
I have completed all the logs as per your instructions - please help!!


SH99

Hi

My computer has recently been taken over by a load of spyware and I am continually getting pop-ups with "ads served by Dcads" in the subject box along the top. I have read your instructions on what programs I need to run and which logs I need to post on here for you to be able to analyse the problem. I hope you can help!

First the below is the log from the MBAM scan:

Malwarebytes' Anti-Malware 1.02

Database version: 320

Scan type: Full Scan (C:\|)

Objects scanned: 72634

Time elapsed: 36 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 9

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Program Files\MSN Messenger\riched20.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP377\A0090093.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP377\A0090103.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP377\A0091094.exe (Adware.WebHancer) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP377\A0091095.dll (Adware.WebHancer) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP377\A0091096.dll (Adware.WebHancer) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP377\A0091097.exe (Adware.WebHancer) -> Quarantined and deleted successfully.

C:\Documents and Settings\Sonia Hernandez\Application Data\inst.exe (Heuristics.Malware) -> Quarantined and deleted successfully.


  • Root Admin

A few things we need to do first. Can you open Malwarebytes' Anti-Malware. Click on the Quarantine tab. Select this item:

C:\Program Files\MSN Messenger\riched20.dll (Adware.MyWebSearch)

Click Restore. Navigate to that file, zip it up, and send it to marcin [at] malwarebytes [dot] org. Do not delete the file, it appears legit. After you have sent the file, please post a HijackThis log. Instructions can be found pinned in this forum (in the directions you read).


Hi

I have followed the instructions to locate the file, but how do I 'zip it up' to email it to you? Once I have done this I will complete the Hijack log. Do I still need to do the Panda scan? If so, where are the instructions to do this? I tried to do a scan but I'm not sure if it worked properly and didn't really know how to find my way around!

Thanks


  • Root Admin

Hey there,

Right-click the file, and click Send to -> Compressed (zipped) folder. A new file will be created that looks like a nice folder with a zipper on it. Send it to me by opening your e-mail client, creating a new e-mail, selecting attachments and attaching the file with the message. Remember, you have to replace [at] with "@" and [dot] with "." so the message will go through. This is to safeguard against spam.

Then simply post a HijackThis log and we will see where to go from there ;)


I have now sent you the requested file.

Below is the log for the Hijack scan:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:48:07, on 05/02/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Virgin Broadband\PCguard\Fws.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Raxco\PerfectDisk\PDAgent.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\System32\Rundll32.exe

C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe

C:\Program Files\BLUENEXT\BN-WD54G\Installer\WINXP\BCU.exe

C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe

C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: browser optimizer superiorads - {8E015787-B1E3-404a-95DE-3E71E1FA0305} - C:\WINDOWS\system32\spads.dll

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Workflow] D:\Workflow.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"

O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe

O4 - HKLM\..\Run: [delcab] C:\drivers\deltreew.exe C:\cabs

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\spads.dll" DllVerify

O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"

O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"

O4 - HKLM\..\Run: [broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon

O4 - Global Startup: BN-WD54G Wireless Client Utility.lnk = C:\Program Files\BLUENEXT\BN-WD54G\Installer\WINXP\BCU.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZUxdm080YYGB

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe

O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe

O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

--

End of file - 8499 bytes


Hi there and welcome to Malwarebytes. Marcin has asked me to help you with your malware problem.

Let's begin.

Open HJT and run a scan only. Put a check next to these lines and click fix.

O2 - BHO: browser optimizer superiorads - {8E015787-B1E3-404a-95DE-3E71E1FA0305} - C:\WINDOWS\system32\spads.dll

O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\spads.dll" DllVerify

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZUxdm080YYGB

O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe <====== This is a suspect program from what I'm finding. Did you install it?

O4 - HKLM\..\Run: [delcab] C:\drivers\deltreew.exe C:\cabs <======Also this one. What can you tell me?

Please set your system to show all files:

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

1. Download this file :

http://download.bleepingcomputer.com/sUBs/combofix.exe

Or from here:

http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe. It will be a red icon with a white X on your desktop.

Follow the prompts; you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit Enter.

3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt.

Post that log and a HiJack log in your next reply.

Note:

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

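The helper's procedure above picks specific O2/O4/O8 lines out of a HijackThis log and then asks for a fresh log to confirm the fix took. As an added example (not code from this thread or from HijackThis), this Python script parses those line types, flags entries on a short watchlist drawn from the helper's findings (spads.dll, mywebsearch), and checks a follow-up log for anything that survived. The sample logs are constructed excerpts of the two logs posted in this thread; the parser, the watchlist and all function names are my own assumptions.

```python
"""Parse HijackThis finding lines, flag watchlisted entries, and confirm a
follow-up log no longer contains them (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Optional

# A finding line: section code (R0, O2, O4, ...), " - ", free-form body.
HJT_LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
# A Windows path ending in something loadable; paths may contain spaces.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|ocx|lnk)', re.IGNORECASE)
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Indicators the helper in this thread identified as the infection.
INDICATORS = ("spads.dll", "mywebsearch")


@dataclass(frozen=True)
class Entry:
    code: str               # R0, O2, O4, O8, ...
    body: str               # everything after "Oxx - "
    clsid: Optional[str]    # first GUID in the line (BHO/button class id), else None
    target: Optional[str]   # file that is actually loaded or launched, else None


def _target_of(body: str) -> Optional[str]:
    paths = WIN_PATH.findall(body)
    if not paths:
        return None  # e.g. O8 entries that point at a URL only
    # rundll32.exe is just a loader: the DLL it is told to load is the real target.
    if paths[0].lower().endswith("rundll32.exe") and len(paths) > 1:
        return paths[1]
    return paths[0]


def parse_hjt(text: str) -> list:
    """Return an Entry per finding line; headers and process lists are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        cm = CLSID.search(body)
        entries.append(Entry(m.group("code"), body, cm.group(0) if cm else None, _target_of(body)))
    return entries


def flag(entries, indicators=INDICATORS) -> list:
    """Entries whose body contains any watchlist substring (case-insensitive)."""
    low = [i.lower() for i in indicators]
    return [e for e in entries if any(i in e.body.lower() for i in low)]


def diff_logs(before: str, after: str):
    """(removed, added) finding lines between two logs of the same machine."""
    b = {e.body for e in parse_hjt(before)}
    a = {e.body for e in parse_hjt(after)}
    return sorted(b - a), sorted(a - b)


def unresolved(before: str, after: str, indicators=INDICATORS) -> list:
    """Flagged entries from the first log that are still present in the second."""
    after_bodies = {e.body for e in parse_hjt(after)}
    return [e for e in flag(parse_hjt(before), indicators) if e.body in after_bodies]


# Constructed excerpts of the two logs posted in this thread (before and after the fix).
BEFORE = r'''
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: browser optimizer superiorads - {8E015787-B1E3-404a-95DE-3E71E1FA0305} - C:\WINDOWS\system32\spads.dll
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\spads.dll" DllVerify
O4 - HKLM\..\Run: [delcab] C:\drivers\deltreew.exe C:\cabs
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZUxdm080YYGB
'''

AFTER = r'''
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [delcab] C:\drivers\deltreew.exe C:\cabs
'''

if __name__ == "__main__":
    for e in flag(parse_hjt(BEFORE)):
        print(f"FLAG {e.code}: target={e.target} clsid={e.clsid}")
    removed, added = diff_logs(BEFORE, AFTER)
    print(f"removed={len(removed)} added={len(added)} unresolved={len(unresolved(BEFORE, AFTER))}")
```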

Thank you for your help!

In answer to your questions about knowing what those files are, we have no idea! Should I run the HJT scan again and fix those too?

ComboFix 08-02.05.3 - Sonia Hernandez 2008-02-06 23:00:50.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.49 [GMT 0:00]

Running from: C:\Documents and Settings\Sonia Hernandez\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))

.

2008-02-06 22:31 . 2008-02-06 22:31 <DIR> d-------- C:\WINDOWS\LastGood

2008-02-06 13:19 . 2008-02-06 22:30 <DIR> d-------- C:\Program Files\Google

2008-02-05 23:46 . 2008-02-05 23:46 <DIR> d-------- C:\Program Files\Trend Micro

2008-02-05 22:24 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS

2008-02-05 22:21 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\iyfhwfihjwcs.sys

2008-02-05 20:29 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\qplqgbsygiis.sys

2008-02-05 19:51 . 2008-02-05 23:18 <DIR> d-------- C:\WINDOWS\system32\ActiveScan

2008-02-05 19:51 . 2008-02-05 22:10 30,590 --a------ C:\WINDOWS\system32\pavas.ico

2008-02-05 19:51 . 2008-02-05 22:10 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico

2008-02-05 19:51 . 2008-02-05 22:10 1,406 --a------ C:\WINDOWS\system32\Help.ico

2008-02-05 19:07 . 2008-02-05 19:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-02-05 19:07 . 2008-02-05 19:07 <DIR> d-------- C:\Documents and Settings\Sonia Hernandez\Application Data\Malwarebytes

2008-02-05 19:07 . 2008-02-05 19:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-02-05 18:05 . 2008-02-05 22:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy

2008-02-05 08:38 . 2008-02-05 08:38 <DIR> d-------- C:\Program Files\Enigma Software Group

2008-02-04 21:47 . 2008-02-04 21:47 <DIR> d-------- C:\Documents and Settings\Sonia Hernandez\Application Data\TrojanHunter

2008-02-04 20:54 . 2008-02-05 18:01 <DIR> d-------- C:\Program Files\TrojanHunter 5.0

2008-02-04 10:31 . 2007-03-06 13:24 55,296 --a------ C:\WINDOWS\system32\drivers\rp_skt32.sys

2008-02-04 10:28 . 2008-02-04 10:28 <DIR> d-------- C:\Program Files\Common Files\Authentium

2008-02-04 10:28 . 2007-04-19 11:36 48,384 --a------ C:\WINDOWS\system32\drivers\rp_pkt32.sys

2008-02-04 10:27 . 2008-02-04 10:27 <DIR> d-------- C:\Program Files\Raxco

2008-02-04 10:27 . 2008-02-04 10:27 <DIR> d-------- C:\Program Files\Common Files\Scanner

2008-02-04 10:27 . 2008-02-04 10:27 <DIR> d-------- C:\Program Files\CA

2008-02-04 10:27 . 2008-02-04 10:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Raxco

2008-02-03 22:43 . 2008-02-03 22:43 40,731 --a------ C:\WINDOWS\system32\superiorads-uninst.exe

2008-02-03 18:53 . 2008-02-03 18:53 <DIR> d-------- C:\Program Files\QuickTime

2008-01-29 23:34 . 2008-01-29 23:34 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2008-01-29 23:34 . 2008-01-29 23:34 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_ggsemc_01005.Wdf

2008-01-29 23:18 . 2008-01-29 23:17 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll

2008-01-29 23:18 . 2008-01-29 23:17 20,520 --a------ C:\WINDOWS\system32\drivers\ggsemc.sys

2008-01-29 23:18 . 2008-01-29 23:17 13,352 --a------ C:\WINDOWS\system32\drivers\ggflt.sys

2008-01-29 22:50 . 2008-01-29 23:13 <DIR> d-------- C:\Program Files\Sony Ericsson

2008-01-29 22:50 . 2008-01-29 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson

2008-01-23 23:09 . 2008-01-04 21:58 129,784 --------- C:\WINDOWS\system32\pxafs.dll

2008-01-23 23:09 . 2008-01-04 21:58 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe

2008-01-23 23:09 . 2008-01-04 21:58 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe

2008-01-23 23:09 . 2008-01-04 21:58 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys

2008-01-23 23:09 . 2008-01-04 21:58 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys

2008-01-23 18:27 . 2008-01-24 17:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vsosdk

2008-01-22 20:48 . 2008-01-22 20:48 <DIR> d-------- C:\Program Files\VSO

2008-01-22 20:48 . 2008-01-31 17:56 <DIR> d-------- C:\Documents and Settings\Sonia Hernandez\Application Data\Vso

2008-01-22 20:48 . 2006-09-29 11:24 217,127 --a------ C:\WINDOWS\system32\drv43260.dll

2008-01-22 20:48 . 2006-09-29 11:25 208,935 --a------ C:\WINDOWS\system32\drv33260.dll

2008-01-22 20:48 . 2006-09-29 11:26 176,165 --a------ C:\WINDOWS\system32\drv23260.dll

2008-01-22 20:48 . 2008-01-22 20:48 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys

2008-01-22 20:48 . 2008-01-22 20:48 47,360 --a------ C:\Documents and Settings\Sonia Hernandez\Application Data\pcouffin.sys

2008-01-18 19:30 . 2008-01-18 19:30 <DIR> d-------- C:\Documents and Settings\Sonia Hernandez\Application Data\InstallShield

2008-01-17 22:58 . 2008-01-23 23:12 69 --a------ C:\WINDOWS\NeroDigital.ini

2008-01-17 17:16 . 2008-01-17 17:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LightScribe

2008-01-17 17:15 . 2008-02-05 22:49 <DIR> d-------- C:\Program Files\Common Files\LightScribe

2008-01-17 17:12 . 2008-01-18 09:38 <DIR> d-------- C:\Documents and Settings\Sonia Hernandez\Application Data\Ahead

2008-01-17 17:08 . 2008-01-24 00:17 <DIR> d-------- C:\Program Files\Common Files\Ahead

2008-01-13 17:48 . 2008-01-13 18:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-01-13 17:39 . 2008-02-04 10:34 <DIR> d-------- C:\Documents and Settings\Sonia Hernandez\Application Data\uTorrent

2008-01-13 16:26 . 2008-01-13 16:26 <DIR> d-------- C:\Documents and Settings\Sonia Hernandez\Application Data\TomTom

2008-01-08 16:03 . 2008-02-05 22:51 <DIR> d-------- C:\Program Files\iTunes

2008-01-08 15:53 . 2008-01-08 15:53 <DIR> d-------- C:\Program Files\Common Files\Apple

2008-01-08 01:16 . 2008-01-08 01:16 630,784 --a------ C:\WINDOWS\system32\divxdec.ax

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-02-06 13:32 --------- d-----w C:\Program Files\Common Files\Adobe

2008-02-05 23:41 --------- d-----w C:\Program Files\MSN Messenger

2008-02-05 19:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-02-05 16:38 --------- d-----w C:\Program Files\Virgin Broadband

2008-02-04 10:33 --------- d-----w C:\Documents and Settings\Sonia Hernandez\Application Data\Virgin Broadband

2008-02-04 10:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Virgin Broadband

2008-02-04 10:17 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-01-23 23:09 --------- d-----w C:\Program Files\DivX

2008-01-22 22:29 --------- d-----w C:\Program Files\Lavasoft

2008-01-18 20:19 --------- d-----w C:\Program Files\Java

2008-01-18 20:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint

2008-01-13 17:27 --------- d-----w C:\Documents and Settings\Sonia Hernandez\Application Data\Lavasoft

2008-01-10 22:42 --------- d-----w C:\Documents and Settings\Sonia Hernandez\Application Data\LimeWire

2008-01-08 16:04 --------- d-----w C:\Program Files\iPod

2008-01-05 15:14 94,688 -c--a-w C:\Documents and Settings\Sonia Hernandez\Application Data\GDIPFONTCACHEV1.DAT

2007-12-31 12:23 --------- d-----w C:\Program Files\Apple Software Update

2007-12-31 12:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple

2007-12-27 22:23 --------- d-----w C:\Documents and Settings\Sonia Hernandez\Application Data\DivX

2007-12-23 16:26 20,747 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys

2007-12-23 16:26 --------- d-----w C:\Program Files\BLUENEXT

2007-12-23 16:25 --------- d-----w C:\Program Files\Common Files\InstallShield

2004-10-01 04:27 326 -c-h--w C:\Documents and Settings\All Users\Application Data\mssaru.dat

2004-09-27 17:16 140 -c-ha-w C:\Documents and Settings\Sonia Hernandez\Application Data\ptads.bin

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:56 15360]

"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 13:26 484904]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]

"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2007-10-18 15:42 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-09-21 18:06 151597]

"Workflow"="D:\Workflow.exe" [ ]

"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-05 18:34 188416]

"VCSPlayer"="C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe" [2002-06-07 11:34 299008]

"CleanEasyImg"="c:\apps\easydvd\cleanall.exe" [ ]

"delcab"="C:\drivers\deltreew.exe" [ ]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-03 18:53 385024]

"PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-09-05 14:10 310000]

"-FreedomNeedsReboot"="C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [2007-09-05 14:10 13552]

"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-08-07 18:49 2061552]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

BN-WD54G Wireless Client Utility.lnk - C:\Program Files\BLUENEXT\BN-WD54G\Installer\WINXP\BCU.exe [2007-12-23 16:26:17 593920]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

R1 vcsmpdrv;vcsmpdrv;C:\WINDOWS\system32\DRIVERS\vcsmpdrv.sys [2002-06-07 11:38]

R2 VCSSecS;Virtual CD v4 Security service (SDK - Version);C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe [2002-05-16 11:17]

S2 Ca533av;USB PC Camera;C:\WINDOWS\system32\Drivers\Ca533av.sys []

S3 CA500AI;SPCA500A Still Image Capture, Sunplus Version 1.00;C:\WINDOWS\system32\Drivers\BULKUSB.sys []

S3 CA500AV;Digital Video Camera(Video);C:\WINDOWS\system32\DRIVERS\CA500AV.SYS []

S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-01-29 23:17]

S3 MR97310_VGA_DUAL_CAMERA;Digital Camera;C:\WINDOWS\system32\DRIVERS\mr97310v.sys []

S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe [2004-08-04 04:56]

S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe [2004-08-04 04:56]

S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe [2004-08-04 04:56]

S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe [2004-08-04 04:56]

S3 Radialpoint Security Services;Virgin Broadband PCguard;C:\WINDOWS\system32\dllhost.exe [2004-08-04 04:56]

S3 USBCamera;Bulk USB Device;C:\WINDOWS\system32\Drivers\Bulk533.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42a184c0-2abd-11d9-a907-806d6172696f}]

\Shell\AutoRun\command - E:\RunGame.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"

.

Contents of the 'Scheduled Tasks' folder

"2008-01-04 12:58:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2003-12-25 17:28:17 C:\WINDOWS\Tasks\Registration reminder 2.job"

- C:\WINDOWS\System32\OOBE\oobebaln.exe

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-02-06 23:05:32

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-02-06 23:08:40

ComboFix-quarantined-files.txt 2008-02-06 23:08:35

ComboFix2.txt 2008-01-15 19:48:21

.

2008-01-10 08:54:01 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:13:10, on 06/02/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Virgin Broadband\PCguard\Fws.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Raxco\PerfectDisk\PDAgent.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe

C:\Program Files\BLUENEXT\BN-WD54G\Installer\WINXP\BCU.exe

C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Workflow] D:\Workflow.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"

O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe

O4 - HKLM\..\Run: [delcab] C:\drivers\deltreew.exe C:\cabs

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"

O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"

O4 - HKLM\..\Run: [broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon

O4 - Global Startup: BN-WD54G Wireless Client Utility.lnk = C:\Program Files\BLUENEXT\BN-WD54G\Installer\WINXP\BCU.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe

O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe

O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

--

End of file - 8330 bytes


Hi Sonja, are you sure you posted all of the log from ComboFix?

Yes, let's get these, I'm sure they are not good.

O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe

O4 - HKLM\..\Run: [delcab] C:\drivers\deltreew.exe C:\cabs

I also see a folder for Spyhunter from Enigma (C:\Program Files\Enigma Software Group), but no indication of it being installed. It is my opinion that this is a garbage program and should be completely scoured from your system. You have the Panda scan installed, so let's get a log from that please. http://www.malwarebytes.org/forums/index.php?showtopic=2306 This is a detailed set of instructions and a link to the scan page. Post the Panda log and a new HJT after that please.

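The two O4 entries picked out above, the "(file missing)" Symantec service in the HJT log, and the pair of identically sized, identically timestamped drivers that turn up later in the ComboFix "Files Created" list are all things a helper spots by eye. As an added example (not part of this thread and not code from HijackThis, ComboFix or Malwarebytes), here is a small Python triage script that applies those same checks mechanically. The sample lines are copied from the logs posted in the thread; the list of "trusted" install roots and the random-name heuristic are my own assumptions, not rules the tools use.

```python
import re
from collections import defaultdict

# Constructed sample input: a handful of lines copied from the HijackThis
# and ComboFix logs posted in this thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
O4 - HKLM\..\Run: [delcab] C:\drivers\deltreew.exe C:\cabs
O4 - HKLM\..\Run: [Workflow] D:\Workflow.exe
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
"""

COMBOFIX_SAMPLE = r"""
2008-02-05 22:24 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-05 22:21 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\iyfhwfihjwcs.sys
2008-02-05 20:29 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\qplqgbsygiis.sys
2008-01-29 23:18 . 2008-01-29 23:17 20,520 --a------ C:\WINDOWS\system32\drivers\ggsemc.sys
2008-02-03 22:43 . 2008-02-03 22:43 40,731 --a------ C:\WINDOWS\system32\superiorads-uninst.exe
"""

# Assumption (mine, not from the thread): autostart binaries are expected
# under these roots; anything launched from elsewhere gets a closer look.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Note: a service *name* that itself contains " - " would confuse this split.
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
CF_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)
VOWELS = set("aeiou")


def _exe_path(cmd):
    """Pull the executable out of a Run value: quoted path, or first token."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def _normalize(path):
    """Lower-case and expand the 8.3 short name HJT prints for Program Files."""
    return path.lower().replace("progra~1", "program files")


def looks_random(stem):
    """Heuristic for dropper-generated names: a long, all-letter stem with
    few vowels or a long consonant run (both drivers targeted in the thread fit)."""
    s = stem.lower()
    if len(s) < 10 or not s.isalpha():
        return False
    vowel_ratio = sum(c in VOWELS for c in s) / len(s)
    longest_consonant_run = max(len(run) for run in re.split(r"[aeiou]", s))
    return vowel_ratio < 0.25 or longest_consonant_run >= 5


def triage_hjt(text):
    """Return (entry, reason) pairs for O4/O23 lines that deserve a second look."""
    findings = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = _normalize(_exe_path(m.group("cmd")))
            if not exe.startswith(TRUSTED_ROOTS):
                findings.append((m.group("name"), "autostart outside Program Files/Windows: " + exe))
            continue
        m = O23_RE.match(line)
        if m:
            if "(file missing)" in m.group("path"):
                findings.append((m.group("svc"), "service binary missing on disk"))
            elif m.group("owner") == "Unknown owner":
                findings.append((m.group("svc"), "service with no recorded vendor"))
    return findings


def triage_combofix(text):
    """Flag new drivers with random-looking names, plus 'twins': distinct files
    sharing an identical modified timestamp and byte size, which usually means
    one dropper wrote both."""
    findings = []
    twins = defaultdict(list)
    for line in text.splitlines():
        m = CF_RE.match(line)
        if not m or m.group("size") == "<DIR>":
            continue
        path = m.group("path")
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if "\\drivers\\" in path.lower() and looks_random(stem):
            findings.append((path, "driver with random-looking name"))
        twins[(m.group("modified"), m.group("size"))].append(path)
    for (modified, size), paths in twins.items():
        if len(paths) > 1:
            findings.append((" | ".join(paths), "same mtime %s and size %s" % (modified, size)))
    return findings


if __name__ == "__main__":
    for entry, reason in triage_hjt(HJT_SAMPLE) + triage_combofix(COMBOFIX_SAMPLE):
        print("%-45s %s" % (entry[:45], reason))
```

Run it as-is and it reports CleanEasyImg, delcab and Workflow (all launched from outside Program Files or Windows), the orphaned SNDSrvc service, the two random-named .sys files, and the fact that those two share the same modification time and size. Legitimate entries such as ggsemc.sys and SDTHOOK.SYS pass untouched, which is the point of pairing the name heuristic with the twin check rather than relying on either alone.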

Hi

Yes, I think I posted the whole scan, but just in case I saved it, so here it is again. I am deleting those files you said now and working on the scans, which I will post in the next reply.

Edited by JeanInMontana: No need for space taken by dup log.

Oh OK! I deleted the files you said to earlier, so I wonder why they didn't show!

Also can I just check, about to do the panda scan but I did one on Tues 5th of 'My Computer' and it came back with no viruses found - should I still run another one now?

Thanks


Below are requested scans:

Panda Scan:

Incident Status Location

Adware:adware/powersearch Not disinfected c:\windows\system32\stlb2.xml

Adware:adware/elitebar Not disinfected c:\windows\downloaded program files\v2.dll

Adware:adware/toprebates Not disinfected c:\windows\downloaded program files\WinadX.inf

Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM

Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Sonia Hernandez\Cookies\sonia_hernandez@overture[1].txt

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Sonia Hernandez\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.com]

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Sonia Hernandez\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]

Possible Virus. Not disinfected C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

Adware:Adware/TrafficSol Not disinfected C:\Program Files\Trend Micro\HijackThis\backups\backup-20080206-224809-335.dll

Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL.vir

Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL.vir

Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL.vir

Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL.vir

Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL.vir

Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL.vir

Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL.vir

Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL.vir

Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL.vir

Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL.vir

Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL.vir

Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\QooBox\Quarantine\C\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL.vir

Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\QooBox\Quarantine\catchme2008-01-15_194314.72.zip[F3HTMLMU.DLL]

Spyware:Spyware/Omi Not disinfected C:\WINDOWS\Downloaded Program Files\actsetup.dll

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe

Potentially unwanted tool:Application/Pskill.A Not disinfected C:\WINDOWS\RESTORE.INS[C:/OEMCUST/TOOLS/WIN32/PSKILL.EXE]

Potentially unwanted tool:Application/Pskill.A Not disinfected C:\WINDOWS\system\RESTORE.INS[C:/OEMCUST/TOOLS/WIN32/PSKILL.EXE]

Virus:W32/Sasser.ftp Disinfected C:\WINDOWS\system32\cmd.ftp

Adware:Adware/IST.ISTBar Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W5KDSF23\test[1].htm

Adware:Adware/TrafficSol Not disinfected C:\WINDOWS\system32\spads.dll

HJT scan:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:04:06, on 08/02/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Virgin Broadband\PCguard\Fws.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Raxco\PerfectDisk\PDAgent.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\BLUENEXT\BN-WD54G\Installer\WINXP\BCU.exe

C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe

C:\Program Files\uTorrent\uTorrent.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Workflow] D:\Workflow.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"

O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"

O4 - HKLM\..\Run: [broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\RunOnce: [indexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon

O4 - HKCU\..\RunOnce: [indexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"

O4 - Global Startup: BN-WD54G Wireless Client Utility.lnk = C:\Program Files\BLUENEXT\BN-WD54G\Installer\WINXP\BCU.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe

O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe

O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

--

End of file - 8406 bytes


OK, after consultation with one wiser than I, CF did find stuff, and it is obvious Panda did too and even removed a well-known worm. You have some questionable stuff too, a toolbar? http://www.castlecops.com/tk36013-Irocs_Ki..._IROCS_DLL.html

I am going to have someone better versed in how to proceed take over from here on out and he will clean up the rest. TeMerc will get to you tonight and give you instructions.



Ok, it turns out I had some free time between codec scans so here we go.

Please open Notepad then copy & paste the following text located inside the code box.

```
File::
C:\WINDOWS\system32\drivers\iyfhwfihjwcs.sys
C:\WINDOWS\system32\drivers\qplqgbsygiis.sys
C:\WINDOWS\system32\spads.dll
c:\windows\system32\stlb2.xml
```

Save this as CFScript.txt to your desktop.

Then drag the .txt file into ComboFix as displayed in this screenshot

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


> About 20mins! Did I just have to click and drag that notepad file into ComboFix?

Yes, as per the instructions. It's possible that the files it's trying to delete are resisting, but I've never had anyone come back to say it took so long, so not sure what to think on this one.

Let it go a bit, see what happens.


OK, finally here is the ComboFix log! When I clicked & dragged the txt file into ComboFix it worked, but then it said that there was an error with Windows and restarted my computer. When it had restarted, the txt file was no longer on my desktop. I clicked in ComboFix and the below scan is what was created, but several error messages appeared throughout the process saying there were some problems and the process will stop. Is everything I did what I was supposed to?

I am going to do the HijackThis scan now!

ComboFix 08-02.05.3 - Sonia Hernandez 2008-02-08 23:38:25.5 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.39 [GMT 0:00]

Running from: C:\Documents and Settings\Sonia Hernandez\Desktop\ComboFix.exe

.

((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))

.

2008-02-08 19:13 . 2008-02-08 19:13 <DIR> d-------- C:\Program Files\7-Zip

2008-02-06 22:54 . 2004-08-04 04:56 388,608 --a------ C:\kmd.exe

2008-02-06 13:19 . 2008-02-06 22:30 <DIR> d-------- C:\Program Files\Google

2008-02-05 23:46 . 2008-02-05 23:46 <DIR> d-------- C:\Program Files\Trend Micro

2008-02-05 22:24 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS

2008-02-05 22:21 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\iyfhwfihjwcs.sys

2008-02-05 20:29 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\qplqgbsygiis.sys

2008-02-05 19:51 . 2008-02-08 00:10 <DIR> d-------- C:\WINDOWS\system32\ActiveScan

2008-02-05 19:51 . 2008-02-07 22:50 30,590 --a------ C:\WINDOWS\system32\pavas.ico

2008-02-05 19:51 . 2008-02-07 22:50 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico

2008-02-05 19:51 . 2008-02-07 22:50 1,406 --a------ C:\WINDOWS\system32\Help.ico

2008-02-05 19:07 . 2008-02-05 19:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-02-05 19:07 . 2008-02-05 19:07 <DIR> d-------- C:\Documents and Settings\Sonia Hernandez\Application Data\Malwarebytes

2008-02-05 19:07 . 2008-02-05 19:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-02-05 18:05 . 2008-02-07 23:32 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy

2008-02-04 21:47 . 2008-02-04 21:47 <DIR> d-------- C:\Documents and Settings\Sonia Hernandez\Application Data\TrojanHunter

2008-02-04 20:54 . 2008-02-05 18:01 <DIR> d-------- C:\Program Files\TrojanHunter 5.0

2008-02-04 10:31 . 2007-03-06 13:24 55,296 --a------ C:\WINDOWS\system32\drivers\rp_skt32.sys

2008-02-04 10:28 . 2008-02-04 10:28 <DIR> d-------- C:\Program Files\Common Files\Authentium

2008-02-04 10:28 . 2007-04-19 11:36 48,384 --a------ C:\WINDOWS\system32\drivers\rp_pkt32.sys

2008-02-04 10:27 . 2008-02-04 10:27 <DIR> d-------- C:\Program Files\Raxco

2008-02-04 10:27 . 2008-02-04 10:27 <DIR> d-------- C:\Program Files\Common Files\Scanner

2008-02-04 10:27 . 2008-02-04 10:27 <DIR> d-------- C:\Program Files\CA

2008-02-04 10:27 . 2008-02-04 10:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Raxco

2008-02-03 22:43 . 2008-02-03 22:43 40,731 --a------ C:\WINDOWS\system32\superiorads-uninst.exe

2008-02-03 18:53 . 2008-02-03 18:53 <DIR> d-------- C:\Program Files\QuickTime

2008-01-29 23:34 . 2008-01-29 23:34 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2008-01-29 23:34 . 2008-01-29 23:34 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_ggsemc_01005.Wdf

2008-01-29 23:18 . 2008-01-29 23:17 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll

2008-01-29 23:18 . 2008-01-29 23:17 20,520 --a------ C:\WINDOWS\system32\drivers\ggsemc.sys

2008-01-29 23:18 . 2008-01-29 23:17 13,352 --a------ C:\WINDOWS\system32\drivers\ggflt.sys

2008-01-29 22:50 . 2008-01-29 23:13 <DIR> d-------- C:\Program Files\Sony Ericsson

2008-01-29 22:50 . 2008-01-29 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson

2008-01-23 23:09 . 2008-01-04 21:58 129,784 --------- C:\WINDOWS\system32\pxafs.dll

2008-01-23 23:09 . 2008-01-04 21:58 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe

2008-01-23 23:09 . 2008-01-04 21:58 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe

2008-01-23 23:09 . 2008-01-04 21:58 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys

2008-01-23 23:09 . 2008-01-04 21:58 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys

2008-01-23 18:27 . 2008-01-24 17:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vsosdk

2008-01-22 20:48 . 2008-01-22 20:48 <DIR> d-------- C:\Program Files\VSO

2008-01-22 20:48 . 2008-01-31 17:56 <DIR> d-------- C:\Documents and Settings\Sonia Hernandez\Application Data\Vso

2008-01-22 20:48 . 2006-09-29 11:24 217,127 --a------ C:\WINDOWS\system32\drv43260.dll

2008-01-22 20:48 . 2006-09-29 11:25 208,935 --a------ C:\WINDOWS\system32\drv33260.dll

2008-01-22 20:48 . 2006-09-29 11:26 176,165 --a------ C:\WINDOWS\system32\drv23260.dll

2008-01-22 20:48 . 2008-01-22 20:48 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys

2008-01-22 20:48 . 2008-01-22 20:48 47,360 --a------ C:\Documents and Settings\Sonia Hernandez\Application Data\pcouffin.sys

2008-01-18 19:30 . 2008-01-18 19:30 <DIR> d-------- C:\Documents and Settings\Sonia Hernandez\Application Data\InstallShield

2008-01-17 22:58 . 2008-01-23 23:12 69 --a------ C:\WINDOWS\NeroDigital.ini

2008-01-17 17:16 . 2008-01-17 17:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LightScribe

2008-01-17 17:15 . 2008-02-07 23:20 <DIR> d-------- C:\Program Files\Common Files\LightScribe

2008-01-17 17:12 . 2008-01-18 09:38 <DIR> d-------- C:\Documents and Settings\Sonia Hernandez\Application Data\Ahead

2008-01-17 17:08 . 2008-01-24 00:17 <DIR> d-------- C:\Program Files\Common Files\Ahead

2008-01-13 17:48 . 2008-01-13 18:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-01-13 17:39 . 2008-02-08 23:03 <DIR> d-------- C:\Documents and Settings\Sonia Hernandez\Application Data\uTorrent

2008-01-13 16:26 . 2008-01-13 16:26 <DIR> d-------- C:\Documents and Settings\Sonia Hernandez\Application Data\TomTom

2008-01-08 16:03 . 2008-02-07 23:24 <DIR> d-------- C:\Program Files\iTunes

2008-01-08 15:53 . 2008-01-08 15:53 <DIR> d-------- C:\Program Files\Common Files\Apple

2008-01-08 01:16 . 2008-01-08 01:16 630,784 --a------ C:\WINDOWS\system32\divxdec.ax

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-02-07 23:32 --------- d-----w C:\Program Files\uTorrent

2008-02-06 13:32 --------- d-----w C:\Program Files\Common Files\Adobe

2008-02-05 23:41 --------- d-----w C:\Program Files\MSN Messenger

2008-02-05 19:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-02-05 16:38 --------- d-----w C:\Program Files\Virgin Broadband

2008-02-04 10:33 --------- d-----w C:\Documents and Settings\Sonia Hernandez\Application Data\Virgin Broadband

2008-02-04 10:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Virgin Broadband

2008-02-04 10:17 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-01-23 23:09 --------- d-----w C:\Program Files\DivX

2008-01-22 22:29 --------- d-----w C:\Program Files\Lavasoft

2008-01-18 20:19 --------- d-----w C:\Program Files\Java

2008-01-18 20:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint

2008-01-13 17:27 --------- d-----w C:\Documents and Settings\Sonia Hernandez\Application Data\Lavasoft

2008-01-10 22:42 --------- d-----w C:\Documents and Settings\Sonia Hernandez\Application Data\LimeWire

2008-01-08 16:04 --------- d-----w C:\Program Files\iPod

2008-01-05 15:14 94,688 -c--a-w C:\Documents and Settings\Sonia Hernandez\Application Data\GDIPFONTCACHEV1.DAT

2007-12-31 12:23 --------- d-----w C:\Program Files\Apple Software Update

2007-12-31 12:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple

2007-12-27 22:23 --------- d-----w C:\Documents and Settings\Sonia Hernandez\Application Data\DivX

2007-12-23 16:26 20,747 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys

2007-12-23 16:26 --------- d-----w C:\Program Files\BLUENEXT

2007-12-23 16:25 --------- d-----w C:\Program Files\Common Files\InstallShield

2004-10-01 04:27 326 -c-h--w C:\Documents and Settings\All Users\Application Data\mssaru.dat

2004-09-27 17:16 140 -c-ha-w C:\Documents and Settings\Sonia Hernandez\Application Data\ptads.bin

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:56 15360]

"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 13:26 484904]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]

"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2007-10-18 15:42 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-09-21 18:06 151597]

"Workflow"="D:\Workflow.exe" [ ]

"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-05 18:34 188416]

"VCSPlayer"="C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe" [2002-06-07 11:34 299008]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-03 18:53 385024]

"-FreedomNeedsReboot"="C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [2007-09-05 14:10 13552]

"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-08-07 18:49 2061552]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

BN-WD54G Wireless Client Utility.lnk - C:\Program Files\BLUENEXT\BN-WD54G\Installer\WINXP\BCU.exe [2007-12-23 16:26:17 593920]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

R1 vcsmpdrv;vcsmpdrv;C:\WINDOWS\system32\DRIVERS\vcsmpdrv.sys [2002-06-07 11:38]

R2 VCSSecS;Virtual CD v4 Security service (SDK - Version);C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe [2002-05-16 11:17]

S2 Ca533av;USB PC Camera;C:\WINDOWS\system32\Drivers\Ca533av.sys []

S3 CA500AI;SPCA500A Still Image Capture, Sunplus Version 1.00;C:\WINDOWS\system32\Drivers\BULKUSB.sys []

S3 CA500AV;Digital Video Camera(Video);C:\WINDOWS\system32\DRIVERS\CA500AV.SYS []

S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-01-29 23:17]

S3 MR97310_VGA_DUAL_CAMERA;Digital Camera;C:\WINDOWS\system32\DRIVERS\mr97310v.sys []

S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe [2004-08-04 04:56]

S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe [2004-08-04 04:56]

S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe [2004-08-04 04:56]

S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe [2004-08-04 04:56]

S3 Radialpoint Security Services;Virgin Broadband PCguard;C:\WINDOWS\system32\dllhost.exe [2004-08-04 04:56]

S3 USBCamera;Bulk USB Device;C:\WINDOWS\system32\Drivers\Bulk533.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42a184c0-2abd-11d9-a907-806d6172696f}]

\Shell\AutoRun\command - E:\RunGame.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"

.

Contents of the 'Scheduled Tasks' folder

"2008-02-08 12:58:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2003-12-25 17:28:17 C:\WINDOWS\Tasks\Registration reminder 2.job"

- C:\WINDOWS\System32\OOBE\oobebaln.exe

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-02-08 23:42:37

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-02-08 23:45:09

ComboFix-quarantined-files.txt 2008-02-08 23:44:58

ComboFix2.txt 2008-02-06 23:08:41

ComboFix3.txt 2008-01-15 19:48:21

.

2008-01-10 08:54:01 --- E O F ---


Here's the HijackThis scan:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:50:02, on 08/02/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Virgin Broadband\PCguard\Fws.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Raxco\PerfectDisk\PDAgent.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe

C:\Program Files\BLUENEXT\BN-WD54G\Installer\WINXP\BCU.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Workflow] D:\Workflow.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"

O4 - HKLM\..\Run: [broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon

O4 - Global Startup: BN-WD54G Wireless Client Utility.lnk = C:\Program Files\BLUENEXT\BN-WD54G\Installer\WINXP\BCU.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe

O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe

O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

--

End of file - 7989 bytes

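One way to triage a HijackThis log like the one posted above mechanically, as an added example that is not from the original thread and not code from HijackThis, Malwarebytes or ComboFix. The sample lines are constructed copies of seven entries from the posted log (the `D:\Workflow.exe` Run entry, the Panda ActiveScan ActiveX control and the Symantec service marked "(file missing)" are the interesting ones); the review rules are my own heuristics, not anything the tool reports, and the "trusted roots" list is an assumption about where autostarts normally live on a Windows XP machine.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on seven entries from the HijackThis log posted
# above. It is not the full log; the cases of interest are the Run entry on
# D:, the downloaded ActiveX control and the orphaned Symantec service.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Workflow] D:\Workflow.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


@dataclass
class Entry:
    kind: str             # HijackThis section prefix, e.g. "O4", "O23"
    raw: str              # the full log line
    path: Optional[str]   # first Windows binary path found in the line, if any


@dataclass
class Finding:
    entry: Entry
    reasons: List[str] = field(default_factory=list)


LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Drive letter, colon, backslash, then (lazily) up to a binary extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|ocx))', re.IGNORECASE)

# Locations an autostart is expected to live in on an XP box (heuristic, my
# assumption; anything else deserves a second look, it is not proof of malware).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_hjt(text: str) -> List[Entry]:
    """Split a HijackThis log into (section, line, path) records."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue                      # header, blank or "End of file" line
        kind, body = m.groups()
        pm = PATH_RE.search(body)
        entries.append(Entry(kind, line, pm.group(1) if pm else None))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply a few review heuristics and return only the entries that trip one."""
    findings = []
    for e in entries:
        reasons = []
        low = e.raw.lower()
        if e.kind == "O23":
            if "(file missing)" in low:
                reasons.append("service registration points at a file that no longer exists")
            if "unknown owner" in low:
                reasons.append("service binary carries no vendor information")
        elif e.kind == "O4" and e.path:
            p = e.path.lower()
            if not p.startswith("c:\\"):
                reasons.append("autostart from a non-system drive (removable or second disk?)")
            elif not p.startswith(TRUSTED_ROOTS):
                reasons.append("autostart outside Program Files / WINDOWS")
        elif e.kind == "O16":
            reasons.append("downloaded ActiveX control: confirm the hosting site is one you visited on purpose")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


def report(findings: List[Finding]) -> List[str]:
    """One human-readable line per finding."""
    return [f"{f.entry.kind}: {f.entry.path or f.entry.raw} -> {'; '.join(f.reasons)}"
            for f in findings]


if __name__ == "__main__":
    for line in report(triage(parse_hjt(SAMPLE_LOG))):
        print(line)
```

Run against the sample it reports three entries: the Run value on D:, the ActiveX download, and the Symantec service whose binary is gone (two reasons). Entries that pass the rules, such as ctfmon.exe under WINDOWS or the iPod service with a vendor name and an existing file, are not printed; the point is to shrink a long log to the handful of lines a human should actually look at, which is what the helper in this thread did by eye.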

I think it worked ok this time.

ComboFix 08-02.05.3 - Sonia Hernandez 2008-02-09 10:34:07.6 - NTFSx86

Running from: C:\Documents and Settings\Sonia Hernandez\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Sonia Hernandez\Desktop\CFScript.txt

* Created a new restore point

FILE

C:\WINDOWS\system32\drivers\iyfhwfihjwcs.sys

C:\WINDOWS\system32\drivers\qplqgbsygiis.sys

C:\WINDOWS\system32\spads.dll

c:\windows\system32\stlb2.xml

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\drivers\iyfhwfihjwcs.sys

C:\WINDOWS\system32\drivers\qplqgbsygiis.sys

C:\WINDOWS\system32\spads.dll

c:\windows\system32\stlb2.xml

.

((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))

.

2008-02-08 23:15 . 2004-08-04 04:56 388,608 --a------ C:\kmd.exe

2008-02-08 19:13 . 2008-02-08 19:13 <DIR> d-------- C:\Program Files\7-Zip

2008-02-06 13:19 . 2008-02-06 22:30 <DIR> d-------- C:\Program Files\Google

2008-02-05 23:46 . 2008-02-05 23:46 <DIR> d-------- C:\Program Files\Trend Micro

2008-02-05 22:24 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS

2008-02-05 19:51 . 2008-02-08 00:10 <DIR> d-------- C:\WINDOWS\system32\ActiveScan

2008-02-05 19:51 . 2008-02-07 22:50 30,590 --a------ C:\WINDOWS\system32\pavas.ico

2008-02-05 19:51 . 2008-02-07 22:50 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico

2008-02-05 19:51 . 2008-02-07 22:50 1,406 --a------ C:\WINDOWS\system32\Help.ico

2008-02-05 19:07 . 2008-02-05 19:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-02-05 19:07 . 2008-02-05 19:07 <DIR> d-------- C:\Documents and Settings\Sonia Hernandez\Application Data\Malwarebytes

2008-02-05 19:07 . 2008-02-05 19:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-02-05 18:05 . 2008-02-07 23:32 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy

2008-02-04 21:47 . 2008-02-04 21:47 <DIR> d-------- C:\Documents and Settings\Sonia Hernandez\Application Data\TrojanHunter

2008-02-04 20:54 . 2008-02-05 18:01 <DIR> d-------- C:\Program Files\TrojanHunter 5.0

2008-02-04 10:31 . 2007-03-06 13:24 55,296 --a------ C:\WINDOWS\system32\drivers\rp_skt32.sys

2008-02-04 10:28 . 2008-02-04 10:28 <DIR> d-------- C:\Program Files\Common Files\Authentium

2008-02-04 10:28 . 2007-04-19 11:36 48,384 --a------ C:\WINDOWS\system32\drivers\rp_pkt32.sys

2008-02-04 10:27 . 2008-02-04 10:27 <DIR> d-------- C:\Program Files\Raxco

2008-02-04 10:27 . 2008-02-04 10:27 <DIR> d-------- C:\Program Files\Common Files\Scanner

2008-02-04 10:27 . 2008-02-04 10:27 <DIR> d-------- C:\Program Files\CA

2008-02-04 10:27 . 2008-02-04 10:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Raxco

2008-02-03 22:43 . 2008-02-03 22:43 40,731 --a------ C:\WINDOWS\system32\superiorads-uninst.exe

2008-02-03 18:53 . 2008-02-03 18:53 <DIR> d-------- C:\Program Files\QuickTime

2008-01-29 23:34 . 2008-01-29 23:34 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2008-01-29 23:34 . 2008-01-29 23:34 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_ggsemc_01005.Wdf

2008-01-29 23:18 . 2008-01-29 23:17 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll

2008-01-29 23:18 . 2008-01-29 23:17 20,520 --a------ C:\WINDOWS\system32\drivers\ggsemc.sys

2008-01-29 23:18 . 2008-01-29 23:17 13,352 --a------ C:\WINDOWS\system32\drivers\ggflt.sys

2008-01-29 22:50 . 2008-01-29 23:13 <DIR> d-------- C:\Program Files\Sony Ericsson

2008-01-29 22:50 . 2008-01-29 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson

2008-01-23 23:09 . 2008-01-04 21:58 129,784 --------- C:\WINDOWS\system32\pxafs.dll

2008-01-23 23:09 . 2008-01-04 21:58 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe

2008-01-23 23:09 . 2008-01-04 21:58 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe

2008-01-23 23:09 . 2008-01-04 21:58 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys

2008-01-23 23:09 . 2008-01-04 21:58 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys

2008-01-23 18:27 . 2008-01-24 17:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vsosdk

2008-01-22 20:48 . 2008-01-22 20:48 <DIR> d-------- C:\Program Files\VSO

2008-01-22 20:48 . 2008-01-31 17:56 <DIR> d-------- C:\Documents and Settings\Sonia Hernandez\Application Data\Vso

2008-01-22 20:48 . 2006-09-29 11:24 217,127 --a------ C:\WINDOWS\system32\drv43260.dll

2008-01-22 20:48 . 2006-09-29 11:25 208,935 --a------ C:\WINDOWS\system32\drv33260.dll

2008-01-22 20:48 . 2006-09-29 11:26 176,165 --a------ C:\WINDOWS\system32\drv23260.dll

2008-01-22 20:48 . 2008-01-22 20:48 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys

2008-01-22 20:48 . 2008-01-22 20:48 47,360 --a------ C:\Documents and Settings\Sonia Hernandez\Application Data\pcouffin.sys

2008-01-18 19:30 . 2008-01-18 19:30 <DIR> d-------- C:\Documents and Settings\Sonia Hernandez\Application Data\InstallShield

2008-01-17 22:58 . 2008-01-23 23:12 69 --a------ C:\WINDOWS\NeroDigital.ini

2008-01-17 17:16 . 2008-01-17 17:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LightScribe

2008-01-17 17:15 . 2008-02-07 23:20 <DIR> d-------- C:\Program Files\Common Files\LightScribe

2008-01-17 17:12 . 2008-01-18 09:38 <DIR> d-------- C:\Documents and Settings\Sonia Hernandez\Application Data\Ahead

2008-01-17 17:08 . 2008-01-24 00:17 <DIR> d-------- C:\Program Files\Common Files\Ahead

2008-01-13 17:48 . 2008-01-13 18:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-01-13 17:39 . 2008-02-09 10:22 <DIR> d-------- C:\Documents and Settings\Sonia Hernandez\Application Data\uTorrent

2008-01-13 16:26 . 2008-01-13 16:26 <DIR> d-------- C:\Documents and Settings\Sonia Hernandez\Application Data\TomTom

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-02-07 23:32 --------- d-----w C:\Program Files\uTorrent

2008-02-07 23:24 --------- d-----w C:\Program Files\iTunes

2008-02-06 13:32 --------- d-----w C:\Program Files\Common Files\Adobe

2008-02-05 23:41 --------- d-----w C:\Program Files\MSN Messenger

2008-02-05 19:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-02-05 16:38 --------- d-----w C:\Program Files\Virgin Broadband

2008-02-04 10:33 --------- d-----w C:\Documents and Settings\Sonia Hernandez\Application Data\Virgin Broadband

2008-02-04 10:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Virgin Broadband

2008-02-04 10:17 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-01-23 23:09 --------- d-----w C:\Program Files\DivX

2008-01-22 22:29 --------- d-----w C:\Program Files\Lavasoft

2008-01-18 20:19 --------- d-----w C:\Program Files\Java

2008-01-18 20:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint

2008-01-13 17:27 --------- d-----w C:\Documents and Settings\Sonia Hernandez\Application Data\Lavasoft

2008-01-10 22:42 --------- d-----w C:\Documents and Settings\Sonia Hernandez\Application Data\LimeWire

2008-01-08 16:04 --------- d-----w C:\Program Files\iPod

2008-01-08 15:53 --------- d-----w C:\Program Files\Common Files\Apple

2008-01-05 15:14 94,688 -c--a-w C:\Documents and Settings\Sonia Hernandez\Application Data\GDIPFONTCACHEV1.DAT

2008-01-04 21:59 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe

2008-01-04 21:58 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll

2008-01-04 21:58 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll

2008-01-04 21:58 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll

2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll

2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll

2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll

2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll

2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\system32\DivX.dll

2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll

2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll

2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll

2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll

2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll

2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll

2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll

2008-01-04 21:56 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe

2008-01-04 21:56 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll

2007-12-31 12:23 --------- d-----w C:\Program Files\Apple Software Update

2007-12-31 12:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple

2007-12-27 22:23 --------- d-----w C:\Documents and Settings\Sonia Hernandez\Application Data\DivX

2007-12-23 16:26 20,747 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys

2007-12-23 16:26 --------- d-----w C:\Program Files\BLUENEXT

2007-12-23 16:25 --------- d-----w C:\Program Files\Common Files\InstallShield

2004-10-01 04:27 326 -c-h--w C:\Documents and Settings\All Users\Application Data\mssaru.dat

2004-09-27 17:16 140 -c-ha-w C:\Documents and Settings\Sonia Hernandez\Application Data\ptads.bin

1998-08-24 12:09 10,000 -c--a-w C:\WINDOWS\inf\unregpn.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:56 15360]

"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 13:26 484904]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]

"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2007-10-18 15:42 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-09-21 18:06 151597]

"Workflow"="D:\Workflow.exe" [ ]

"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-05 18:34 188416]

"VCSPlayer"="C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe" [2002-06-07 11:34 299008]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-03 18:53 385024]

"-FreedomNeedsReboot"="C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [2007-09-05 14:10 13552]

"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-08-07 18:49 2061552]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

BN-WD54G Wireless Client Utility.lnk - C:\Program Files\BLUENEXT\BN-WD54G\Installer\WINXP\BCU.exe [2007-12-23 16:26:17 593920]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

R1 vcsmpdrv;vcsmpdrv;C:\WINDOWS\system32\DRIVERS\vcsmpdrv.sys [2002-06-07 11:38]

S2 Ca533av;USB PC Camera;C:\WINDOWS\system32\Drivers\Ca533av.sys []

S3 CA500AI;SPCA500A Still Image Capture, Sunplus Version 1.00;C:\WINDOWS\system32\Drivers\BULKUSB.sys []

S3 CA500AV;Digital Video Camera(Video);C:\WINDOWS\system32\DRIVERS\CA500AV.SYS []

S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-01-29 23:17]

S3 MR97310_VGA_DUAL_CAMERA;Digital Camera;C:\WINDOWS\system32\DRIVERS\mr97310v.sys []

S3 USBCamera;Bulk USB Device;C:\WINDOWS\system32\Drivers\Bulk533.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42a184c0-2abd-11d9-a907-806d6172696f}]

\Shell\AutoRun\command - E:\RunGame.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"

.

Contents of the 'Scheduled Tasks' folder

"2008-02-08 12:58:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2003-12-25 17:28:17 C:\WINDOWS\Tasks\Registration reminder 2.job"

- C:\WINDOWS\System32\OOBE\oobebaln.exe

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-02-09 10:37:27

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-02-09 10:38:51

ComboFix-quarantined-files.txt 2008-02-09 10:38:28

ComboFix2.txt 2008-02-08 23:45:10

ComboFix3.txt 2008-02-06 23:08:41

ComboFix4.txt 2008-01-15 19:48:21

.

2008-01-10 08:54:01 --- E O F ---


  • Staff

Ok, looks good, please delete the following file, it should go easily:

C:\WINDOWS\system32\superiorads-uninst.exe<<<--this one

And I think we're done. How are things running?


Thanks for all the help. Things seem to be running ok now, no adverts/pop-ups have appeared. I ran a Malwarebytes Anti-Malware scan just to have a check on things and the following 2 files came up with the vendor Adware.MyWebSearch - are they ok?

C:\Program Files\MSNMessenger\riched20.dll

C:\SystemVolumeInformation\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP378\A0092926.dll

I know someone checked the messenger one in an earlier post, but we don't use MSN Messenger, so is it safe to delete?

Thanks
