Tech Support Guy

Discussion Starter · #1 · Registered · 29 Posts
This sucks. I got the trojan Winreanimator on my computer. I run Ad-Aware and it gets rid of it for a short while... but when I reboot it comes right back! Please, I need someone's help. If you can direct me towards a thread that can solve this, that would be awesome. The problem is, I can't even run HijackThis or ComboFix! I really need someone's help!!!
 

Discussion Starter · #2 · Registered · 29 Posts
I downloaded and installed HijackThis and ComboFix and it's not letting me run any of them. This is extremely frustrating!! The icons showed up on the desktop, but when I double-click on them absolutely nothing happens.
 

Administrator · 123,574 Posts
Hi and welcome to TSG,

Please don't start more than one thread for the same issue. I've merged them both together here.

Download the file UnHookExec.inf from the following link and save it to your desktop.

http://securityresponse.symantec.com/avcenter/UnHookExec.inf

Note: The tool has an .inf file extension.

Locate the downloaded file on your desktop.

Right-click the UnHookExec.inf file and click Install. (This is a small file. It does not display any notice or boxes when you run it.)

Reboot and see if you can scan with HijackThis and post the log.
 

Discussion Starter · #4 · Registered · 29 Posts
Thanks for replying to my post,

Still no luck. When I download HijackThis, it skips the entire installation process and immediately creates the desktop icon. Then when I try to run it, absolutely nothing happens.
 

Administrator · 123,574 Posts
See if you can run this tool:

Please download Malwarebytes Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
 

Discussion Starter · #12 · Registered · 29 Posts
First off, I just want to say thanks for spending your time trying to help me out.

Yeah, that's one thing that has been working. The files that are infected that are listed come back after every reboot.

Here's the log:

Malwarebytes' Anti-Malware 1.05
Database version: 449

Scan type: Quick Scan
Objects scanned: 47830
Time elapsed: 6 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\users32.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\cru629.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\cru629.dat (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winivstr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
 

Discussion Starter · #13 · Registered · 29 Posts
Here's the log immediately after the reboot. Now there are only two files infected, but I have scanned before and it's always the same six or seven.

Malwarebytes' Anti-Malware 1.05
Database version: 449

Scan type: Quick Scan
Objects scanned: 47751
Time elapsed: 6 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\users32.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\braviax.exe (Trojan.Downloader) -> Delete on reboot.
 

Administrator · 123,574 Posts
Please visit Combofix Guide & Instructions for instructions for installing the Recovery Console and downloading and running ComboFix:

Note: When saving the ComboFix.exe and before running it, it's important that you rename it to Combo-Fix.exe.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Combofix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know.
 

Discussion Starter · #15 · Registered · 29 Posts
Ok, finally!

Here's my Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:33:39 PM, on 3/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Trend Micro\puppy.exe\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar6.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 6078 bytes
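
The helper's reading of the logs above (the pathless braviax Run entry in the HijackThis log, and the MBAM registry value that was already quarantined yet shows up again in a later log) can be scripted. The following Python is an added example, not a tool from this thread or from the HijackThis or MBAM projects; it assumes the two log line formats exactly as posted and uses a handful of lines copied from those logs as constructed input.

```python
"""Triage of HijackThis O4 (Run key) entries against an MBAM registry finding."""
import re
from dataclasses import dataclass, field

# Constructed sample: a few O4/O23 lines copied from the HijackThis log posted above.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
""".strip()

# Constructed sample: the "Registry Values Infected" finding from the first MBAM log above.
SAMPLE_MBAM = r"""
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.
""".strip()

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# Executable part of the command: a quoted path, or an unquoted path ending at
# the first executable extension (HijackThis prints unquoted paths with spaces).
EXE_RE = re.compile(
    r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.*?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$))',
    re.IGNORECASE,
)
MBAM_RE = re.compile(r"^(?P<path>HKEY_\S+) \((?P<detection>[^)]+)\) -> (?P<action>.+)$")

# Directories a legitimate XP autorun normally lives under (assumption for this example).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class RunEntry:
    hive: str
    name: str
    exe: str
    flags: list = field(default_factory=list)


def parse_hjt_run_entries(log: str) -> list:
    """Parse O4 lines into RunEntry objects, attaching flags worth a second look."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue  # only Run-key autoruns are examined here
        cmd = m.group("cmd")
        e = EXE_RE.match(cmd)
        exe = (e.group("quoted") or e.group("bare")) if e else (cmd.split() or [""])[0]
        entry = RunEntry(m.group("hive"), m.group("name"), exe)
        if "\\" not in exe:
            # No directory at all: Windows resolves the name through its search
            # path, so a copy dropped into C:\WINDOWS or System32 is what runs.
            entry.flags.append("bare filename resolved via search path")
        elif not exe.lower().startswith(TRUSTED_ROOTS):
            entry.flags.append("executable outside Windows or Program Files")
        entries.append(entry)
    return entries


def flagged_entries(log: str) -> list:
    """Only the Run entries that carry at least one flag."""
    return [e for e in parse_hjt_run_entries(log) if e.flags]


def mbam_registry_findings(log: str) -> dict:
    """Map each registry value name MBAM acted on to (detection, action)."""
    findings = {}
    for line in log.splitlines():
        m = MBAM_RE.match(line.strip())
        if m:
            value = m.group("path").rsplit("\\", 1)[-1]
            findings[value.lower()] = (m.group("detection"), m.group("action"))
    return findings


def reappeared_after_cleanup(hjt_log: str, mbam_log: str) -> list:
    """Run-entry names MBAM reported removed that a later HijackThis log still
    lists: the signature of a dropper that re-creates them at boot."""
    cleaned = mbam_registry_findings(mbam_log)
    return [e.name for e in parse_hjt_run_entries(hjt_log) if e.name.lower() in cleaned]


if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_HJT):
        print(f"{e.hive} [{e.name}] -> {e.exe}: {'; '.join(e.flags)}")
    print("reappeared after MBAM cleanup:", reappeared_after_cleanup(SAMPLE_HJT, SAMPLE_MBAM))
```

On the sample input only the braviax entry is flagged, and it is also the one MBAM reported quarantined in post #12 but still present in the later HijackThis log.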
 

Discussion Starter · #16 · Registered · 29 Posts
And here's the ComboFix log:

ComboFix 08-03-10.1 - Brian 2008-03-10 21:35:04.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.339 [GMT -5:00]
Running from: C:\Documents and Settings\Brian\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((( Files Created from 2008-02-11 to 2008-03-11 )))))))))))))))))))))))))))))))
.

2008-03-10 21:00 . 2008-03-10 21:00 d-------- C:\Documents and Settings\John\Application Data\Ahead
2008-03-07 13:15 . 2008-03-07 13:15 d-------- C:\Documents and Settings\Brian\.housecall6.6
2008-03-06 16:38 . 2008-03-07 12:52 d-------- C:\sysclean
2008-03-06 13:18 . 2008-03-06 13:24 d-------- C:\totalcmd
2008-03-06 13:18 . 2008-03-06 13:23 671 --a------ C:\WINDOWS\wincmd.ini
2008-03-06 13:18 . 2007-09-14 08:02 545 --a------ C:\WINDOWS\UC.PIF
2008-03-06 13:18 . 2007-09-14 08:02 545 --a------ C:\WINDOWS\RAR.PIF
2008-03-06 13:18 . 2007-09-14 08:02 545 --a------ C:\WINDOWS\PKZIP.PIF
2008-03-06 13:18 . 2007-09-14 08:02 545 --a------ C:\WINDOWS\PKUNZIP.PIF
2008-03-06 13:18 . 2007-09-14 08:02 545 --a------ C:\WINDOWS\NOCLOSE.PIF
2008-03-06 13:18 . 2007-09-14 08:02 545 --a------ C:\WINDOWS\LHA.PIF
2008-03-06 13:18 . 2007-09-14 08:02 545 --a------ C:\WINDOWS\ARJ.PIF
2008-03-06 09:18 . 2007-08-01 17:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-03-06 09:15 . 2008-03-07 13:44 d-------- C:\Documents and Settings\Brian\Application Data\HouseCall 6.6
2008-03-05 23:41 . 2008-03-10 20:36 d-------- C:\Program Files\Trend Micro
2008-03-05 23:32 . 2008-03-05 23:32 19,165 --a------ C:\Documents and Settings\All Users\Application Data\ofydux.scr
2008-03-05 23:32 . 2008-03-05 23:32 19,061 --a------ C:\WINDOWS\system32\apogisim.scr
2008-03-05 23:32 . 2008-03-05 23:32 18,211 --a------ C:\WINDOWS\system32\ufucupicy.bat
2008-03-05 23:32 . 2008-03-05 23:32 15,449 --a------ C:\Documents and Settings\All Users\Application Data\osixujufi.exe
2008-03-05 23:32 . 2008-03-05 23:32 15,179 --a------ C:\WINDOWS\duci.exe
2008-03-05 23:32 . 2008-03-05 23:32 14,393 --a------ C:\WINDOWS\yrovad.dll
2008-03-05 23:32 . 2008-03-05 23:32 11,884 --a------ C:\WINDOWS\umyb.bin
2008-03-05 23:32 . 2008-03-05 23:32 11,296 --a------ C:\Documents and Settings\Brian\Application Data\fukuxol.reg
2008-03-05 12:08 . 2008-03-05 12:08 d-------- C:\Documents and Settings\Anna\Application Data\Lavasoft
2008-03-05 11:37 . 2008-03-05 11:37 d-------- C:\Documents and Settings\John\Application Data\Sunbelt Software
2008-03-05 11:36 . 2008-03-05 11:36 d-------- C:\Documents and Settings\John\Application Data\Lavasoft
2008-03-05 10:38 . 2008-03-05 10:38 27,499 --a------ C:\VETlog.dmp
2008-03-04 16:58 . 2008-03-04 16:58 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-03-04 16:58 . 2008-03-04 16:58 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-03-04 16:56 . 2008-03-04 16:56 d-------- C:\Documents and Settings\Brian\Application Data\Sunbelt Software
2008-03-04 14:28 . 2008-03-05 23:52 d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-04 14:28 . 2008-03-05 23:52 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-04 13:00 . 2008-03-04 13:00 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-04 13:00 . 2008-03-04 13:00 d-------- C:\Documents and Settings\Brian\Application Data\Malwarebytes
2008-03-04 13:00 . 2008-03-04 13:00 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-04 12:59 . 2008-03-04 12:59 d-------- C:\Program Files\Common Files\Download Manager
2008-03-03 17:41 . 2008-03-03 17:41 19,215 --a------ C:\WINDOWS\cuqop.ban
2008-03-03 17:41 . 2008-03-03 17:41 19,068 --a------ C:\Documents and Settings\Brian\Application Data\vabivixucu.pif
2008-03-03 17:41 . 2008-03-03 17:41 16,325 --a------ C:\Documents and Settings\All Users\Application Data\fugizo.bin
2008-03-03 17:41 . 2008-03-03 17:41 15,558 --a------ C:\WINDOWS\ivuso.inf
2008-03-03 17:41 . 2008-03-03 17:41 11,651 --a------ C:\WINDOWS\ubasaz.bin
2008-03-03 17:41 . 2008-03-03 17:41 11,196 --a------ C:\Program Files\Common Files\qitar.pif
2008-03-03 17:41 . 2008-03-03 17:41 10,878 --a------ C:\WINDOWS\system32\byvebanovu.ban
2008-03-03 17:18 . 2008-03-03 17:18 19,381 --a------ C:\WINDOWS\aremukafa._sy
2008-03-03 17:18 . 2008-03-03 17:18 19,260 --a------ C:\Documents and Settings\Brian\Application Data\sifonyga.vbs
2008-03-03 17:18 . 2008-03-03 17:18 18,764 --a------ C:\WINDOWS\system32\dodi.ban
2008-03-03 17:18 . 2008-03-03 17:18 18,220 --a------ C:\WINDOWS\zipys.dat
2008-03-03 17:18 . 2008-03-03 17:18 16,992 --a------ C:\WINDOWS\system32\yradafeg.lib
2008-03-03 17:18 . 2008-03-03 17:18 16,802 --a------ C:\WINDOWS\system32\wemizedax.db
2008-03-03 17:18 . 2008-03-03 17:18 16,070 --a------ C:\Documents and Settings\Brian\Application Data\gubawiq.pif
2008-03-03 17:18 . 2008-03-03 17:18 14,026 --a------ C:\WINDOWS\system32\otyg.inf
2008-03-03 17:18 . 2008-03-03 17:18 13,751 --a------ C:\Program Files\Common Files\tuzafejevo.bat
2008-03-03 17:18 . 2008-03-03 17:18 13,646 --a------ C:\Documents and Settings\All Users\Application Data\yfujukypoq.exe
2008-03-03 17:18 . 2008-03-03 17:18 12,335 --a------ C:\Documents and Settings\All Users\Application Data\upipupanel.vbs
2008-03-03 17:18 . 2008-03-03 17:18 12,239 --a------ C:\WINDOWS\zaferamys.lib
2008-03-03 17:18 . 2008-03-03 17:18 11,562 --a------ C:\Program Files\Common Files\puwuwolubo.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-10 23:54 94,208 ----a-w C:\WINDOWS\system32\igfxtray.exe
2008-03-10 23:54 77,824 ----a-w C:\WINDOWS\system32\hkcmd.exe
2008-03-10 23:54 114,688 ----a-w C:\WINDOWS\system32\igfxpers.exe
2008-03-10 22:21 87,760 -c--a-w C:\Documents and Settings\Brian\Application Data\GDIPFONTCACHEV1.DAT
2008-03-07 06:52 --------- d-----w C:\Documents and Settings\Brian\Application Data\free noun ball
2008-03-03 22:18 19,687 ----a-w C:\Program Files\Common Files\xemyw.inf
2008-03-03 22:18 17,260 ----a-w C:\Program Files\Common Files\azit.lib
2008-03-03 22:18 15,388 ----a-w C:\Program Files\Common Files\uxawypyda.inf
2008-03-03 21:09 --------- d-----w C:\Documents and Settings\Brian\Application Data\uTorrent
2008-03-03 00:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-01 17:01 --------- d-----w C:\Program Files\McAfee
2008-02-10 04:53 7,520 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-02-03 19:15 --------- d-----w C:\Program Files\Common Files\Intuit
2008-02-03 19:09 --------- d-----w C:\Program Files\BitTorrent
2008-02-03 19:09 --------- d-----w C:\Program Files\Ares
2008-01-27 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-01-27 21:51 --------- d-----w C:\Program Files\uTorrent
2008-01-14 17:29 --------- d-----w C:\Documents and Settings\Brian\Application Data\Ahead
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2006-02-19 08:28 12,288 -c--a-w C:\WINDOWS\Fonts\RandFont.dll
.
Files Infected - Win32.Agent.zb
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-10 18:54 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2008-03-10 18:54 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2008-03-10 18:54 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2008-03-10 18:54 114688]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2008-03-10 18:54 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2008-03-10 18:54 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2008-03-10 18:54 81920]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-03-30 10:42 36904]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2008-03-10 18:54 582992]
"braviax"="braviax.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 18:15 1634304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 15:35 67112 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Atom City]
C:\DOCUME~1\Brian\APPLIC~1\FREENO~1\Drv Road.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\axis love poll lite]
--a--c--- 2007-08-05 23:08 3618304 C:\Documents and Settings\All Users\Application Data\each new axis love\Face Junk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-03-12 14:49 153136 C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a--c--- 2005-08-31 12:06 106496 C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2005-02-23 17:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a--c--- 2006-02-20 07:21 169472 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1154494434\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2006-02-19 02:41 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a--c--- 2005-09-08 20:20 8192 C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a--c--- 2005-09-08 20:20 110592 C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-09 19:53 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a--c--- 2006-11-08 14:27 222208 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2006-11-09 18:15 1634304 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 11:56 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a--c--- 2006-02-20 07:13 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REF LIES SIXTH LITE]
--a--c--- 2007-07-30 21:18 557056 C:\Documents and Settings\All Users\Application Data\Log Htm Lite Each\Program Acid Beep.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-11-10 13:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-03-10 18:54 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2006-07-21 17:19 129536 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
--a------ 2006-07-21 11:43 407032 C:\PROGRA~1\Yahoo!\YOP\yop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

S2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S3 SDVC05;USB SDVC05;C:\WINDOWS\system32\Drivers\SDVC05.sys [2003-07-22 12:36]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-04 19:24:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-11 02:00:00 C:\WINDOWS\Tasks\B81C62C2963C1252.job"
- c:\docume~1\brian\applic~1\freeno~1\Roamjugspop.exe
"2008-03-08 00:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (JASIU-John).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-02-15 07:10:00 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-03-01 07:00:14 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-10 21:38:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-10 21:39:02
ComboFix-quarantined-files.txt 2008-03-11 02:38:59
ComboFix2.txt 2008-03-11 02:28:29
.
2008-02-13 09:03:36 --- E O F ---
 

Discussion Starter · #18 · Registered · 29 Posts
Sure, here you go!

ComboFix 08-03-10.1 - Brian 2008-03-10 21:20:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.237 [GMT -5:00]
Running from: C:\Documents and Settings\Brian\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\cru629.dat
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\system32\users32.da_
C:\WINDOWS\system32\users32.dat
C:\WINDOWS\system32\winivstr.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-11 to 2008-03-11 )))))))))))))))))))))))))))))))
.

2008-03-10 21:00 . 2008-03-10 21:00 d-------- C:\Documents and Settings\John\Application Data\Ahead
2008-03-07 13:15 . 2008-03-07 13:15 d-------- C:\Documents and Settings\Brian\.housecall6.6
2008-03-06 16:38 . 2008-03-07 12:52 d-------- C:\sysclean
2008-03-06 13:18 . 2008-03-06 13:24 d-------- C:\totalcmd
2008-03-06 13:18 . 2008-03-06 13:23 671 --a------ C:\WINDOWS\wincmd.ini
2008-03-06 13:18 . 2007-09-14 08:02 545 --a------ C:\WINDOWS\UC.PIF
2008-03-06 13:18 . 2007-09-14 08:02 545 --a------ C:\WINDOWS\RAR.PIF
2008-03-06 13:18 . 2007-09-14 08:02 545 --a------ C:\WINDOWS\PKZIP.PIF
2008-03-06 13:18 . 2007-09-14 08:02 545 --a------ C:\WINDOWS\PKUNZIP.PIF
2008-03-06 13:18 . 2007-09-14 08:02 545 --a------ C:\WINDOWS\NOCLOSE.PIF
2008-03-06 13:18 . 2007-09-14 08:02 545 --a------ C:\WINDOWS\LHA.PIF
2008-03-06 13:18 . 2007-09-14 08:02 545 --a------ C:\WINDOWS\ARJ.PIF
2008-03-06 09:18 . 2007-08-01 17:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-03-06 09:15 . 2008-03-07 13:44 d-------- C:\Documents and Settings\Brian\Application Data\HouseCall 6.6
2008-03-05 23:41 . 2008-03-10 20:36 d-------- C:\Program Files\Trend Micro
2008-03-05 23:32 . 2008-03-05 23:32 19,165 --a------ C:\Documents and Settings\All Users\Application Data\ofydux.scr
2008-03-05 23:32 . 2008-03-05 23:32 19,061 --a------ C:\WINDOWS\system32\apogisim.scr
2008-03-05 23:32 . 2008-03-05 23:32 18,211 --a------ C:\WINDOWS\system32\ufucupicy.bat
2008-03-05 23:32 . 2008-03-05 23:32 15,449 --a------ C:\Documents and Settings\All Users\Application Data\osixujufi.exe
2008-03-05 23:32 . 2008-03-05 23:32 15,179 --a------ C:\WINDOWS\duci.exe
2008-03-05 23:32 . 2008-03-05 23:32 14,393 --a------ C:\WINDOWS\yrovad.dll
2008-03-05 23:32 . 2008-03-05 23:32 11,884 --a------ C:\WINDOWS\umyb.bin
2008-03-05 23:32 . 2008-03-05 23:32 11,296 --a------ C:\Documents and Settings\Brian\Application Data\fukuxol.reg
2008-03-05 12:08 . 2008-03-05 12:08 d-------- C:\Documents and Settings\Anna\Application Data\Lavasoft
2008-03-05 11:37 . 2008-03-05 11:37 d-------- C:\Documents and Settings\John\Application Data\Sunbelt Software
2008-03-05 11:36 . 2008-03-05 11:36 d-------- C:\Documents and Settings\John\Application Data\Lavasoft
2008-03-05 10:38 . 2008-03-05 10:38 27,499 --a------ C:\VETlog.dmp
2008-03-04 16:58 . 2008-03-04 16:58 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-03-04 16:58 . 2008-03-04 16:58 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-03-04 16:56 . 2008-03-04 16:56 d-------- C:\Documents and Settings\Brian\Application Data\Sunbelt Software
2008-03-04 14:28 . 2008-03-05 23:52 d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-04 14:28 . 2008-03-05 23:52 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-04 13:00 . 2008-03-04 13:00 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-04 13:00 . 2008-03-04 13:00 d-------- C:\Documents and Settings\Brian\Application Data\Malwarebytes
2008-03-04 13:00 . 2008-03-04 13:00 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-04 12:59 . 2008-03-04 12:59 d-------- C:\Program Files\Common Files\Download Manager
2008-03-03 17:41 . 2008-03-03 17:41 19,215 --a------ C:\WINDOWS\cuqop.ban
2008-03-03 17:41 . 2008-03-03 17:41 19,068 --a------ C:\Documents and Settings\Brian\Application Data\vabivixucu.pif
2008-03-03 17:41 . 2008-03-03 17:41 16,325 --a------ C:\Documents and Settings\All Users\Application Data\fugizo.bin
2008-03-03 17:41 . 2008-03-03 17:41 15,558 --a------ C:\WINDOWS\ivuso.inf
2008-03-03 17:41 . 2008-03-03 17:41 11,651 --a------ C:\WINDOWS\ubasaz.bin
2008-03-03 17:41 . 2008-03-03 17:41 11,196 --a------ C:\Program Files\Common Files\qitar.pif
2008-03-03 17:41 . 2008-03-03 17:41 10,878 --a------ C:\WINDOWS\system32\byvebanovu.ban
2008-03-03 17:18 . 2008-03-03 17:18 19,381 --a------ C:\WINDOWS\aremukafa._sy
2008-03-03 17:18 . 2008-03-03 17:18 19,260 --a------ C:\Documents and Settings\Brian\Application Data\sifonyga.vbs
2008-03-03 17:18 . 2008-03-03 17:18 18,764 --a------ C:\WINDOWS\system32\dodi.ban
2008-03-03 17:18 . 2008-03-03 17:18 18,220 --a------ C:\WINDOWS\zipys.dat
2008-03-03 17:18 . 2008-03-03 17:18 16,992 --a------ C:\WINDOWS\system32\yradafeg.lib
2008-03-03 17:18 . 2008-03-03 17:18 16,802 --a------ C:\WINDOWS\system32\wemizedax.db
2008-03-03 17:18 . 2008-03-03 17:18 16,070 --a------ C:\Documents and Settings\Brian\Application Data\gubawiq.pif
2008-03-03 17:18 . 2008-03-03 17:18 14,026 --a------ C:\WINDOWS\system32\otyg.inf
2008-03-03 17:18 . 2008-03-03 17:18 13,751 --a------ C:\Program Files\Common Files\tuzafejevo.bat
2008-03-03 17:18 . 2008-03-03 17:18 13,646 --a------ C:\Documents and Settings\All Users\Application Data\yfujukypoq.exe
2008-03-03 17:18 . 2008-03-03 17:18 12,335 --a------ C:\Documents and Settings\All Users\Application Data\upipupanel.vbs
2008-03-03 17:18 . 2008-03-03 17:18 12,239 --a------ C:\WINDOWS\zaferamys.lib
2008-03-03 17:18 . 2008-03-03 17:18 11,562 --a------ C:\Program Files\Common Files\puwuwolubo.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-10 22:21 87,760 -c--a-w C:\Documents and Settings\Brian\Application Data\GDIPFONTCACHEV1.DAT
2008-03-07 06:52 --------- d-----w C:\Documents and Settings\Brian\Application Data\free noun ball
2008-03-03 22:18 19,687 ----a-w C:\Program Files\Common Files\xemyw.inf
2008-03-03 22:18 17,260 ----a-w C:\Program Files\Common Files\azit.lib
2008-03-03 22:18 15,388 ----a-w C:\Program Files\Common Files\uxawypyda.inf
2008-03-03 21:09 --------- d-----w C:\Documents and Settings\Brian\Application Data\uTorrent
2008-03-03 00:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-01 17:01 --------- d-----w C:\Program Files\McAfee
2008-02-03 19:15 --------- d-----w C:\Program Files\Common Files\Intuit
2008-02-03 19:09 --------- d-----w C:\Program Files\BitTorrent
2008-02-03 19:09 --------- d-----w C:\Program Files\Ares
2008-01-27 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-01-27 21:51 --------- d-----w C:\Program Files\uTorrent
2008-01-14 17:29 --------- d-----w C:\Documents and Settings\Brian\Application Data\Ahead
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-10 18:54 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2008-03-10 18:54 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2008-03-10 18:54 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2008-03-10 18:54 114688]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2008-03-10 18:54 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2008-03-10 18:54 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2008-03-10 18:54 81920]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-03-30 10:42 36904]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2008-03-10 18:54 582992]
"braviax"="braviax.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 18:15 1634304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 15:35 67112 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Atom City]
C:\DOCUME~1\Brian\APPLIC~1\FREENO~1\Drv Road.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\axis love poll lite]
--a--c--- 2007-08-05 23:08 3618304 C:\Documents and Settings\All Users\Application Data\each new axis love\Face Junk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-03-12 14:49 153136 C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a--c--- 2005-08-31 12:06 106496 C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2005-02-23 17:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a--c--- 2006-02-20 07:21 169472 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1154494434\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2006-02-19 02:41 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a--c--- 2005-09-08 20:20 8192 C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a--c--- 2005-09-08 20:20 110592 C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-09 19:53 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a--c--- 2006-11-08 14:27 222208 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2006-11-09 18:15 1634304 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 11:56 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a--c--- 2006-02-20 07:13 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REF LIES SIXTH LITE]
--a--c--- 2007-07-30 21:18 557056 C:\Documents and Settings\All Users\Application Data\Log Htm Lite Each\Program Acid Beep.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-11-10 13:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-03-10 18:54 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2006-07-21 17:19 129536 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
--a------ 2006-07-21 11:43 407032 C:\PROGRA~1\Yahoo!\YOP\yop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S3 SDVC05;USB SDVC05;C:\WINDOWS\system32\Drivers\SDVC05.sys [2003-07-22 12:36]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-04 19:24:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-11 02:00:00 C:\WINDOWS\Tasks\B81C62C2963C1252.job"
- c:\docume~1\brian\applic~1\freeno~1\Roamjugspop.exe
"2008-03-08 00:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (JASIU-John).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-02-15 07:10:00 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-03-01 07:00:14 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-10 21:25:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-03-10 21:28:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-11 02:28:23
.
2008-02-13 09:03:36 --- E O F ---
 

Administrator · 123,574 Posts
Run the Kaspersky online virus scan: Kaspersky Online Scanner.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the "Extended database" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, save the results from the scan!

Note: You have to use Internet Explorer to do the online scan.

Post a new HijackThis log along with the results from the Kaspersky scan.
 