Welcome to MalwareRemoval.com,
requesting help

Post by swoop » June 5th, 2008, 3:44 am

I have something trying to open a new tab without my consent. HijackThis...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:41:51 AM, on 6/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\Atiptaab.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaab.exe
O4 - HKLM\..\Run: [7c4e09bc] rundll32.exe "C:\WINDOWS\system32\etdgdsin.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\stacy\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\stacy\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Doyles Room Poker - {725E77D3-B919-4eef-8EEE-D09DE618B6C1} - C:\Microgaming\Poker\DoylesRoomMPP\MPPoker.exe
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: CarbonPoker - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Documents and Settings\stacy\Start Menu\Programs\CarbonPoker\CarbonPoker.lnk (HKCU)
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Registe ... lashax.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 4817 bytes
swoop
Active Member
 
Posts: 14
Joined: June 1st, 2008, 4:41 am

Re: requesting help

Post by chryssi2001 » June 6th, 2008, 1:50 pm

Hello swoop :),

I will be assisting you with your malware issues.

  • Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any questions or you're stuck, please reply to me. I will try my best to help you!
  • Please bookmark or favourite this page, in case you need it for reference.
IMPORTANT NOTE:
If you are using Windows Vista, you must right-click on the desktop icon of all tools and choose Run as Administrator.
----------------------------------------------
RENAME HIJACKTHIS

There is some infection hiding in your log.

Using Windows Explorer (right-click the Start button and left-click Explore), navigate to: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Right-click on HijackThis.exe & select Rename to scanner.exe.

Do not run it yet.
----------------------------------------------
Please visit this webpage for instructions on downloading ComboFix to your DESKTOP:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.

Additional links to download the tool:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
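The "infection hiding in your log" that chryssi2001 refers to is visible in the O4 (Run key) lines of the HijackThis log above. As an added example that is not part of the thread and not HijackThis's own logic, this Python parses those O4 lines and flags the entries a log reviewer would question; the regexes and the "generated-looking name" rules are this example's own heuristics, and the sample lines are copied from the log posted above.

```python
import re
from pathlib import PureWindowsPath

# The eight O4 (registry Run key) lines from the HijackThis log posted above.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe',
    r'O4 - HKLM\..\Run: [AtiPTA] Atiptaab.exe',
    r'O4 - HKLM\..\Run: [7c4e09bc] rundll32.exe "C:\WINDOWS\system32\etdgdsin.dll",b',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe',
    r'O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe',
    r'O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan',
]

# HijackThis prints an O4 entry as:  O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# rundll32[.exe] "<dll path>",<export>   (quotes are optional)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*(\S*)', re.I)
# Heuristics assumed by this example: a value name of eight hex digits and an
# eight-letter nonsense DLL name are both typical of machine-generated names.
RANDOM_VALUE_NAME = re.compile(r'^[0-9a-f]{8}$')
RANDOM_DLL_NAME = re.compile(r'^[a-z]{8}\.dll$', re.I)


def parse_o4(line):
    """Split one O4 line into hive, key, value name and command; None if it is not an O4 line."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def triage_o4(entry):
    """Return the reasons an O4 entry deserves a second look (empty list = nothing seen)."""
    reasons = []
    if RANDOM_VALUE_NAME.match(entry['name']):
        reasons.append('value name is eight hex digits (generated name)')
    m = RUNDLL_RE.match(entry['cmd'])
    if m:
        dll, export = PureWindowsPath(m.group(1)), m.group(2)
        if RANDOM_DLL_NAME.match(dll.name):
            reasons.append(f'rundll32 loads a DLL with a generated-looking name: {dll.name}')
        if len(export) == 1:
            reasons.append(f'rundll32 calls a single-letter export "{export}"')
    return reasons


def flagged_entries(lines):
    """Map value name -> reasons for every O4 line that triggers at least one heuristic."""
    flagged = {}
    for line in lines:
        entry = parse_o4(line)
        if entry:
            reasons = triage_o4(entry)
            if reasons:
                flagged[entry['name']] = reasons
    return flagged


if __name__ == '__main__':
    for name, reasons in flagged_entries(SAMPLE_O4_LINES).items():
        print(name)
        for reason in reasons:
            print('  -', reason)
```

On the sample lines only the `7c4e09bc` entry is flagged, for all three reasons; the Symantec, ATI, Google and PeerGuardian entries pass untouched.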

Re: requesting help

Post by swoop » June 8th, 2008, 8:58 am

ComboFix 08-06-06.6 - stacy 2008-06-08 7:09:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.175 [GMT -5:00]
Running from: C:\Documents and Settings\stacy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\stacy\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM7f7d3a20.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bosknnwe.ini
C:\WINDOWS\system32\cgcvforn.dll
C:\WINDOWS\system32\dqyueoky.ini
C:\WINDOWS\system32\eddkrpsp.dll
C:\WINDOWS\system32\efcBtrRH.dll
C:\WINDOWS\system32\fbbpqoxx.ini
C:\WINDOWS\system32\fbgddtor.ini
C:\WINDOWS\system32\geButqPJ.dll
C:\WINDOWS\system32\gjenkwhg.dll
C:\WINDOWS\system32\gvlrcwkm.dll
C:\WINDOWS\system32\hlynxlll.ini
C:\WINDOWS\system32\imgkiutu.dll
C:\WINDOWS\system32\kberlbhf.dll
C:\WINDOWS\system32\kjbdffpi.ini
C:\WINDOWS\system32\kjptrsft.ini
C:\WINDOWS\system32\lllxnylh.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mymqwijq.dll
C:\WINDOWS\system32\neisglhy.dll
C:\WINDOWS\system32\olhlvauu.ini
C:\WINDOWS\system32\qpcmmryn.dll
C:\WINDOWS\system32\utuikgmi.ini
C:\WINDOWS\system32\uyslkrbc.ini
C:\WINDOWS\system32\wbjumbxi.ini
C:\WINDOWS\system32\xdlqqiug.ini
C:\WINDOWS\system32\xxoqpbbf.dll
C:\WINDOWS\system32\yaHQAyay.ini
C:\WINDOWS\system32\yaHQAyay.ini2
C:\WINDOWS\system32\yayAQHay.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-08 to 2008-06-08 )))))))))))))))))))))))))))))))
.

2008-06-06 06:45 . 2008-06-07 03:54 354 --ahs---- C:\WINDOWS\system32\puqkrknm.ini
2008-06-05 01:47 . 2008-06-06 06:40 714 --ahs---- C:\WINDOWS\system32\nisdgdte.ini
2008-06-03 08:45 . 2008-06-05 01:33 594 --ahs---- C:\WINDOWS\system32\qqdxjsbh.ini
2008-06-02 08:40 . 2008-06-03 08:41 474 --ahs---- C:\WINDOWS\system32\erqcnfif.ini
2008-06-01 08:40 . 2008-06-01 10:49 354 --ahs---- C:\WINDOWS\system32\rywdbpno.ini
2008-06-01 06:24 . 2008-06-01 06:24 <DIR> d-------- C:\Program Files\Microprose
2008-06-01 05:25 . 2008-06-01 05:25 <DIR> d-------- C:\_OTMoveIt
2008-06-01 05:06 . 2008-06-01 05:06 <DIR> d-------- C:\Deckard
2008-05-30 08:15 . 2008-05-30 08:15 294 --ahs---- C:\WINDOWS\system32\iuerldgl.ini
2008-05-30 01:19 . 2008-05-03 06:37 414 --ahs---- C:\WINDOWS\system32\oecssvmd.ini
2008-05-29 06:07 . 2008-05-29 06:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-27 12:02 . 2008-05-27 12:02 <DIR> d-------- C:\Documents and Settings\stacy\Application Data\WarZone
2008-05-27 12:01 . 2008-05-27 12:01 <DIR> d-------- C:\Program Files\Common Files\Idu
2008-05-27 12:00 . 2008-06-01 06:13 <DIR> d-------- C:\Program Files\WarZone
2008-05-27 11:44 . 2008-05-27 11:44 <DIR> d-------- C:\Program Files\CCleaner
2008-05-27 11:25 . 2008-05-27 11:25 <DIR> d-------- C:\Program Files\CleanMyPC
2008-05-15 10:01 . 2008-05-15 10:01 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-05-15 10:01 . 2008-01-10 07:15 755,027 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-05-15 10:01 . 2006-09-24 10:11 389,120 --a------ C:\WINDOWS\system32\lameACM.acm
2008-05-15 10:01 . 2004-01-25 11:18 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
2008-05-15 10:01 . 2007-09-04 11:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2008-05-15 10:01 . 2008-01-10 07:16 159,839 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-05-15 10:01 . 2007-09-20 19:52 118,784 --a------ C:\WINDOWS\system32\ac3acm.acm
2008-05-15 10:01 . 2008-03-28 12:41 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-05-15 10:01 . 2007-07-10 11:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-05-15 10:01 . 2007-10-03 10:03 414 --a------ C:\WINDOWS\system32\lame_acm.xml
2008-05-15 05:12 . 2008-06-08 06:42 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-05-15 05:05 . 2008-05-15 05:05 <DIR> d-------- C:\Program Files\uTorrent
2008-05-15 05:05 . 2008-05-23 04:17 <DIR> d-------- C:\Documents and Settings\stacy\Application Data\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-08 12:17 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-06-08 10:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-07 13:31 --------- d--h--w C:\Documents and Settings\stacy\Application Data\Move Networks
2008-06-01 12:25 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-29 08:10 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-29 08:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-28 07:59 --------- d-----w C:\Program Files\Apple Software Update
2008-05-26 12:03 --------- d-----w C:\Documents and Settings\stacy\Application Data\Lavasoft
2008-05-17 09:14 --------- d-----w C:\Program Files\PokerStars
2008-05-15 14:34 --------- d-----w C:\Program Files\DivX
2008-05-15 05:54 --------- d-----w C:\Program Files\Full Tilt Poker
2008-05-15 05:11 --------- d-----w C:\Program Files\Absolute Poker
2008-05-14 06:12 --------- d-----w C:\Program Files\UltimateBet
2008-05-09 20:16 --------- d-----w C:\Program Files\Cake Poker
2008-05-09 09:01 --------- d-----w C:\Program Files\Poker.com
2008-05-09 07:25 --------- d-----w C:\Documents and Settings\stacy\Application Data\Microgaming
2008-05-09 07:13 --------- d-----w C:\Program Files\CarbonPoker
2008-05-02 06:32 --------- d-----w C:\Program Files\LimeWire
2008-04-26 07:42 --------- d-----w C:\Program Files\Bodog Poker
2007-04-05 00:04 702,212 ----a-w C:\Program Files\APR2007_d3dx10_33_x64.cab
2007-04-05 00:04 699,465 ----a-w C:\Program Files\APR2007_d3dx10_33_x86.cab
2007-04-05 00:04 56,902 ----a-w C:\Program Files\APR2007_xinput_x86.cab
2007-04-05 00:04 45,305 ----a-w C:\Program Files\dxdllreg_x86.cab
2007-04-05 00:04 199,366 ----a-w C:\Program Files\APR2007_XACT_x64.cab
2007-04-05 00:04 154,825 ----a-w C:\Program Files\APR2007_XACT_x86.cab
2007-04-05 00:04 100,417 ----a-w C:\Program Files\APR2007_xinput_x64.cab
2007-04-05 00:04 1,610,958 ----a-w C:\Program Files\APR2007_d3dx9_33_x64.cab
2007-04-05 00:04 1,609,639 ----a-w C:\Program Files\APR2007_d3dx9_33_x86.cab
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-25 06:36 68856]
"HijackThis startup scan"="C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 13:02 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-03-17 06:34 124656]
"AtiPTA"="Atiptaab.exe" [1999-03-30 15:28 218112 C:\WINDOWS\system32\atiptaab.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\7c4e09bc]
C:\WINDOWS\system32\lgdlreui.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM7f7d3a20]
C:\WINDOWS\system32\gaueosiv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-02-14 05:33 29744 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-04-25 06:36 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Poker.com\\client.exe"=
"C:\\Program Files\\CarbonPoker\\client.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Documents and Settings\\stacy\\My Documents\\pandoras box\\Risk.II.2006\\RISKII.EXE"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=

S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-14 05:33]
S4 ati2mpab;ati2mpab;C:\WINDOWS\system32\DRIVERS\ati2mpab.sys [1999-04-21 18:37]

*Newly Created Service* - PGFILTER
.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 08:48:27 C:\WINDOWS\Tasks\Absolute Poker.job"
- C:\PROGRA~1\ABSOLU~1\MAINCL~1.EXE
"2008-06-08 08:00:03 C:\WINDOWS\Tasks\Bodog Poker.job"
- C:\PROGRA~1\BODOGP~1\BPGame.exe
"2008-05-09 09:23:35 C:\WINDOWS\Tasks\Cake Poker.job"
- C:\PROGRA~1\CAKEPO~1\cake.exe
"2008-05-09 09:12:12 C:\WINDOWS\Tasks\CarbonPoker.job"
- C:\PROGRA~1\CARBON~1\client.exe
"2008-05-09 20:15:53 C:\WINDOWS\Tasks\Full Tilt Poker.job"
- C:\PROGRA~1\FULLTI~1\FULLTI~1.EXE
"2008-05-09 09:27:08 C:\WINDOWS\Tasks\Poker.job"
- C:\PROGRA~1\Poker.com\client.exe
"2008-05-10 02:28:07 C:\WINDOWS\Tasks\PokerStars.job"
- C:\PROGRA~1\POKERS~1\POKERS~4.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-08 07:19:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-08 7:25:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-08 12:25:00

Pre-Run: 10,388,975,616 bytes free
Post-Run: 10,416,680,960 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

210 --- E O F --- 2008-05-16 21:11:05
swoop
Active Member
 
Posts: 14
Joined: June 1st, 2008, 4:41 am
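The "Reg Loading Points" section of the ComboFix log above shows Security Center notifications and the Windows Firewall switched off, and two msconfig\startupreg entries (7c4e09bc and BM7f7d3a20) pointing at DLLs with random-looking names. As an added example that is not part of the thread and not ComboFix's own logic, this Python parses that REGEDIT4-style dump and lists those signs of tampering; the value-name table and the eight-letter DLL rule are this example's assumptions, and the excerpt is copied from the log above.

```python
import re
from pathlib import PureWindowsPath

# Excerpt of the "Reg Loading Points" section from the ComboFix log posted above.
# ComboFix dumps registry data in REGEDIT4 style but prints some values as "0 (0x0)"
# and lists msconfig\startupreg targets as a bare path or as "<attrs> <date> <size> <path>".
SAMPLE_REG_DUMP = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\7c4e09bc]
C:\WINDOWS\system32\lgdlreui.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM7f7d3a20]
C:\WINDOWS\system32\gaueosiv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-02-14 05:33 29744 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
PATH_RE = re.compile(r'[A-Za-z]:\\.*$')
RANDOM_DLL_NAME = re.compile(r'^[a-z]{8}\.dll$', re.I)   # heuristic assumed for this example

# Value name -> (value that means "protection switched off", description).
TAMPER_FLAGS = {
    'AntiVirusDisableNotify': (1, 'Security Center antivirus alerts suppressed'),
    'UpdatesDisableNotify': (1, 'Security Center update alerts suppressed'),
    'DisableMonitoring': (1, 'Security Center monitoring of the AV product disabled'),
    'EnableFirewall': (0, 'Windows Firewall disabled'),
}


def parse_reg_dump(text):
    """Return {section: [(value_name, data), ...]}; bare lines get an empty value name."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == 'REGEDIT4':
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        sections[current].append((m.group(1), m.group(2)) if m else ('', line))
    return sections


def reg_int(data):
    """Decode 'dword:00000001' or ComboFix's '0 (0x0)' into an int; None if neither form."""
    m = re.match(r'dword:([0-9a-fA-F]{8})$', data)
    if m:
        return int(m.group(1), 16)
    m = re.match(r'(\d+)\b', data)
    return int(m.group(1)) if m else None


def triage_reg_dump(text):
    """List the protection-tampering values and generated-name startupreg targets in the dump."""
    findings = []
    for section, items in parse_reg_dump(text).items():
        entry = section.rsplit('\\', 1)[-1]
        for name, data in items:
            if name in TAMPER_FLAGS:
                off_value, what = TAMPER_FLAGS[name]
                if reg_int(data) == off_value:
                    findings.append(f'{what}: {name}={data} under {section}')
            elif not name and 'msconfig\\startupreg\\' in section.lower():
                m = PATH_RE.search(data)
                if m and RANDOM_DLL_NAME.match(PureWindowsPath(m.group(0)).name):
                    findings.append(f'startupreg entry {entry} points at generated-looking DLL {m.group(0)}')
    return findings


if __name__ == '__main__':
    for finding in triage_reg_dump(SAMPLE_REG_DUMP):
        print('-', finding)
```

On the excerpt this reports six findings: the two notification flags, the Symantec monitoring flag, the disabled firewall, and the two startupreg DLLs; the Google Desktop entry is not reported.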

Re: requesting help

Post by swoop » June 8th, 2008, 8:59 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:12 AM, on 6/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\Atiptaab.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaab.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\stacy\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\stacy\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Doyles Room Poker - {725E77D3-B919-4eef-8EEE-D09DE618B6C1} - C:\Microgaming\Poker\DoylesRoomMPP\MPPoker.exe
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: CarbonPoker - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Documents and Settings\stacy\Start Menu\Programs\CarbonPoker\CarbonPoker.lnk (HKCU)
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Registe ... lashax.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 4997 bytes
swoop
Active Member
 
Posts: 14
Joined: June 1st, 2008, 4:41 am

Re: requesting help

Post by swoop » June 8th, 2008, 11:11 am

Hmmm, in the short time since posting those logs, my antivirus picked up Vundo and Metajuan. I ran ComboFix and HijackThis again for the logs.

ComboFix 08-06-06.6 - stacy 2008-06-08 9:52:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.211 [GMT -5:00]
Running from: C:\Documents and Settings\stacy\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-05-08 to 2008-06-08 )))))))))))))))))))))))))))))))
.

2008-06-06 06:45 . 2008-06-07 03:54 354 --ahs---- C:\WINDOWS\system32\puqkrknm.ini
2008-06-05 01:47 . 2008-06-06 06:40 714 --ahs---- C:\WINDOWS\system32\nisdgdte.ini
2008-06-03 08:45 . 2008-06-05 01:33 594 --ahs---- C:\WINDOWS\system32\qqdxjsbh.ini
2008-06-02 08:40 . 2008-06-03 08:41 474 --ahs---- C:\WINDOWS\system32\erqcnfif.ini
2008-06-01 08:40 . 2008-06-01 10:49 354 --ahs---- C:\WINDOWS\system32\rywdbpno.ini
2008-06-01 06:24 . 2008-06-01 06:24 <DIR> d-------- C:\Program Files\Microprose
2008-06-01 05:25 . 2008-06-01 05:25 <DIR> d-------- C:\_OTMoveIt
2008-06-01 05:06 . 2008-06-01 05:06 <DIR> d-------- C:\Deckard
2008-05-30 08:15 . 2008-05-30 08:15 294 --ahs---- C:\WINDOWS\system32\iuerldgl.ini
2008-05-30 01:19 . 2008-05-03 06:37 414 --ahs---- C:\WINDOWS\system32\oecssvmd.ini
2008-05-29 06:07 . 2008-05-29 06:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-27 12:02 . 2008-05-27 12:02 <DIR> d-------- C:\Documents and Settings\stacy\Application Data\WarZone
2008-05-27 12:01 . 2008-05-27 12:01 <DIR> d-------- C:\Program Files\Common Files\Idu
2008-05-27 12:00 . 2008-06-01 06:13 <DIR> d-------- C:\Program Files\WarZone
2008-05-27 11:44 . 2008-05-27 11:44 <DIR> d-------- C:\Program Files\CCleaner
2008-05-27 11:25 . 2008-05-27 11:25 <DIR> d-------- C:\Program Files\CleanMyPC
2008-05-15 10:01 . 2008-05-15 10:01 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-05-15 10:01 . 2008-01-10 07:15 755,027 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-05-15 10:01 . 2006-09-24 10:11 389,120 --a------ C:\WINDOWS\system32\lameACM.acm
2008-05-15 10:01 . 2004-01-25 11:18 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
2008-05-15 10:01 . 2007-09-04 11:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2008-05-15 10:01 . 2008-01-10 07:16 159,839 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-05-15 10:01 . 2007-09-20 19:52 118,784 --a------ C:\WINDOWS\system32\ac3acm.acm
2008-05-15 10:01 . 2008-03-28 12:41 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-05-15 10:01 . 2007-07-10 11:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-05-15 10:01 . 2007-10-03 10:03 414 --a------ C:\WINDOWS\system32\lame_acm.xml
2008-05-15 05:12 . 2008-06-08 09:48 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-05-15 05:05 . 2008-05-15 05:05 <DIR> d-------- C:\Program Files\uTorrent
2008-05-15 05:05 . 2008-05-23 04:17 <DIR> d-------- C:\Documents and Settings\stacy\Application Data\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-08 14:51 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-06-08 10:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-07 13:31 --------- d--h--w C:\Documents and Settings\stacy\Application Data\Move Networks
2008-06-01 12:25 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-29 08:10 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-29 08:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-28 07:59 --------- d-----w C:\Program Files\Apple Software Update
2008-05-26 12:03 --------- d-----w C:\Documents and Settings\stacy\Application Data\Lavasoft
2008-05-17 09:14 --------- d-----w C:\Program Files\PokerStars
2008-05-15 14:34 --------- d-----w C:\Program Files\DivX
2008-05-15 05:54 --------- d-----w C:\Program Files\Full Tilt Poker
2008-05-15 05:11 --------- d-----w C:\Program Files\Absolute Poker
2008-05-14 06:12 --------- d-----w C:\Program Files\UltimateBet
2008-05-09 20:16 --------- d-----w C:\Program Files\Cake Poker
2008-05-09 09:01 --------- d-----w C:\Program Files\Poker.com
2008-05-09 07:25 --------- d-----w C:\Documents and Settings\stacy\Application Data\Microgaming
2008-05-09 07:13 --------- d-----w C:\Program Files\CarbonPoker
2008-05-02 06:32 --------- d-----w C:\Program Files\LimeWire
2008-04-26 07:42 --------- d-----w C:\Program Files\Bodog Poker
2008-03-31 21:25 831,488 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-21 20:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2007-04-05 00:04 702,212 ----a-w C:\Program Files\APR2007_d3dx10_33_x64.cab
2007-04-05 00:04 699,465 ----a-w C:\Program Files\APR2007_d3dx10_33_x86.cab
2007-04-05 00:04 56,902 ----a-w C:\Program Files\APR2007_xinput_x86.cab
2007-04-05 00:04 45,305 ----a-w C:\Program Files\dxdllreg_x86.cab
2007-04-05 00:04 199,366 ----a-w C:\Program Files\APR2007_XACT_x64.cab
2007-04-05 00:04 154,825 ----a-w C:\Program Files\APR2007_XACT_x86.cab
2007-04-05 00:04 100,417 ----a-w C:\Program Files\APR2007_xinput_x64.cab
2007-04-05 00:04 1,610,958 ----a-w C:\Program Files\APR2007_d3dx9_33_x64.cab
2007-04-05 00:04 1,609,639 ----a-w C:\Program Files\APR2007_d3dx9_33_x86.cab
.

((((((((((((((((((((((((((((( snapshot@2008-06-08_ 7.24.24.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-08 12:17:26 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-08 14:42:51 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-02-26 11:59:50 294,912 -c----w C:\WINDOWS\system32\dllcache\msctf.dll
- 2004-08-04 07:56:42 294,400 ----a-w C:\WINDOWS\system32\msctf.dll
+ 2008-02-26 11:59:50 294,912 ----a-w C:\WINDOWS\system32\msctf.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-25 06:36 68856]
"HijackThis startup scan"="C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 13:02 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-03-17 06:34 124656]
"AtiPTA"="Atiptaab.exe" [1999-03-30 15:28 218112 C:\WINDOWS\system32\atiptaab.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\7c4e09bc]
C:\WINDOWS\system32\lgdlreui.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM7f7d3a20]
C:\WINDOWS\system32\gaueosiv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-02-14 05:33 29744 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-04-25 06:36 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Poker.com\\client.exe"=
"C:\\Program Files\\CarbonPoker\\client.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Documents and Settings\\stacy\\My Documents\\pandoras box\\Risk.II.2006\\RISKII.EXE"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=

S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-14 05:33]
S4 ati2mpab;ati2mpab;C:\WINDOWS\system32\DRIVERS\ati2mpab.sys [1999-04-21 18:37]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 08:48:27 C:\WINDOWS\Tasks\Absolute Poker.job"
- C:\PROGRA~1\ABSOLU~1\MAINCL~1.EXE
"2008-06-08 08:00:03 C:\WINDOWS\Tasks\Bodog Poker.job"
- C:\PROGRA~1\BODOGP~1\BPGame.exe
"2008-05-09 09:23:35 C:\WINDOWS\Tasks\Cake Poker.job"
- C:\PROGRA~1\CAKEPO~1\cake.exe
"2008-05-09 09:12:12 C:\WINDOWS\Tasks\CarbonPoker.job"
- C:\PROGRA~1\CARBON~1\client.exe
"2008-05-09 20:15:53 C:\WINDOWS\Tasks\Full Tilt Poker.job"
- C:\PROGRA~1\FULLTI~1\FULLTI~1.EXE
"2008-05-09 09:27:08 C:\WINDOWS\Tasks\Poker.job"
- C:\PROGRA~1\Poker.com\client.exe
"2008-05-10 02:28:07 C:\WINDOWS\Tasks\PokerStars.job"
- C:\PROGRA~1\POKERS~1\POKERS~4.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-08 09:55:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-08 9:57:26
ComboFix-quarantined-files.txt 2008-06-08 14:57:14
ComboFix2.txt 2008-06-08 12:25:19

Pre-Run: 10,402,144,256 bytes free
Post-Run: 10,392,133,632 bytes free

183 --- E O F --- 2008-06-08 13:02:56



-------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:58:12 AM, on 6/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\Atiptaab.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaab.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\stacy\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\stacy\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Doyles Room Poker - {725E77D3-B919-4eef-8EEE-D09DE618B6C1} - C:\Microgaming\Poker\DoylesRoomMPP\MPPoker.exe
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: CarbonPoker - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Documents and Settings\stacy\Start Menu\Programs\CarbonPoker\CarbonPoker.lnk (HKCU)
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Registe ... lashax.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 4997 bytes
swoop
Active Member
Posts: 14
Joined: June 1st, 2008, 4:41 am

Re: requesting help

Unread postby chryssi2001 » June 8th, 2008, 12:55 pm

Hello swoop,

hmmm, in the short time since posting those logs, my antivirus picked up vundo and metajuan

Yes, you are infected by Vundo; it's natural for the anti-virus to give you those warnings until we get your PC cleaned.

Please do not run ComboFix again until I tell you to.
After the first run, the program doesn't remove anything.
I need to create a fix.
----------------------------------------------
P2P PROGRAMS

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

LimeWire
uTorrent


I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

My recommendation is that you go to Control Panel > Add/Remove Programs and uninstall the programs listed above.

If you choose not to remove them, please do not use them until this computer is clean.
----------------------------------------------
Remove Poker programs
From your log I can see you've installed poker programs. A lot of poker programs are infected/can infect you with malware.
I would advise you to go to Add/Remove programs and uninstall your poker programs.

Absolute Poker
Full Tilt Poker
Cake Poker
Poker.com
CarbonPoker
Bodog Poker


I see you use Pokerstars, so keep it, as it's safe.
Here are links to some poker sites regarded as safe for your reference.
1. http://www.pokerstars.net/ - This is a free to use/play site with play money.
2. http://www.pokerstars.com/ - This is a free to use/play site with play money and real money.
----------------------------------------------
Let me know what you decide so I can include those in my fix.
chryssi2001
MRU Teacher Emeritus
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: requesting help

Unread postby swoop » June 9th, 2008, 3:55 am

Thank you for your efforts, but I fear it will take more than the threat of malware to quench my thirst for gambling or the very few programs broadcast today that I deem worthy of my attention. This infection is the direct result of my arrogance, and my blatant refusal to admit that I cannot solve any problem. I AM willing to admit that this time I bit off more than I could chew. So, to directly answer your question, I would rather not uninstall the programs you recommended.

Besides, if I quit playing poker then I might do something constructive with my time, like become an accountant, or attend MRU. :mrgreen:
swoop
Active Member
Posts: 14
Joined: June 1st, 2008, 4:41 am

Re: requesting help

Unread postby chryssi2001 » June 9th, 2008, 4:44 am

Hello swoop,

hehe you visited my profile :)
or attend MRU
Why not? 8)

Please do not use P2P programs while we clean your pc.

Well, as you wish, I will not remove any poker programs for now.
I can understand that you like to play poker, so no harm done if you are not underage ;).
We are all human, and I also play when I find time, but I use only PokerStars, which is safe.

If, during the cleaning, reports show that any of your poker or P2P programs is infected, I will remove it though, so you will be out of my hands clean.

I am at work now, so I will post a fix for you as soon as I'm home.
chryssi2001
MRU Teacher Emeritus
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: requesting help

Unread postby swoop » June 9th, 2008, 5:47 am

chryssi2001 wrote:
I am at work now,


Surely Mr. Scrooge would cast his glaring eye at the misuse of company time? :evil:

I am honored that you would brave his "wrath".
swoop
Active Member
Posts: 14
Joined: June 1st, 2008, 4:41 am

Re: requesting help

Unread postby chryssi2001 » June 9th, 2008, 7:04 am

Hello swoop,

FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Registe ... lashax.cab


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.

The reason I am fixing the HijackThis line is that we don't need it to run on start-up.
You can locate the program manually and run a scan when I ask for one.
----------------------------------------------
COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=31334&p=307337#p307337
    
    KILLALL::
    
    Collect::
    C:\WINDOWS\system32\puqkrknm.ini
    C:\WINDOWS\system32\nisdgdte.ini
    C:\WINDOWS\system32\qqdxjsbh.ini
    C:\WINDOWS\system32\erqcnfif.ini
    C:\WINDOWS\system32\rywdbpno.ini
    C:\WINDOWS\system32\iuerldgl.ini
    C:\WINDOWS\system32\oecssvmd.ini
    C:\WINDOWS\system32\etdgdsin.dll
    C:\WINDOWS\system32\lgdlreui.dll
    C:\WINDOWS\system32\gaueosiv.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\7c4e09bc]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM7f7d3a20]
    
    
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here.
----------------------------------------------
Post back:
Combofix report.
Malwarebytes' Anti-Malware report.
A new HijackThis log.
chryssi2001
MRU Teacher Emeritus
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
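The entries the fix above targets are visible in the ComboFix log earlier in the thread: two msconfig\startupreg entries with random hex names (7c4e09bc and BM7f7d3a20) that each load a random 8-letter DLL from system32, the Security Center "DisableNotify"/"DisableMonitoring" values set to 1 so the user gets no warnings, and EnableFirewall set to 0. The following Python script shows how a helper can triage a pasted "Reg Loading Points" section for exactly those patterns instead of reading it by eye. It is an added example, not code from this thread, from ComboFix or from MalwareRemoval.com; the name heuristics (8 hex characters with an optional "BM" prefix, 8 lowercase letters plus .dll in system32) are assumptions drawn from the entries in this thread and do produce false positives on legitimate 8-letter DLL names, and the embedded sample is a constructed, cut-down copy of the entries shown in the log above.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log for
Vundo-style autostarts and disabled-protection flags.
Added example; not part of the forum thread or of ComboFix itself."""
import re
from dataclasses import dataclass

# Heuristics (assumptions based on this thread's log): Vundo-era loaders used
# random 8-hex msconfig\startupreg names (optionally prefixed "BM") and random
# 8-letter DLLs dropped in system32. Legitimate 8-letter DLLs exist (browseui.dll),
# so the entry name and the target are reported together for a human to judge.
RANDOM_ENTRY = re.compile(r"^(?:BM)?[0-9a-f]{8}$", re.IGNORECASE)
RANDOM_DLL = re.compile(r"\\system32\\[a-z]{8}\.dll$", re.IGNORECASE)
WIN_PATH = re.compile(r"[A-Za-z]:\\.*")
DWORD_VALUE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
FIREWALL_FLAG = re.compile(r'^"EnableFirewall"\s*=\s*(\d+)')
# Security Center values that malware sets to 1 to silence AV/update/firewall warnings.
DISABLE_FLAGS = {"antivirusdisablenotify", "updatesdisablenotify",
                 "firewalldisablenotify", "disablemonitoring"}

# Constructed sample: a cut-down copy of the entries shown in the thread's log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 13:02 53408]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\7c4e09bc]
C:\WINDOWS\system32\lgdlreui.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM7f7d3a20]
C:\WINDOWS\system32\gaueosiv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


@dataclass
class Finding:
    key: str      # registry key the entry lives under
    detail: str   # the offending value name or target path
    reason: str   # why it was flagged


def parse_blocks(text):
    """Yield (key, [value lines]) for each [key] block of a REGEDIT4-style dump."""
    key, values = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                yield key, values
            key, values = line[1:-1], []
        elif line and key is not None:
            values.append(line)
    if key is not None:
        yield key, values


def triage(text):
    """Return the suspicious entries found in a Reg Loading Points dump, in log order."""
    findings = []
    for key, values in parse_blocks(text):
        lowkey = key.lower()
        if "\\msconfig\\startupreg\\" in lowkey:
            name = key.rsplit("\\", 1)[-1]
            target = ""
            for line in values:             # first drive-letter path is the loaded file
                m = WIN_PATH.search(line)
                if m:
                    target = m.group(0)
                    break
            reasons = []
            if RANDOM_ENTRY.match(name):
                reasons.append("random hex entry name")
            if RANDOM_DLL.search(target):
                reasons.append("random 8-letter DLL in system32")
            if reasons:
                findings.append(Finding(key, target, "; ".join(reasons)))
        elif "\\security center" in lowkey:
            for line in values:
                m = DWORD_VALUE.match(line)
                if m and m.group(1).lower() in DISABLE_FLAGS and int(m.group(2), 16) == 1:
                    findings.append(Finding(key, m.group(1), "Security Center warning disabled"))
        elif "firewallpolicy" in lowkey and "authorizedapplications" not in lowkey:
            for line in values:
                m = FIREWALL_FLAG.match(line)
                if m and m.group(1) == "0":
                    findings.append(Finding(key, "EnableFirewall=0", "Windows Firewall disabled"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}: {f.detail}  ({f.key})")
```

Run against the sample it reports the two random startupreg loaders with their DLL paths, the three Security Center flags and the disabled firewall, and stays silent on the Adobe entry and the Run key. The Security Center and firewall values are worth restoring after cleaning; they are what made the user's anti-virus go quiet in the first place.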

Re: requesting help

Unread postby swoop » June 9th, 2008, 8:44 am

ComboFix 08-06-06.6 - stacy 2008-06-09 7:19:39.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.204 [GMT -5:00]
Running from: C:\Documents and Settings\stacy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\stacy\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\erqcnfif.ini
C:\WINDOWS\system32\iuerldgl.ini
C:\WINDOWS\system32\nisdgdte.ini
C:\WINDOWS\system32\oecssvmd.ini
C:\WINDOWS\system32\puqkrknm.ini
C:\WINDOWS\system32\qqdxjsbh.ini
C:\WINDOWS\system32\rywdbpno.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))
.

2008-06-01 06:24 . 2008-06-01 06:24 <DIR> d-------- C:\Program Files\Microprose
2008-06-01 05:25 . 2008-06-01 05:25 <DIR> d-------- C:\_OTMoveIt
2008-06-01 05:06 . 2008-06-01 05:06 <DIR> d-------- C:\Deckard
2008-05-29 06:07 . 2008-05-29 06:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-27 12:02 . 2008-05-27 12:02 <DIR> d-------- C:\Documents and Settings\stacy\Application Data\WarZone
2008-05-27 12:01 . 2008-05-27 12:01 <DIR> d-------- C:\Program Files\Common Files\Idu
2008-05-27 12:00 . 2008-06-01 06:13 <DIR> d-------- C:\Program Files\WarZone
2008-05-27 11:44 . 2008-05-27 11:44 <DIR> d-------- C:\Program Files\CCleaner
2008-05-27 11:25 . 2008-05-27 11:25 <DIR> d-------- C:\Program Files\CleanMyPC
2008-05-15 10:01 . 2008-05-15 10:01 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-05-15 10:01 . 2008-01-10 07:15 755,027 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-05-15 10:01 . 2006-09-24 10:11 389,120 --a------ C:\WINDOWS\system32\lameACM.acm
2008-05-15 10:01 . 2004-01-25 11:18 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
2008-05-15 10:01 . 2007-09-04 11:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2008-05-15 10:01 . 2008-01-10 07:16 159,839 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-05-15 10:01 . 2007-09-20 19:52 118,784 --a------ C:\WINDOWS\system32\ac3acm.acm
2008-05-15 10:01 . 2008-03-28 12:41 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-05-15 10:01 . 2007-07-10 11:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-05-15 10:01 . 2007-10-03 10:03 414 --a------ C:\WINDOWS\system32\lame_acm.xml
2008-05-15 05:12 . 2008-06-09 07:15 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-05-15 05:05 . 2008-05-15 05:05 <DIR> d-------- C:\Program Files\uTorrent
2008-05-15 05:05 . 2008-05-23 04:17 <DIR> d-------- C:\Documents and Settings\stacy\Application Data\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-09 12:24 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-06-09 12:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-07 13:31 --------- d--h--w C:\Documents and Settings\stacy\Application Data\Move Networks
2008-06-01 12:25 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-29 08:10 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-29 08:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-28 07:59 --------- d-----w C:\Program Files\Apple Software Update
2008-05-26 12:03 --------- d-----w C:\Documents and Settings\stacy\Application Data\Lavasoft
2008-05-17 09:14 --------- d-----w C:\Program Files\PokerStars
2008-05-15 14:34 --------- d-----w C:\Program Files\DivX
2008-05-15 05:54 --------- d-----w C:\Program Files\Full Tilt Poker
2008-05-15 05:11 --------- d-----w C:\Program Files\Absolute Poker
2008-05-14 06:12 --------- d-----w C:\Program Files\UltimateBet
2008-05-09 20:16 --------- d-----w C:\Program Files\Cake Poker
2008-05-09 09:01 --------- d-----w C:\Program Files\Poker.com
2008-05-09 07:25 --------- d-----w C:\Documents and Settings\stacy\Application Data\Microgaming
2008-05-09 07:13 --------- d-----w C:\Program Files\CarbonPoker
2008-05-02 06:32 --------- d-----w C:\Program Files\LimeWire
2008-04-26 07:42 --------- d-----w C:\Program Files\Bodog Poker
2007-04-05 00:04 702,212 ----a-w C:\Program Files\APR2007_d3dx10_33_x64.cab
2007-04-05 00:04 699,465 ----a-w C:\Program Files\APR2007_d3dx10_33_x86.cab
2007-04-05 00:04 56,902 ----a-w C:\Program Files\APR2007_xinput_x86.cab
2007-04-05 00:04 45,305 ----a-w C:\Program Files\dxdllreg_x86.cab
2007-04-05 00:04 199,366 ----a-w C:\Program Files\APR2007_XACT_x64.cab
2007-04-05 00:04 154,825 ----a-w C:\Program Files\APR2007_XACT_x86.cab
2007-04-05 00:04 100,417 ----a-w C:\Program Files\APR2007_xinput_x64.cab
2007-04-05 00:04 1,610,958 ----a-w C:\Program Files\APR2007_d3dx9_33_x64.cab
2007-04-05 00:04 1,609,639 ----a-w C:\Program Files\APR2007_d3dx9_33_x86.cab
.

((((((((((((((((((((((((((((( snapshot@2008-06-08_ 7.24.24.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-08 12:17:26 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-09 12:23:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-02-26 11:59:50 294,912 -c----w C:\WINDOWS\system32\dllcache\msctf.dll
- 2004-08-04 07:56:42 294,400 ----a-w C:\WINDOWS\system32\msctf.dll
+ 2008-02-26 11:59:50 294,912 ----a-w C:\WINDOWS\system32\msctf.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-25 06:36 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 13:02 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-03-17 06:34 124656]
"AtiPTA"="Atiptaab.exe" [1999-03-30 15:28 218112 C:\WINDOWS\system32\atiptaab.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-02-14 05:33 29744 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-04-25 06:36 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Poker.com\\client.exe"=
"C:\\Program Files\\CarbonPoker\\client.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Documents and Settings\\stacy\\My Documents\\pandoras box\\Risk.II.2006\\RISKII.EXE"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=

S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-14 05:33]
S4 ati2mpab;ati2mpab;C:\WINDOWS\system32\DRIVERS\ati2mpab.sys [1999-04-21 18:37]

*Newly Created Service* - PGFILTER
.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 08:48:27 C:\WINDOWS\Tasks\Absolute Poker.job"
- C:\PROGRA~1\ABSOLU~1\MAINCL~1.EXE
"2008-06-08 08:00:03 C:\WINDOWS\Tasks\Bodog Poker.job"
- C:\PROGRA~1\BODOGP~1\BPGame.exe
"2008-05-09 09:23:35 C:\WINDOWS\Tasks\Cake Poker.job"
- C:\PROGRA~1\CAKEPO~1\cake.exe
"2008-05-09 09:12:12 C:\WINDOWS\Tasks\CarbonPoker.job"
- C:\PROGRA~1\CARBON~1\client.exe
"2008-05-09 20:15:53 C:\WINDOWS\Tasks\Full Tilt Poker.job"
- C:\PROGRA~1\FULLTI~1\FULLTI~1.EXE
"2008-05-09 09:27:08 C:\WINDOWS\Tasks\Poker.job"
- C:\PROGRA~1\Poker.com\client.exe
"2008-05-10 02:28:07 C:\WINDOWS\Tasks\PokerStars.job"
- C:\PROGRA~1\POKERS~1\POKERS~4.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-09 07:27:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
.
**************************************************************************
.
Completion time: 2008-06-09 7:32:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-09 12:31:58
ComboFix2.txt 2008-06-08 14:57:30
ComboFix3.txt 2008-06-08 12:25:19

Pre-Run: 10,383,196,160 bytes free
Post-Run: 10,373,283,840 bytes free

174 --- E O F --- 2008-06-08 13:02:56
swoop
Active Member
Posts: 14
Joined: June 1st, 2008, 4:41 am

Re: requesting help

Unread postby chryssi2001 » June 9th, 2008, 12:01 pm

Hello swoop,

I need these 2 reports please, so we can continue.

Malwarebytes' Anti-Malware report.
A new HijackThis log
chryssi2001
MRU Teacher Emeritus
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: requesting help

Unread postby swoop » June 10th, 2008, 3:01 am

Yeah, uh, sorry about that. It was late and I'm thinking I passed out without saving the malware log. It is also not located here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
swoop
Active Member
Posts: 14
Joined: June 1st, 2008, 4:41 am

Re: requesting help

Unread postby chryssi2001 » June 10th, 2008, 4:06 am

swoop wrote: Yeah, uh, sorry about that. It was late and I'm thinking I passed out without saving the malware log. It is also not located here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Yes, it is located there as usual.

When you go into this folder:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs, you can't find any reports?
If there is nothing there, please post a new HijackThis log.
chryssi2001
MRU Teacher Emeritus
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: requesting help

Unread postby swoop » June 10th, 2008, 4:31 am

Yes, when I look in that location, there is no log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:23:13 AM, on 6/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaab.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\stacy\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\stacy\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Doyles Room Poker - {725E77D3-B919-4eef-8EEE-D09DE618B6C1} - C:\Microgaming\Poker\DoylesRoomMPP\MPPoker.exe
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: CarbonPoker - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Documents and Settings\stacy\Start Menu\Programs\CarbonPoker\CarbonPoker.lnk (HKCU)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 4334 bytes
swoop