
Malware Removal

Post by loadmaster43 » December 29th, 2007, 5:34 pm

Please help. I thought I had removed any problems. Maybe it is my imagination, but my computer still seems to be acting funny. :pale:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:28:12 PM, on 12/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Windows Defender\MsMpEng.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\SOUNDMAN.EXE
H:\Program Files\iTunes\iTunesHelper.exe
H:\Program Files\Windows Defender\MSASCui.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\PROGRA~1\Grisoft\AVG7\avgcc.exe
H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
H:\PROGRA~1\Grisoft\AVG7\avgemc.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\SpywareBot\SpywareBot.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Common Files\LightScribe\LSSrvc.exe
H:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
H:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
H:\Program Files\palmOne\Hotsync.exe
H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
H:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
H:\Program Files\Greetings Workshop\GWREMIND.EXE
h:\program files\common files\mcafee\mna\mcnasvc.exe
H:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
H:\PROGRA~1\McAfee\MSC\mcpromgr.exe
h:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
h:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
H:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
H:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
H:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
h:\PROGRA~1\mcafee.com\agent\mcagent.exe
H:\Program Files\McAfee\MPF\MPFSrv.exe
H:\PROGRA~1\McAfee\MPS\mps.exe
H:\WINDOWS\system32\PSIService.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\McAfee\MPS\mpsevh.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.msnbc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - H:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - h:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - H:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "H:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpywareBot] H:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] H:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] H:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] H:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: Greetings Workshop Reminders.lnk = H:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: DataViz Inc Messenger.lnk = H:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = H:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://H:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Open with WordPerfect - H:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - H:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/downl ... st_Win.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_de ... Plugin.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - H:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - H:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - H:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - H:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - H:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - h:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - H:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - H:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - h:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - h:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - H:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - H:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - H:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - H:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NMIndexingService - Nero AG - H:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - H:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - H:\WINDOWS\system32\PSIService.exe
O24 - Desktop Component 0: (no name) - http://www-pao.ksc.nasa.gov/kscpao/imag ... 2750-t.jpg

--
End of file - 10320 bytes
loadmaster43
Regular Member
 
Posts: 25
Joined: December 29th, 2007, 5:21 pm

Re: Malware Removal

Post by beynac » December 31st, 2007, 8:15 am

Welcome to Malware Removal. :)

I'm looking through your log and will post again shortly.
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Re: Malware Removal

Post by beynac » December 31st, 2007, 9:19 am

Good afternoon.

Your HijackThis log doesn't show any malware, apart from one rogue program. Your main problem is that you have two real-time antivirus programs running - AVG and McAfee. This is a very bad idea as it can cause all sorts of conflicts. You need to uninstall one of them. If AVG is the free version and your subscription for McAfee is current, I suggest that you uninstall AVG AntiVirus immediately (using Control Panel/Add or Remove Programs). I also strongly recommend that you uninstall SpywareBot as this is a known rogue program. Once this is uninstalled, find and delete the following folder: H:\Program Files\SpywareBot\.

------------------------------------------------------

Update Java Runtime:

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 3.
  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Click on the link named Java Runtime Environment (JRE) 6 Update 3
  • Click on the radio button to Accept License Agreement
  • Click on Windows Offline Installation, Multi-language and save the downloaded file to your desktop
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 2 Runtime Environment, JRE or JSE)
  • Reboot your computer
  • Delete the folder C:\Program Files\Java, if present
  • Install the new version by running the newly-downloaded file, and follow the on-screen instructions.
  • Reboot your computer

-----------------------------------------------------

I thought I had removed any problems. Maybe it is my imagination, but my computer still seems to be acting funny.

The computer is probably "acting funny" because of the two antivirus programs running. However, if you have had some problems, I think that it would be a good idea to check into this a bit deeper.

ComboFix by sUBs

Important: If you already have ComboFix on your computer, please delete it and download the latest version.
  • Download this file - ComboFix.exe. (Please save it on your desktop).
  • Close all open windows.
  • Double click ComboFix.exe and follow the prompts.
  • When finished, it will produce a log for you. Please post that log in your next reply.
Important: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

If necessary, please split the log into separate posts to ensure that they don't get cut off. It is important that I see the full log.

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

------------------------------------------------

Please post the following, as a reply to this thread:
  • The ComboFix log
  • A new HijackThis log
Please also let me know if the computer is running better now that you have uninstalled AVG AntiVirus. If not, please give details of any problems.
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England
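The two checks beynac made by eye above (a second real-time antivirus running alongside McAfee, and the SpywareBot rogue in the autostart entries) can be automated over HijackThis O4/O23 lines. This is an added example, not code from the thread or from MalwareRemoval.com; the sample lines are constructed after the log format posted above, and the antivirus-vendor table and the rogue list are illustrative assumptions standing in for maintained lists.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample lines that follow the O4/O23 format of the logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpywareBot] H:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [Windows Defender] "H:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - Global Startup: HP Digital Imaging Monitor.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - H:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""

# HijackThis v2 line shapes: registry Run entries, Startup-folder shortcuts, services.
O4_RUN_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_LNK_RE = re.compile(r"^O4 - (?P<where>.+?): (?P<name>.+?\.lnk) = (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<cmd>.+)$")

# Assumed vendor table (illustration only): substring of the O23 vendor field
# or of the executable path -> antivirus product. Anti-spyware tools such as
# Ad-Aware and the 2007 Windows Defender are deliberately not listed.
AV_PRODUCTS = {"grisoft": "AVG", "avg7": "AVG", "mcafee": "McAfee",
               "symantec": "Symantec", "kaspersky": "Kaspersky"}

# Rogue list: only the program the helper identified in this thread; a
# placeholder for a maintained rogue-software list.
ROGUE_PROGRAMS = {"spywarebot": "SpywareBot"}


@dataclass
class Entry:
    kind: str    # "O4" autostart or "O23" service
    name: str    # entry label or service display name
    vendor: str  # O23 vendor field, empty for O4 entries
    path: str    # executable path with quotes and arguments stripped


def exe_path(cmd: str) -> str:
    """Strip surrounding quotes and trailing arguments from a command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces, so cut after the first binary extension.
    m = re.match(r"^(.*?\.(?:exe|dll|cpl|lnk))\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def parse_hjt(text: str) -> list[Entry]:
    """Parse the O4 and O23 lines of a HijackThis log; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RUN_RE.match(line) or O4_LNK_RE.match(line):
            entries.append(Entry("O4", m["name"], "", exe_path(m["cmd"])))
        elif m := O23_RE.match(line):
            entries.append(Entry("O23", m["name"], m["vendor"], exe_path(m["cmd"])))
    return entries


def antivirus_products(entries: list[Entry]) -> set[str]:
    """Distinct antivirus products that have a service or autostart entry."""
    found = set()
    for e in entries:
        haystack = f"{e.vendor} {e.path}".lower()
        found.update(p for needle, p in AV_PRODUCTS.items() if needle in haystack)
    return found


def rogue_findings(entries: list[Entry]) -> list[tuple[str, str, str]]:
    """(product, entry label, executable path) for each rogue-list hit."""
    hits = []
    for e in entries:
        text = f"{e.name} {e.path}".lower()
        hits += [(p, e.name, e.path) for k, p in ROGUE_PROGRAMS.items() if k in text]
    return hits


def analyze(text: str) -> dict:
    """Reproduce the helper's two verdicts: AV conflict and rogue program present."""
    entries = parse_hjt(text)
    products = antivirus_products(entries)
    rogues = rogue_findings(entries)
    return {
        "entries": len(entries),
        "antivirus": sorted(products),
        "av_conflict": len(products) > 1,  # two real-time scanners, as in the thread
        "rogue": sorted({p for p, _, _ in rogues}),
        "rogue_paths": sorted({path for _, _, path in rogues}),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```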

Re: Malware Removal

Post by loadmaster43 » December 31st, 2007, 11:01 pm

It seems to be running a little smoother as of this reply. I performed the recommended actions. Here are the new logs:

ComboFix 07-12-31.4 - Frank 2007-12-31 21:49:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1531 [GMT -5:00]
Running from: H:\Documents and Settings\Frank\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

H:\WINDOWS\system32\autorun.ini
H:\WINDOWS\system32\winio.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-01 to 2008-01-01 )))))))))))))))))))))))))))))))
.

2007-12-31 21:47 . 2000-08-31 08:00 51,200 --a------ H:\WINDOWS\NirCmd.exe
2007-12-31 21:40 . 2007-12-31 21:40 <DIR> d-------- H:\Program Files\Sun
2007-12-31 21:40 . 2007-09-24 23:31 69,632 --a------ H:\WINDOWS\system32\javacpl.cpl
2007-12-31 21:37 . 2007-12-31 21:40 <DIR> d-------- H:\Program Files\Java
2007-12-31 21:35 . 2007-12-31 21:35 <DIR> d-------- H:\Program Files\Common Files\Java
2007-12-31 20:36 . 2007-12-31 20:36 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Avg7
2007-12-23 18:55 . 2004-05-08 10:21 35,840 --a------ H:\WINDOWS\system32\drivers\AmdK8.sys
2007-12-23 18:54 . 2004-12-07 02:59 45,695 --------- H:\WINDOWS\system32\En.ini
2007-12-23 18:47 . 2007-12-23 18:47 <DIR> d-------- H:\Program Files\Project1
2007-12-23 18:47 . 2007-12-23 18:47 286,720 --------- H:\WINDOWS\Setup1.exe
2007-12-23 18:47 . 2007-12-23 18:47 73,216 --a------ H:\WINDOWS\ST6UNST.EXE
2007-12-19 19:58 . 2007-12-19 19:58 <DIR> d-------- H:\Program Files\Windows Defender
2007-12-18 19:01 . 2007-12-18 19:01 0 --a------ H:\WINDOWS\ativpsrm.bin
2007-12-17 23:31 . 2007-12-30 13:29 <DIR> d-------- H:\Documents and Settings\Frank\Application Data\SpywareBot
2007-12-16 15:18 . 2007-12-16 18:24 1,674 --a------ H:\WINDOWS\system32\tmp.reg
2007-12-16 13:42 . 2007-12-16 13:42 <DIR> d-------- H:\Program Files\Lavasoft
2007-12-16 13:42 . 2007-12-16 13:42 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-16 13:36 . 2007-12-31 21:43 54,156 --ah----- H:\WINDOWS\QTFont.qfn
2007-12-16 13:36 . 2007-12-16 13:36 1,409 --a------ H:\WINDOWS\QTFont.for
2007-12-10 20:32 . 2007-12-13 19:56 251 --a------ H:\WINDOWS\123Movies2IPOD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-01 02:43 --------- d-----w H:\Program Files\Greetings Workshop
2008-01-01 02:41 --------- d-----w H:\Documents and Settings\Frank\Application Data\ComcastToolbar
2008-01-01 00:11 --------- d---a-w H:\Documents and Settings\All Users\Application Data\TEMP
2007-12-31 02:04 --------- d-----w H:\Program Files\palmOne
2007-12-24 00:26 --------- d-----w H:\Program Files\XoftSpySE
2007-12-23 23:55 --------- d--h--w H:\Program Files\InstallShield Installation Information
2007-12-23 23:55 --------- d-----w H:\Program Files\AMD
2007-12-19 01:05 --------- d-----w H:\Program Files\Common Files\scanner
2007-12-16 18:42 --------- d-----w H:\Program Files\Common Files\Wise Installation Wizard
2007-12-13 22:39 --------- d-----w H:\Program Files\123CopyDVDGold
2007-12-13 22:38 --------- d-----w H:\Program Files\AviSynth 2.5
2007-11-22 00:00 --------- d-----w H:\Program Files\McAfee
2007-11-20 03:03 --------- d-----w H:\Program Files\Documents To Go
2007-11-18 00:19 --------- d-----w H:\Program Files\Trend Micro
2007-11-13 10:25 20,480 ----a-w H:\WINDOWS\system32\drivers\secdrv.sys
2007-11-09 01:53 --------- d-----w H:\Program Files\iTunes
2007-11-09 01:53 --------- d-----w H:\Program Files\iPod
2007-11-09 01:51 --------- d-----w H:\Program Files\QuickTime
2007-10-29 22:43 1,287,680 ----a-w H:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w H:\WINDOWS\system32\wmasf.dll
2007-10-24 06:47 96,760 ----a-w H:\WINDOWS\system32\dfshim.dll
2007-10-24 06:47 84,480 ----a-w H:\WINDOWS\system32\mscories.dll
2007-10-24 06:47 282,112 ----a-w H:\WINDOWS\system32\mscoree.dll
2007-10-24 06:47 158,720 ----a-w H:\WINDOWS\system32\mscorier.dll
2007-10-11 14:55 88,576 ----a-w H:\WINDOWS\system32\infocardapi.dll
2007-10-11 14:55 579,584 ----a-w H:\WINDOWS\system32\icardagt.exe
2007-10-11 14:55 11,776 ----a-w H:\WINDOWS\system32\icardres.dll
2007-10-09 18:03 779,800 ----a-w H:\WINDOWS\system32\PresentationNative_v0300.dll
2007-10-09 18:03 73,752 ----a-w H:\WINDOWS\system32\dxva2.dll
2007-10-09 18:03 493,080 ----a-w H:\WINDOWS\system32\evr.dll
2007-10-09 18:03 350,744 ----a-w H:\WINDOWS\system32\PresentationHost.exe
2007-10-09 18:03 33,304 ----a-w H:\WINDOWS\system32\PresentationHostProxy.dll
2007-10-09 18:03 161,304 ----a-w H:\WINDOWS\system32\UIAutomationCore.dll
2007-10-09 18:03 106,520 ----a-w H:\WINDOWS\system32\PresentationCFFRasterizerNative_v0300.dll
2007-10-09 18:03 1,986,072 ----a-w H:\WINDOWS\system32\milcore.dll
2007-10-09 17:58 16,896 ----a-w H:\WINDOWS\system32\tswpfwrp.exe
2007-04-29 00:07 356,352 -c--a-w H:\Documents and Settings\Frank\cwshredder.dll
2007-09-08 19:06 168 -csh--r H:\WINDOWS\system32\8E521A408F.sys
2007-09-08 19:06 2,516 -csha-w H:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 40,048 2007-05-11 07:06:32 H:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe

----a-w 106,496 2006-06-28 20:42:52 H:\Program Files\AMD\amd_dc_opt\bak\amd_dc_opt.exe

----a-w 344,064 2004-12-01 01:10:00 H:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

----a-w 155,648 2006-01-12 19:40:44 H:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe

----a-w 49,152 2005-02-17 03:11:42 H:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe

----a-w 241,664 2005-01-12 18:54:58 H:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe

----a-w 267,064 2007-09-26 18:42:04 H:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,048 2007-11-02 23:36:42 H:\Program Files\iTunes\iTunesHelper.exe

----a-w 217,088 2005-06-10 09:21:01 H:\Program Files\Microsoft IntelliPoint\bak\point32.exe

----a-w 114,688 2003-05-15 23:45:54 H:\Program Files\Microsoft IntelliType Pro\bak\type32.exe

----a-w 366,400 2007-06-15 23:15:02 H:\Program Files\Picasa2\bak\PicasaMediaDetector.exe
----a-w 443,968 2007-09-28 01:17:36 H:\Program Files\Picasa2\PicasaMediaDetector.exe

----a-w 286,720 2007-06-29 10:24:52 H:\Program Files\QuickTime\bak\QTTask.exe
----a-w 286,720 2007-10-20 01:16:26 H:\Program Files\QuickTime\QTTask.exe

----a-w 204,288 2006-10-19 01:05:26 H:\Program Files\Windows Media Player\bak\WMPNSCFG.exe

----a-w 132,496 2007-07-12 08:00:36 H:\RECYCLER\S-1-5-21-2000478354-1417001333-839522115-1003\Dh2\jre1.6.0_02\bin\bak\jusched.exe

-c--a-w 15,360 2004-08-04 12:00:00 H:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 12:00:00 H:\WINDOWS\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="H:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 05:23 67584 H:\WINDOWS\SOUNDMAN.EXE]
"Adobe Reader Speed Launcher"="H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"QuickTime Task"="H:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16 286720]
"iTunesHelper"="H:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]
"Windows Defender"="H:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"SunJavaUpdateSched"="H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="H:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 20:17 443968]

H:\Documents and Settings\Frank\Start Menu\Programs\Startup\
Greetings Workshop Reminders.lnk - H:\Program Files\Greetings Workshop\GWREMIND.EXE [1997-09-03 23:00:00]

H:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DataViz Inc Messenger.lnk - H:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [2005-08-04 20:43:13]
HOTSYNCSHORTCUTNAME.lnk - H:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:27:34]
HP Digital Imaging Monitor.lnk - H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 21:31:38]
HP Image Zone Fast Start.lnk - H:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 22:06:36]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

S1 AmdPPM;AMD HwPState Processor Driver;H:\WINDOWS\system32\DRIVERS\AmdPPM.sys [2007-04-16 21:46]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-12-28 00:51:03 H:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- H:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-15 06:00:02 H:\WINDOWS\Tasks\McDefragTask.job"
- h:\program files\mcafee\mqc\QcConsol.exe'
"2007-12-31 06:00:17 H:\WINDOWS\Tasks\McQcTask.job"
- h:\program files\mcafee\mqc\QcConsol.exe
"2008-01-01 02:46:01 H:\WINDOWS\Tasks\MP Scheduled Scan.job"
- H:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-01 02:00:58 H:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- H:\Program Files\SpywareBot\SpywareBot.ex
- H:\Program Files\SpywareBot
"2008-01-01 02:43:47 H:\WINDOWS\Tasks\XoftSpySE 2.job"
- H:\Program Files\XoftSpySE\XoftSpy.exe
"2007-12-26 10:36:50 H:\WINDOWS\Tasks\XoftSpySE.job"
- H:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-31 21:52:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-31 21:52:45
H:\qoobox\ComboFix-quarantined-files.txt 2008-01-01 02:52:43
.
2007-12-20 21:39:54 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:18 PM, on 12/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Windows Defender\MsMpEng.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Common Files\LightScribe\LSSrvc.exe
H:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
H:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
h:\program files\common files\mcafee\mna\mcnasvc.exe
H:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
H:\PROGRA~1\McAfee\MSC\mcpromgr.exe
h:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
h:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
H:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
H:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
H:\Program Files\McAfee\MPF\MPFSrv.exe
H:\PROGRA~1\McAfee\MPS\mps.exe
H:\WINDOWS\system32\PSIService.exe
H:\WINDOWS\system32\svchost.exe
h:\PROGRA~1\mcafee.com\agent\mcagent.exe
H:\WINDOWS\SOUNDMAN.EXE
H:\Program Files\iTunes\iTunesHelper.exe
H:\Program Files\Windows Defender\MSASCui.exe
H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
H:\Program Files\palmOne\Hotsync.exe
H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
H:\Program Files\Greetings Workshop\GWREMIND.EXE
H:\Program Files\McAfee\MPS\mpsevh.exe
H:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\WINDOWS\explorer.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.msnbc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - H:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - h:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - H:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "H:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] H:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] H:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: Greetings Workshop Reminders.lnk = H:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: DataViz Inc Messenger.lnk = H:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = H:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://H:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Open with WordPerfect - H:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - H:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/downl ... st_Win.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_de ... Plugin.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - H:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - H:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - H:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - H:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - H:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - h:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - H:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - H:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - h:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - h:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - H:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - H:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - H:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - H:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NMIndexingService - Nero AG - H:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - H:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - H:\WINDOWS\system32\PSIService.exe
O24 - Desktop Component 0: (no name) - http://www-pao.ksc.nasa.gov/kscpao/imag ... 2750-t.jpg

--
End of file - 9287 bytes


Hopefully with the above logs, you can ascertain any further problems. Happy New Year.
loadmaster43
Regular Member
 
Posts: 25
Joined: December 29th, 2007, 5:21 pm

Re: Malware Removal

Unread postby beynac » January 1st, 2008, 8:31 am

Happy New Year! :)

The ComboFix log shows a couple of things which need tidying up. Otherwise everything looks good. I'm working on the basis that you uninstalled SpywareBot, as it has gone from your HijackThis log. If this is not the case, please stop and let me know. Do not carry out the following.

---------------------------------------------

Open Notepad and copy/paste the text in the quotebox below into it:
File::
H:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job

Folder::
H:\Documents and Settings\Frank\Application Data\SpywareBot

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=-


Save this on your Desktop as CFScript.txt

Image

ComboFix should also be on your Desktop. Referring to the picture above, drag CFScript.txt into ComboFix.exe. ComboFix will then run. When finished, it will produce a log (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running as this may cause it to stall.

------------------------------------------------

Please post, as a reply to this thread:
  • The ComboFix log
  • A new HijackThis log
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Re: Malware Removal

Unread postby loadmaster43 » January 1st, 2008, 12:11 pm

I am not sure whether I have performed the tasks you recently assigned correctly, but am positive you will know. I do appreciate your help. As far as I can tell I have uninstalled Spybot.

ComboFix 07-12-31.4 - Frank 2008-01-01 11:03:58.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1426 [GMT -5:00]
Running from: H:\Documents and Settings\Frank\Desktop\ComboFix.exe
Command switches used :: H:\Documents and Settings\Frank\Desktop\CFScript[1].gif
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-12-01 to 2008-01-01 )))))))))))))))))))))))))))))))
.

2007-12-31 21:47 . 2000-08-31 08:00 51,200 --a------ H:\WINDOWS\NirCmd.exe
2007-12-31 21:40 . 2007-12-31 21:40 <DIR> d-------- H:\Program Files\Sun
2007-12-31 21:40 . 2007-09-24 23:31 69,632 --a------ H:\WINDOWS\system32\javacpl.cpl
2007-12-31 21:37 . 2007-12-31 21:40 <DIR> d-------- H:\Program Files\Java
2007-12-31 21:35 . 2007-12-31 21:35 <DIR> d-------- H:\Program Files\Common Files\Java
2007-12-31 20:36 . 2007-12-31 20:36 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Avg7
2007-12-23 18:55 . 2004-05-08 10:21 35,840 --a------ H:\WINDOWS\system32\drivers\AmdK8.sys
2007-12-23 18:54 . 2004-12-07 02:59 45,695 --------- H:\WINDOWS\system32\En.ini
2007-12-23 18:47 . 2007-12-23 18:47 <DIR> d-------- H:\Program Files\Project1
2007-12-23 18:47 . 2007-12-23 18:47 286,720 --------- H:\WINDOWS\Setup1.exe
2007-12-23 18:47 . 2007-12-23 18:47 73,216 --a------ H:\WINDOWS\ST6UNST.EXE
2007-12-19 19:58 . 2007-12-19 19:58 <DIR> d-------- H:\Program Files\Windows Defender
2007-12-18 19:01 . 2007-12-18 19:01 0 --a------ H:\WINDOWS\ativpsrm.bin
2007-12-17 23:31 . 2007-12-30 13:29 <DIR> d-------- H:\Documents and Settings\Frank\Application Data\SpywareBot
2007-12-16 15:18 . 2007-12-16 18:24 1,674 --a------ H:\WINDOWS\system32\tmp.reg
2007-12-16 13:36 . 2007-12-31 21:43 54,156 --ah----- H:\WINDOWS\QTFont.qfn
2007-12-16 13:36 . 2007-12-16 13:36 1,409 --a------ H:\WINDOWS\QTFont.for
2007-12-10 20:32 . 2007-12-13 19:56 251 --a------ H:\WINDOWS\123Movies2IPOD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-01 15:57 --------- d-----w H:\Documents and Settings\Frank\Application Data\ComcastToolbar
2008-01-01 14:56 --------- d---a-w H:\Documents and Settings\All Users\Application Data\TEMP
2008-01-01 11:42 --------- d-----w H:\Program Files\Greetings Workshop
2008-01-01 03:06 --------- d-----w H:\Program Files\Common Files\Wise Installation Wizard
2007-12-31 02:04 --------- d-----w H:\Program Files\palmOne
2007-12-24 00:26 --------- d-----w H:\Program Files\XoftSpySE
2007-12-23 23:55 --------- d--h--w H:\Program Files\InstallShield Installation Information
2007-12-23 23:55 --------- d-----w H:\Program Files\AMD
2007-12-19 01:05 --------- d-----w H:\Program Files\Common Files\scanner
2007-12-13 22:39 --------- d-----w H:\Program Files\123CopyDVDGold
2007-12-13 22:38 --------- d-----w H:\Program Files\AviSynth 2.5
2007-11-22 00:00 --------- d-----w H:\Program Files\McAfee
2007-11-20 03:03 --------- d-----w H:\Program Files\Documents To Go
2007-11-18 00:19 --------- d-----w H:\Program Files\Trend Micro
2007-11-13 10:25 20,480 ----a-w H:\WINDOWS\system32\drivers\secdrv.sys
2007-11-09 01:53 --------- d-----w H:\Program Files\iTunes
2007-11-09 01:53 --------- d-----w H:\Program Files\iPod
2007-11-09 01:51 --------- d-----w H:\Program Files\QuickTime
2007-10-29 22:43 1,287,680 ----a-w H:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w H:\WINDOWS\system32\wmasf.dll
2007-10-24 06:47 96,760 ----a-w H:\WINDOWS\system32\dfshim.dll
2007-10-24 06:47 84,480 ----a-w H:\WINDOWS\system32\mscories.dll
2007-10-24 06:47 282,112 ----a-w H:\WINDOWS\system32\mscoree.dll
2007-10-24 06:47 158,720 ----a-w H:\WINDOWS\system32\mscorier.dll
2007-10-11 14:55 88,576 ----a-w H:\WINDOWS\system32\infocardapi.dll
2007-10-11 14:55 579,584 ----a-w H:\WINDOWS\system32\icardagt.exe
2007-10-11 14:55 11,776 ----a-w H:\WINDOWS\system32\icardres.dll
2007-10-09 18:03 779,800 ----a-w H:\WINDOWS\system32\PresentationNative_v0300.dll
2007-10-09 18:03 73,752 ----a-w H:\WINDOWS\system32\dxva2.dll
2007-10-09 18:03 493,080 ----a-w H:\WINDOWS\system32\evr.dll
2007-10-09 18:03 350,744 ----a-w H:\WINDOWS\system32\PresentationHost.exe
2007-10-09 18:03 33,304 ----a-w H:\WINDOWS\system32\PresentationHostProxy.dll
2007-10-09 18:03 161,304 ----a-w H:\WINDOWS\system32\UIAutomationCore.dll
2007-10-09 18:03 106,520 ----a-w H:\WINDOWS\system32\PresentationCFFRasterizerNative_v0300.dll
2007-10-09 18:03 1,986,072 ----a-w H:\WINDOWS\system32\milcore.dll
2007-10-09 17:58 16,896 ----a-w H:\WINDOWS\system32\tswpfwrp.exe
2007-04-29 00:07 356,352 -c--a-w H:\Documents and Settings\Frank\cwshredder.dll
2007-09-08 19:06 168 -csh--r H:\WINDOWS\system32\8E521A408F.sys
2007-09-08 19:06 2,516 -csha-w H:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 40,048 2007-05-11 07:06:32 H:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe

----a-w 106,496 2006-06-28 20:42:52 H:\Program Files\AMD\amd_dc_opt\bak\amd_dc_opt.exe

----a-w 344,064 2004-12-01 01:10:00 H:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

----a-w 155,648 2006-01-12 19:40:44 H:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe

----a-w 49,152 2005-02-17 03:11:42 H:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe

----a-w 241,664 2005-01-12 18:54:58 H:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe

----a-w 267,064 2007-09-26 18:42:04 H:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,048 2007-11-02 23:36:42 H:\Program Files\iTunes\iTunesHelper.exe

----a-w 217,088 2005-06-10 09:21:01 H:\Program Files\Microsoft IntelliPoint\bak\point32.exe

----a-w 114,688 2003-05-15 23:45:54 H:\Program Files\Microsoft IntelliType Pro\bak\type32.exe

----a-w 366,400 2007-06-15 23:15:02 H:\Program Files\Picasa2\bak\PicasaMediaDetector.exe
----a-w 443,968 2007-09-28 01:17:36 H:\Program Files\Picasa2\PicasaMediaDetector.exe

----a-w 286,720 2007-06-29 10:24:52 H:\Program Files\QuickTime\bak\QTTask.exe
----a-w 286,720 2007-10-20 01:16:26 H:\Program Files\QuickTime\QTTask.exe

----a-w 204,288 2006-10-19 01:05:26 H:\Program Files\Windows Media Player\bak\WMPNSCFG.exe

-c--a-w 15,360 2004-08-04 12:00:00 H:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 12:00:00 H:\WINDOWS\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="H:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 05:23 67584 H:\WINDOWS\SOUNDMAN.EXE]
"Adobe Reader Speed Launcher"="H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"QuickTime Task"="H:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16 286720]
"iTunesHelper"="H:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]
"Windows Defender"="H:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"SunJavaUpdateSched"="H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="H:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 20:17 443968]

H:\Documents and Settings\Frank\Start Menu\Programs\Startup\
Greetings Workshop Reminders.lnk - H:\Program Files\Greetings Workshop\GWREMIND.EXE [1997-09-03 23:00:00]

H:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DataViz Inc Messenger.lnk - H:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [2005-08-04 20:43:13]
HOTSYNCSHORTCUTNAME.lnk - H:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:27:34]
HP Digital Imaging Monitor.lnk - H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 21:31:38]
HP Image Zone Fast Start.lnk - H:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 22:06:36]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

S1 AmdPPM;AMD HwPState Processor Driver;H:\WINDOWS\system32\DRIVERS\AmdPPM.sys [2007-04-16 21:46]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-12-28 00:51:03 H:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- H:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-15 06:00:02 H:\WINDOWS\Tasks\McDefragTask.job"
- h:\program files\mcafee\mqc\QcConsol.exe'
"2007-12-31 06:00:17 H:\WINDOWS\Tasks\McQcTask.job"
- h:\program files\mcafee\mqc\QcConsol.exe
"2008-01-01 11:42:47 H:\WINDOWS\Tasks\MP Scheduled Scan.job"
- H:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-01 02:00:58 H:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- H:\Program Files\SpywareBot\SpywareBot.ex
- H:\Program Files\SpywareBot
"2008-01-01 02:43:47 H:\WINDOWS\Tasks\XoftSpySE 2.job"
- H:\Program Files\XoftSpySE\XoftSpy.exe
"2007-12-26 10:36:50 H:\WINDOWS\Tasks\XoftSpySE.job"
- H:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-01 11:05:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-01 11:05:49
H:\qoobox\ComboFix-quarantined-files.txt 2008-01-01 16:05:40
H:\qoobox\ComboFix2.txt 2008-01-01 15:34:02
H:\qoobox\ComboFix3.txt 2008-01-01 02:52:46
.
2007-12-20 21:39:54 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:19 AM, on 1/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Windows Defender\MsMpEng.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Common Files\LightScribe\LSSrvc.exe
H:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
H:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
h:\program files\common files\mcafee\mna\mcnasvc.exe
H:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
H:\PROGRA~1\McAfee\MSC\mcpromgr.exe
h:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
h:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
H:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
H:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
H:\Program Files\McAfee\MPF\MPFSrv.exe
H:\PROGRA~1\McAfee\MPS\mps.exe
H:\WINDOWS\system32\PSIService.exe
H:\WINDOWS\system32\svchost.exe
h:\PROGRA~1\mcafee.com\agent\mcagent.exe
H:\WINDOWS\SOUNDMAN.EXE
H:\Program Files\iTunes\iTunesHelper.exe
H:\Program Files\Windows Defender\MSASCui.exe
H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
H:\Program Files\palmOne\Hotsync.exe
H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
H:\Program Files\Greetings Workshop\GWREMIND.EXE
H:\Program Files\McAfee\MPS\mpsevh.exe
H:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\WINDOWS\explorer.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.msnbc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - H:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - h:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - H:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "H:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] H:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] H:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: Greetings Workshop Reminders.lnk = H:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: DataViz Inc Messenger.lnk = H:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = H:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://H:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Open with WordPerfect - H:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - H:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/downl ... st_Win.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_de ... Plugin.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - H:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - H:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - H:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - H:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - H:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - h:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - H:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - H:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - h:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - h:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - H:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - H:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - H:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - H:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NMIndexingService - Nero AG - H:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - H:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - H:\WINDOWS\system32\PSIService.exe
O24 - Desktop Component 0: (no name) - http://www-pao.ksc.nasa.gov/kscpao/imag ... 2750-t.jpg

--
End of file - 9157 bytes
loadmaster43
Regular Member
 
Posts: 25
Joined: December 29th, 2007, 5:21 pm

Re: Malware Removal

Unread postby beynac » January 1st, 2008, 1:17 pm

Hi.

I am not sure whether I have performed the tasks you recently assigned correctly.

I'm afraid that you didn't. ;) You seem to have dragged the graphic from my post into ComboFix, rather than the saved text file. I'll repeat the instructions with a bit more clarification. Please let me know if you have any questions.

-------------------------------------------------

Click on Start then Run. Type notepad into the text box and click OK. This will open Notepad. Select the text in the following quotebox and copy/paste it into the open Notepad.
File::
H:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job

Folder::
H:\Documents and Settings\Frank\Application Data\SpywareBot

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=-


Go to File (upper menu bar) in Notepad, and select: Save As...
In the Save as prompt:
Save in: Desktop (click the Desktop button on the left-hand side of the dialog box).
File Name: CFScript.txt
Save as Type: Text Documents (*.txt)
Click: Save
Exit out of Notepad.

You should see the file CFScript.txt on your Desktop. Drag this text file into your ComboFix icon, as shown in this picture:

Image

ComboFix will then run. When finished, it will produce a log (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running as this may cause it to stall.

------------------------------------------------

Please post, as a reply to this thread:
  • The ComboFix log
  • A new HijackThis log
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

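A small checker for the CFScript procedure above, written for this page as an added example; it is not part of ComboFix and was not posted by anyone in the thread. It parses a CFScript's File::, Folder:: and Registry:: sections (reading "name"=- in REGEDIT4 terms as a request to delete that value), pulls the "Command switches used" line out of the ComboFix log to confirm that the saved .txt, and not the picture from the post, was what got dropped onto ComboFix (the mistake in the first attempt), and then checks every File::/Folder:: entry against the log's FILE and "Other Deletions" lists. The embedded log excerpts are cut down from the two ComboFix logs loadmaster43 posted; all function names are the example's own.

```python
# Check a ComboFix CFScript against the log ComboFix writes after applying it.
# Example code added for this page, not part of ComboFix and not posted in the
# thread. Section names (File::, Folder::, Registry::) and the REGEDIT4 "name"=-
# deletion form come from beynac's script; the log excerpts are cut down from
# loadmaster43's two ComboFix logs. Function names are this example's own.
import re

# Constructed sample: the CFScript from the thread, as it should be saved.
SAMPLE_SCRIPT = r"""File::
H:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job

Folder::
H:\Documents and Settings\Frank\Application Data\SpywareBot

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=-
"""

# First run (excerpt): ComboFix was handed the forum graphic, so nothing was deleted.
FAILED_LOG = r"""ComboFix 07-12-31.4 - Frank 2008-01-01 11:03:58.3 - NTFSx86
Command switches used :: H:\Documents and Settings\Frank\Desktop\CFScript[1].gif
((((((((((((((((((((((((( Files Created from 2007-12-01 to 2008-01-01 )))))))))))))))))))))))))))))))
"""

# Second run (excerpt): the .txt script was applied and the deletions were logged.
SUCCESS_LOG = r"""ComboFix 07-12-31.4 - Frank 2008-01-01 12:38:07.4 - NTFSx86
Command switches used :: H:\Documents and Settings\Frank\Desktop\CFScript.txt
FILE
H:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

H:\Documents and Settings\Frank\Application Data\SpywareBot
H:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job

.
((((((((((((((((((((((((( Files Created from 2007-12-01 to 2008-01-01 )))))))))))))))))))))))))))))))
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")                  # "File::"
REG_KEY_RE = re.compile(r"^\[(.+)\]$")                           # "[HKEY_...]"
REG_DELETE_RE = re.compile(r'^"([^"]+)"=-$')                     # '"Name"=-'
SWITCH_RE = re.compile(r"^Command switches used ::\s*(.+?)\s*$", re.M)
BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")                  # "(((( Name ))))"
PATH_RE = re.compile(r"^[A-Za-z]:\\")

def parse_cfscript(text):
    """Split a CFScript into {section_name: [directive lines]}."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"directive before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections

def registry_value_deletions(reg_lines):
    """REGEDIT4 reading of Registry:: lines: "[key]" opens a key and "name"=-
    under it requests deletion of that value (the only form the thread uses)."""
    deletions, key = [], None
    for line in reg_lines:
        if (m := REG_KEY_RE.match(line)):
            key = m.group(1)
        elif (m := REG_DELETE_RE.match(line)):
            if key is None:
                raise ValueError(f"value directive before any [key]: {line!r}")
            deletions.append((key, m.group(1)))
    return deletions

def script_path_from_log(log_text):
    """Path ComboFix reports under 'Command switches used', or None."""
    m = SWITCH_RE.search(log_text)
    return m.group(1) if m else None

def invoked_with_text_script(log_text):
    """True when ComboFix was given a .txt script rather than, say, a .gif."""
    path = script_path_from_log(log_text)
    return path is not None and path.lower().endswith(".txt")

def reported_deletions(log_text):
    """Paths listed under the log's FILE block and 'Other Deletions' section."""
    deleted, in_section = set(), False
    for line in (l.strip() for l in log_text.splitlines()):
        if (m := BANNER_RE.match(line)):          # each banner starts a new section
            in_section = "Other Deletions" in m.group(1)
        elif line == "FILE":
            in_section = True
        elif in_section and PATH_RE.match(line):
            deleted.add(line.lower())
    return deleted

def unapplied_entries(script_text, log_text):
    """File::/Folder:: entries the log does not confirm as deleted ([] = all done)."""
    sections = parse_cfscript(script_text)
    wanted = sections.get("File", []) + sections.get("Folder", [])
    deleted = reported_deletions(log_text)
    return [p for p in wanted if p.lower() not in deleted]
```

To use it on a real run, read the saved CFScript.txt and the C:\ComboFix.txt it produced into strings and pass them to unapplied_entries; an empty list means every file and folder named in the script appears in the log's deletion lists, and invoked_with_text_script returning False is the quickest way to spot the drag-the-wrong-thing mistake before reading any further.
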
Re: Malware Removal

Unread postby loadmaster43 » January 1st, 2008, 2:01 pm

I'd wager I had better success this time?

ComboFix 07-12-31.4 - Frank 2008-01-01 12:38:07.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1417 [GMT -5:00]
Running from: H:\Documents and Settings\Frank\Desktop\ComboFix.exe
Command switches used :: H:\Documents and Settings\Frank\Desktop\CFScript.txt
* Created a new restore point

FILE
H:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

H:\Documents and Settings\Frank\Application Data\SpywareBot
H:\Documents and Settings\Frank\Application Data\SpywareBot\fp.dat
H:\Documents and Settings\Frank\Application Data\SpywareBot\Log\2007 Dec 31 - 09_00_52 PM_671.log
H:\Documents and Settings\Frank\Application Data\SpywareBot\rs.dat
H:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job

.
((((((((((((((((((((((((( Files Created from 2007-12-01 to 2008-01-01 )))))))))))))))))))))))))))))))
.

2007-12-31 21:47 . 2000-08-31 08:00 51,200 --a------ H:\WINDOWS\NirCmd.exe
2007-12-31 21:40 . 2007-12-31 21:40 <DIR> d-------- H:\Program Files\Sun
2007-12-31 21:40 . 2007-09-24 23:31 69,632 --a------ H:\WINDOWS\system32\javacpl.cpl
2007-12-31 21:37 . 2007-12-31 21:40 <DIR> d-------- H:\Program Files\Java
2007-12-31 21:35 . 2007-12-31 21:35 <DIR> d-------- H:\Program Files\Common Files\Java
2007-12-31 20:36 . 2007-12-31 20:36 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Avg7
2007-12-23 18:55 . 2004-05-08 10:21 35,840 --a------ H:\WINDOWS\system32\drivers\AmdK8.sys
2007-12-23 18:54 . 2004-12-07 02:59 45,695 --------- H:\WINDOWS\system32\En.ini
2007-12-23 18:47 . 2007-12-23 18:47 <DIR> d-------- H:\Program Files\Project1
2007-12-23 18:47 . 2007-12-23 18:47 286,720 --------- H:\WINDOWS\Setup1.exe
2007-12-23 18:47 . 2007-12-23 18:47 73,216 --a------ H:\WINDOWS\ST6UNST.EXE
2007-12-19 19:58 . 2007-12-19 19:58 <DIR> d-------- H:\Program Files\Windows Defender
2007-12-18 19:01 . 2007-12-18 19:01 0 --a------ H:\WINDOWS\ativpsrm.bin
2007-12-16 15:18 . 2007-12-16 18:24 1,674 --a------ H:\WINDOWS\system32\tmp.reg
2007-12-16 13:36 . 2007-12-31 21:43 54,156 --ah----- H:\WINDOWS\QTFont.qfn
2007-12-16 13:36 . 2007-12-16 13:36 1,409 --a------ H:\WINDOWS\QTFont.for
2007-12-10 20:32 . 2007-12-13 19:56 251 --a------ H:\WINDOWS\123Movies2IPOD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-01 17:29 --------- d-----w H:\Documents and Settings\Frank\Application Data\ComcastToolbar
2008-01-01 17:28 --------- d---a-w H:\Documents and Settings\All Users\Application Data\TEMP
2008-01-01 11:42 --------- d-----w H:\Program Files\Greetings Workshop
2008-01-01 03:06 --------- d-----w H:\Program Files\Common Files\Wise Installation Wizard
2007-12-31 02:04 --------- d-----w H:\Program Files\palmOne
2007-12-24 00:26 --------- d-----w H:\Program Files\XoftSpySE
2007-12-23 23:55 --------- d--h--w H:\Program Files\InstallShield Installation Information
2007-12-23 23:55 --------- d-----w H:\Program Files\AMD
2007-12-19 01:05 --------- d-----w H:\Program Files\Common Files\scanner
2007-12-13 22:39 --------- d-----w H:\Program Files\123CopyDVDGold
2007-12-13 22:38 --------- d-----w H:\Program Files\AviSynth 2.5
2007-11-22 00:00 --------- d-----w H:\Program Files\McAfee
2007-11-20 03:03 --------- d-----w H:\Program Files\Documents To Go
2007-11-18 00:19 --------- d-----w H:\Program Files\Trend Micro
2007-11-13 10:25 20,480 ----a-w H:\WINDOWS\system32\drivers\secdrv.sys
2007-11-09 01:53 --------- d-----w H:\Program Files\iTunes
2007-11-09 01:53 --------- d-----w H:\Program Files\iPod
2007-11-09 01:51 --------- d-----w H:\Program Files\QuickTime
2007-10-29 22:43 1,287,680 ----a-w H:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w H:\WINDOWS\system32\wmasf.dll
2007-10-24 06:47 96,760 ----a-w H:\WINDOWS\system32\dfshim.dll
2007-10-24 06:47 84,480 ----a-w H:\WINDOWS\system32\mscories.dll
2007-10-24 06:47 282,112 ----a-w H:\WINDOWS\system32\mscoree.dll
2007-10-24 06:47 158,720 ----a-w H:\WINDOWS\system32\mscorier.dll
2007-10-11 14:55 88,576 ----a-w H:\WINDOWS\system32\infocardapi.dll
2007-10-11 14:55 579,584 ----a-w H:\WINDOWS\system32\icardagt.exe
2007-10-11 14:55 11,776 ----a-w H:\WINDOWS\system32\icardres.dll
2007-10-09 18:03 779,800 ----a-w H:\WINDOWS\system32\PresentationNative_v0300.dll
2007-10-09 18:03 73,752 ----a-w H:\WINDOWS\system32\dxva2.dll
2007-10-09 18:03 493,080 ----a-w H:\WINDOWS\system32\evr.dll
2007-10-09 18:03 350,744 ----a-w H:\WINDOWS\system32\PresentationHost.exe
2007-10-09 18:03 33,304 ----a-w H:\WINDOWS\system32\PresentationHostProxy.dll
2007-10-09 18:03 161,304 ----a-w H:\WINDOWS\system32\UIAutomationCore.dll
2007-10-09 18:03 106,520 ----a-w H:\WINDOWS\system32\PresentationCFFRasterizerNative_v0300.dll
2007-10-09 18:03 1,986,072 ----a-w H:\WINDOWS\system32\milcore.dll
2007-10-09 17:58 16,896 ----a-w H:\WINDOWS\system32\tswpfwrp.exe
2007-04-29 00:07 356,352 -c--a-w H:\Documents and Settings\Frank\cwshredder.dll
2007-09-08 19:06 168 -csh--r H:\WINDOWS\system32\8E521A408F.sys
2007-09-08 19:06 2,516 -csha-w H:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 40,048 2007-05-11 07:06:32 H:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe

----a-w 106,496 2006-06-28 20:42:52 H:\Program Files\AMD\amd_dc_opt\bak\amd_dc_opt.exe

----a-w 344,064 2004-12-01 01:10:00 H:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

----a-w 155,648 2006-01-12 19:40:44 H:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe

----a-w 49,152 2005-02-17 03:11:42 H:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe

----a-w 241,664 2005-01-12 18:54:58 H:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe

----a-w 267,064 2007-09-26 18:42:04 H:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,048 2007-11-02 23:36:42 H:\Program Files\iTunes\iTunesHelper.exe

----a-w 217,088 2005-06-10 09:21:01 H:\Program Files\Microsoft IntelliPoint\bak\point32.exe

----a-w 114,688 2003-05-15 23:45:54 H:\Program Files\Microsoft IntelliType Pro\bak\type32.exe

----a-w 366,400 2007-06-15 23:15:02 H:\Program Files\Picasa2\bak\PicasaMediaDetector.exe
----a-w 443,968 2007-09-28 01:17:36 H:\Program Files\Picasa2\PicasaMediaDetector.exe

----a-w 286,720 2007-06-29 10:24:52 H:\Program Files\QuickTime\bak\QTTask.exe
----a-w 286,720 2007-10-20 01:16:26 H:\Program Files\QuickTime\QTTask.exe

----a-w 204,288 2006-10-19 01:05:26 H:\Program Files\Windows Media Player\bak\WMPNSCFG.exe

-c--a-w 15,360 2004-08-04 12:00:00 H:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 12:00:00 H:\WINDOWS\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="H:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 05:23 67584 H:\WINDOWS\SOUNDMAN.EXE]
"Adobe Reader Speed Launcher"="H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"QuickTime Task"="H:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16 286720]
"iTunesHelper"="H:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]
"Windows Defender"="H:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"SunJavaUpdateSched"="H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="H:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 20:17 443968]

H:\Documents and Settings\Frank\Start Menu\Programs\Startup\
Greetings Workshop Reminders.lnk - H:\Program Files\Greetings Workshop\GWREMIND.EXE [1997-09-03 23:00:00]

H:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DataViz Inc Messenger.lnk - H:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [2005-08-04 20:43:13]
HOTSYNCSHORTCUTNAME.lnk - H:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:27:34]
HP Digital Imaging Monitor.lnk - H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 21:31:38]
HP Image Zone Fast Start.lnk - H:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 22:06:36]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

S1 AmdPPM;AMD HwPState Processor Driver;H:\WINDOWS\system32\DRIVERS\AmdPPM.sys [2007-04-16 21:46]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-12-28 00:51:03 H:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- H:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-15 06:00:02 H:\WINDOWS\Tasks\McDefragTask.job"
- h:\program files\mcafee\mqc\QcConsol.exe'
"2007-12-31 06:00:17 H:\WINDOWS\Tasks\McQcTask.job"
- h:\program files\mcafee\mqc\QcConsol.exe
"2008-01-01 11:42:47 H:\WINDOWS\Tasks\MP Scheduled Scan.job"
- H:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-01 02:43:47 H:\WINDOWS\Tasks\XoftSpySE 2.job"
- H:\Program Files\XoftSpySE\XoftSpy.exe
"2007-12-26 10:36:50 H:\WINDOWS\Tasks\XoftSpySE.job"
- H:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-01 12:39:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-01 12:40:23
H:\qoobox\ComboFix-quarantined-files.txt 2008-01-01 17:40:14
H:\qoobox\ComboFix2.txt 2008-01-01 16:05:49
H:\qoobox\ComboFix3.txt 2008-01-01 15:34:02
H:\qoobox\ComboFix4.txt 2008-01-01 02:52:46
.
2007-12-20 21:39:54 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57:10 PM, on 1/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Windows Defender\MsMpEng.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Common Files\LightScribe\LSSrvc.exe
H:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
H:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
h:\program files\common files\mcafee\mna\mcnasvc.exe
H:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
H:\PROGRA~1\McAfee\MSC\mcpromgr.exe
h:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
h:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
H:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
H:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
H:\Program Files\McAfee\MPF\MPFSrv.exe
H:\PROGRA~1\McAfee\MPS\mps.exe
H:\WINDOWS\system32\PSIService.exe
H:\WINDOWS\system32\svchost.exe
h:\PROGRA~1\mcafee.com\agent\mcagent.exe
H:\WINDOWS\SOUNDMAN.EXE
H:\Program Files\iTunes\iTunesHelper.exe
H:\Program Files\Windows Defender\MSASCui.exe
H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
H:\Program Files\palmOne\Hotsync.exe
H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
H:\Program Files\Greetings Workshop\GWREMIND.EXE
H:\Program Files\McAfee\MPS\mpsevh.exe
H:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\WINDOWS\explorer.exe
H:\WINDOWS\system32\notepad.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.msnbc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - H:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - h:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - H:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "H:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] H:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] H:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: Greetings Workshop Reminders.lnk = H:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: DataViz Inc Messenger.lnk = H:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = H:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://H:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Open with WordPerfect - H:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - H:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/downl ... st_Win.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_de ... Plugin.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - H:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - H:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - H:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - H:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - H:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - h:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - H:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - H:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - h:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - h:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - H:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - H:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - H:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - H:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NMIndexingService - Nero AG - H:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - H:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - H:\WINDOWS\system32\PSIService.exe
O24 - Desktop Component 0: (no name) - http://www-pao.ksc.nasa.gov/kscpao/imag ... 2750-t.jpg

--
End of file - 9035 bytes
loadmaster43
Regular Member
 
Posts: 25
Joined: December 29th, 2007, 5:21 pm

Re: Malware Removal

Unread postby beynac » January 1st, 2008, 4:30 pm

Hi.

That's got it! :)

Is the computer still "acting funny"? If so, could you please give me a few details. Everything is looking good, but I'd like to run another check if you are still having problems.
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Re: Malware Removal

Unread postby loadmaster43 » January 1st, 2008, 4:55 pm

Everything seems to be operating within "Normal" limits so far. I will give it a couple of days, and then get back to you with any problems, imagined or otherwise. I most certainly appreciate your help up to now. :cheers: One or two of the issues I am still having that are not associated with the original posting? are as follows: I am not able to access or change my power settings, hence my PC goes into sleep mode much faster than I would like, and I have to click the mouse or press a key to start. The other is that I had a utility program that monitored and gave me the temp of my CPU as well as the speed of three of my fans, that program is from Soltek. Any suggestions to a solution and is it just coincidence to my original post?
loadmaster43
Regular Member
 
Posts: 25
Joined: December 29th, 2007, 5:21 pm

Re: Malware Removal

Unread postby beynac » January 2nd, 2008, 10:38 am

I've been doing some research on the issues that you mentioned.

I had a utility program that monitored and gave me the temp of my CPU as well as the speed of three of my fans, that program is from Soltek.

Are you saying that this program disappeared while you were fixing your problem, or are you asking for a suggestion for an alternative program? I found this utility for use with Soltek motherboards. Is this the one?

-------------------------------------------------

I have looked at your problem with the power settings but have not been able to find a clear resolution. It could be that the malware changed a registry entry or it could be another program that has disabled it. I need some more details of your original problem and what you did to resolve it. There are signs in the ComboFix log of an infection which replaces some of your startup programs with copies of itself. The startup registry entries and the bad files appear to have been deleted. None of the programs, that I can see in the log, should affect the power settings but I would like to know what else was deleted. Please give me as much detail as possible.

-------------------------------------------------

I also think that it would be a good idea to run an online scan to check whether there are any more corrupted files.

Kaspersky Online Scanner

Be aware that downloading the definition files and scanning the computer may take an hour or more.

Using Internet Explorer, go to: http://www.kaspersky.com/virusscanner
  • Click on Kaspersky Online Scanner
  • Click the Accept button (see the note below if using IE7)
  • Follow the prompts to download and install the ActiveX component(s) and other software
    • If a yellow information bar appears at the top of the browser window, click on it and select Install ActiveX Control
    • If a message box appears, click on OK or Run as appropriate
  • Click Accept again (see the note below if using IE7)
  • When a message box appears, click on Install to allow the installation
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click 'Next'.
  • Now click on 'Scan Settings'
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: 'Extended' (If available, otherwise 'Standard')
    • Scan Options: 'Scan Archives' and 'Scan Mail Bases'
  • Click 'OK'
  • Now under 'Select a target to scan' select 'My Computer'
  • The scan will take a while, so be patient and let it run. Once the scan is complete, it will display whether your system has been infected.
  • Now click on the Save as... button:
  • Save the report to your desktop (N.B. Save as type: Text document (txt))
Note: You may get a window without the Accept/Decline buttons. The buttons are there - you just can't see them! Click on the zoom button (bottom, right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.

---------------------------------------------

Please post the answers to my questions and the Kaspersky report as a reply to this thread.
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Re: Malware Removal

Unread postby loadmaster43 » January 8th, 2008, 8:17 pm

I very well could have not followed your instructions to the letter, but I had nothing but trouble following your last post. That is one reason why it has taken so long for me to reply. All Kaspersky did was take forever, I am talking days (I did not finish), and slow down the works. I tried it twice, before giving up. In regards to the utility program I am not sure where to begin. I tried reinstalling the program from the CD, but no success. Problem #2 is when I click on control panel, then power settings, that is as far as I can get. I used to be able to input specific settings like, 'always on', '15 min' etc, but now nothing. As I mentioned in a previous post, it may be coincidence, but the problem seemed to have occurred when I thought I had contacted a virus or malware. So, now after about fifteen minutes of the screen saver being on, the monitor will go into a sleep mode, then I have to either move the mouse or click a key. Hope this helps.
loadmaster43
Regular Member
 
Posts: 25
Joined: December 29th, 2007, 5:21 pm

Re: Malware Removal

Unread postby beynac » January 9th, 2008, 4:43 am

I'm sorry that you've had problems. :(

We do need to see the results of an online scan. Let's try a different one.

-----------------------------------------------------

ATF Cleaner by Atribune ©

Download ATF Cleaner by Atribune © from here : http://www.atribune.org/ccount/click.php?id=1
This is a stand-alone program that does not need to be installed. Save it to a convenient location and make a shortcut on your desktop. Using this program will remove temporary files, temporary internet files and cookies from your system, which will mean that any scans will run faster.
  • Make sure that all browser windows are closed
  • Double-click the shortcut on your desktop to run the program.
  • Under Main, choose Select All
  • Untick Prefetch
  • Click Empty Selected
  • If you use Firefox browser,
    • Click Firefox at the top and choose Select All
    • Click on Empty Selected
    • NOTE: If you would like to keep any saved passwords, please untick that option.
  • Click Exit to close.
  • If you use Opera browser,
    • Click Opera at the top and choose Select All
    • Click on Empty Selected
    • NOTE: If you would like to keep any saved passwords, please untick that option.
  • Click Exit to close.

----------------------------------------------------

ESET Online Scanner

Please run the ESET Online Scanner. You must use Internet Explorer to run the scan.
  • Check the box to accept the Terms of Use
  • Click Start
  • When prompted, left-click on the Information Bar which pops up at the top of your browser window
  • Click on Install ActiveX Control
  • A message box will pop up. Click on Install to install the software
  • Click Start
  • Do not check the following boxes
    • remove found threats
    • scan for unwanted applications
  • Click Start
  • When the scan has ended it should show a report giving details of any threats found
  • The report will be saved as C:/Program Files/esetonlinescanner/log.txt
Please post that report as a reply to this thread.

-------------------------------------------------------

Please post the following, as a reply to this thread:
  • The ESET Online Scan report
  • A new HijackThis log

It's not your fault, but the delay has given me a problem. I go on holiday on Friday and it may be a few days before I can get to a computer. It would, therefore, be good if we could get this sorted out in the next two days. If you have problems with the ESET scan, please let me know as soon as possible (don't just keep on trying).
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Re: Malware Removal

Unread postby loadmaster43 » January 9th, 2008, 8:56 pm

Hope this helps or is what you need:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:53:41 PM, on 1/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Windows Defender\MsMpEng.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Common Files\LightScribe\LSSrvc.exe
H:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
H:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
h:\program files\common files\mcafee\mna\mcnasvc.exe
H:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
H:\PROGRA~1\McAfee\MSC\mcpromgr.exe
h:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
h:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
H:\WINDOWS\Explorer.EXE
H:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
H:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
H:\Program Files\McAfee\MPF\MPFSrv.exe
H:\WINDOWS\SOUNDMAN.EXE
H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\Program Files\Windows Defender\MSASCui.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
H:\PROGRA~1\McAfee\MPS\mps.exe
H:\Program Files\palmOne\Hotsync.exe
H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
H:\Program Files\Greetings Workshop\GWREMIND.EXE
H:\WINDOWS\system32\PSIService.exe
h:\PROGRA~1\mcafee.com\agent\mcagent.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
H:\Program Files\McAfee\MPS\mpsevh.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\WINDOWS\system32\HPZipm12.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe
H:\WINDOWS\system32\NOTEPAD.EXE
H:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.msnbc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - H:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - h:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: COMCASTTOOLBAR - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - H:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "H:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] H:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] H:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: Greetings Workshop Reminders.lnk = H:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: DataViz Inc Messenger.lnk = H:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = H:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://H:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Open with WordPerfect - H:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 9819406623
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ProtexisLicensing - Unknown owner - H:\WINDOWS\system32\PSIService.exe
O24 - Desktop Component 0: (no name) - http://www-pao.ksc.nasa.gov/kscpao/imag ... 2750-t.jpg

--
End of file - 5425 bytes

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2779 (20080109)
# vers_arch_module=1.060 (20071228)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=dc867e4cece53647b587dc627a401858
# end=finished
# remove_checked=false
# unwanted_checked=false
# utc_time=2008-01-10 12:49:31
# local_time=2008-01-09 07:49:31 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=290062
# found=0
# scan_time=4393
loadmaster43
Regular Member
 
Posts: 25
Joined: December 29th, 2007, 5:21 pm

Re: Malware Removal

Unread postby beynac » January 10th, 2008, 7:52 am

The ESET scan is clean.

The new HijackThis log is missing a lot of items which were on the earlier ones, including most of the services. The McAfee services are not listed, but the program appears to be running (see Running Processes).

Please let me know, urgently, if you have changed or deleted anything. Please also reboot the computer, run HijackThis and post the log as a reply to this thread.
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England
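The check beynac does by eye in the reply above, as an added example in Python (not code from this forum or from Trend Micro's HijackThis): it parses two HijackThis logs, reports the entries that dropped out between them, and singles out O23 services whose executable is still in the later "Running processes" list, which means the log is incomplete rather than the service being gone. The two logs embedded in it are constructed, shortened versions of the 1 January and 9 January logs posted in this thread.

```python
import re
from typing import Dict, List, Set

# Constructed, shortened versions of the two HijackThis logs posted in the thread.
LOG_JAN_01 = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
H:\WINDOWS\System32\smss.exe
H:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
H:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
H:\WINDOWS\system32\PSIService.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - H:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - H:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: ProtexisLicensing - Unknown owner - H:\WINDOWS\system32\PSIService.exe
"""
LOG_JAN_09 = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
H:\WINDOWS\System32\smss.exe
H:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
H:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
H:\WINDOWS\system32\PSIService.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ProtexisLicensing - Unknown owner - H:\WINDOWS\system32\PSIService.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")           # "O23 - Service: ..." style lines
EXE_RE = re.compile(r" - ([a-z]:\\.*\.exe)\s*$", re.I)  # image path at the end of an O23 entry


def parse_hjt(text: str) -> Dict[str, Set[str]]:
    """Return {"processes": {...}, "R0": {...}, "O4": {...}, "O23": {...}, ...}."""
    sections: Dict[str, Set[str]] = {"processes": set()}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True                     # the list runs until the next blank line
            continue
        if in_procs:
            if line:
                # HijackThis prints the same file with varying case, so normalise
                sections["processes"].add(line.lower())
            else:
                in_procs = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            sections.setdefault(m.group(1), set()).add(m.group(2).strip())
    return sections


def missing_entries(earlier: Dict[str, Set[str]], later: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Entries of each kind that the earlier log has and the later one lacks."""
    gone = {}
    for kind, entries in earlier.items():
        diff = entries - later.get(kind, set())
        if diff:
            gone[kind] = diff
    return gone


def services_running_but_unlisted(earlier: Dict[str, Set[str]], later: Dict[str, Set[str]]) -> List[str]:
    """O23 entries that vanished although their executable is still in the later
    'Running processes' list: the log is incomplete or was edited, the service is not gone."""
    hits = []
    for entry in earlier.get("O23", set()) - later.get("O23", set()):
        m = EXE_RE.search(entry)
        if m and m.group(1).lower() in later.get("processes", set()):
            hits.append(entry)
    return sorted(hits)


def compare_logs(earlier_text: str, later_text: str) -> Dict[str, object]:
    earlier, later = parse_hjt(earlier_text), parse_hjt(later_text)
    return {"missing": missing_entries(earlier, later),
            "running_but_unlisted": services_running_but_unlisted(earlier, later)}


if __name__ == "__main__":
    result = compare_logs(LOG_JAN_01, LOG_JAN_09)
    for kind, entries in sorted(result["missing"].items()):
        for entry in sorted(entries):
            print(f"missing {kind}: {entry}")
    for entry in result["running_but_unlisted"]:
        print(f"still running but no longer listed: {entry}")
```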