Tech Support Guy

Discussion Starter · #1 ·
I've been getting a warning from AVG Free that a Lop virus was detected, and it keeps popping up. I found a thread here from somebody with a similar problem and realized it would probably be better to have somebody look at this thing from here, since although the problem might be similar, it probably isn't identical. I'm running the Windows XP Pro operating system. I've included the SUPERAntiSpyware log and the HJT log. Thanks for all the help.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/12/2008 at 12:45 PM

Application Version : 4.0.1154

Core Rules Database Version : 3417
Trace Rules Database Version: 1409

Scan type : Complete Scan
Total Scan Time : 01:24:12

Memory items scanned : 425
Memory threats detected : 1
Registry items scanned : 4059
Registry threats detected : 23
File items scanned : 12220
File threats detected : 144

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\AWVSS.DLL
C:\WINDOWS\SYSTEM32\AWVSS.DLL

Adware.MyWebSearch
HKLM\Software\Classes\CLSID\{00A6FAF6-072E-44cf-8957-5838F569A31D}
HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}
HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}
HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}\InprocServer32
HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}\InprocServer32#ThreadingModel
HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}\Programmable
C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
HKLM\Software\Classes\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\InprocServer32
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\InprocServer32#ThreadingModel
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\Programmable
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\TypeLib
C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{642A9085-CF51-4589-9C3B-A07A5CBE5C99}
HKCR\CLSID\{642A9085-CF51-4589-9C3B-A07A5CBE5C99}
HKCR\CLSID\{642A9085-CF51-4589-9C3B-A07A5CBE5C99}\InprocServer32
HKCR\CLSID\{642A9085-CF51-4589-9C3B-A07A5CBE5C99}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\PMKHG.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{642A9085-CF51-4589-9C3B-A07A5CBE5C99}

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{64F84CA6-7C55-40CC-BE93-F29E3FA087E6}
HKCR\CLSID\{64F84CA6-7C55-40CC-BE93-F29E3FA087E6}
HKCR\CLSID\{64F84CA6-7C55-40CC-BE93-F29E3FA087E6}\InprocServer32
HKCR\CLSID\{64F84CA6-7C55-40CC-BE93-F29E3FA087E6}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{64F84CA6-7C55-40CC-BE93-F29E3FA087E6}

Adware.Tracking Cookie
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected]tarware[2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected]_4z1u[1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected]_serial[1].txt
C:\Documents and Settings\Matt\Cookies\[email protected]_8m6n[1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][4].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected]ssmediaservices[1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected]_9u7v[1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt

Adware.WhenU
C:\DOCUMENTS AND SETTINGS\MATT\LOCAL SETTINGS\TEMP\TEMP.FR10ED\SAVE.EXE
C:\DOCUMENTS AND SETTINGS\MATT\LOCAL SETTINGS\TEMP\VVSNINST.EXE

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\GHKMP.INI

RelevantKnowledge Spyware Component
C:\WINDOWS\SYSTEM32\RK.BIN
C:\WINDOWS\SYSTEM32\RLLS.DLL

Trace.Known Threat Sources
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\MZ6N45YZ\CA0DO1GF.htm
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\05AJ45QR\ajax[1].htm
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\278BVO5C\errorhandler[1].htm
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\C9IFGL23\favicon[1].ico

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:37 PM, on 3/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
D:\applications\Winamp\winampa.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {FBD29C3C-C642-4843-A627-6E54A947B511} - C:\WINDOWS\system32\wvuspom.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [WinampAgent] D:\applications\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [MSN Messenger] msn.com
O4 - HKLM\..\Run: [BM7bdfc462] Rundll32.exe "C:\WINDOWS\system32\ympbycgc.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-1409082233-2111687655-1202660629-1003\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User '?')
O4 - HKUS\S-1-5-21-1409082233-2111687655-1202660629-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1409082233-2111687655-1202660629-1003\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User '?')
O4 - HKUS\S-1-5-21-1409082233-2111687655-1202660629-1003\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {40289096-9F72-4A04-BCB3-E434ECDCEE33} (AppDLCtrl Class) - http://download.howudodat.com/chatterbox/download/appdl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32651.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://777dragon.microgaming.com/777dragon/FlashAX.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: wvuspom - wvuspom.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

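The HijackThis log in the post above carries the three indicators a helper looks for first in a Vundo/Virtumonde case: an O2 BHO registered with "(no file)", an O2/O20 entry pointing at a system32 DLL that is "(file missing)", and an O4 Run key that launches a random-named system32 DLL through Rundll32 (the `BM7bdfc462` entry loading `ympbycgc.dll`). The script below is an added example, not part of this thread and not a HijackThis feature: it runs exactly those checks over lines excerpted from the log above. The randomness heuristic (vowel ratio and consonant-run thresholds) is the example's own assumption and is a triage aid, not a verdict.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example: flags the indicators visible in the log above,
  * O2/O20 registrations whose backing file is gone ("(no file)", "(file missing)"),
  * O4 Run entries that load a DLL out of %SystemRoot%\\system32 through rundll32,
  * system32 DLL names that look machine-generated (Vundo-style random letters).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Orphaned COM/Notify registration: the key is still there, the DLL is not.
MISSING = re.compile(r"\((?:no file|file missing)\)", re.IGNORECASE)
# O4 form: [name] Rundll32.exe "C:\...\system32\x.dll",entrypoint
RUNDLL32_SYS32 = re.compile(
    r"\]\s+\"?rundll32(?:\.exe)?\"?\s+\"?[^\"]*\\system32\\[^\"\s,]+\.dll",
    re.IGNORECASE,
)
# Bare stem of any DLL sitting directly in system32.
SYS32_DLL = re.compile(r"\\system32\\([A-Za-z0-9_]+)\.dll", re.IGNORECASE)
# HJT section tag at the start of an entry line (O2, O4, O20, R1, F2, ...).
SECTION = re.compile(r"(O\d+|R\d|F\d) - ")

VOWELS = frozenset("aeiou")


@dataclass(frozen=True)
class Finding:
    section: str  # HJT tag, e.g. "O2", "O4", "O20"
    reason: str
    line: str


def looks_machine_generated(stem: str) -> bool:
    """Heuristic for random-looking file names.

    Thresholds are this example's assumptions: a purely alphabetic name with
    no vowels, under 20% vowels, or a run of four or more consonants is
    treated as machine-generated. Confirm with file timestamps and the
    SUPERAntiSpyware/ComboFix deletions before acting on it.
    """
    s = stem.lower()
    if not s.isalpha():
        return False  # digits/underscores read like a product name (e.g. devldr32)
    vowel_count = sum(1 for c in s if c in VOWELS)
    if vowel_count == 0 or vowel_count / len(s) < 0.2:
        return True
    longest = run = 0
    for c in s:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 4


def triage_hjt(log_text: str) -> list[Finding]:
    """Return one Finding per (line, reason) for every suspicious HJT entry."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if not m:
            continue  # header, running-process list, blank line
        section = m.group(1)
        if MISSING.search(line):
            findings.append(Finding(section, "registration points at a missing file", line))
        if section == "O4" and RUNDLL32_SYS32.search(line):
            findings.append(Finding(section, "Run key loads a system32 DLL via rundll32", line))
        if section in ("O2", "O4", "O20"):
            for stem in SYS32_DLL.findall(line):
                if looks_machine_generated(stem):
                    findings.append(Finding(section, f"system32 DLL name looks machine-generated: {stem}.dll", line))
    return findings


# Sample input: lines excerpted from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {FBD29C3C-C642-4843-A627-6E54A947B511} - C:\WINDOWS\system32\wvuspom.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BM7bdfc462] Rundll32.exe "C:\WINDOWS\system32\ympbycgc.dll",s
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: wvuspom - wvuspom.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
```

Run against the sample it reports the two orphaned registrations, the missing Winlogon Notify DLL, and the Rundll32 entry twice (once for the loader pattern, once for the name); the Adobe BHO, the AVG Run key and the SUPERAntiSpyware notify DLL pass clean. A real HJT log from the same machine has many more O16 and O23 lines that this example deliberately leaves alone.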

Discussion Starter · #2 ·
ComboFix 08-03-10.1 - Matt 2008-03-12 13:37:51.1 - NTFSx86

Running from: C:\Documents and Settings\Matt\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Matt\Application Data\macromedia\Flash Player\#SharedObjects\GUHSCDSC\www.broadcaster.com
C:\Documents and Settings\Matt\Application Data\macromedia\Flash Player\#SharedObjects\GUHSCDSC\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Matt\Application Data\macromedia\Flash Player\#SharedObjects\GUHSCDSC\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Matt\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Matt\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\BM7bdfc462.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cemetrix.dll
C:\WINDOWS\system32\eidwjpgr.dll
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\ghkmp.ini2
C:\WINDOWS\system32\hgggfgg.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\qmbcwahr.dll
C:\WINDOWS\system32\ssvwa.ini
C:\WINDOWS\system32\ssvwa.ini2
C:\WINDOWS\system32\tnjdflsy.dll
C:\WINDOWS\system32\ueiqmkhl.dll
C:\WINDOWS\system32\vtuttus.dll
C:\WINDOWS\system32\xlnhycxx.dll
C:\WINDOWS\system32\yecyhyfd.dll
C:\WINDOWS\system32\ympbycgc.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-12 to 2008-03-12 )))))))))))))))))))))))))))))))
.

2008-03-10 19:53 . 2008-03-10 19:53 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-10 19:53 . 2008-03-10 19:53 d-------- C:\Documents and Settings\Matt\Application Data\SUPERAntiSpyware.com
2008-03-10 19:53 . 2008-03-10 19:53 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-10 19:52 . 2008-03-10 19:52 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-10 19:50 . 2008-03-10 19:50 d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 18:12 --------- d-----w C:\Documents and Settings\Matt\Application Data\Skype
2008-03-12 16:19 --------- d-----w C:\Documents and Settings\Matt\Application Data\skypePM
2008-03-12 16:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2008-03-12 13:43 --------- d-----w C:\Program Files\Weather Pulse
2008-03-07 09:40 --------- d-----w C:\Program Files\MSN Messenger
2008-01-16 22:00 --------- d-----w C:\Documents and Settings\Matt\Application Data\Yahoo!
2008-01-03 22:31 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2005-03-16 23:41 278,528 ----a-w C:\Documents and Settings\Matt\Application Data\tizupd.bin
2003-09-08 07:15 126,740 ------w C:\Program Files\SBC Self Support Tool
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 15:08 67160]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-10-26 22:21 4662776]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 16:08 21686568]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 17:19 129536]
"IPInSightLAN 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 02:52 380928]
"IPInSightMonitor 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 02:52 122880]
"WinampAgent"="D:\applications\Winamp\winampa.exe" [2003-12-12 19:50 33792]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 01:35 579072]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"IPInSightMonitor 01"="C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 14:30 98304]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-07-21 11:43 407032]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-03 10:02 180269]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 03:52 36975]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuspom]
wvuspom.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
C:\Program Files\Ares\Ares.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
C:\Program Files\BearShare\BearShare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-06-03 03:52 36975 C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-04-03 10:02 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster]
C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 17:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather Pulse]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
C:\Program Files\Save\Save.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Downloaded Programs\\mIRC\\mirc.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= C:\\Program Files\\Yahoo!\\Messenger\\yserver.exe
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Documents and Settings\\Matt\\Local Settings\\Temp\\~os106F.tmp\\ossproxy.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"D:\\Matt's Music\\Morpheus\\Shareaza\\Shareaza.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1755:TCP"= 1755:TCP:for launch

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 13:46:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-03-12 13:55:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-12 18:55:12
.
2008-02-13 09:21:09 --- E O F ---
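The "Reg Loading Points" block of the ComboFix report above also records the Windows Firewall standard profile: `EnableFirewall` is 0, the authorized-applications list contains an exception for an executable under the user's `Local Settings\Temp` folder (`ossproxy.exe`), and TCP port 1755 is globally open. The script below is an added example, not ComboFix output and not part of the thread: it parses that REGEDIT4-style section and lists the entries a helper would want to review. The sample text is excerpted from the report above; treating any path under a `Temp` or `Tmp` directory as an illegitimate firewall exception is the example's own assumption.

```python
"""Audit the Windows Firewall policy section of a ComboFix report.

Added example: ComboFix prints the firewall policy keys in REGEDIT4 style.
This parses the standard-profile block and lists what a helper should
review: EnableFirewall=0, authorized applications living in temp folders,
and globally open ports.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Substring that identifies the standard-profile firewall keys in section headers.
FIREWALL_KEY = r"firewallpolicy\standardprofile"
# Assumption of this example: a permanent exception for a binary under a
# temp folder is never legitimate and always deserves a closer look.
TEMP_DIRS = re.compile(r"\\(?:Temp|Tmp)\\", re.IGNORECASE)


@dataclass
class FirewallAudit:
    enabled: Optional[bool] = None          # None if the value was not printed
    authorized_apps: List[str] = field(default_factory=list)
    open_ports: List[str] = field(default_factory=list)

    def issues(self) -> List[str]:
        out = []
        if self.enabled is False:
            out.append("Windows Firewall is disabled in the standard profile (EnableFirewall=0)")
        for app in self.authorized_apps:
            if TEMP_DIRS.search(app):
                out.append(f"firewall exception for a binary in a temp folder: {app}")
        for port in self.open_ports:
            out.append(f"globally open port: {port}")
        return out


def parse_combofix_firewall(text: str) -> FirewallAudit:
    """Walk the [section] / "name"=value lines and collect the firewall policy."""
    audit = FirewallAudit()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if not line or section is None or FIREWALL_KEY not in section:
            continue  # Run keys, msconfig startupreg, etc. are outside this audit
        if section.endswith("standardprofile"):
            m = re.match(r'"EnableFirewall"\s*=\s*(\d+)', line)
            if m:
                audit.enabled = m.group(1) != "0"
        elif section.endswith(r"authorizedapplications\list"):
            m = re.match(r'"([^"]+)"\s*=', line)
            if m:
                # ComboFix prints registry-escaped paths ("C:\\Program Files\\...").
                audit.authorized_apps.append(m.group(1).replace("\\\\", "\\"))
        elif section.endswith(r"globallyopenports\list"):
            m = re.match(r'"([^"]+)"\s*=', line)
            if m:
                audit.open_ports.append(m.group(1))
    return audit


# Sample input: excerpt of the firewall keys from the ComboFix report above.
SAMPLE_REPORT = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Downloaded Programs\\mIRC\\mirc.exe"=
"C:\\Documents and Settings\\Matt\\Local Settings\\Temp\\~os106F.tmp\\ossproxy.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1755:TCP"= 1755:TCP:for launch
"""

if __name__ == "__main__":
    for issue in parse_combofix_firewall(SAMPLE_REPORT).issues():
        print("-", issue)
```

On the sample this yields three items: the disabled firewall, the `ossproxy.exe` exception under `Local Settings\Temp`, and the open 1755/TCP port. The `Downloaded Programs` and `Program Files` exceptions are listed but not flagged; whether a P2P or IRC client belongs in the exception list is a judgement call the parser leaves to the person reading the log.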
 

Discussion Starter · #3 ·
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:09:02 PM, on 3/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\WINDOWS\system32\devldr32.exe
D:\applications\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [WinampAgent] D:\applications\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-1409082233-2111687655-1202660629-1003\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User '?')
O4 - HKUS\S-1-5-21-1409082233-2111687655-1202660629-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1409082233-2111687655-1202660629-1003\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User '?')
O4 - HKUS\S-1-5-21-1409082233-2111687655-1202660629-1003\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {40289096-9F72-4A04-BCB3-E434ECDCEE33} (AppDLCtrl Class) - http://download.howudodat.com/chatterbox/download/appdl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32651.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://777dragon.microgaming.com/777dragon/FlashAX.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: wvuspom - wvuspom.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 9140 bytes
 

Registered · 14 Posts · Discussion Starter · #4
AVG kept finding lop viruses. i found this site and took a look at a couple of the fixes and determined that it would be better to have this taken care of individually instead of trying to copy previous fixes. i'm sure there are a few other things that need to be removed as well, if you spot them could you let me know??? thanks for the help....here are the logs...

ComboFix 08-03-10.1 - Matt 2008-03-12 13:37:51.1 - NTFSx86

Running from: C:\Documents and Settings\Matt\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Matt\Application Data\macromedia\Flash Player\#SharedObjects\GUHSCDSC\www.broadcaster.com
C:\Documents and Settings\Matt\Application Data\macromedia\Flash Player\#SharedObjects\GUHSCDSC\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Matt\Application Data\macromedia\Flash Player\#SharedObjects\GUHSCDSC\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Matt\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Matt\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\BM7bdfc462.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cemetrix.dll
C:\WINDOWS\system32\eidwjpgr.dll
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\ghkmp.ini2
C:\WINDOWS\system32\hgggfgg.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\qmbcwahr.dll
C:\WINDOWS\system32\ssvwa.ini
C:\WINDOWS\system32\ssvwa.ini2
C:\WINDOWS\system32\tnjdflsy.dll
C:\WINDOWS\system32\ueiqmkhl.dll
C:\WINDOWS\system32\vtuttus.dll
C:\WINDOWS\system32\xlnhycxx.dll
C:\WINDOWS\system32\yecyhyfd.dll
C:\WINDOWS\system32\ympbycgc.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-12 to 2008-03-12 )))))))))))))))))))))))))))))))
.

2008-03-10 19:53 . 2008-03-10 19:53 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-10 19:53 . 2008-03-10 19:53 d-------- C:\Documents and Settings\Matt\Application Data\SUPERAntiSpyware.com
2008-03-10 19:53 . 2008-03-10 19:53 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-10 19:52 . 2008-03-10 19:52 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-10 19:50 . 2008-03-10 19:50 d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 18:12 --------- d-----w C:\Documents and Settings\Matt\Application Data\Skype
2008-03-12 16:19 --------- d-----w C:\Documents and Settings\Matt\Application Data\skypePM
2008-03-12 16:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2008-03-12 13:43 --------- d-----w C:\Program Files\Weather Pulse
2008-03-07 09:40 --------- d-----w C:\Program Files\MSN Messenger
2008-01-16 22:00 --------- d-----w C:\Documents and Settings\Matt\Application Data\Yahoo!
2008-01-03 22:31 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2005-03-16 23:41 278,528 ----a-w C:\Documents and Settings\Matt\Application Data\tizupd.bin
2003-09-08 07:15 126,740 ------w C:\Program Files\SBC Self Support Tool
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 15:08 67160]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-10-26 22:21 4662776]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 16:08 21686568]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 17:19 129536]
"IPInSightLAN 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 02:52 380928]
"IPInSightMonitor 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 02:52 122880]
"WinampAgent"="D:\applications\Winamp\winampa.exe" [2003-12-12 19:50 33792]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 01:35 579072]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"IPInSightMonitor 01"="C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 14:30 98304]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-07-21 11:43 407032]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-03 10:02 180269]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 03:52 36975]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuspom]
wvuspom.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
C:\Program Files\Ares\Ares.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
C:\Program Files\BearShare\BearShare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-06-03 03:52 36975 C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-04-03 10:02 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster]
C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 17:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather Pulse]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
C:\Program Files\Save\Save.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Downloaded Programs\\mIRC\\mirc.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= C:\\Program Files\\Yahoo!\\Messenger\\yserver.exe
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Documents and Settings\\Matt\\Local Settings\\Temp\\~os106F.tmp\\ossproxy.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"D:\\Matt's Music\\Morpheus\\Shareaza\\Shareaza.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1755:TCP"= 1755:TCP:for launch

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 13:46:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-03-12 13:55:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-12 18:55:12
.
2008-02-13 09:21:09 --- E O F ---
 

Retired Moderator · 72,109 Posts
Open Notepad and copy and paste the text in the quote box below into it:

Folder::
C:\Program Files\Save
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuspom]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.



This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Please perform a scan with Kaspersky Webscan Online Virus Scanner

1. Read the Requirements and Privacy statement, then select "Accept".
2. A new window will appear prompting you to install an ActiveX component from Kaspersky - "Do you want to install this software?".
3. Click "Yes" or select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. When the download is complete it will say ready, click "Next".
5. Click "Scan Settings" and check the option to use the Extended Database (if available, otherwise Standard).
6. Click "Scan Options" and select both "Scan Archives" and "Scan Mail Bases".
7. Click "OK".
8. Under "Select a target to scan", click on "My Computer".
9. When the scan is complete choose to save the results as "Save as Text" named kaspersky.txt to your desktop and post them in your next reply.

Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for Free Online Virus Scanner. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version. To do this, follow the steps here and reboot afterwards if your system does not reboot automatically or it will show 'Kaspersky Online Scanner license key was not found!'
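The CFScript above targets the one Winlogon Notify entry that HijackThis reports as "(file missing)" (wvuspom) and the WhenUSave startup entry; the same ComboFix dump also shows the XP firewall switched off, an authorized application under a Temp directory, and a globally open port. As an added example, not part of this thread nor of the HijackThis or ComboFix tools, here is a Python triage routine that applies those checks to log lines in the formats shown on this page. The sample lines are constructed from the log excerpts above; the regexes and function names are my own.

```python
import re

# Constructed sample in the formats HijackThis and ComboFix use in the thread
# above (a handful of lines, not the poster's full logs).
SAMPLE_LOG = r"""
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: wvuspom - wvuspom.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Documents and Settings\\Matt\\Local Settings\\Temp\\~os106F.tmp\\ossproxy.exe"=
"1755:TCP"= 1755:TCP:for launch
"""

# HijackThis O20 line: package name, DLL, and HijackThis's own "(file missing)" verdict.
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$"
)
# ComboFix GloballyOpenPorts line (registry-export style).
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')


def missing_winlogon_notify(lines):
    """Return (name, dll) for every Winlogon Notify entry whose DLL is reported missing.

    Winlogon is still told to load the package, but the file is gone: a leftover
    registration that belongs on the removal list for the Notify key."""
    hits = []
    for line in lines:
        m = O20_RE.match(line.strip())
        if m and m.group("missing"):
            hits.append((m.group("name"), m.group("dll")))
    return hits


def firewall_findings(lines):
    """Flag weak spots in an XP firewallpolicy dump: the firewall switched off,
    an authorized application running out of a Temp directory, and globally open ports."""
    findings = []
    for line in lines:
        s = line.strip()
        if s.startswith('"EnableFirewall"='):
            value = s.split("=", 1)[1].strip()
            if value.startswith("0"):
                findings.append("firewall disabled (EnableFirewall=0)")
            continue
        port = PORT_RE.match(s)
        if port:
            findings.append(f"globally open port {port.group(1)}/{port.group(2)} ({port.group(3)})")
            continue
        if s.startswith('"') and s.endswith('"='):
            # Authorized application: strip the quotes and un-double the export-format backslashes.
            path = s[1:-2].replace("\\\\", "\\")
            if "\\temp\\" in path.lower():
                findings.append(f"authorized app launched from Temp: {path}")
    return findings


def triage(log_text):
    """Run both checks over one log text and return a single list of findings."""
    lines = log_text.splitlines()
    report = [f"Winlogon Notify entry with missing DLL: {name} ({dll})"
              for name, dll in missing_winlogon_notify(lines)]
    return report + firewall_findings(lines)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports exactly the items the helper acted on or that a reviewer would question: the wvuspom Notify entry, EnableFirewall=0, the ossproxy.exe exception under the user's Temp folder, and the 1755/TCP opening. The Temp check deliberately normalizes the doubled backslashes of the export format before matching, so the same test works on a raw ComboFix dump and on a path copied out of it.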
 

Registered · 14 Posts · Discussion Starter · #6
sorry for the delay, here is the new combo fix log after adding the cfscript.exe. the kaspersky log will follow.

ComboFix 08-03-10.1 - Matt 2008-03-21 12:29:51.2 - NTFSx86
Running from: C:\Documents and Settings\Matt\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Matt\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-21 to 2008-03-21 )))))))))))))))))))))))))))))))
.

2008-03-18 03:04 . 2008-03-18 03:04 d-------- C:\Program Files\MSXML 4.0
2008-03-16 13:37 . 2008-03-16 13:37 d-------- C:\Program Files\Humminbird
2008-03-10 19:53 . 2008-03-16 10:22 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-10 19:53 . 2008-03-10 19:53 d-------- C:\Documents and Settings\Matt\Application Data\SUPERAntiSpyware.com
2008-03-10 19:53 . 2008-03-10 19:53 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-10 19:52 . 2008-03-10 19:52 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-10 19:50 . 2008-03-10 19:50 d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-21 17:12 --------- d-----w C:\Documents and Settings\Matt\Application Data\Skype
2008-03-21 13:03 --------- d-----w C:\Documents and Settings\Matt\Application Data\skypePM
2008-03-21 08:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2008-03-21 05:07 --------- d-----w C:\Program Files\Weather Pulse
2008-03-07 09:40 --------- d-----w C:\Program Files\MSN Messenger
2008-01-03 22:31 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2005-03-16 23:41 278,528 ----a-w C:\Documents and Settings\Matt\Application Data\tizupd.bin
2003-09-08 07:15 126,740 ------w C:\Program Files\SBC Self Support Tool
.

((((((((((((((((((((((((((((( snapshot@2008-03-12_13.54.42.72 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-18 08:04:10 32,768 ----a-r C:\WINDOWS\Installer\{C04E32E0-0416-434D-AFB9-6969D703A9EF}\icon.exe
- 2008-02-04 23:09:46 18,214,008 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-03-05 16:30:54 19,148,408 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-05-08 20:03:04 1,275,392 ----a-w C:\WINDOWS\system32\msxml4.dll
+ 2003-04-18 21:29:26 82,432 ----a-w C:\WINDOWS\system32\msxml4r.dll
+ 2002-09-21 05:33:28 1,089,536 ----a-w C:\WINDOWS\system32\ROBOEX32.DLL
+ 2008-03-16 18:37:41 1,233,920 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d\msxml4.dll
+ 2007-05-08 20:06:44 1,275,392 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9848.0_x-ww_1b897e9a\msxml4.dll
+ 2008-03-16 18:37:42 82,432 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\msxml4r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 15:08 67160]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-10-26 22:21 4662776]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 16:08 21686568]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 17:19 129536]
"IPInSightLAN 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 02:52 380928]
"IPInSightMonitor 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 02:52 122880]
"WinampAgent"="D:\applications\Winamp\winampa.exe" [2003-12-12 19:50 33792]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 01:35 579072]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"IPInSightMonitor 01"="C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 14:30 98304]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-07-21 11:43 407032]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-03 10:02 180269]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 03:52 36975]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
C:\Program Files\Ares\Ares.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
C:\Program Files\BearShare\BearShare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-06-03 03:52 36975 C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-04-03 10:02 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster]
C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 17:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather Pulse]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Downloaded Programs\\mIRC\\mirc.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= C:\\Program Files\\Yahoo!\\Messenger\\yserver.exe
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"D:\\Matt's Music\\Morpheus\\Shareaza\\Shareaza.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1755:TCP"= 1755:TCP:for launch

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-21 12:39:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-21 12:42:51
ComboFix-quarantined-files.txt 2008-03-21 17:42:43
ComboFix2.txt 2008-03-12 18:55:21
.
2008-03-18 08:04:18 --- E O F ---
 

Registered · 14 Posts · Discussion Starter · #7
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, March 21, 2008 3:50:51 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/03/2008
Kaspersky Anti-Virus database records: 652047
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 33259
Number of viruses found: 6
Number of infected objects: 14
Number of suspicious objects: 0
Duration of the scan process: 01:40:54

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AVG7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Matt\Application Data\Aim\glrfmjmy\raptorwatcher78\cert8.db Object is locked skipped
C:\Documents and Settings\Matt\Application Data\Aim\glrfmjmy\raptorwatcher78\key3.db Object is locked skipped
C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\kl0asluo.default\cert8.db Object is locked skipped
C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\kl0asluo.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\kl0asluo.default\history.dat Object is locked skipped
C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\kl0asluo.default\key3.db Object is locked skipped
C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\kl0asluo.default\parent.lock Object is locked skipped
C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\kl0asluo.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\kl0asluo.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Matt\Application Data\Skype\ninrugger\call256.dbb Object is locked skipped
C:\Documents and Settings\Matt\Application Data\Skype\ninrugger\callmember256.dbb Object is locked skipped
C:\Documents and Settings\Matt\Application Data\Skype\ninrugger\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\Matt\Application Data\Skype\ninrugger\dyncontent\bundle.dat Object is locked skipped
C:\Documents and Settings\Matt\Application Data\Skype\ninrugger\index2.dat Object is locked skipped
C:\Documents and Settings\Matt\Application Data\Skype\ninrugger\profile256.dbb Object is locked skipped
C:\Documents and Settings\Matt\Application Data\Skype\ninrugger\user1024.dbb Object is locked skipped
C:\Documents and Settings\Matt\Application Data\Skype\ninrugger\user4096.dbb Object is locked skipped
C:\Documents and Settings\Matt\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-3-16-2008( 10-22-52 ).LOG Object is locked skipped
C:\Documents and Settings\Matt\Application Data\tizupd.bin Infected: not-a-virus:AdWare.Win32.PurityScan.bs skipped
C:\Documents and Settings\Matt\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_B678_ED37_78EC_F751\dfsr.db Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_B678_ED37_78EC_F751\fsr.log Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_B678_ED37_78EC_F751\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_B678_ED37_78EC_F751\tmp.edb Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\real\members.stg Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\kl0asluo.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\kl0asluo.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\kl0asluo.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\kl0asluo.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\History\History.IE5\MSHist012008032120080322\index.dat Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Temp\~DF12B0.tmp Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Temp\~DFCC0E.tmp Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Temp\~DFCC55.tmp Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Matt\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Matt\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\MSN Messenger\riched20.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\f3PSSavr.scr.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hgggfgg.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vtuttus.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{61C1E650-9B2B-470F-BD04-D84EA846B993}\RP493\A0028026.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{61C1E650-9B2B-470F-BD04-D84EA846B993}\RP497\A0030140.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{61C1E650-9B2B-470F-BD04-D84EA846B993}\RP497\A0030142.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{61C1E650-9B2B-470F-BD04-D84EA846B993}\RP497\A0030146.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{61C1E650-9B2B-470F-BD04-D84EA846B993}\RP508\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Downloaded Programs\BSINSTALL.exe/WISE0024.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
D:\Downloaded Programs\BSINSTALL.exe WiseSFX: infected - 1 skipped
D:\Downloaded Programs\BSINSTALL.exe WiseSFXDropper: infected - 1 skipped
D:\Downloaded Programs\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
D:\Downloaded Programs\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{61C1E650-9B2B-470F-BD04-D84EA846B993}\RP508\change.log Object is locked skipped

Scan process completed.
 

Retired Moderator · 72,109 Posts
Your Java is out of date. Use Secunia software inspector & update checker and remove all old versions from add/remove programs.

Open Notepad and copy and paste the text in the quote box below into it:
KILLALL::

File::
C:\Documents and Settings\Matt\Application Data\tizupd.bin
C:\Program Files\MSN Messenger\riched20.dll
D:\Downloaded Programs\BSINSTALL.exe
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.



This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

Click Exit on the Main menu to close the program.

Download (save and select your desktop to save it to) SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive and all other fixed drives.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply with a new hijackthis log.
  • Click Close to exit the program.

Please perform a scan with Kaspersky Webscan Online Virus Scanner

1. Read the Requirements and Privacy statement, then select "Accept".
2. A new window will appear prompting you to install an ActiveX component from Kaspersky - "Do you want to install this software?".
3. Click "Yes" or select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. When the download is complete it will say ready, click "Next".
5. Click "Scan Settings" and check the option to use the Extended Database (if available, otherwise Standard).
6. Click "Scan Options" and select both "Scan Archives" and "Scan Mail Bases".
7. Click "OK".
8. Under "Select a target to scan", click on "My Computer".
9. When the scan is complete choose to save the results as "Save as Text" named kaspersky.txt to your desktop and post them in your next reply.

Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for Free Online Virus Scanner. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version. To do this, follow the steps here and reboot afterwards if your system does not reboot automatically or it will show 'Kaspersky Online Scanner license key was not found!'
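As an added illustration of how a helper reads a log of this kind (this script is not part of the thread and is not code from Kaspersky, ComboFix or SUPERAntiSpyware): a small Python triage routine that sorts Kaspersky Online Scanner result lines into detections on the live file system versus objects that are only inside an installer archive, already in a quarantine folder, or sitting in an old System Restore point. That is the distinction that decides whether another fix script is needed or whether purging restore points is enough. The sample lines are constructed from the line shapes seen in the logs in this thread; the regular expressions, the folder rules and the "not-a-virus:" riskware flag are my assumptions about the report format, not a documented specification.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Result-line shapes observed in the scanner report (assumed, not a vendor spec):
#   <path> Infected: <detection name> skipped
#   <path> Object is locked skipped
#   <path> <packer>: infected - <n> skipped        (summary row for an archive)
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<packer>\S+): infected - (?P<count>\d+) skipped$")


@dataclass
class Finding:
    path: str
    detection: str
    location: str   # "active", "archive", "quarantine" or "restore_point"
    riskware: bool  # True for "not-a-virus:" names (adware, IRC clients, admin tools)


def classify_path(path: str) -> str:
    """Where on disk the detected object sits; only 'active' needs removal work."""
    p = path.lower()
    if "\\quarantine\\" in p:
        return "quarantine"      # already isolated by ComboFix or a similar tool
    if "\\system volume information\\_restore" in p:
        return "restore_point"   # old System Restore point; cleared by purging restore points
    return "active"


def parse_line(line: str) -> Optional[Finding]:
    """Turn one report line into a Finding, or None for noise (locked files, headers)."""
    line = line.strip()
    if not line or LOCKED_RE.match(line) or CONTAINER_RE.match(line):
        return None
    m = INFECTED_RE.match(line)
    if not m:
        return None
    path, name = m.group("path"), m.group("name")
    # "outer.exe/member" means the detection is a file packed inside an installer or archive.
    outer, inside_archive, _ = path.partition("/")
    location = classify_path(outer)
    if inside_archive and location == "active":
        location = "archive"
    return Finding(path, name, location, name.startswith("not-a-virus:"))


def triage(report: str) -> Dict[str, List[Finding]]:
    """Group every detection by location so the active ones stand out."""
    groups: Dict[str, List[Finding]] = {
        "active": [], "archive": [], "quarantine": [], "restore_point": []
    }
    for line in report.splitlines():
        f = parse_line(line)
        if f:
            groups[f.location].append(f)
    return groups


# Constructed sample, modelled on the line shapes in the thread's Kaspersky logs.
SAMPLE_REPORT = r"""
Infected Object Name Virus Name Last Action
C:\Documents and Settings\Matt\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Matt\Application Data\tizupd.bin Infected: not-a-virus:AdWare.Win32.PurityScan.bs skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hgggfgg.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{61C1E650-9B2B-470F-BD04-D84EA846B993}\RP493\A0028026.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
D:\Downloaded Programs\BSINSTALL.exe/WISE0024.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
D:\Downloaded Programs\BSINSTALL.exe WiseSFX: infected - 1 skipped
D:\Downloaded Programs\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
"""

if __name__ == "__main__":
    for location, findings in triage(SAMPLE_REPORT).items():
        print(f"{location}: {len(findings)}")
        for f in findings:
            tag = "riskware" if f.riskware else "malware"
            print(f"  [{tag}] {f.detection}  {f.path}")
```

Only the "active" group is worth a new fix script; quarantine and restore-point hits disappear when the quarantine folder is deleted and System Restore is flushed, and an "archive" hit points at an installer that can simply be deleted from the download folder. The "Object is locked" rows are registry hives, event logs and browser databases the scanner could not open, not detections.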
 

Registered · 14 Posts · Discussion Starter · #9
ComboFix 08-03-22.1 - Matt 2008-03-22 20:24:38.3 - NTFSx86

Running from: C:\Documents and Settings\Matt\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Matt\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Matt\Application Data\tizupd.bin
C:\Program Files\MSN Messenger\riched20.dll"
D:\Downloaded Programs\BSINSTALL.exe
.
TimedOut: Windir.dat
TimedOut: progfile.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Matt\Application Data\tizupd.bin
C:\Program Files\MSN Messenger\riched20.dll
D:\Downloaded Programs\BSINSTALL.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-23 to 2008-03-23 )))))))))))))))))))))))))))))))
.

2008-03-22 11:00 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-22 10:57 . 2008-03-22 10:57 d-------- C:\Program Files\Common Files\Java
2008-03-22 08:07 . 2008-03-22 08:07 d-------- C:\Program Files\Common Files\xing shared
2008-03-21 21:29 . 2008-03-21 21:29 d-------- C:\Documents and Settings\Matt\Application Data\acccore
2008-03-21 21:28 . 2008-03-21 21:30 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-03-21 21:26 . 2008-03-21 21:29 d-------- C:\Program Files\AIM6
2008-03-21 21:26 . 2008-03-21 21:29 445 --ah----- C:\IPH.PH
2008-03-21 13:03 . 2008-03-21 13:03 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-18 03:04 . 2008-03-18 03:04 d-------- C:\Program Files\MSXML 4.0
2008-03-16 13:37 . 2008-03-16 13:37 d-------- C:\Program Files\Humminbird
2008-03-10 19:53 . 2008-03-16 10:22 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-10 19:53 . 2008-03-10 19:53 d-------- C:\Documents and Settings\Matt\Application Data\SUPERAntiSpyware.com
2008-03-10 19:53 . 2008-03-10 19:53 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-10 19:52 . 2008-03-10 19:52 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-10 19:50 . 2008-03-10 19:50 d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-23 01:24 --------- d-----w C:\Program Files\MSN Messenger
2008-03-22 16:00 --------- d-----w C:\Program Files\Java
2008-03-22 13:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2008-03-22 13:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-22 13:06 --------- d-----w C:\Program Files\Common Files\Real
2008-03-22 12:50 --------- d-----w C:\Program Files\QuickTime
2008-03-22 12:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-22 12:44 --------- d-----w C:\Program Files\Skype
2008-03-22 12:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-03-22 05:07 --------- d-----w C:\Program Files\Weather Pulse
2008-03-22 05:03 --------- d-----w C:\Documents and Settings\Matt\Application Data\skypePM
2008-03-22 02:34 --------- d-----w C:\Documents and Settings\Matt\Application Data\Aim
2008-03-22 02:28 --------- d-----w C:\Program Files\Viewpoint
2008-03-22 02:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-22 02:27 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-03 22:31 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2003-09-08 07:15 126,740 ------w C:\Program Files\SBC Self Support Tool
.

((((((((((((((((((((((((((((( [email protected]_13.54.42.72 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-01-24 01:41:42 841,304 ----a-w C:\WINDOWS\Downloaded Program Files\ampAx3.0.84.2.dll
+ 2008-03-22 02:28:08 38,428 ----a-w C:\WINDOWS\Downloaded Program Files\unagiuninst.exe
+ 2008-03-18 08:04:10 32,768 ----a-r C:\WINDOWS\Installer\{C04E32E0-0416-434D-AFB9-6969D703A9EF}\icon.exe
- 2005-06-03 07:24:06 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-02-22 06:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2005-06-03 07:24:14 49,250 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 06:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2005-06-03 08:52:56 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-02-22 07:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-11-21 00:52:38 2,884,992 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
+ 2007-11-21 00:52:40 218,496 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-03-22 13:34:47 70,264 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
- 2008-02-04 23:09:46 18,214,008 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-03-05 16:30:54 19,148,408 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-05-08 20:03:04 1,275,392 ----a-w C:\WINDOWS\system32\msxml4.dll
+ 2003-04-18 21:29:26 82,432 ----a-w C:\WINDOWS\system32\msxml4r.dll
- 2006-04-03 15:03:06 278,528 ----a-w C:\WINDOWS\system32\pncrt.dll
+ 2008-03-22 13:04:17 278,528 ----a-w C:\WINDOWS\system32\pncrt.dll
- 2006-04-03 15:03:28 6,656 ----a-w C:\WINDOWS\system32\pndx5016.dll
+ 2008-03-22 13:04:30 6,656 ----a-w C:\WINDOWS\system32\pndx5016.dll
- 2006-04-03 15:03:28 5,632 ----a-w C:\WINDOWS\system32\pndx5032.dll
+ 2008-03-22 13:04:30 5,632 ----a-w C:\WINDOWS\system32\pndx5032.dll
- 2006-04-03 15:05:00 176,167 ----a-w C:\WINDOWS\system32\rmoc3260.dll
+ 2008-03-22 13:05:39 185,944 ----a-w C:\WINDOWS\system32\rmoc3260.dll
+ 2002-09-21 05:33:28 1,089,536 ----a-w C:\WINDOWS\system32\ROBOEX32.DLL
+ 2008-03-16 18:37:41 1,233,920 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d\msxml4.dll
+ 2007-05-08 20:06:44 1,275,392 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9848.0_x-ww_1b897e9a\msxml4.dll
+ 2008-03-16 18:37:42 82,432 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\msxml4r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-06 15:50 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 17:19 129536]
"IPInSightLAN 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 02:52 380928]
"IPInSightMonitor 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 02:52 122880]
"WinampAgent"="D:\applications\Winamp\winampa.exe" [2003-12-12 19:50 33792]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 01:35 579072]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"IPInSightMonitor 01"="C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 14:30 98304]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-07-21 11:43 407032]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-22 08:03 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
C:\Program Files\Ares\Ares.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
C:\Program Files\BearShare\BearShare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-22 08:03 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster]
C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 17:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather Pulse]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Downloaded Programs\\mIRC\\mirc.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= C:\\Program Files\\Yahoo!\\Messenger\\yserver.exe
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"D:\\Matt's Music\\Morpheus\\Shareaza\\Shareaza.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1755:TCP"= 1755:TCP:for launch

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-22 20:31:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2008-03-22 20:42:28 - machine was rebooted [Matt]
ComboFix-quarantined-files.txt 2008-03-23 01:42:21
ComboFix2.txt 2008-03-21 17:42:52
ComboFix3.txt 2008-03-12 18:55:21
.
2008-03-18 08:04:18 --- E O F ---
 

Registered · 14 Posts · Discussion Starter · #10
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/22/2008 at 10:04 PM

Application Version : 4.0.1154

Core Rules Database Version : 3423
Trace Rules Database Version: 1415

Scan type : Complete Scan
Total Scan Time : 01:13:24

Memory items scanned : 385
Memory threats detected : 0
Registry items scanned : 4283
Registry threats detected : 0
File items scanned : 33312
File threats detected : 1

Trojan.FakeAlert-Gen/Variant
D:\APPLICATIONS\WINAMP\PLUGINS\GEN_TRAY.DLL
 

Registered · 14 Posts · Discussion Starter · #11
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 23, 2008 3:44:40 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/03/2008
Kaspersky Anti-Virus database records: 655233
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
Scan Statistics
Total number of scanned objects 34238
Number of viruses found 6
Number of infected objects 18
Number of suspicious objects 0
Duration of the scan process 02:15:40

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\AVG7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Matt\Application Data\acccore\nss\cert8.db Object is locked skipped
C:\Documents and Settings\Matt\Application Data\acccore\nss\key3.db Object is locked skipped
C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\kl0asluo.default\cert8.db Object is locked skipped
C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\kl0asluo.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\kl0asluo.default\history.dat Object is locked skipped
C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\kl0asluo.default\key3.db Object is locked skipped
C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\kl0asluo.default\parent.lock Object is locked skipped
C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\kl0asluo.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\kl0asluo.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Matt\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-3-23-2008( 8-33-37 ).LOG Object is locked skipped
C:\Documents and Settings\Matt\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\AOL OCP\AIM\Storage\data\raptorwatcher78\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_B678_ED37_78EC_F751\dfsr.db Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_B678_ED37_78EC_F751\fsr.log Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_B678_ED37_78EC_F751\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_B678_ED37_78EC_F751\tmp.edb Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\real\members.stg Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\kl0asluo.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\kl0asluo.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\kl0asluo.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\kl0asluo.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\History\History.IE5\MSHist012008032320080324\index.dat Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Temp\Perflib_Perfdata_444.dat Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Temp\~DF2E9C.tmp Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Temp\~DF2EB0.tmp Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Temp\~DF573A.tmp Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Temp\~DF5762.tmp Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Temp\~DF6009.tmp Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Matt\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Matt\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\billing_Matt.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\client_Matt.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\network_Matt.log Object is locked skipped
C:\QooBox\Quarantine\C\Documents and Settings\Matt\Application Data\tizupd.bin.vir Infected: not-a-virus:AdWare.Win32.PurityScan.bs skipped
C:\QooBox\Quarantine\C\Program Files\MSN Messenger\riched20.dll.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\f3PSSavr.scr.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hgggfgg.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vtuttus.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{61C1E650-9B2B-470F-BD04-D84EA846B993}\RP493\A0028026.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{61C1E650-9B2B-470F-BD04-D84EA846B993}\RP497\A0030140.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{61C1E650-9B2B-470F-BD04-D84EA846B993}\RP497\A0030142.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{61C1E650-9B2B-470F-BD04-D84EA846B993}\RP497\A0030146.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{61C1E650-9B2B-470F-BD04-D84EA846B993}\RP512\A0031391.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{61C1E650-9B2B-470F-BD04-D84EA846B993}\RP512\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{9519AD6B-34A5-44CD-8767-5DC8077E2957}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Downloaded Programs\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
D:\Downloaded Programs\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 skipped
D:\Qoobox\Quarantine\D\Downloaded Programs\BSINSTALL.exe.vir/WISE0024.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
D:\Qoobox\Quarantine\D\Downloaded Programs\BSINSTALL.exe.vir WiseSFX: infected - 1 skipped
D:\Qoobox\Quarantine\D\Downloaded Programs\BSINSTALL.exe.vir WiseSFXDropper: infected - 1 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{61C1E650-9B2B-470F-BD04-D84EA846B993}\RP512\A0031392.exe/WISE0024.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
D:\System Volume Information\_restore{61C1E650-9B2B-470F-BD04-D84EA846B993}\RP512\A0031392.exe WiseSFX: infected - 1 skipped
D:\System Volume Information\_restore{61C1E650-9B2B-470F-BD04-D84EA846B993}\RP512\A0031392.exe WiseSFXDropper: infected - 1 skipped
Scan process completed.
 

·
Registered
Joined
·
14 Posts
Discussion Starter · #13 ·
No, I haven't been having any problems since I ran ComboFix, SAS, and HijackThis the first time around... SAS is still finding stuff though when I run it. Is that normal? What's your diagnosis, doc? hehe
 

·
Registered
Joined
·
14 Posts
Discussion Starter · #15 ·
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/25/2008 at 06:15 PM

Application Version : 4.0.1154

Core Rules Database Version : 3424
Trace Rules Database Version: 1416

Scan type : Complete Scan
Total Scan Time : 01:56:38

Memory items scanned : 501
Memory threats detected : 0
Registry items scanned : 4285
Registry threats detected : 0
File items scanned : 34874
File threats detected : 14

Adware.Tracking Cookie
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][3].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt
C:\Documents and Settings\Matt\Cookies\[email protected][2].txt

Trojan.FakeAlert-Gen/Variant
D:\SYSTEM VOLUME INFORMATION\_RESTORE{61C1E650-9B2B-470F-BD04-D84EA846B993}\RP512\A0031469.DLL
 

·
Retired Moderator
Joined
·
72,109 Posts
The items in \system volume information\_restore can be removed by flushing the system restore.

Cookies are harmless, but if you want to control them, open IE, go to Tools, Internet Options, Privacy, Advanced, click in the box "Override automatic cookie handling", under First-party Cookies select Prompt, under Third-party Cookies select Block. When those cookies try to install, click Block.

You should remove all of the tools I requested you to download and/or folders associated with them now. It is pointless to keep these tools around as they are updated so frequently that the tools can be outdated within a few days, sometimes within just hours.

OTMoveIt2 by OldTimer has a CleanUp! option you can use to remove most of the fixes and associated files and folders.
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

It's a good idea to Flush your System Restore after removing malware:
Turn off system restore and then turn it back on: http://support.microsoft.com/kb/310405

Now you should Clean up your PC

After the clean up the only item I think Kaspersky will find is mirc: http://www.liutilities.com/products/wintaskspro/processlibrary/mirc/

You can remove that in add/remove programs.

Here are some additional links for you to check out to help you with your computer security.

How did I get infected in the first place.

Secunia software inspector & update checker

Good free tools and advice on how to tighten your security settings.

Security Help Tools
 