\rsjcsush.dll
2008-06-29 19:44 . 2008-06-29 19:47 646,916 --ahs---- C:\WINDOWS\system32\xxxacccf.ini2
2008-06-29 19:44 . 2008-06-29 19:47 646,916 --ahs---- C:\WINDOWS\system32\xxxacccf.ini
2008-06-29 19:44 . 2008-06-29 19:46 0 --a------ C:\WINDOWS\BMeb7c77fd.xml
2008-06-29 19:43 . 2008-06-29 19:43 284,672 --a------ C:\WINDOWS\system32\fcccaxxx.dll
2008-06-29 18:04 . 2008-06-29 18:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-29 15:25 . 2008-06-29 15:25 87,040 --------- C:\WINDOWS\system32\bcmajyyp.dll
2008-06-29 15:22 . 2008-06-29 15:22 104,448 --a------ C:\WINDOWS\system32\lajhng.dll
2008-06-29 15:22 . 2008-06-29 15:22 104,448 --a------ C:\WINDOWS\system32\cantbbeo.dll
2008-06-29 15:20 . 2008-06-29 15:20 95,232 --a------ C:\WINDOWS\system32\vbkxbayu.dll
2008-06-28 11:14 . 2008-06-28 11:14 104,960 --a------ C:\WINDOWS\system32\zdpyya.dll
2008-06-28 11:14 . 2008-06-28 11:14 104,960 --a------ C:\WINDOWS\system32\qjpnfwsl.dll
2008-06-28 11:11 . 2008-06-28 11:11 94,208 --a------ C:\WINDOWS\system32\ltvscmod.dll
2008-06-28 10:38 . 2008-06-28 10:38 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-28 10:38 . 2008-06-28 11:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-28 10:30 . 2008-06-28 10:30 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-27 17:04 . 2008-06-27 17:04 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-27 17:04 . 2008-06-27 17:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-27 17:03 . 2008-06-27 17:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-27 16:49 . 2008-06-27 16:49 294 --ahs---- C:\WINDOWS\system32\mvuluotf.ini
2008-06-27 16:48 . 2008-06-27 16:48 87,040 --a------ C:\WINDOWS\system32\ftouluvm.dll
2008-06-27 16:42 . 2008-06-27 16:42 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-06-27 16:39 . 2008-06-27 23:40 <DIR> d--hs---- C:\WINDOWS\ZHJldyBzcG9lbHN0cmE
2008-06-27 16:38 . 2008-06-27 16:38 <DIR> d-------- C:\WINDOWS\system32\xsir
2008-06-27 16:38 . 2008-06-27 23:40 <DIR> d-------- C:\WINDOWS\system32\vec3
2008-06-27 16:38 . 2008-06-27 16:38 <DIR> d-------- C:\WINDOWS\system32\modtrux18
2008-06-27 16:38 . 2008-06-27 23:40 <DIR> d-------- C:\WINDOWS\system32\bam
2008-06-27 16:38 . 2008-06-27 16:38 <DIR> d-------- C:\Temp\syschk3
2008-06-27 16:38 . 2008-06-29 19:27 <DIR> d-------- C:\Temp
2008-06-27 16:38 . 2008-06-27 16:38 52,224 ---hs---- C:\Documents and Settings\Drew\lsass.exe
2008-06-27 16:38 . 2008-06-27 16:38 41,984 --a------ C:\WINDOWS\mrofinu1188.exe
2008-06-27 16:38 . 2008-06-27 16:38 41,984 --a------ C:\WINDOWS\mrofinu1000106.exe
2008-06-27 16:38 . 2008-06-27 16:38 34,304 --a------ C:\WINDOWS\system32\nnnlkjKD.dll
2008-06-26 19:21 . 2008-06-26 19:21 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-06-26 19:19 . 2008-06-26 19:19 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-06-26 19:18 . 2008-06-26 19:18 <DIR> d-------- C:\Documents and Settings\Drew\Application Data\DAEMON Tools
2008-06-25 20:22 . 2008-06-26 09:49 <DIR> d-------- C:\Documents and Settings\Drew\Application Data\SPORE Creature Creator
2008-06-19 23:40 . 2008-06-19 23:40 90,073 --a------ C:\WINDOWS\system32\iftuyszv.exe
2008-06-18 22:17 . 2008-06-18 22:28 <DIR> d-------- C:\Program Files\RegCleaner
2008-06-11 10:09 . 2008-06-13 09:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 10:09 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 10:26 . 2008-06-10 10:27 <DIR> d--h----- C:\Program Files\Zero G Registry
2008-06-10 10:26 . 2008-06-10 10:26 <DIR> d-------- C:\Program Files\Ubisoft
2008-06-10 10:25 . 2008-06-10 10:25 <DIR> d--h----- C:\Documents and Settings\Drew\InstallAnywhere
2008-06-09 17:56 . 2008-06-09 18:59 <DIR> d-------- C:\Program Files\The Dark Legions
2008-06-09 17:56 . 2008-06-09 17:56 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-06-07 18:50 . 2008-06-07 19:38 <DIR> d-------- C:\Program Files\TripleA
2008-06-05 17:53 . 2008-06-17 20:28 341 --a------ C:\WINDOWS\system32\(null)id.tmp
2008-06-02 19:36 . 2008-06-07 22:11 <DIR> d-------- C:\Program Files\Macromedia
2008-06-02 19:36 . 2008-06-07 22:12 <DIR> d-------- C:\Program Files\Common Files\Macromedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-29 21:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-27 21:06 --------- d-----w C:\Documents and Settings\Drew\Application Data\LimeWire
2008-06-27 20:52 --------- d-----w C:\Program Files\Image-Line
2008-06-27 20:43 --------- d-----w C:\Program Files\LimeWire
2008-06-26 00:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-26 00:18 --------- d-----w C:\Program Files\Electronic Arts
2008-06-04 13:45 --------- d-----w C:\Program Files\Hp
2008-05-29 17:07 --------- d-----w C:\Documents and Settings\Drew\Application Data\U3
2008-05-24 01:39 --------- d-----w C:\Program Files\AIM6
2008-05-24 01:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-05-23 15:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-23 15:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-22 14:30 --------- d--h--w C:\Documents and Settings\Drew\Application Data\Move Networks
2008-05-21 22:56 --------- d-----w C:\Program Files\ASIO4ALL v2
2008-05-21 22:54 --------- d-----w C:\Program Files\VstPlugins
2008-05-21 22:53 --------- d-----w C:\Program Files\Outsim
2008-05-21 21:54 --------- d-----w C:\Program Files\Telltale Games
2008-05-19 17:21 48,456 ----a-w C:\WINDOWS\system32\UninstallElectricSheep.exe
2008-05-19 14:08 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-05-18 22:12 6,086 ----a-w C:\Program Files\install.log
2008-05-18 22:12 --------- d-----w C:\Program Files\GameSpot
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 15:24 --------- d-----w C:\Program Files\Google
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-05 12:36 --------- d-----w C:\Program Files\Apple Software Update
2008-05-05 05:32 --------- d-----w C:\Program Files\iTunes
2008-05-05 05:32 --------- d-----w C:\Program Files\iPod
2008-05-05 05:30 --------- d-----w C:\Program Files\QuickTime
2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-10-03 03:30 50,016 ----a-w C:\Documents and Settings\Drew\Application Data\GDIPFONTCACHEV1.DAT
2007-06-10 06:05 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2007-04-20 02:24 376,832 --sha-w C:\WINDOWS\system32\activexdebugger32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00110011-4b0b-44d5-9718-90c88817369b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{068464C9-320D-46F6-847C-1D22699628C7}]
2008-06-29 19:43 284672 --a------ C:\WINDOWS\system32\fcccaxxx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{086ae192-23a6-48d6-96ec-715f53797e85}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{150fa160-130d-451f-b863-b655061432ba}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21C133FE-18C9-4EC5-B2F9-597E2BAB2F71}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d38a51a-23c9-48a1-a33c-48675aa2b494}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2e9caff6-30c7-4208-8807-e79d4ec6f806}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5321e378-ffad-4999-8c62-03ca8155f0b3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{566e806c-153c-4104-b7c9-5eff3465e2e8}]
2008-06-29 19:50 104448 --a------ C:\WINDOWS\system32\tkbrlz.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{587dbf2d-9145-4c9e-92c2-1f953da73773}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79369d5c-2903-4b7a-ade2-d5e0dee14d24}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{799a370d-5993-4887-9df7-0a4756a77d00}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a55581dc-2cdb-4089-8878-71a080b22342}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b847676d-72ac-4393-bfff-43a1eb979352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA2A2046-75A4-47C0-A09C-F0DCC706D39B}]
2008-06-27 16:38 34304 --a------ C:\WINDOWS\system32\nnnlkjKD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765721306}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e2ddf680-9905-4dee-8c64-0a5de7fe133c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e7afff2a-1b57-49c7-bf6b-e5123394c970}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fd9bc004-8331-4457-b830-4759ff704c22}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 21:51 57344]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 05:39 486856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 08:12 102492]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 08:11 692316]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-09 00:05 339968]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-10-22 15:18 229438]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-16 21:50 40960]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 08:00 158208]
"BMeb7c77fd"="C:\WINDOWS\system32\vbkxbayu.dll" [2008-06-29 15:20 95232]
"e84f4461"="C:\WINDOWS\system32\cqejyryj.dll" [2008-06-29 19:47 87040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{BA2A2046-75A4-47C0-A09C-F0DCC706D39B}"= C:\WINDOWS\system32\nnnlkjKD.dll [2008-06-27 16:38 34304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\iftuyszv.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnlkjKD]
nnnlkjKD.dll 2008-06-27 16:38 34304 C:\WINDOWS\system32\nnnlkjKD.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\fcccaxxx

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSA Shellu]
---hs---- 2008-06-27 16:38 52224 C:\Documents and Settings\Drew\lsass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-11-09 18:07 49263 C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1156437538\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1156437538\\ee\\aim6.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\ElectricSheep.scr"=

R1 SSHDRV64;SSHDRV64;C:\WINDOWS\system32\drivers\SSHDRV64.sys [2007-09-24 21:34]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S1 atmunii;atmunii;C:\WINDOWS\system32\drivers\atmunii.sys []
S3 asbp2poa;asbp2poa;C:\DOCUME~1\Drew\LOCALS~1\Temp\asbp2poa.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31080c81-0815-11dc-b193-00c09f8e8958}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31080c82-0815-11dc-b193-00c09f8e8958}]
\Shell\Auto\command - F:\activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - F:\activexdebugger32.exe f
\Shell\open\Command - F:\activexdebugger32.exe f

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b569194e-6744-11db-b161-00c09f8e8958}]
\Shell\Auto\command - E:\activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - E:\activexdebugger32.exe f
\Shell\open\Command - E:\activexdebugger32.exe f

.
Contents of the 'Scheduled Tasks' folder
"2008-05-28 12:56:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-06 04:19:20 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-29 19:46:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe???????????????|?????? ???B?????????????H<C? ??????

scanning hidden files ...

C:\WINDOWS\msconfd.dll 32256 bytes
C:\WINDOWS\msspi.dll 8704 bytes
C:\WINDOWS\mssys.exe 13312 bytes
C:\WINDOWS\msupdate.exe 25088 bytes
C:\WINDOWS\mswsc10.dll 22016 bytes
C:\WINDOWS\mswsc20.dll 32256 bytes
C:\WINDOWS\mtwirl32.dll 8704 bytes
C:\WINDOWS\notepad32.exe 19200 bytes
C:\WINDOWS\olehelp.exe 30464 bytes
C:\WINDOWS\x.exe 32000 bytes
C:\WINDOWS\xplugin.dll 8704 bytes
C:\WINDOWS\xxxvideo.hta 30208 bytes
C:\WINDOWS\y.exe 21504 bytes
C:\WINDOWS\loader.exe 13312 bytes
C:\WINDOWS\gfmnaaa.dll 25344 bytes
C:\WINDOWS\helpcvs.exe 16640 bytes
C:\WINDOWS\iedll.exe 32512 bytes
C:\WINDOWS\iexplorer.exe 22784 bytes
C:\WINDOWS\default.htm 2022 bytes
C:\WINDOWS\system32\cqejyryj.dll 87040 bytes executable
C:\WINDOWS\system32\jyryjeqc.ini 1733280 bytes

scan completed successfully
hidden files: 21

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\nnnlkjKD.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\cqejyryj.dll
-> C:\WINDOWS\system32\rsjcsush.dll
-> C:\WINDOWS\system32\fcccaxxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\system32\activexdebugger32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2008-06-29 19:54:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-29 23:53:51

Pre-Run: 32,228,409,344 bytes free
Post-Run: 32,179,609,600 bytes free

352 --- E O F --- 2008-06-20 04:29:51

And then after I rebooted I ran HijackThis (as dspools.exe.exe) one more time and received this log (a note about this: I noticed the BHOs are back despite deleting them like you requested pre-ComboFix):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:20, on 6/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\dspools.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE= ... Q305&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {21C133FE-18C9-4EC5-B2F9-597E2BAB2F71} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: {8e2e5643-ffe5-9c7b-4014-c351c608e665} - {566e806c-153c-4104-b7c9-5eff3465e2e8} - C:\WINDOWS\system32\tkbrlz.dll
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {953A34BB-0138-49F6-BB2C-5E5C652D9D28} - C:\WINDOWS\system32\fcccaxxx.dll
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {BA2A2046-75A4-47C0-A09C-F0DCC706D39B} - C:\WINDOWS\system32\nnnlkjKD.dll
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [e84f4461] rundll32.exe "C:\WINDOWS\system32\bcmajyyp.dll",b
O4 - HKLM\..\Run: [BMeb7c77fd] Rundll32.exe "C:\WINDOWS\system32\rsjcsush.dll",s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Drew\lsass.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v ... b56649.cab
O20 - Winlogon Notify: nnnlkjKD - C:\WINDOWS\SYSTEM32\nnnlkjKD.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8585 bytes
dspools
Regular Member
 
Posts: 16
Joined: June 28th, 2008, 10:30 am

Re: Little help with spymaxx

Unread postby dan12 » June 30th, 2008, 1:07 am

I thought the system restore point it created was the same thing.

No, it's not the same thing.

P2P Warning!

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

LimeWire

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/community/columns/protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm

I would recommend that you uninstall LimeWire; however, that choice is up to you.
If you wish to keep it, please do not use it until your computer is cleaned.


Your TeaTimer is going to interfere with what we are trying to do. I need you to disable it.

Disable Spybot's TeaTimer. This is a two step process.
First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident
Second:
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- Uncheck the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.

Leave it disabled till I tell you it's ok to turn it back on.

Please disable the Ad-Aware 2007 Service as it may interfere with the fix.
  • On your desktop, click Start.
  • Choose Run.
  • Type services.msc in the open box and click OK or press Enter.
  • Scroll down the list of services and double-click Ad-Aware 2007 Service.
  • In the service properties window that opens, click the STOP button.
  • Under Startup Type, use the pull down menu and select Manual from the list of options.
  • Click OK and exit the Services Control Manager.
  • Reboot your machine for the changes to take effect.
Once your log is clean you can re-enable those settings.



_____________


Submit a File For Analysis
We need to have the files below scanned by uploading them to Jotti.

Please visit Jotti
Copy/paste the following file path into the window:
C:\WINDOWS\system32\vbzip10.dll
Click Submit/Send File
Please post back, to let me know the results.

Please do the same for the following file:
C:\WINDOWS\system32\(null)id.tmp

If Jotti is too busy please try Virustotal

_______________

1. Close any open browsers.

2. Open Notepad and copy/paste the text in the codebox below into it:

Code:
KILLALL::
File::
C:\WINDOWS\system32\vbkxbayu.dll
C:\WINDOWS\system32\rsjcsush.dll
C:\WINDOWS\system32\xxxacccf.ini2
C:\WINDOWS\system32\xxxacccf.ini
C:\WINDOWS\BMeb7c77fd.xml
C:\WINDOWS\system32\fcccaxxx.dll
C:\WINDOWS\system32\bcmajyyp.dll
C:\WINDOWS\system32\lajhng.dll
C:\WINDOWS\system32\cantbbeo.dll
C:\WINDOWS\system32\zdpyya.dll
C:\WINDOWS\system32\qjpnfwsl.dll
C:\WINDOWS\system32\ltvscmod.dll
C:\WINDOWS\system32\mvuluotf.ini
C:\WINDOWS\system32\ftouluvm.dll
C:\Documents and Settings\Drew\lsass.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\system32\nnnlkjKD.dll
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\system32\tkbrlz.dll
C:\WINDOWS\system32\cqejyryj.dll
C:\WINDOWS\system32\nnnlkjKD.dll 
C:\WINDOWS\system32\fcccaxxx
Folder::
C:\WINDOWS\system32\xsir
C:\WINDOWS\system32\vec3
C:\WINDOWS\system32\modtrux18
C:\WINDOWS\system32\bam
C:\Temp\syschk3
DirLook::
C:\WINDOWS\ZHJldyBzcG9lbHN0cmE
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00110011-4b0b-44d5-9718-90c88817369b}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{068464C9-320D-46F6-847C-1D22699628C7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{086ae192-23a6-48d6-96ec-715f53797e85}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{150fa160-130d-451f-b863-b655061432ba}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21C133FE-18C9-4EC5-B2F9-597E2BAB2F71}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d38a51a-23c9-48a1-a33c-48675aa2b494}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2e9caff6-30c7-4208-8807-e79d4ec6f806}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5321e378-ffad-4999-8c62-03ca8155f0b3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{566e806c-153c-4104-b7c9-5eff3465e2e8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{587dbf2d-9145-4c9e-92c2-1f953da73773}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79369d5c-2903-4b7a-ade2-d5e0dee14d24}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{799a370d-5993-4887-9df7-0a4756a77d00}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a55581dc-2cdb-4089-8878-71a080b22342}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b847676d-72ac-4393-bfff-43a1eb979352}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA2A2046-75A4-47C0-A09C-F0DCC706D39B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765721306}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e2ddf680-9905-4dee-8c64-0a5de7fe133c}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e7afff2a-1b57-49c7-bf6b-e5123394c970}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fd9bc004-8331-4457-b830-4759ff704c22}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMeb7c77fd"=-
"e84f4461"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{BA2A2046-75A4-47C0-A09C-F0DCC706D39B}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnlkjKD]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00  
Driver::
atmunii
asbp2poa

Save this as CFScript.txt, in the same location as ComboFix.exe.


Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Please let me have Jotti's report and the ComboFix report.
Thanks dan
dan12
MRU Honors Grad Emeritus
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire
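The Registry:: section of the CFScript above resets persistence points that the ComboFix log showed altered: the Winlogon Userinit value (iftuyszv.exe appended after userinit.exe) and the LSA Authentication Packages list (fcccaxxx added after msv1_0). The hex(7) value in the script is the REGEDIT4 encoding of a REG_MULTI_SZ: each string as ANSI bytes, a NUL after each, and a closing NUL. The Python below is an added example, not code from this thread, from ComboFix or from MalwareRemoval.com; it decodes and encodes that hex(7) form and flags non-default entries in those two Reg Loading Points lines. The sample lines are constructed from the values shown in the log above; the cp1252 code page, the baseline values and the function names are assumptions.

```python
"""Triage helpers for the Reg Loading Points block of a ComboFix log.

Added example for this thread, not ComboFix's own code.
"""
import re

# Assumed XP baselines: anything listed beyond these deserves a look.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
DEFAULT_AUTH_PACKAGES = ["msv1_0"]

# Constructed sample, built from the two lines shown in the log above.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\iftuyszv.exe,"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\fcccaxxx
'''


def parse_hex7(value):
    """Decode a REGEDIT4 'hex(7):..' REG_MULTI_SZ value into a list of strings.

    REGEDIT4 stores the strings as ANSI bytes separated by NUL with a final
    double NUL; cp1252 is assumed here as the ANSI code page.
    """
    if not value.lower().startswith("hex(7):"):
        raise ValueError("not a hex(7) value: %r" % value)
    # .reg files may continue a long value over lines with a trailing backslash.
    hexpart = value[len("hex(7):"):].replace("\\", "").replace("\n", "")
    raw = bytes(int(b, 16) for b in hexpart.split(",") if b.strip())
    return [s for s in raw.decode("cp1252").split("\x00") if s]


def to_hex7(strings):
    """Encode a list of strings as a REGEDIT4 hex(7) REG_MULTI_SZ value."""
    raw = b"".join(s.encode("cp1252") + b"\x00" for s in strings) + b"\x00"
    return "hex(7):" + ",".join("%02x" % b for b in raw)


def userinit_extras(line):
    """Return executables in a Userinit value beyond the default; None if no match."""
    m = re.match(r'\s*"Userinit"="(.*)"\s*$', line)
    if not m:
        return None
    # ComboFix prints the value in .reg syntax, so backslashes are doubled.
    value = m.group(1).replace("\\\\", "\\")
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != DEFAULT_USERINIT]


def auth_package_extras(line):
    """Return LSA Authentication Packages beyond msv1_0; None if no match.

    ComboFix prints the list whitespace-separated, so a package path that
    itself contained spaces would be split; the log in this thread has none.
    """
    m = re.match(r"\s*Authentication Packages\s+REG_MULTI_SZ\s+(.*)$", line)
    if not m:
        return None
    return [p for p in m.group(1).split() if p.lower() not in DEFAULT_AUTH_PACKAGES]


def triage(log_text):
    """Scan a Reg Loading Points block and return (check, extra_entry) findings."""
    findings = []
    for line in log_text.splitlines():
        for name, check in (("Userinit", userinit_extras),
                            ("Authentication Packages", auth_package_extras)):
            extras = check(line)
            if extras:
                findings.extend((name, e) for e in extras)
    return findings


if __name__ == "__main__":
    for name, extra in triage(SAMPLE_LOG):
        print("%s: non-default entry %s" % (name, extra))
    # The CFScript's reset value decodes back to the plain default list.
    print(parse_hex7("hex(7):6d,73,76,31,5f,30,00,00"))
```

Running it prints the two non-default entries and shows that the script's hex(7) value is simply "msv1_0", so the CFScript line rewrites the list without the appended package; to_hex7(DEFAULT_AUTH_PACKAGES) produces that same value.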

Re: Little help with spymaxx

Unread postby dspools » June 30th, 2008, 11:46 am

Well, things are working a little bit better now and I can actually access this site from the infected computer. Here are the Jotti results in order:


Jotti

Scanner results
Scan taken on 30 Jun 2008 14:35:26 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing


Scan taken on 30 Jun 2008 14:38:48 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
And here is the combofix log:
ComboFix 08-06-20.4 - Drew 2008-06-30 11:44:07.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.731 [GMT -4:00]
Running from: C:\Documents and Settings\Drew\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Drew\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Drew\lsass.exe
C:\WINDOWS\BMeb7c77fd.xml
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\bcmajyyp.dll
C:\WINDOWS\system32\cantbbeo.dll
C:\WINDOWS\system32\cqejyryj.dll
C:\WINDOWS\system32\fcccaxxx
C:\WINDOWS\system32\fcccaxxx.dll
C:\WINDOWS\system32\ftouluvm.dll
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\system32\lajhng.dll
C:\WINDOWS\system32\ltvscmod.dll
C:\WINDOWS\system32\mvuluotf.ini
C:\WINDOWS\system32\nnnlkjKD.dll
C:\WINDOWS\system32\qjpnfwsl.dll
C:\WINDOWS\system32\rsjcsush.dll
C:\WINDOWS\system32\tkbrlz.dll
C:\WINDOWS\system32\vbkxbayu.dll
C:\WINDOWS\system32\xxxacccf.ini
C:\WINDOWS\system32\xxxacccf.ini2
C:\WINDOWS\system32\zdpyya.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Drew\lsass.exe
C:\Temp\syschk3
C:\Temp\syschk3\tdirp5.log
C:\WINDOWS\accesss.exe
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\avpcc.dll
C:\WINDOWS\BMeb7c77fd.xml
C:\WINDOWS\clrssn.exe
C:\WINDOWS\cpan.dll
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\default.htm
C:\WINDOWS\directx32.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\editpad.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\funny.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\iedll.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\inetinf.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\loader.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\msconfd.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\mssys.exe
C:\WINDOWS\msupdate.exe
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\notepad32.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\qttasks.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\searchword.dll
C:\WINDOWS\sistem.exe
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\system32\bam
C:\WINDOWS\system32\cantbbeo.dll
C:\WINDOWS\system32\cqejyryj.dll
C:\WINDOWS\system32\fcccaxxx.dll
C:\WINDOWS\system32\ftouluvm.dll
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\system32\jyryjeqc.ini
C:\WINDOWS\system32\lajhng.dll
C:\WINDOWS\system32\ltvscmod.dll
C:\WINDOWS\system32\modtrux18
C:\WINDOWS\system32\modtrux18\modtrux182328.exe
C:\WINDOWS\system32\mvuluotf.ini
C:\WINDOWS\system32\nnnlkjKD.dll
C:\WINDOWS\system32\qjpnfwsl.dll
C:\WINDOWS\system32\rsjcsush.dll
C:\WINDOWS\system32\tkbrlz.dll
C:\WINDOWS\system32\vbkxbayu.dll
C:\WINDOWS\system32\vec3
C:\WINDOWS\system32\xsir
C:\WINDOWS\system32\xsir\dragGLL1.exe
C:\WINDOWS\system32\xxxacccf.ini
C:\WINDOWS\system32\xxxacccf.ini2
C:\WINDOWS\system32\zdpyya.dll
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\time.exe
C:\WINDOWS\users32.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\win64.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\window.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\x.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\xxxvideo.hta
C:\WINDOWS\y.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASBP2POA
-------\Legacy_ATMUNII
-------\Service_asbp2poa
-------\Service_atmunii


((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.

2008-06-29 19:50 . 2008-06-29 19:50 104,448 --a------ C:\WINDOWS\system32\kragdsov.dll
2008-06-29 18:04 . 2008-06-29 18:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-28 10:38 . 2008-06-28 10:38 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-28 10:38 . 2008-06-28 11:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-28 10:30 . 2008-06-28 10:30 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-27 17:04 . 2008-06-27 17:04 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-27 17:04 . 2008-06-27 17:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-27 17:03 . 2008-06-27 17:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-27 16:42 . 2008-06-27 16:42 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-06-27 16:39 . 2008-06-27 23:40 <DIR> d--hs---- C:\WINDOWS\ZHJldyBzcG9lbHN0cmE
2008-06-27 16:38 . 2008-06-30 11:47 <DIR> d-------- C:\Temp
2008-06-26 19:21 . 2008-06-26 19:21 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-06-26 19:19 . 2008-06-26 19:19 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-06-26 19:18 . 2008-06-26 19:18 <DIR> d-------- C:\Documents and Settings\Drew\Application Data\DAEMON Tools
2008-06-25 20:22 . 2008-06-26 09:49 <DIR> d-------- C:\Documents and Settings\Drew\Application Data\SPORE Creature Creator
2008-06-18 22:17 . 2008-06-18 22:28 <DIR> d-------- C:\Program Files\RegCleaner
2008-06-11 10:09 . 2008-06-13 09:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 10:09 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 10:26 . 2008-06-10 10:27 <DIR> d--h----- C:\Program Files\Zero G Registry
2008-06-10 10:26 . 2008-06-10 10:26 <DIR> d-------- C:\Program Files\Ubisoft
2008-06-10 10:25 . 2008-06-10 10:25 <DIR> d--h----- C:\Documents and Settings\Drew\InstallAnywhere
2008-06-09 17:56 . 2008-06-09 18:59 <DIR> d-------- C:\Program Files\The Dark Legions
2008-06-09 17:56 . 2008-06-09 17:56 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-06-07 18:50 . 2008-06-07 19:38 <DIR> d-------- C:\Program Files\TripleA
2008-06-05 17:53 . 2008-06-17 20:28 341 --a------ C:\WINDOWS\system32\(null)id.tmp
2008-06-02 19:36 . 2008-06-07 22:11 <DIR> d-------- C:\Program Files\Macromedia
2008-06-02 19:36 . 2008-06-07 22:12 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2008-05-21 18:56 . 2008-05-21 18:56 <DIR> d-------- C:\Program Files\ASIO4ALL v2
2008-05-21 18:54 . 2008-05-21 18:54 <DIR> d-------- C:\Program Files\VstPlugins
2008-05-21 18:54 . 2002-07-07 18:14 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm
2008-05-21 18:54 . 2006-06-20 04:56 225,280 --a------ C:\WINDOWS\system32\rewire.dll
2008-05-21 18:53 . 2008-05-21 18:53 <DIR> d-------- C:\Program Files\Outsim
2008-05-21 18:50 . 2008-06-27 16:52 <DIR> d-------- C:\Program Files\Image-Line
2008-05-20 14:50 . 2008-06-17 20:28 341 --a------ C:\WINDOWS\system32\(null)id
2008-05-19 20:36 . 2002-11-20 21:16 180,224 --a------ C:\WINDOWS\system32\Ijl11.dll
2008-05-19 20:36 . 2004-03-09 00:00 124,688 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-05-19 20:36 . 2007-04-15 19:45 53,248 --a------ C:\WINDOWS\system32\KMON.OCX
2008-05-19 20:36 . 2001-11-22 15:00 24,626 --a------ C:\WINDOWS\system32\scrrntr.dll
2008-05-19 20:36 . 2007-03-27 15:25 20,480 --a------ C:\WINDOWS\system32\PAC.EXE
2008-05-19 20:36 . 2007-04-15 19:46 19,456 --a------ C:\WINDOWS\system32\KTKBDHK3.DLL
2008-05-19 20:36 . 2008-06-29 19:44 52 --a------ C:\WINDOWS\system\ACD2.CMD
2008-05-19 20:36 . 2008-06-29 19:44 52 --a------ C:\WINDOWS\system\ACD.CMD
2008-05-19 13:11 . 2008-05-19 13:11 <DIR> d-------- C:\WINDOWS\system32\electricsheep-cache
2008-05-19 13:11 . 2008-05-19 13:21 48,456 --a------ C:\WINDOWS\system32\UninstallElectricSheep.exe
2008-05-19 10:04 . 2008-05-21 17:54 <DIR> d-------- C:\Program Files\Telltale Games
2008-05-18 18:12 . 2008-05-18 18:12 <DIR> d-------- C:\Program Files\GameSpot
2008-05-18 18:12 . 2008-05-18 18:12 <DIR> d-------- C:\Documents and Settings\All Users\temp
2008-05-18 18:12 . 2008-05-18 18:12 <DIR> d-------- C:\Documents and Settings\All Users\Gamespot
2008-05-17 10:21 . 2008-05-17 10:21 <DIR> d-------- C:\ATI
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-07 11:23 . 2008-06-29 17:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-05 01:32 . 2008-05-05 01:32 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-27 21:06 --------- d-----w C:\Documents and Settings\Drew\Application Data\LimeWire
2008-06-27 20:43 --------- d-----w C:\Program Files\LimeWire
2008-06-26 00:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-26 00:18 --------- d-----w C:\Program Files\Electronic Arts
2008-06-04 13:45 --------- d-----w C:\Program Files\Hp
2008-05-29 17:07 --------- d-----w C:\Documents and Settings\Drew\Application Data\U3
2008-05-24 01:39 --------- d-----w C:\Program Files\AIM6
2008-05-24 01:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-05-23 15:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-23 15:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-22 14:30 --------- d--h--w C:\Documents and Settings\Drew\Application Data\Move Networks
2008-05-18 22:12 6,086 ----a-w C:\Program Files\install.log
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 15:24 --------- d-----w C:\Program Files\Google
2008-05-05 12:36 --------- d-----w C:\Program Files\Apple Software Update
2008-05-05 05:32 --------- d-----w C:\Program Files\iTunes
2008-05-05 05:30 --------- d-----w C:\Program Files\QuickTime
2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2007-10-03 03:30 50,016 ----a-w C:\Documents and Settings\Drew\Application Data\GDIPFONTCACHEV1.DAT
2007-06-10 06:05 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2007-04-20 02:24 376,832 --sha-w C:\WINDOWS\system32\activexdebugger32.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\ZHJldyBzcG9lbHN0cmE ----



((((((((((((((((((((((((((((( snapshot@2008-06-29_19.52.24.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-29 23:39:41 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-30 15:54:22 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 21:51 57344]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 05:39 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 08:12 102492]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 08:11 692316]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-09 00:05 339968]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-10-22 15:18 229438]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-16 21:50 40960]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 18:07 49263]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1156437538\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1156437538\\ee\\aim6.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\ElectricSheep.scr"=

R1 SSHDRV64;SSHDRV64;C:\WINDOWS\system32\drivers\SSHDRV64.sys [2007-09-24 21:34]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31080c81-0815-11dc-b193-00c09f8e8958}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31080c82-0815-11dc-b193-00c09f8e8958}]
\Shell\Auto\command - F:\activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - F:\activexdebugger32.exe f
\Shell\open\Command - F:\activexdebugger32.exe f

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b569194e-6744-11db-b161-00c09f8e8958}]
\Shell\Auto\command - E:\activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - E:\activexdebugger32.exe f
\Shell\open\Command - E:\activexdebugger32.exe f

.
Contents of the 'Scheduled Tasks' folder
"2008-05-28 12:56:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-06 04:19:20 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 12:26:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????4?5?4?0??????? ???B?????????????H<C? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-06-30 12:30:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-30 16:30:42
ComboFix2.txt 2008-06-29 23:54:19

Pre-Run: 32,210,350,080 bytes free
Post-Run: 32,205,647,872 bytes free

291 --- E O F --- 2008-06-20 04:29:51
And a fresh HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:44, on 6/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\dspools.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v ... b56649.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5428 bytes
dspools
Regular Member
 
Posts: 16
Joined: June 28th, 2008, 10:30 am
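The mountpoints2 block in the ComboFix log above is the part a defender reads for: on two removable drives every shell verb (Auto, AutoRun, explore, open) has been pointed at activexdebugger32.exe, while the third drive carries only a normal U3 launcher. As an added example, not from the thread and not ComboFix's own logic, here is a small Python parser that pulls those blocks out of log text and flags the entries whose open/explore verbs are redirected or that launch through ShellExec_RunDLL; the sample text is copied from the log above, and all function and regex names are assumptions of this example.

```python
import re

# Shell verbs Explorer evaluates when the user double-clicks or right-clicks a
# drive. A legitimate autoplay launcher (a U3 stick, an installer CD) sets only
# AutoRun; taking over open and explore as well means whatever the user does
# with the drive runs the planted file.
USER_VERBS = {"open", "explore"}

# Constructed sample: the three MountPoints2 blocks as they appear in the
# ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31080c81-0815-11dc-b193-00c09f8e8958}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31080c82-0815-11dc-b193-00c09f8e8958}]
\Shell\Auto\command - F:\activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - F:\activexdebugger32.exe f
\Shell\open\Command - F:\activexdebugger32.exe f

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b569194e-6744-11db-b161-00c09f8e8958}]
\Shell\Auto\command - E:\activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - E:\activexdebugger32.exe f
\Shell\open\Command - E:\activexdebugger32.exe f
"""

# Header line of one MountPoints2 block; group 1 is the drive GUID.
KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
# One "\Shell\<verb>\command - <command line>" line inside a block.
CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+)$", re.I)


def parse_mountpoints(log_text):
    """Return {guid: {verb: command}} for every MountPoints2 block in the log."""
    points = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = points.setdefault(key.group(1).lower(), {})
            continue
        cmd = CMD_RE.match(line)
        if cmd and current is not None:
            current[cmd.group(1).lower()] = cmd.group(2).strip()
    return points


def assess_mountpoint(commands):
    """Return the reasons one entry looks hijacked; an empty list means benign."""
    reasons = []
    taken = USER_VERBS & set(commands)
    if taken:
        reasons.append("user verbs redirected: " + ", ".join(sorted(taken)))
    for verb, cmd in sorted(commands.items()):
        # Launching a bare filename through RunDLL32/ShellExec_RunDLL resolves
        # it against the drive root, so the log line alone does not show
        # which binary actually runs.
        if "shellexec_rundll" in cmd.lower():
            reasons.append(f"{verb}: indirect launch via ShellExec_RunDLL")
    return reasons


def find_hijacked(log_text):
    """Map each flagged GUID to its reasons; clean entries are left out."""
    flagged = {}
    for guid, commands in parse_mountpoints(log_text).items():
        reasons = assess_mountpoint(commands)
        if reasons:
            flagged[guid] = reasons
    return flagged


if __name__ == "__main__":
    for guid, reasons in find_hijacked(SAMPLE_LOG).items():
        print(guid)
        for reason in reasons:
            print("   ", reason)
```

Run against a full ComboFix log the parser ignores every other section, so only the drive entries come back; the U3 launcher on E: is not reported.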

Re: Little help with spymaxx

Unread postby dan12 » June 30th, 2008, 12:25 pm

Thanks for your returned logs; I will be looking through them soon. In the meantime, can I see an uninstall list?

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

Image

5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Little help with spymaxx

Unread postby dspools » June 30th, 2008, 12:39 pm

Here is the uninstall list you asked for:

Ad-Aware
Adobe Flash Player Plugin
Adobe Photoshop CS
Adobe Reader 6.0.1
Adobe Shockwave Player
AIM 6
Alt-Tab Task Switcher Powertoy for Windows XP
AOL Uninstaller (Choose which Products to Remove)
Apple Mobile Device Support
Apple Software Update
ASIO4ALL
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
briblo Screen Saver
Broadcom 802.11 Wireless LAN Adapter
Canon PIXMA iP1500
ClearType Tuning Control Panel Applet
Comcast High-Speed Internet Install Wizard
Conexant AC-97 Audio
Conexant Data Fax Modem with SmartCP
Desktop Doctor
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
ElectricSheep 2.6.6
FL Studio 8
GameSpot Download Manager
Google Earth
Google SketchUp 6
Google SketchUp 6
Google Toolbar for Firefox
Google Updater
HijackThis 2.0.2
HP Help and Support
HP Update
HP Wireless Assistant 1.01 A2
IL Download Manager
Image Resizer Powertoy for Windows XP
ImageMixer VCD/DVD2 for OLYMPUS
InterVideo WinDVD
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 2
LG USB Drivers
LimeWire 4.14.10
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Fireworks 8
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8
Magnifier Powertoy for Windows XP
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Office XP Professional with FrontPage
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
OLYMPUS Master
PoiZone
Power Tab Editor 1.7
Quick Launch Buttons 5.10 A2
QuickTime
REALTEK Gigabit and Fast Ethernet NIC Driver
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Shadowbane - Throne of Oblivion
Sid Meier's Civilization 4
Sid Meier's Pirates!
SPORE™ Creature Creator Trial Edition
Spybot - Search & Destroy
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515 drivers.
Toxic Biohazard
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Viewpoint Toolbar
Virtual Desktop Manager Powertoy for Windows XP
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB884575
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885464
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892559
dspools
Regular Member
 
Posts: 16
Joined: June 28th, 2008, 10:30 am

Re: Little help with spymaxx

Unread postby dan12 » June 30th, 2008, 1:16 pm

Please copy and paste this command in to command prompt

Code:
dir /a /s C:\WINDOWS\ZHJldyBzcG9lbHN0cmE >> log.txt
notepad log.txt
del log.txt
1. Close any open browsers.

2. Open notepad and copy/paste the text in the codebox below into it:

Code:
File::
C:\WINDOWS\system32\kragdsov.dll
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\(null)id.tmp
C:\WINDOWS\system32\(null)id
C:\WINDOWS\system32\Ijl11.dll
C:\WINDOWS\system32\PAC.EXE
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
: Malwarebytes' Anti-Malware :

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Post combo log, malwarebytes log and fresh HJT log.
dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Little help with spymaxx

Unread postby dspools » June 30th, 2008, 7:25 pm

Sorry for the delay,
here are the results for the scans:



ComboFix 08-06-20.4 - Drew 2008-06-30 17:02:11.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.683 [GMT -4:00]
Running from: C:\Documents and Settings\Drew\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Drew\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\(null)id
C:\WINDOWS\system32\(null)id.tmp
C:\WINDOWS\system32\Ijl11.dll
C:\WINDOWS\system32\kragdsov.dll
C:\WINDOWS\system32\PAC.EXE
C:\WINDOWS\system32\vbzip10.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\(null)id
C:\WINDOWS\system32\(null)id.tmp
C:\WINDOWS\system32\Ijl11.dll
C:\WINDOWS\system32\kragdsov.dll
C:\WINDOWS\system32\PAC.EXE
C:\WINDOWS\system32\vbzip10.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.

2008-06-29 18:04 . 2008-06-29 18:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-28 10:38 . 2008-06-28 10:38 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-28 10:38 . 2008-06-28 11:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-28 10:30 . 2008-06-28 10:30 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-27 17:04 . 2008-06-27 17:04 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-27 17:04 . 2008-06-27 17:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-27 17:03 . 2008-06-27 17:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-27 16:39 . 2008-06-27 23:40 <DIR> d--hs---- C:\WINDOWS\ZHJldyBzcG9lbHN0cmE
2008-06-27 16:38 . 2008-06-30 11:47 <DIR> d-------- C:\Temp
2008-06-26 19:21 . 2008-06-26 19:21 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-06-26 19:19 . 2008-06-26 19:19 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-06-26 19:18 . 2008-06-26 19:18 <DIR> d-------- C:\Documents and Settings\Drew\Application Data\DAEMON Tools
2008-06-25 20:22 . 2008-06-26 09:49 <DIR> d-------- C:\Documents and Settings\Drew\Application Data\SPORE Creature Creator
2008-06-18 22:17 . 2008-06-18 22:28 <DIR> d-------- C:\Program Files\RegCleaner
2008-06-11 10:09 . 2008-06-13 09:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 10:09 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 10:26 . 2008-06-10 10:27 <DIR> d--h----- C:\Program Files\Zero G Registry
2008-06-10 10:26 . 2008-06-10 10:26 <DIR> d-------- C:\Program Files\Ubisoft
2008-06-10 10:25 . 2008-06-10 10:25 <DIR> d--h----- C:\Documents and Settings\Drew\InstallAnywhere
2008-06-09 17:56 . 2008-06-09 18:59 <DIR> d-------- C:\Program Files\The Dark Legions
2008-06-09 17:56 . 2008-06-09 17:56 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-06-07 18:50 . 2008-06-07 19:38 <DIR> d-------- C:\Program Files\TripleA
2008-06-02 19:36 . 2008-06-07 22:11 <DIR> d-------- C:\Program Files\Macromedia
2008-06-02 19:36 . 2008-06-07 22:12 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2008-05-21 18:56 . 2008-05-21 18:56 <DIR> d-------- C:\Program Files\ASIO4ALL v2
2008-05-21 18:54 . 2008-05-21 18:54 <DIR> d-------- C:\Program Files\VstPlugins
2008-05-21 18:54 . 2002-07-07 18:14 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm
2008-05-21 18:54 . 2006-06-20 04:56 225,280 --a------ C:\WINDOWS\system32\rewire.dll
2008-05-21 18:53 . 2008-05-21 18:53 <DIR> d-------- C:\Program Files\Outsim
2008-05-21 18:50 . 2008-06-27 16:52 <DIR> d-------- C:\Program Files\Image-Line
2008-05-19 20:36 . 2004-03-09 00:00 124,688 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-05-19 20:36 . 2007-04-15 19:45 53,248 --a------ C:\WINDOWS\system32\KMON.OCX
2008-05-19 20:36 . 2001-11-22 15:00 24,626 --a------ C:\WINDOWS\system32\scrrntr.dll
2008-05-19 20:36 . 2007-04-15 19:46 19,456 --a------ C:\WINDOWS\system32\KTKBDHK3.DLL
2008-05-19 20:36 . 2008-06-29 19:44 52 --a------ C:\WINDOWS\system\ACD2.CMD
2008-05-19 20:36 . 2008-06-29 19:44 52 --a------ C:\WINDOWS\system\ACD.CMD
2008-05-19 13:11 . 2008-05-19 13:11 <DIR> d-------- C:\WINDOWS\system32\electricsheep-cache
2008-05-19 13:11 . 2008-05-19 13:21 48,456 --a------ C:\WINDOWS\system32\UninstallElectricSheep.exe
2008-05-19 10:04 . 2008-05-21 17:54 <DIR> d-------- C:\Program Files\Telltale Games
2008-05-18 18:12 . 2008-05-18 18:12 <DIR> d-------- C:\Program Files\GameSpot
2008-05-18 18:12 . 2008-05-18 18:12 <DIR> d-------- C:\Documents and Settings\All Users\temp
2008-05-18 18:12 . 2008-05-18 18:12 <DIR> d-------- C:\Documents and Settings\All Users\Gamespot
2008-05-17 10:21 . 2008-05-17 10:21 <DIR> d-------- C:\ATI
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-07 11:23 . 2008-06-29 17:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-05 01:32 . 2008-05-05 01:32 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-27 21:06 --------- d-----w C:\Documents and Settings\Drew\Application Data\LimeWire
2008-06-27 20:43 --------- d-----w C:\Program Files\LimeWire
2008-06-26 00:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-26 00:18 --------- d-----w C:\Program Files\Electronic Arts
2008-06-04 13:45 --------- d-----w C:\Program Files\Hp
2008-05-29 17:07 --------- d-----w C:\Documents and Settings\Drew\Application Data\U3
2008-05-24 01:39 --------- d-----w C:\Program Files\AIM6
2008-05-24 01:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-05-23 15:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-23 15:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-22 14:30 --------- d--h--w C:\Documents and Settings\Drew\Application Data\Move Networks
2008-05-19 14:08 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-05-18 22:12 6,086 ----a-w C:\Program Files\install.log
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 15:24 --------- d-----w C:\Program Files\Google
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-05 12:36 --------- d-----w C:\Program Files\Apple Software Update
2008-05-05 05:32 --------- d-----w C:\Program Files\iTunes
2008-05-05 05:30 --------- d-----w C:\Program Files\QuickTime
2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2007-10-03 03:30 50,016 ----a-w C:\Documents and Settings\Drew\Application Data\GDIPFONTCACHEV1.DAT
2007-06-10 06:05 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2007-04-20 02:24 376,832 --sha-w C:\WINDOWS\system32\activexdebugger32.exe
.

((((((((((((((((((((((((((((( snapshot@2008-06-29_19.52.24.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-29 23:39:41 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-30 15:54:22 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 21:51 57344]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 05:39 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 08:12 102492]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 08:11 692316]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-09 00:05 339968]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-10-22 15:18 229438]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-16 21:50 40960]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 18:07 49263]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1156437538\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1156437538\\ee\\aim6.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\ElectricSheep.scr"=

R1 SSHDRV64;SSHDRV64;C:\WINDOWS\system32\drivers\SSHDRV64.sys [2007-09-24 21:34]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31080c81-0815-11dc-b193-00c09f8e8958}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31080c82-0815-11dc-b193-00c09f8e8958}]
\Shell\Auto\command - F:\activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - F:\activexdebugger32.exe f
\Shell\open\Command - F:\activexdebugger32.exe f

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b569194e-6744-11db-b161-00c09f8e8958}]
\Shell\Auto\command - E:\activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - E:\activexdebugger32.exe f
\Shell\open\Command - E:\activexdebugger32.exe f

.
Contents of the 'Scheduled Tasks' folder
"2008-05-28 12:56:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-06 04:19:20 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 17:03:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????4?5?4?0??????? ???B?????????????H<C? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-30 17:05:20
ComboFix-quarantined-files.txt 2008-06-30 21:04:55
ComboFix2.txt 2008-06-30 16:30:46
ComboFix3.txt 2008-06-29 23:54:19

Pre-Run: 32,186,859,520 bytes free
Post-Run: 32,176,271,360 bytes free

175 --- E O F --- 2008-06-20 04:29:51

MALWAREBYTES LOG:


Malwarebytes' Anti-Malware 1.19
Database version: 909
Windows 5.1.2600 Service Pack 2

7:22:03 PM 6/30/2008
mbam-log-6-30-2008 (19-22-03).txt

Scan type: Full Scan (C:\|)
Objects scanned: 121087
Time elapsed: 34 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 22

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\mrofinu1000106.exe.vir (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\mrofinu1188.exe.vir (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\iftuyszv.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\rwwnw64d.exe.vir (Adware.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\tcntaxdm.exe.vir (Adware.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\f10\kscomdll3.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\modtrux18\modtrux182328.exe.vir (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\xsir\dragGLL1.exe.vir (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BD855E1B-2EBD-44F7-8972-8B30EEE77393}\RP536\A0045265.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BD855E1B-2EBD-44F7-8972-8B30EEE77393}\RP536\A0045275.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BD855E1B-2EBD-44F7-8972-8B30EEE77393}\RP536\A0045276.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BD855E1B-2EBD-44F7-8972-8B30EEE77393}\RP536\A0045278.dll (AdWare.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BD855E1B-2EBD-44F7-8972-8B30EEE77393}\RP536\A0045279.exe (AdWare.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BD855E1B-2EBD-44F7-8972-8B30EEE77393}\RP536\A0045281.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BD855E1B-2EBD-44F7-8972-8B30EEE77393}\RP538\A0046583.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BD855E1B-2EBD-44F7-8972-8B30EEE77393}\RP538\A0046634.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BD855E1B-2EBD-44F7-8972-8B30EEE77393}\RP538\A0046637.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BD855E1B-2EBD-44F7-8972-8B30EEE77393}\RP541\A0047730.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BD855E1B-2EBD-44F7-8972-8B30EEE77393}\RP541\A0047731.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BD855E1B-2EBD-44F7-8972-8B30EEE77393}\RP541\A0047785.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BD855E1B-2EBD-44F7-8972-8B30EEE77393}\RP541\A0047786.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BD855E1B-2EBD-44F7-8972-8B30EEE77393}\RP541\A0047791.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HJT LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:23, on 6/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\dspools.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v ... b56649.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5445 bytes
dspools
Regular Member
 
Posts: 16
Joined: June 28th, 2008, 10:30 am
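The MountPoints2 blocks in the ComboFix log above, where the same activexdebugger32.exe is wired to the Auto, AutoRun, explore and open verbs of two different drive letters, are the classic removable-drive autorun pattern. As an added example that is not part of this thread or of ComboFix, the Python script below parses such a "Reg Loading Points" section and flags it; the sample input reproduces the log lines posted above, and the scoring rules are my own assumptions.

```python
"""Flag removable-drive AutoRun hijacks in a ComboFix 'Reg Loading Points' dump."""
import re

# Constructed sample input: the MountPoints2 blocks as they appear in the
# ComboFix log posted above (the activexdebugger32.exe entries are the concern).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31080c81-0815-11dc-b193-00c09f8e8958}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31080c82-0815-11dc-b193-00c09f8e8958}]
\Shell\Auto\command - F:\activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - F:\activexdebugger32.exe f
\Shell\open\Command - F:\activexdebugger32.exe f

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b569194e-6744-11db-b161-00c09f8e8958}]
\Shell\Auto\command - E:\activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - E:\activexdebugger32.exe f
\Shell\open\Command - E:\activexdebugger32.exe f
"""

KEY_RE = re.compile(r"^\[.*\\mountpoints2\\\{(?P<guid>[0-9a-f-]+)\}\]$", re.I)
VERB_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.+)$", re.I)
EXE_RE = re.compile(r"([\w.-]+\.exe)\b", re.I)

def parse_mountpoints(text):
    """Return {guid: {verb: command}} for every MountPoints2 block in the dump."""
    blocks, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group("guid").lower()
            blocks[current] = {}
            continue
        verb = VERB_RE.match(line)
        if verb and current is not None:
            blocks[current][verb.group("verb").lower()] = verb.group("cmd")
    return blocks

def assess(blocks):
    """Return {guid: [reasons]}; an empty list means nothing unusual was seen."""
    findings = {}
    for guid, verbs in blocks.items():
        reasons = []
        # A legitimate launcher (e.g. a U3 stick) registers only the AutoRun verb;
        # autorun worms also hijack open/explore so double-clicking the drive runs them.
        hijacked = sorted(v for v in verbs if v in ("auto", "explore", "open"))
        if hijacked:
            reasons.append("overrides shell verbs " + ", ".join(hijacked))
        for verb, cmd in verbs.items():
            # Indirection through RunDLL32/ShellExec_RunDLL is an autorun.inf trick.
            if "shellexec_rundll" in cmd.lower():
                reasons.append(f"{verb}: launches via RunDLL32 ShellExec_RunDLL")
        findings[guid] = reasons
    return findings

def shared_binaries(blocks):
    """Map executable name -> GUIDs that reference it, for names seen on 2+ drives."""
    seen = {}
    for guid, verbs in blocks.items():
        for cmd in verbs.values():
            for exe in EXE_RE.findall(cmd):
                if exe.lower() != "rundll32.exe":
                    seen.setdefault(exe.lower(), set()).add(guid)
    return {exe: sorted(g) for exe, g in seen.items() if len(g) > 1}

if __name__ == "__main__":
    parsed = parse_mountpoints(SAMPLE_LOG)
    for guid, reasons in assess(parsed).items():
        print(guid, "->", "; ".join(reasons) or "no autorun hijack indicators")
    for exe, guids in shared_binaries(parsed).items():
        print(f"{exe} spreads across {len(guids)} drives: {guids}")
```

The U3 launcher block on E: comes back clean because it registers only the AutoRun verb, while both activexdebugger32.exe blocks are flagged on two independent rules and the binary is reported as shared between drives.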

Re: Little help with spymaxx

Unread postby dan12 » July 1st, 2008, 12:38 am

Do you have the txt report from the first part of my last post also?
I will look through your reports soon.
dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Little help with spymaxx

Unread postby dspools » July 1st, 2008, 11:02 am

No, I missed that. What is command prompt? :oops:
dspools
Regular Member
 
Posts: 16
Joined: June 28th, 2008, 10:30 am