Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Board index Malware Removal ForumsInfected? Virus, malware, adware, ransomware, oh my!

Infected with Antispyware Master (log included)

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.
Topic locked

Infected with Antispyware Master (log included)

Unread postby snauss » July 30th, 2008, 12:52 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:11:56 PM, on 30/07/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\M-Audio Ozone\Install\Ozinst.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\M-Audio Ozone\OZTask.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [b89746b6] rundll32.exe "C:\WINDOWS\System32\sncqobhg.dll",b
O4 - HKLM\..\Run: [BMbba4752a] Rundll32.exe "C:\WINDOWS\System32\knxhjcxy.dll",s
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: M-Audio Ozone Control Panel Launcher.lnk = C:\Program Files\M-Audio Ozone\OZTask.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resou ... NPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4241563335
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_ ... ofupld.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://prod1.centra.com/SiteRoots/main/ ... loader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/chuzzl ... er_v10.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/acti ... 0.0.10.cab?
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Ozone Installer (OzoneInstallerService) - Nemesis - C:\Program Files\M-Audio Ozone\Install\Ozinst.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 9040 bytes


Hope you can help.

Thanks,

snauss
snauss
Regular Member
 
Posts: 31
Joined: July 30th, 2008, 12:44 pm
Top
Advertisement
Register to Remove

Re: Infected with Antispyware Master (log included)

Unread postby Shaba » August 1st, 2008, 1:32 am

Hi snauss

  1. Please download this tool from Microsoft.
  2. Double click on MGADiag.exe to run it.
  3. Click Continue.
  4. The program will run. It takes a while to finish the diagnosis, please be patient.
  5. Once done, click on Copy.
  6. Open Notepad and paste the contents in. Save this file and post it in your next reply.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
Top

Re: Infected with Antispyware Master (log included)

Unread postby snauss » August 1st, 2008, 9:49 am

Thanks for the help!
I did this in safe mode, is that OK? It only took a few seconds to run.

Diagnostic Report (1.7.0095.0):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-GD6GR-K6DP3-4C8MT
Windows Product Key Hash: s2kt66ZJWfV4nS1wFD5F9bxTSDw=
Windows Product ID: 55277-OEM-2111907-00102
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.1.0.hom
CSVLK Server: N/A
CSVLK PID: N/A
ID: {7C684972-75BC-4199-963C-7F0428578614}(1)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.5.512.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1_16E0B333-156-80004005
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office XP Small Business - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-171-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\WINDOWS\system32\oembios.bin[hr = 0x80070714]
File Mismatch: C:\WINDOWS\system32\oembios.dat[hr = 0x80070714]
File Mismatch: C:\WINDOWS\system32\oembios.sig[hr = 0x80070714]

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{7C684972-75BC-4199-963C-7F0428578614}</UGUID><Version>1.7.0095.0</Version><OS>5.1.2600.2.00010300.1.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-4C8MT</PKey><PID>55277-OEM-2111907-00102</PID><PIDType>2</PIDType><SID>S-1-5-21-1841877954-1195689297-1920293390</SID><SYSTEM><Manufacturer>Dell Computer Corporation</Manufacturer><Model>Inspiron 5100 </Model></SYSTEM><BIOS><Manufacturer>Dell Computer Corporation</Manufacturer><Version>A32</Version><SMBIOSVersion major="2" minor="3"/><Date>20041018******.******+***</Date><SLPBIOS>Dell System,Dell Computer,Dell System,Dell System</SLPBIOS></BIOS><HWID>5B7F3807018400C2</HWID><UserLCID>1009</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Atlantic Standard Time(GMT-04:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Dell Computer Corporation</name><model>Dell INSPIRON I5100</model></SBID><OEM/><BRT/></MachineData> <Software><Office><Result>100</Result><Products><Product GUID="{91130409-6000-11D3-8CFE-0050048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office XP Small Business</Name><Ver>10</Ver><Val>888F4296F6D0F8C</Val><Hash>xyaaRMQ7lzP+rlwQ4QdAT0xfofo=</Hash><Pid>54188-OEM-1793474-09190</Pid><PidType>4</PidType></Product></Products><Applications><App Id="16" Version="10" Result="100"/><App Id="19" Version="10" Result="100"/><App Id="1A" Version="10" Result="100"/><App Id="1B" Version="10" Result="100"/></Applications></Office></Software></GenuineResults>
snauss
Regular Member
 
Posts: 31
Joined: July 30th, 2008, 12:44 pm
Top

Re: Infected with Antispyware Master (log included)

Unread postby Shaba » August 1st, 2008, 11:44 am

Hi

Rename HijackThis.exe to snauss.exe.

After that:

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
Top

Re: Infected with Antispyware Master (log included)

Unread postby snauss » August 1st, 2008, 12:33 pm

COMBOFIX LOG
ComboFix 08-07-31.06 - Sharon Nauss 2008-08-01 12:52:36.1 - NTFSx86 NETWORK
Running from: C:\Documents and Settings\Sharon Nauss\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\Sharon Nauss\Application Data\macromedia\Flash Player\#SharedObjects\JMFHFEPA\interclick.com
C:\Documents and Settings\Sharon Nauss\Application Data\macromedia\Flash Player\#SharedObjects\JMFHFEPA\interclick.com\ud.sol
C:\Documents and Settings\Sharon Nauss\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Sharon Nauss\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\BMbba4752a.txt
C:\WINDOWS\BMbba4752a.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\SYSTEM32\eeqxfhft.ini
C:\WINDOWS\system32\geBroNhg.dll
C:\WINDOWS\system32\ghboqcns.ini
C:\WINDOWS\system32\jkkKefGy.dll
C:\WINDOWS\system32\ljJYSige.dll
C:\WINDOWS\SYSTEM32\lyptxmtc.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pWaadfii.ini
C:\WINDOWS\SYSTEM32\pWaadfii.ini2
C:\WINDOWS\system32\tuvSifDT.dll
C:\WINDOWS\system32\vtUlMgHY.dll
C:\WINDOWS\system32\wvUkLBuU.dll
C:\WINDOWS\uninstall_nmon.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Service_cmdService


((((((((((((((((((((((((( Files Created from 2008-07-01 to 2008-08-01 )))))))))))))))))))))))))))))))
.

2008-08-01 13:02 . 2008-08-01 13:04 294 ---hs---- C:\WINDOWS\SYSTEM32\lyptxmtc.ini
2008-08-01 13:01 . 2008-08-01 13:03 111,577 --a------ C:\WINDOWS\BMbba4752a.xml
2008-08-01 13:01 . 2008-08-01 13:01 22 --a------ C:\WINDOWS\pskt.ini
2008-08-01 10:44 . 2008-08-01 10:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-08-01 10:44 . 2008-08-01 10:44 83,456 --a------ C:\WINDOWS\SYSTEM32\ctmxtpyl.dll
2008-08-01 10:42 . 2008-08-01 10:42 114,176 --a------ C:\WINDOWS\SYSTEM32\owiyik.dll
2008-08-01 10:42 . 2008-08-01 10:42 114,176 --a------ C:\WINDOWS\SYSTEM32\jucnjoxc.dll
2008-08-01 10:42 . 2008-08-01 10:42 91,648 --a------ C:\WINDOWS\SYSTEM32\gpyjdegb.dll
2008-07-30 13:10 . 2008-07-30 13:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-30 10:52 . 2008-07-30 10:52 10,240 --a------ C:\WINDOWS\quit.exe
2008-07-29 21:05 . 2008-07-29 21:05 83,456 --a------ C:\WINDOWS\SYSTEM32\sncqobhg.dll
2008-07-29 21:02 . 2008-07-29 21:02 105,472 --a------ C:\WINDOWS\SYSTEM32\ybmilo.dll
2008-07-29 21:02 . 2008-07-29 21:02 105,472 --a------ C:\WINDOWS\SYSTEM32\lmvuvxuk.dll
2008-07-29 21:02 . 2008-07-29 21:02 91,648 --a------ C:\WINDOWS\SYSTEM32\knxhjcxy.dll
2008-07-29 16:42 . 2008-07-29 16:42 105,472 --a------ C:\WINDOWS\SYSTEM32\fzplev.dll
2008-07-29 16:42 . 2008-07-29 16:42 105,472 --a------ C:\WINDOWS\SYSTEM32\dqvvdagr.dll
2008-07-29 16:41 . 2008-07-29 16:41 314,880 --a------ C:\WINDOWS\SYSTEM32\iifdaaWp.dll
2008-07-29 16:36 . 2008-07-29 17:13 <DIR> d--hs---- C:\WINDOWS\U2hhcm9uIE5hdXNz
2008-07-29 16:36 . 2008-07-29 19:44 <DIR> d-------- C:\WINDOWS\SYSTEM32\ppt2
2008-07-29 16:36 . 2008-07-29 16:36 <DIR> d-------- C:\WINDOWS\SYSTEM32\heg2
2008-07-29 16:35 . 2008-07-29 16:35 <DIR> d-------- C:\WINDOWS\SYSTEM32\kBin19
2008-07-29 16:35 . 2008-07-29 16:36 <DIR> d-------- C:\Temp\epr1
2008-07-29 16:35 . 2008-08-01 12:53 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 20:18 --------- d--h--w C:\Program Files\InstallJammer Registry
2008-06-11 22:51 63,888 ----a-w C:\Documents and Settings\Sharon Nauss\Application Data\GDIPFONTCACHEV1.DAT
2008-06-10 00:24 --------- d-----w C:\Program Files\Java
2008-06-07 22:56 --------- d-----w C:\Documents and Settings\Sharon Nauss\Application Data\Share-to-Web Upload Folder
2005-07-29 19:24 472 --sha-r C:\WINDOWS\U2hhcm9uIE5hdXNz\oZ11wA6RKHc1xrhW.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46F89BE3-80DC-481B-B35C-80DA2E3BFB73}]
2008-07-29 16:41 314880 --a------ C:\WINDOWS\System32\iifdaaWp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a895529d-ac11-4543-8826-bb2012150aa0}]
2008-08-01 10:42 114176 --a------ C:\WINDOWS\System32\owiyik.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-02 20:18 68856]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 19:21 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 19:15 610304]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 14:30 335872]
"DadApp"="C:\Program Files\Dell\AccessDirect\dadapp.exe" [2002-11-01 18:47 208560]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2003-06-20 16:18 368640]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-07-17 12:18 28672]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-02-27 15:17 90112]
"MCAgentExe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2002-09-06 20:15 192512]
"MCUpdateExe"="C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe" [2002-09-04 12:28 151552]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 14:28 684032]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2002-10-04 17:09 139264]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 09:11 57344]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 20:26 217088]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-11-23 15:04 1544192]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 18:19 49152]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 03:00 99840]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2003-09-09 00:01 26112]
"b89746b6"="C:\WINDOWS\System32\ctmxtpyl.dll" [2008-08-01 10:44 83456]
"BMbba4752a"="C:\WINDOWS\System32\gpyjdegb.dll" [2008-08-01 10:42 91648]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-28 19:17 28672 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 18:18 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe [2003-10-06 20:32:01 1269836]
D-Link AirPlus G Wireless Utility.lnk - C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe [2006-07-19 15:40:12 782412]
D-Link REG Utility.lnk - C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\Reg.exe [2006-07-19 15:40:11 24576]
M-Audio Ozone Control Panel Launcher.lnk - C:\Program Files\M-Audio Ozone\OZTask.exe [2003-01-31 14:34:50 98304]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 03:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=owiyik.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi2"= usbnz1x1.dll
"midi3"= usbnz1x1.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2003-09-09 00:01 26112 C:\Program Files\Real\RealPlayer\realplay.exe

R0 BTMgr;Bluelet Device Manager Service;C:\WINDOWS\System32\Drivers\BTMgr.sys [2002-06-12 13:43]
R2 CVPNDRV;Cisco Systems IPsec Driver;C:\WINDOWS\System32\Drivers\CVPNDRV.sys [2002-08-07 13:23]
R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\System32\DRIVERS\RimSerial.sys [2005-08-16 13:02]
S3 Btusb;Bluetooth USB;C:\WINDOWS\System32\Drivers\Btusb.sys [2001-12-10 14:16]
S3 ccBirdPacket;Birdman's Packet Filter, 2001/02/18;C:\WINDOWS\System32\drivers\BgWinNT.sys [2002-02-22 12:34]
S3 EWAVE;EWAVE;C:\WINDOWS\System32\drivers\ew.sys []
S3 FILESPY;FILESPY;C:\WINDOWS\System32\drivers\FILESPY.sys []
S3 GBGSIF;FX-MAX virtual GSIF driver;C:\WINDOWS\System32\Drivers\GBGSIF.sys [2005-03-06 23:21]
S3 ma763008;M-Audio Ozone;C:\WINDOWS\System32\drivers\MA763008.sys [2007-10-01 12:43]
S3 MADFU008;MADFU008;C:\WINDOWS\System32\DRIVERS\MADFU008.sys [2007-10-01 12:43]
S3 MagixASIODrv;MAGIX_ASIO_BoostDriver;C:\Program Files\MAGIX\Samplitude_SE_No9\mxasio.sys [2002-04-16 12:10]
S3 NSTATION;NSTATION;C:\WINDOWS\System32\drivers\nstation.sys []
S3 SynasUSB;SynasUSB;C:\WINDOWS\System32\drivers\SynasUSB.sys [2002-11-25 03:46]
S3 USBNZ1X1;M-Audio Ozone Midi;C:\WINDOWS\System32\drivers\usbnz1x1.sys [2007-10-01 12:43]
.
Contents of the 'Scheduled Tasks' folder

2008-08-01 C:\WINDOWS\Tasks\McAfee.com Update Check (D9PHFG31-Owner).job
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe [2002-09-04 12:28]

2008-08-01 C:\WINDOWS\Tasks\McAfee.com Update Check (D9PHFG31-Owner).job
- C:\PROGRA~1\McAfee.com\Agent [2008-03-08 23:24]

2008-08-01 C:\WINDOWS\Tasks\McAfee.com Update Check (SHARON-Sharon Nauss).job
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe [2002-09-04 12:28]

2008-08-01 C:\WINDOWS\Tasks\McAfee.com Update Check (SHARON-Sharon Nauss).job
- C:\PROGRA~1\McAfee.com\Agent [2008-03-08 23:24]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.ca/
R0 -: HKCU-Main,Search Page = hxxp://www.google.com
R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
R0 -: HKLM-Main,Default_Search_URL = hxxp://www.google.com/ie
R0 -: HKLM-Main,Start Page = hxxp://www.dellnet.com
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
R1 -: HKCU-Internet Settings,ProxyOverride = 127.0.0.1
R0 -: HKCU-Search,SearchAssistant = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
R0 -: HKLM-Search,SearchAssistant = hxxp://www.google.com/ie
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O18 -: Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - hxxp://prod1.centra.com/SiteRoots/main/ ... loader.cab
C:\WINDOWS\Downloaded Program Files\CentraDownloader.inf
C:\WINDOWS\Downloaded Program Files\CentraDownloader.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-01 13:01:23
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\pskt.ini 22 bytes
C:\WINDOWS\system32\lyptxmtc.ini 1487794 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\System32\ctmxtpyl.dll
-> C:\WINDOWS\System32\gpyjdegb.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\acs.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\McAfee.com\VSO\mcvsrte.exe
C:\Program Files\M-Audio Ozone\Install\ozinst.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\McAfee.com\VSO\McShield.exe
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-08-01 13:18:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-01 16:17:14

Pre-Run: 19,232,747,520 bytes free
Post-Run: 19,071,164,416 bytes free
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:24:28 PM, on 01/08/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\M-Audio Ozone\Install\Ozinst.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\M-Audio Ozone\OZTask.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\snauss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10C0A1A1-32AB-45E4-9DFF-A8615C6ADFED} - C:\WINDOWS\System32\iifdaaWp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: {0c6e04ed-6f24-6b6a-4fd4-d664b87d87be} - {eb78d78b-466d-4df4-a6b6-42f6de40e6c0} - C:\WINDOWS\System32\eohvao.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [b89746b6] rundll32.exe "C:\WINDOWS\System32\ctmxtpyl.dll",b
O4 - HKLM\..\Run: [BMbba4752a] Rundll32.exe "C:\WINDOWS\System32\nlyipnry.dll",s
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: M-Audio Ozone Control Panel Launcher.lnk = C:\Program Files\M-Audio Ozone\OZTask.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resou ... NPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4241563335
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_ ... ofupld.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://prod1.centra.com/SiteRoots/main/ ... loader.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/acti ... 0.0.10.cab?
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O20 - AppInit_DLLs: owiyik.dll eohvao.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Ozone Installer (OzoneInstallerService) - Nemesis - C:\Program Files\M-Audio Ozone\Install\Ozinst.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 10007 bytes

215

HIJACKTHIS LOG
snauss
Regular Member
 
Posts: 31
Joined: July 30th, 2008, 12:44 pm
Top

Re: Infected with Antispyware Master (log included)

Unread postby Shaba » August 1st, 2008, 12:54 pm

Hi

Open notepad and copy/paste the text in the codebox below into it:

Code: Select all
Rootkit::
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\lyptxmtc.ini

File::
C:\WINDOWS\BMbba4752a.xml
C:\WINDOWS\SYSTEM32\ctmxtpyl.dll
C:\WINDOWS\SYSTEM32\owiyik.dll
C:\WINDOWS\SYSTEM32\jucnjoxc.dll
C:\WINDOWS\SYSTEM32\gpyjdegb.dll
C:\WINDOWS\SYSTEM32\sncqobhg.dll
C:\WINDOWS\SYSTEM32\ybmilo.dll
C:\WINDOWS\SYSTEM32\lmvuvxuk.dll
C:\WINDOWS\SYSTEM32\knxhjcxy.dll
C:\WINDOWS\SYSTEM32\fzplev.dll
C:\WINDOWS\SYSTEM32\dqvvdagr.dll
C:\WINDOWS\SYSTEM32\iifdaaWp.dll

Folder::
C:\WINDOWS\U2hhcm9uIE5hdXNz
C:\WINDOWS\SYSTEM32\ppt2
C:\WINDOWS\SYSTEM32\heg2
C:\WINDOWS\SYSTEM32\kBin19
C:\Temp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46F89BE3-80DC-481B-B35C-80DA2E3BFB73}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a895529d-ac11-4543-8826-bb2012150aa0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"b89746b6"=-
"BMbba4752a"=-


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
Top

Re: Infected with Antispyware Master (log included)

Unread postby snauss » August 1st, 2008, 2:07 pm

COMBOFIX LOG
ComboFix 08-07-31.06 - Sharon Nauss 2008-08-01 14:26:01.2 - NTFSx86
Running from: C:\Documents and Settings\Sharon Nauss\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sharon Nauss\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BMbba4752a.xml
C:\WINDOWS\SYSTEM32\ctmxtpyl.dll
C:\WINDOWS\SYSTEM32\dqvvdagr.dll
C:\WINDOWS\SYSTEM32\fzplev.dll
C:\WINDOWS\SYSTEM32\gpyjdegb.dll
C:\WINDOWS\SYSTEM32\iifdaaWp.dll
C:\WINDOWS\SYSTEM32\jucnjoxc.dll
C:\WINDOWS\SYSTEM32\knxhjcxy.dll
C:\WINDOWS\SYSTEM32\lmvuvxuk.dll
C:\WINDOWS\SYSTEM32\owiyik.dll
C:\WINDOWS\SYSTEM32\sncqobhg.dll
C:\WINDOWS\SYSTEM32\ybmilo.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp
C:\Temp\epr1\K19i.log
C:\WINDOWS\BMbba4752a.txt
C:\WINDOWS\BMbba4752a.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\dqvvdagr.dll
C:\WINDOWS\SYSTEM32\fzplev.dll
C:\WINDOWS\SYSTEM32\gpyjdegb.dll
C:\WINDOWS\SYSTEM32\heg2
C:\WINDOWS\SYSTEM32\hpwrvjbj.ini
C:\WINDOWS\SYSTEM32\iifdaaWp.dll
C:\WINDOWS\SYSTEM32\jucnjoxc.dll
C:\WINDOWS\SYSTEM32\kBin19
C:\WINDOWS\SYSTEM32\kBin19\kBin191065.exe
C:\WINDOWS\SYSTEM32\knxhjcxy.dll
C:\WINDOWS\SYSTEM32\lmvuvxuk.dll
C:\WINDOWS\SYSTEM32\lyptxmtc.ini
C:\WINDOWS\SYSTEM32\owiyik.dll
C:\WINDOWS\SYSTEM32\ppt2
C:\WINDOWS\SYSTEM32\pWaadfii.ini
C:\WINDOWS\SYSTEM32\pWaadfii.ini2
C:\WINDOWS\SYSTEM32\sncqobhg.dll
C:\WINDOWS\SYSTEM32\ybmilo.dll
C:\WINDOWS\U2hhcm9uIE5hdXNz
C:\WINDOWS\U2hhcm9uIE5hdXNz\oZ11wA6RKHc1xrhW.vbs

.
((((((((((((((((((((((((( Files Created from 2008-07-01 to 2008-08-01 )))))))))))))))))))))))))))))))
.

2008-08-01 13:24 . 2008-08-01 13:24 83,456 --a------ C:\WINDOWS\SYSTEM32\jbjvrwph.dll
2008-08-01 13:22 . 2008-08-01 13:22 114,176 --a------ C:\WINDOWS\SYSTEM32\tgnaqjvw.dll
2008-08-01 13:22 . 2008-08-01 13:22 114,176 --a------ C:\WINDOWS\SYSTEM32\eohvao.dll
2008-08-01 13:22 . 2008-08-01 13:22 91,648 --a------ C:\WINDOWS\SYSTEM32\nlyipnry.dll
2008-08-01 10:44 . 2008-08-01 10:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-07-30 13:10 . 2008-07-30 13:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-30 10:52 . 2008-07-30 10:52 10,240 --a------ C:\WINDOWS\quit.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 20:18 --------- d--h--w C:\Program Files\InstallJammer Registry
2008-06-11 22:51 63,888 ----a-w C:\Documents and Settings\Sharon Nauss\Application Data\GDIPFONTCACHEV1.DAT
2008-06-10 00:24 --------- d-----w C:\Program Files\Java
2008-06-07 22:56 --------- d-----w C:\Documents and Settings\Sharon Nauss\Application Data\Share-to-Web Upload Folder
.

((((((((((((((((((((((((((((( snapshot@2008-08-01_13.16.06.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-01 15:59:22 16,384 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2008-08-01 17:48:04 16,384 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2008-07-30 16:29:22 262,144 ---ha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2008-08-01 17:47:23 262,144 ---ha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
- 2008-08-01 15:59:22 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2008-08-01 17:48:04 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2008-08-01 15:59:22 81,920 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-01 17:48:04 81,920 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-01 16:04:15 53,166 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2008-08-01 16:08:54 53,166 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2008-08-01 16:04:16 380,918 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-08-01 16:08:55 380,918 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{eb78d78b-466d-4df4-a6b6-42f6de40e6c0}]
2008-08-01 13:22 114176 --a------ C:\WINDOWS\System32\eohvao.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-02 20:18 68856]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 19:21 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 19:15 610304]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 14:30 335872]
"DadApp"="C:\Program Files\Dell\AccessDirect\dadapp.exe" [2002-11-01 18:47 208560]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2003-06-20 16:18 368640]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-07-17 12:18 28672]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-02-27 15:17 90112]
"MCAgentExe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2002-09-06 20:15 192512]
"MCUpdateExe"="C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe" [2002-09-04 12:28 151552]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 14:28 684032]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2002-10-04 17:09 139264]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 09:11 57344]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 20:26 217088]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-11-23 15:04 1544192]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 18:19 49152]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 03:00 99840]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2003-09-09 00:01 26112]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-28 19:17 28672 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 18:18 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe [2003-10-06 20:32:01 1269836]
D-Link AirPlus G Wireless Utility.lnk - C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe [2006-07-19 15:40:12 782412]
D-Link REG Utility.lnk - C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\Reg.exe [2006-07-19 15:40:11 24576]
M-Audio Ozone Control Panel Launcher.lnk - C:\Program Files\M-Audio Ozone\OZTask.exe [2003-01-31 14:34:50 98304]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 03:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=owiyik.dll eohvao.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi2"= usbnz1x1.dll
"midi3"= usbnz1x1.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2003-09-09 00:01 26112 C:\Program Files\Real\RealPlayer\realplay.exe

R0 BTMgr;Bluelet Device Manager Service;C:\WINDOWS\System32\Drivers\BTMgr.sys [2002-06-12 13:43]
R2 CVPNDRV;Cisco Systems IPsec Driver;C:\WINDOWS\System32\Drivers\CVPNDRV.sys [2002-08-07 13:23]
R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\System32\DRIVERS\RimSerial.sys [2005-08-16 13:02]
S3 Btusb;Bluetooth USB;C:\WINDOWS\System32\Drivers\Btusb.sys [2001-12-10 14:16]
S3 ccBirdPacket;Birdman's Packet Filter, 2001/02/18;C:\WINDOWS\System32\drivers\BgWinNT.sys [2002-02-22 12:34]
S3 EWAVE;EWAVE;C:\WINDOWS\System32\drivers\ew.sys []
S3 FILESPY;FILESPY;C:\WINDOWS\System32\drivers\FILESPY.sys []
S3 GBGSIF;FX-MAX virtual GSIF driver;C:\WINDOWS\System32\Drivers\GBGSIF.sys [2005-03-06 23:21]
S3 ma763008;M-Audio Ozone;C:\WINDOWS\System32\drivers\MA763008.sys [2007-10-01 12:43]
S3 MADFU008;MADFU008;C:\WINDOWS\System32\DRIVERS\MADFU008.sys [2007-10-01 12:43]
S3 MagixASIODrv;MAGIX_ASIO_BoostDriver;C:\Program Files\MAGIX\Samplitude_SE_No9\mxasio.sys [2002-04-16 12:10]
S3 NSTATION;NSTATION;C:\WINDOWS\System32\drivers\nstation.sys []
S3 SynasUSB;SynasUSB;C:\WINDOWS\System32\drivers\SynasUSB.sys [2002-11-25 03:46]
S3 USBNZ1X1;M-Audio Ozone Midi;C:\WINDOWS\System32\drivers\usbnz1x1.sys [2007-10-01 12:43]
.
Contents of the 'Scheduled Tasks' folder

2008-08-01 C:\WINDOWS\Tasks\McAfee.com Update Check (D9PHFG31-Owner).job
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe [2002-09-04 12:28]

2008-08-01 C:\WINDOWS\Tasks\McAfee.com Update Check (D9PHFG31-Owner).job
- C:\PROGRA~1\McAfee.com\Agent [2008-03-08 23:24]

2008-08-01 C:\WINDOWS\Tasks\McAfee.com Update Check (SHARON-Sharon Nauss).job
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe [2002-09-04 12:28]

2008-08-01 C:\WINDOWS\Tasks\McAfee.com Update Check (SHARON-Sharon Nauss).job
- C:\PROGRA~1\McAfee.com\Agent [2008-03-08 23:24]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-01 14:48:51
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\acs.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\McAfee.com\VSO\mcvsrte.exe
C:\Program Files\M-Audio Ozone\Install\ozinst.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\McAfee.com\VSO\McShield.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-08-01 15:01:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-01 18:00:56
ComboFix2.txt 2008-08-01 16:18:49

Pre-Run: 19,031,904,256 bytes free
Post-Run: 19,012,329,472 bytes free
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:03:54 PM, on 01/08/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\M-Audio Ozone\Install\Ozinst.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\M-Audio Ozone\OZTask.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\snauss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: {0c6e04ed-6f24-6b6a-4fd4-d664b87d87be} - {eb78d78b-466d-4df4-a6b6-42f6de40e6c0} - C:\WINDOWS\System32\eohvao.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: M-Audio Ozone Control Panel Launcher.lnk = C:\Program Files\M-Audio Ozone\OZTask.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resou ... NPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4241563335
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_ ... ofupld.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://prod1.centra.com/SiteRoots/main/ ... loader.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/acti ... 0.0.10.cab?
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O20 - AppInit_DLLs: owiyik.dll eohvao.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Ozone Installer (OzoneInstallerService) - Nemesis - C:\Program Files\M-Audio Ozone\Install\Ozinst.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 9713 bytes

184

HIJACKTHIS LOG
snauss
Regular Member
 
Posts: 31
Joined: July 30th, 2008, 12:44 pm
Top

Re: Infected with Antispyware Master (log included)

Unread postby Shaba » August 1st, 2008, 2:38 pm

There is some stuff which has been downloaded between combofix logs. Let's remove it next :)

Open notepad and copy/paste the text in the codebox below into it:

Code: Select all
File::
C:\WINDOWS\SYSTEM32\jbjvrwph.dll
C:\WINDOWS\SYSTEM32\tgnaqjvw.dll
C:\WINDOWS\SYSTEM32\eohvao.dll
C:\WINDOWS\SYSTEM32\nlyipnry.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{eb78d78b-466d-4df4-a6b6-42f6de40e6c0}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
Top

Re: Infected with Antispyware Master (log included)

Unread postby snauss » August 1st, 2008, 3:07 pm

Hi again, logs are below
COMBOFIX LOG
ComboFix 08-07-31.06 - Sharon Nauss 2008-08-01 15:43:19.3 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.132 [GMT -3:00]
Running from: C:\Documents and Settings\Sharon Nauss\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sharon Nauss\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\SYSTEM32\eohvao.dll
C:\WINDOWS\SYSTEM32\jbjvrwph.dll
C:\WINDOWS\SYSTEM32\nlyipnry.dll
C:\WINDOWS\SYSTEM32\tgnaqjvw.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\eohvao.dll
C:\WINDOWS\SYSTEM32\jbjvrwph.dll
C:\WINDOWS\SYSTEM32\nlyipnry.dll
C:\WINDOWS\SYSTEM32\tgnaqjvw.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-01 to 2008-08-01 )))))))))))))))))))))))))))))))
.

2008-08-01 10:44 . 2008-08-01 10:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-07-30 13:10 . 2008-07-30 13:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-30 10:52 . 2008-07-30 10:52 10,240 --a------ C:\WINDOWS\quit.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 20:18 --------- d--h--w C:\Program Files\InstallJammer Registry
2008-06-11 22:51 63,888 ----a-w C:\Documents and Settings\Sharon Nauss\Application Data\GDIPFONTCACHEV1.DAT
2008-06-10 00:24 --------- d-----w C:\Program Files\Java
2008-06-07 22:56 --------- d-----w C:\Documents and Settings\Sharon Nauss\Application Data\Share-to-Web Upload Folder
.

((((((((((((((((((((((((((((( snapshot@2008-08-01_13.16.06.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-01 15:59:22 16,384 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2008-08-01 18:47:47 16,384 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2008-07-30 16:29:22 262,144 ---ha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2008-08-01 18:35:37 262,144 ---ha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
- 2008-08-01 15:59:22 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2008-08-01 18:47:47 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2008-08-01 15:59:22 81,920 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-01 18:47:47 81,920 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-01 16:04:15 53,166 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2008-08-01 16:08:54 53,166 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2008-08-01 16:04:16 380,918 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-08-01 16:08:55 380,918 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-02 20:18 68856]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 19:21 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 19:15 610304]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 14:30 335872]
"DadApp"="C:\Program Files\Dell\AccessDirect\dadapp.exe" [2002-11-01 18:47 208560]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2003-06-20 16:18 368640]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-07-17 12:18 28672]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-02-27 15:17 90112]
"MCAgentExe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2002-09-06 20:15 192512]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2002-09-04 12:28 151552]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 14:28 684032]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2002-10-04 17:09 139264]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 09:11 57344]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 20:26 217088]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-11-23 15:04 1544192]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 18:19 49152]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 03:00 99840]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2003-09-09 00:01 26112]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-28 19:17 28672 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 18:18 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe [2003-10-06 20:32:01 1269836]
D-Link AirPlus G Wireless Utility.lnk - C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe [2006-07-19 15:40:12 782412]
D-Link REG Utility.lnk - C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\Reg.exe [2006-07-19 15:40:11 24576]
M-Audio Ozone Control Panel Launcher.lnk - C:\Program Files\M-Audio Ozone\OZTask.exe [2003-01-31 14:34:50 98304]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 03:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi2"= usbnz1x1.dll
"midi3"= usbnz1x1.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2003-09-09 00:01 26112 C:\Program Files\Real\RealPlayer\realplay.exe

R0 BTMgr;Bluelet Device Manager Service;C:\WINDOWS\System32\Drivers\BTMgr.sys [2002-06-12 13:43]
R2 CVPNDRV;Cisco Systems IPsec Driver;C:\WINDOWS\System32\Drivers\CVPNDRV.sys [2002-08-07 13:23]
R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\System32\DRIVERS\RimSerial.sys [2005-08-16 13:02]
S3 Btusb;Bluetooth USB;C:\WINDOWS\System32\Drivers\Btusb.sys [2001-12-10 14:16]
S3 ccBirdPacket;Birdman's Packet Filter, 2001/02/18;C:\WINDOWS\System32\drivers\BgWinNT.sys [2002-02-22 12:34]
S3 EWAVE;EWAVE;C:\WINDOWS\System32\drivers\ew.sys []
S3 FILESPY;FILESPY;C:\WINDOWS\System32\drivers\FILESPY.sys []
S3 GBGSIF;FX-MAX virtual GSIF driver;C:\WINDOWS\System32\Drivers\GBGSIF.sys [2005-03-06 23:21]
S3 ma763008;M-Audio Ozone;C:\WINDOWS\System32\drivers\MA763008.sys [2007-10-01 12:43]
S3 MADFU008;MADFU008;C:\WINDOWS\System32\DRIVERS\MADFU008.sys [2007-10-01 12:43]
S3 MagixASIODrv;MAGIX_ASIO_BoostDriver;C:\Program Files\MAGIX\Samplitude_SE_No9\mxasio.sys [2002-04-16 12:10]
S3 NSTATION;NSTATION;C:\WINDOWS\System32\drivers\nstation.sys []
S3 SynasUSB;SynasUSB;C:\WINDOWS\System32\drivers\SynasUSB.sys [2002-11-25 03:46]
S3 USBNZ1X1;M-Audio Ozone Midi;C:\WINDOWS\System32\drivers\usbnz1x1.sys [2007-10-01 12:43]
.
Contents of the 'Scheduled Tasks' folder

2008-08-01 C:\WINDOWS\Tasks\McAfee.com Update Check (D9PHFG31-Owner).job
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe [2002-09-04 12:28]

2008-08-01 C:\WINDOWS\Tasks\McAfee.com Update Check (D9PHFG31-Owner).job
- C:\PROGRA~1\McAfee.com\Agent [2008-03-08 23:24]

2008-08-01 C:\WINDOWS\Tasks\McAfee.com Update Check (SHARON-Sharon Nauss).job
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe [2002-09-04 12:28]

2008-08-01 C:\WINDOWS\Tasks\McAfee.com Update Check (SHARON-Sharon Nauss).job
- C:\PROGRA~1\McAfee.com\Agent [2008-03-08 23:24]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-01 15:48:24
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\acs.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\McAfee.com\VSO\mcvsrte.exe
C:\Program Files\M-Audio Ozone\Install\ozinst.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\McAfee.com\VSO\McShield.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-08-01 16:00:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-01 19:00:40
ComboFix2.txt 2008-08-01 18:01:23
ComboFix3.txt 2008-08-01 16:18:49

Pre-Run: 19,205,816,320 bytes free
Post-Run: 18,919,915,520 bytes free

148

HIJACKTHIS LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:02:51 PM, on 01/08/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\M-Audio Ozone\Install\Ozinst.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\M-Audio Ozone\OZTask.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\snauss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: M-Audio Ozone Control Panel Launcher.lnk = C:\Program Files\M-Audio Ozone\OZTask.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resou ... NPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4241563335
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_ ... ofupld.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://prod1.centra.com/SiteRoots/main/ ... loader.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/acti ... 0.0.10.cab?
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Ozone Installer (OzoneInstallerService) - Nemesis - C:\Program Files\M-Audio Ozone\Install\Ozinst.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 9546 bytes

Thanks again for your help!! Greatly appreciated!
snauss
Regular Member
 
Posts: 31
Joined: July 30th, 2008, 12:44 pm
Top

Re: Infected with Antispyware Master (log included)

Unread postby Shaba » August 1st, 2008, 3:23 pm

Looks good :)

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
Top

Re: Infected with Antispyware Master (log included)

Unread postby snauss » August 1st, 2008, 5:04 pm

Kaspersky log
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, August 1, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 1 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, August 01, 2008 20:30:28
Records in database: 1041748
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 50730
Threat name: 10
Infected objects: 28
Suspicious objects: 0
Duration of the scan: 01:11:22


File name / Threat name / Threats count
C:\QooBox\Quarantine\C\WINDOWS\mrofinu1000106.exe.vir Infected: Trojan-Downloader.Win32.Homles.bz 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dqvvdagr.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.buv 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\fzplev.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.buv 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jkkKefGy.dll.vir Infected: Trojan.Win32.Monderb.agl 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jucnjoxc.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bzp 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kBin19\kBin191065.exe.vir Infected: Trojan-Downloader.Win32.VB.gfh 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\knxhjcxy.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aejn 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ljJYSige.dll.vir Infected: Trojan.Win32.Monderb.agl 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lmvuvxuk.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.buv 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\owiyik.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bzp 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\sncqobhg.dll.vir Infected: Trojan.Win32.Monder.bdp 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tuvSifDT.dll.vir Infected: Trojan.Win32.Monderb.agl 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vtUlMgHY.dll.vir Infected: Trojan.Win32.Monderb.agl 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wvUkLBuU.dll.vir Infected: Trojan.Win32.Monderb.agl 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ybmilo.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.buv 1
C:\QooBox\Quarantine\catchme2008-08-01_125752.24.zip Infected: Trojan.Win32.Monderb.agl 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001001.dll Infected: Trojan.Win32.Monder.bwt 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0001042.exe Infected: Trojan-Downloader.Win32.VB.gfh 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0001044.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.buv 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0001045.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.buv 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0001048.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bzp 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0001049.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aejn 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0001050.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.buv 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0001051.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bzp 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0001052.dll Infected: Trojan.Win32.Monder.bdp 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0001053.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.buv 1
C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b 1
C:\WINDOWS\quit.exe Infected: Trojan.Win32.KillFiles.vx 1

The selected area was scanned.

Hijackthis logLogfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:01:48 PM, on 01/08/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\M-Audio Ozone\Install\Ozinst.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\M-Audio Ozone\OZTask.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\snauss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: M-Audio Ozone Control Panel Launcher.lnk = C:\Program Files\M-Audio Ozone\OZTask.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resou ... NPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4241563335
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_ ... ofupld.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://prod1.centra.com/SiteRoots/main/ ... loader.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/acti ... 0.0.10.cab?
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Ozone Installer (OzoneInstallerService) - Nemesis - C:\Program Files\M-Audio Ozone\Install\Ozinst.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 9546 bytes
snauss
Regular Member
 
Posts: 31
Joined: July 30th, 2008, 12:44 pm
Top

Re: Infected with Antispyware Master (log included)

Unread postby Shaba » August 2nd, 2008, 4:42 am

Have you downloaded this?

C:\WINDOWS\quit.exe Infected: Trojan.Win32.KillFiles.vx 1
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
Top

Re: Infected with Antispyware Master (log included)

Unread postby snauss » August 2nd, 2008, 8:58 am

No, I did not.
snauss
Regular Member
 
Posts: 31
Joined: July 30th, 2008, 12:44 pm
Top

Re: Infected with Antispyware Master (log included)

Unread postby Shaba » August 2nd, 2008, 9:34 am

Thanks for the info.

Empty this folder:

C:\QooBox\Quarantine

Delete this:

C:\WINDOWS\quit.exe

Empty Recycle Bin.

All other viruses are in system restore and inactive

I give you later instructions how to empty it.

Other than that, any problems left?
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
Top

Re: Infected with Antispyware Master (log included)

Unread postby snauss » August 2nd, 2008, 11:50 am

Hi Shaba,

Both files are now deleted.

There doesn't seem to be any problems now.

Thanks again!

snauss
snauss
Regular Member
 
Posts: 31
Joined: July 30th, 2008, 12:44 pm
Top
Advertisement
Register to Remove
Next
Topic locked
  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 149 guests

The teamDelete all board cookiesAll times are UTC - 5 hours [ DST ]

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware

Board index