jbd55 Posted June 1, 2008 ID:19257 Share Posted June 1, 2008 Hi everybody,I'd be really happy if you can help me find a solution to this annoying problem:spontaneous pop-ups appear every few minutes, they open through ie even tough i use firefox.I'm using nod32 and tried to scan with spybot, adaware and spydoctor but nothing fixed the problem.I couldn't open Malwarebytes' Anti-Malware (it says "error loading database. line: #0.") so i'm posting an hijackthis log only, thanks in advance to anyone who can help me.*****************************************************Logfile of Trend Micro HijackThis v2.0.2Scan saved at 09:16:06, on 01/06/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Babylon\Babylon-Pro\Babylon.exeC:\Program Files\Eset\nod32kui.exeC:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exeC:\Program Files\Java\jre1.6.0_05\bin\jusched.exeC:\Program Files\DAEMON Tools\daemon.exeC:\Program Files\Eset\nod32krn.exeC:\Program Files\Common Files\Teleca Shared\Generic.exeC:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\wdfmgr.exeC:\WINDOWS\System32\alg.exeC:\Program Files\Azureus\Azureus.exeC:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXEC:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXEC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.ilO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exeO4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio\PROGRAM\CTMIX32.EXE /tO4 - HKLM\..\Run: [babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStartO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICEO4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptionsO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exeO4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -kO4 - HKLM\..\RunOnce: [spybotDeletingA5406] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"O4 - HKLM\..\RunOnce: [spybotDeletingC6627] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe" -autorunO4 - HKCU\..\RunOnce: [spybotDeletingB6196] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"O4 - HKCU\..\RunOnce: [spybotDeletingD1873] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"O4 - HKUS\S-1-5-21-1004336348-1993962763-1343024091-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')O4 - HKUS\S-1-5-21-1004336348-1993962763-1343024091-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')O4 - HKUS\S-1-5-21-1004336348-1993962763-1343024091-500\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe" -autorun (User '?')O4 - HKUS\S-1-5-21-1004336348-1993962763-1343024091-500\..\RunOnce: [spybotDeletingB6196] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk" (User '?')O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htmO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLLO9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exeO9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exeO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cabO16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{69043674-3390-46E6-A943-F810AFB0CEB6}: NameServer = 10.0.0.138O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exeO23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exeO23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe--End of file - 6344 bytes***************************************************** Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 1, 2008 Root Admin ID:19260 Share Posted June 1, 2008 Welcome to MalwarebytesPlease remove the current version of Malwarebytes you have and download a new copy from hereMalwarebytes 1.14Start Hijackthis and do a Scan Only and place a check mark on these itemsO4 - HKLM\..\RunOnce: [spybotDeletingA5406] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"O4 - HKLM\..\RunOnce: [spybotDeletingC6627] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"O4 - HKCU\..\RunOnce: [spybotDeletingB6196] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"O4 - HKCU\..\RunOnce: [spybotDeletingD1873] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"O4 - HKUS\S-1-5-21-1004336348-1993962763-1343024091-500\..\RunOnce: [spybotDeletingB6196] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk" (User '?')O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)Then click on "Fix selected"Follow these instructions carefully.Download ATF-Cleaner from Snapfiles.com to remove un-needed temporary files from your computer that may contain malware.You can also download it from Majorgeeks.comWhen you run ATF-Cleaner, check the items as shown below for Main.For FireFox, be sure to click on the FireFox tab on top and check the items as shown below for FireFoxNOTE: If you don't have FireFox or Opera installed then they will be grayed out and can be ignoredThen click on "Empty Selected". . Then after a reboot install the new downloaded Malwarebytes 1.14 program and allow it to update.Then do a Quick Scan and allow it to fix any items it finds.Then run Hijackthis and do a Scan Only and copy that log and report back with both the Hijackthis and MB logs.. Link to post Share on other sites More sharing options...
jbd55 Posted June 2, 2008 Author ID:19303 Share Posted June 2, 2008 hifirst of all, thanks for all the help.now, i still couldnt run malewarebytes (same error)i did check the items as described in hijackthis and fixed them and used the atf cleaner.here is the current log of hjt, what should i do next? (the pop-ups didnt stop yet)Logfile of Trend Micro HijackThis v2.0.2Scan saved at 06:58:40, on 02/06/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Babylon\Babylon-Pro\Babylon.exeC:\Program Files\Eset\nod32kui.exeC:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exeC:\Program Files\Java\jre1.6.0_05\bin\jusched.exeC:\Program Files\DAEMON Tools\daemon.exeC:\Program Files\Eset\nod32krn.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Common Files\Teleca Shared\Generic.exeC:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Azureus\Azureus.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.ilO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exeO4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio\PROGRAM\CTMIX32.EXE /tO4 - HKLM\..\Run: [babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStartO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICEO4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptionsO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exeO4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -kO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe" -autorunO4 - HKUS\S-1-5-21-1004336348-1993962763-1343024091-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')O4 - HKUS\S-1-5-21-1004336348-1993962763-1343024091-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')O4 - HKUS\S-1-5-21-1004336348-1993962763-1343024091-500\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe" -autorun (User '?')O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htmO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLLO9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exeO9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exeO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cabO16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{69043674-3390-46E6-A943-F810AFB0CEB6}: NameServer = 10.0.0.138O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exeO23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exeO23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe--End of file - 5202 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 2, 2008 Root Admin ID:19305 Share Posted June 2, 2008 This is the rootkit culpritC:\WINDOWS\system32\drivers\core.cache.dskMalwarebytes should be able to remove it for you but we need to find out why MB is not running for you.Let me check with one of the programmers and see what we can do. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 2, 2008 Root Admin ID:19361 Share Posted June 2, 2008 Please try starting Windows in a Diagnostic mode and see if you can install, update, and then run Malwarebytes.Click on START - RUN and then type in MSCONFIG then click on the Diagnostic Startup then OK and reboot your computer.Download a new version of MB and install it. Then try to scan your system again. Link to post Share on other sites More sharing options...
jbd55 Posted June 3, 2008 Author ID:19396 Share Posted June 3, 2008 i downloaded it in normal mode then switched to diag. mode, installed mbam and it still didnt run (same error) Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 3, 2008 Root Admin ID:19420 Share Posted June 3, 2008 Let's try to rename the program.Browse to this location C:\Program Files\Malwarebytes' Anti-Malware and there you should find mbam.exe rename the file to JBD55.exeThen double-click on JBD55.exe and try to run the program. Link to post Share on other sites More sharing options...
jbd55 Posted June 4, 2008 Author ID:19431 Share Posted June 4, 2008 same thing, i'm attaching a printscreenmbam.bmpmbam.bmp Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 4, 2008 Root Admin ID:19433 Share Posted June 4, 2008 Okay let's try to do some scanning and cleaning with other tools first.Please download ComboFix here how-to-use-combofix and run it.When that's done Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.Close all applications and windows.Double-click on dss.exe to run it, and follow the prompts.When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimizedCopy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post in your replyWhat DSS will do:create a new System Restore point in Windows XP and Vista.clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.Notes: The first time that the Deckard scanner is run, the extra.txt is generated in a minimized window. The second time you will not obtain the extra.txt. You must go to Start=>Run and copy the following "%userprofile%\desktop\dss.exe" /config in the line and click OK You will receive a pop-up box with options to check for the Main log and Extra Log and Options.Then post back the logs from ComboFix and Deckard's System Scanner. Link to post Share on other sites More sharing options...
jbd55 Posted June 4, 2008 Author ID:19447 Share Posted June 4, 2008 i couldnt run combofixi drag the windows file i downloaded onto it and then tried to run combofix. it showed some kind of bar (printscreen attached) and then nothing happend.combofix.bmpcombofix.bmp Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 4, 2008 Root Admin ID:19456 Share Posted June 4, 2008 4. ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.Once the Windows Recovery Console has finished installed, ComboFix will open a prompt stating that it was installed and asking if you would like to proceed with scanning your computer. If you wish to continue, then press the Yes buttonDid you install the Recovery Console? Did you get a message from ComboFix that it was installed?Try running ComboFix now by just double-clicking on it and let it run. Link to post Share on other sites More sharing options...
jbd55 Posted June 5, 2008 Author ID:19502 Share Posted June 5, 2008 **********************combo fix log*************************************ComboFix 08-06-03.4 - Administrator 06/05/2008 1:05:12.1 - NTFSx86Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe * Resident AV is activeWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\MN6YBD4S\iforex.comC:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\MN6YBD4S\iforex.com\Emerp\Events\flash_object.swf\user_data.solC:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.comC:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.solC:\temp\tn3C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete.((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 ))))))))))))))))))))))))))))))).No new files created in this timespan.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2008-06-04 23:10 932 ------w C:\WINDOWS\system32\drivers\core.cache.dsk2008-06-04 23:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Babylon2008-06-04 23:04 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus2008-06-04 22:36 --------- d-----w C:\Program Files\Neo Mule2008-06-04 16:54 --------- d-----w C:\Program Files\m2008-06-04 04:29 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware2008-06-03 15:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes2008-06-01 07:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Malwarebytes2008-06-01 07:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy2008-05-31 10:16 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP2008-05-31 10:12 --------- d-----w C:\Program Files\Spybot - Search & Destroy2008-05-31 09:16 --------- d-----w C:\Program Files\Trend Micro2008-05-30 20:21 --------- d-----w C:\Program Files\Spyware Doctor2008-05-17 18:46 --------- d-----w C:\Documents and Settings\Administrator\Application Data\PC Tools2008-05-17 17:07 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard2008-05-17 17:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft2008-05-10 10:55 --------- d-----w C:\Program Files\VstPlugins2008-05-10 10:55 --------- d-----w C:\Program Files\Image-Line2008-05-10 10:52 --------- d-----w C:\Program Files\Outsim2008-04-24 19:05 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Babylon2008-04-21 11:38 --------- d-----w C:\Program Files\PFConfig2008-04-21 11:26 --------- d-----w C:\Program Files\Soulseek2008-04-21 05:10 --------- d-----w C:\Program Files\Haali2008-04-21 05:09 --------- d-----w C:\Program Files\AC3Filter2008-04-17 17:06 --------- d-----w C:\Program Files\Azureus2008-04-05 18:00 --------- d-----w C:\Program Files\Full Tilt Poker2007-01-25 04:20 24,192 -c--a-w C:\Documents and Settings\Administrator\usbsermptxp.sys2007-01-25 04:20 22,768 -c--a-w C:\Documents and Settings\Administrator\usbsermpt.sys.<pre>----a-w 2,663,480 2008-02-07 04:26:18 C:\Program Files\Babylon\Babylon-Pro\Babylon .exe----a-w 20,480 2008-02-07 04:25:57 C:\Program Files\Creative\Audio\Program\CTMIX32 .EXE----a-w 165,784 2008-02-07 04:26:24 C:\Program Files\DAEMON Tools\daemon .exe----a-w 1,410,304 2008-02-07 04:26:15 C:\Program Files\ESET\ESET NOD32 Antivirus\egui .exe----a-w 1,694,208 2008-02-07 04:26:28 C:\Program Files\Messenger\msmsgs .exe----a-w 282,624 2008-02-07 04:26:02 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:35:51 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:35:56 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:35:56 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:35:56 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:35:57 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:35:57 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:35:58 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:35:58 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:35:58 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:35:59 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:35:59 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:35:59 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:36:00 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:36:01 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:36:01 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:36:01 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:36:02 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-01-25 12:58:40 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-01-24 06:40:59 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-01-24 06:41:00 C:\Program Files\QuickTime\qttask .exe----a-w 15,360 2008-02-07 04:26:32 C:\WINDOWS\system32\ctfmon .exe</pre>------- Sigcheck -------.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools\daemon.exe" [01/17/2008 06:51 PM 486856]"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM 144784]"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [06/13/2007 08:16 AM 528384]"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/24/2008 08:41 AM 282624]"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [02/08/2008 03:53 PM 949376]"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]"CreativeMixer"="C:\Program Files\Creative\Audio\PROGRAM\CTMIX32.exe" [ ]"Babylon Client"="C:\Program Files\Babylon\Babylon-Pro\Babylon.exe" [03/04/2008 10:58 PM 3165920]"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [ ][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]"EnsoniqMixer"=C:\WINDOWS\System32\Starter.Exe[HKEY_LOCAL_MACHINE\software\microsoft\security center]"UpdatesDisableNotify"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"C:\\Program Files\\Neo Mule\\emule.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"="C:\\Program Files\\Azureus\\Azureus.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"49578:TCP"= 49578:TCP:azu"49578:UDP"= 49578:UDP:azu1HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcsUxTuneUp.Contents of the 'Scheduled Tasks' folder"2008-05-30 15:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe"2008-06-04 22:00:00 C:\WINDOWS\Tasks\At1.job"- C:\WINDOWS\system32\tWPxlP4s.exe"2008-06-04 07:00:00 C:\WINDOWS\Tasks\At10.job"- C:\WINDOWS\system32\tWPxlP4s.exe"2008-06-04 08:00:00 C:\WINDOWS\Tasks\At11.job"- C:\WINDOWS\system32\tWPxlP4s.exe"2008-06-04 09:00:00 C:\WINDOWS\Tasks\At12.job"- C:\WINDOWS\system32\tWPxlP4s.exe"2008-06-04 10:00:00 C:\WINDOWS\Tasks\At13.job"- C:\WINDOWS\system32\tWPxlP4s.exe"2008-06-04 11:00:00 C:\WINDOWS\Tasks\At14.job"- C:\WINDOWS\system32\tWPxlP4s.exe"2008-06-04 12:00:00 C:\WINDOWS\Tasks\At15.job"- C:\WINDOWS\system32\tWPxlP4s.exe"2008-06-04 13:00:00 C:\WINDOWS\Tasks\At16.job"- C:\WINDOWS\system32\tWPxlP4s.exe"2008-06-04 14:00:00 C:\WINDOWS\Tasks\At17.job"- C:\WINDOWS\system32\tWPxlP4s.exe"2008-06-04 15:00:00 C:\WINDOWS\Tasks\At18.job"- C:\WINDOWS\system32\tWPxlP4s.exe"2008-06-04 16:00:00 C:\WINDOWS\Tasks\At19.job"- C:\WINDOWS\system32\tWPxlP4s.exe"2008-06-04 23:00:01 C:\WINDOWS\Tasks\At2.job"- C:\WINDOWS\system32\tWPxlP4s.exe"2008-06-04 17:00:00 C:\WINDOWS\Tasks\At20.job"- C:\WINDOWS\system32\tWPxlP4s.exe"2008-06-04 18:00:00 C:\WINDOWS\Tasks\At21.job"- C:\WINDOWS\system32\tWPxlP4s.exe"2008-06-04 19:00:00 C:\WINDOWS\Tasks\At22.job"- C:\WINDOWS\system32\tWPxlP4s.exe"2008-06-04 20:00:00 C:\WINDOWS\Tasks\At23.job"- C:\WINDOWS\system32\tWPxlP4s.exe"2008-06-04 21:00:00 C:\WINDOWS\Tasks\At24.job"- C:\WINDOWS\system32\tWPxlP4s.exe"2008-06-03 00:00:00 C:\WINDOWS\Tasks\At3.job"- C:\WINDOWS\system32\tWPxlP4s.exe"2008-06-03 01:00:00 C:\WINDOWS\Tasks\At4.job"- C:\WINDOWS\system32\tWPxlP4s.exe"2008-06-03 02:00:00 C:\WINDOWS\Tasks\At5.job"- C:\WINDOWS\system32\tWPxlP4s.exe"2008-06-03 03:00:00 C:\WINDOWS\Tasks\At6.job"- C:\WINDOWS\system32\tWPxlP4s.exe"2008-06-03 04:00:00 C:\WINDOWS\Tasks\At7.job"- C:\WINDOWS\system32\tWPxlP4s.exe"2008-06-04 05:00:00 C:\WINDOWS\Tasks\At8.job"- C:\WINDOWS\system32\tWPxlP4s.exe"2008-06-04 06:00:00 C:\WINDOWS\Tasks\At9.job"- C:\WINDOWS\system32\tWPxlP4s.exe.**************************************************************************catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2008-06-05 01:10:55Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ... scanning hidden autostart entries ...scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.------------------------ Other Running Processes ------------------------.C:\Program Files\ESET\nod32krn.exeC:\WINDOWS\system32\wdfmgr.exe.**************************************************************************.Completion time: 06/05/2008 1:13:30 - machine was rebootedComboFix-quarantined-files.txt 2008-06-04 23:13:26Pre-Run: 1,487,745,024 bytes freePost-Run: 1,972,273,152 bytes free187****************************DSS logs:****************************************************************EXTRA*************************************Deckard's System Scanner v20071014.68Extra logfile - please post this as an attachment with your post.---------------------------------------------------------------------------------- System Information ----------------------------------------------------------Unable to create WMI object.Architecture: X86; Language: EnglishPercentage of Memory in Use: 59%Physical Memory (total/avail): 383.46 MiB / 155.75 MiBPagefile Memory (total/avail): 921.74 MiB / 753.54 MiBVirtual Memory (total/avail): 2047.88 MiB / 1949.54 MiBA: is Removable (No Media)C: is Fixed (NTFS) - 12.7 GiB total, 1.84 GiB free. D: is Fixed (NTFS) - 6.43 GiB total, 0.08 GiB free. E: is Fixed (NTFS) - 37.26 GiB total, 0.3 GiB free. F: is CDROM (No Media)G: is CDROM (No Media)-- Security Center -------------------------------------------------------------AUOptions is disabled.Windows Internal Firewall is enabled.FirstRunDisabled is set.UpdatesDisableNotify is set.Unable to create WMI object.-- Environment Variables -------------------------------------------------------ALLUSERSPROFILE=C:\Documents and Settings\All UsersAPPDATA=C:\Documents and Settings\Administrator\Application DataCLASSPATH=.;C:\Program Files\Java\jre1.5.0_04\lib\ext\QTJava.zipCLIENTNAME=ConsoleCommonProgramFiles=C:\Program Files\Common FilesCOMPUTERNAME=ZIVComSpec=C:\WINDOWS\system32\cmd.exeDEFAULT_CA_NR=CA8FP_NO_HOST_CHECK=NOHOMEDRIVE=C:HOMEPATH=\Documents and Settings\AdministratorLOGONSERVER=\\ZIVNUMBER_OF_PROCESSORS=1OS=Windows_NTPath=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem;C:\ProgramPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSHPROCESSOR_ARCHITECTURE=x86PROCESSOR_IDENTIFIER=x86 Family 15 Model 0 Stepping 10, GenuineIntelPROCESSOR_LEVEL=15PROCESSOR_REVISION=000aProgramFiles=C:\Program FilesPROMPT=$P$GQTJAVA=C:\Program Files\Java\jre1.5.0_04\lib\ext\QTJava.zipSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WINDOWSTEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\TempTMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\TempUSERDOMAIN=ZIVUSERNAME=AdministratorUSERPROFILE=C:\Documents and Settings\Administratorwindir=C:\WINDOWS-- User Profiles ---------------------------------------------------------------Administrator (admin)-- Add/Remove Programs --------------------------------------------------------- --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\Audio\CTMixer.isu" --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\Uninstall\Installer.isu" --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.infAC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exeAdobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDeleteAdobe Reader 7.0.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}ASIO4ALL --> C:\Program Files\ASIO4ALL v2\uninstall.exeAzureus --> C:\Program Files\Azureus\Uninstall.exeBabylon --> C:\Program Files\Babylon\Babylon-Pro\Utils\uninstbb.exeBabylon Toolbar --> MsiExec.exe /I{67A339E5-D8AA-4E88-9278-A571B397F798}BSPlayer --> "C:\Program Files\Webteh\BSplayerPro\uninstall.exe"Collab --> C:\Program Files\Image-Line\Collab\uninstall.exeCool Edit Pro 2.0 --> C:\Program Files\coolpro2\cep2unin.exeDelete FXP Files --> MsiExec.exe /X{77FB26DF-10D9-45FF-BA74-6278DB55130F}FL Studio 8 --> C:\Program Files\Image-Line\FL Studio 8\uninstall.exeFull Tilt Poker --> "C:\Program Files\InstallShield Installation Information\{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}\setup.exe" -runfromtemp -l0x0009 -removeonlyHaali Media Splitter --> "C:\Program Files\Haali\MatroskaSplitter\uninstall.exe"HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstallICQ 5.1 --> C:\Program Files\ICQLite\ICQLiteUninstall.EXEIL Download Manager --> C:\Program Files\Image-Line\Downloader\uninstall.exeJ2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}Java 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.logMicrosoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}mIRC --> "C:\Program Files\mIRC\mirc.exe" -uninstallMotorola Phone Tools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}\setup.exe" -l0x9 -removeonlyMozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exeNeo Mule --> C:\Program Files\Neo Mule\uninstall.exeNero 6 Enterprise Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALLNOD32 antivirus system --> C:\Program Files\Eset\Setup\setup.exe /UNINSTALLNOD32 FiX --> "C:\Program Files\Eset\unins000.exe"Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"PoiZone --> C:\Program Files\Image-Line\PoiZone\uninstall.exeQuickTime --> MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}Sony Ericsson Device Data --> MsiExec.exe /I{C92E7DF1-624A-4D95-A4C4-18CB491B44A4}Sony Ericsson Drivers --> MsiExec.exe /I{C60BA916-9E44-4DA4-B11A-9E27B7624EF5}Sony Ericsson PC Suite --> C:\WINDOWS\Installer\{D6BF6477-8369-489F-8DE6-3731F4B88560}\setup.exe /uninstallSony Ericsson PC Suite --> MsiExec.exe /I{D59AC9E9-FFAE-471B-B1FF-4B311D23417A}SoulSeek Client 156c --> "C:\Program Files\Soulseek\uninstall.exe"Sound Blaster PCI --> C:\Program Files\Creative\Uninstall\CTUNINST.EXE /U:UNINST1.INISpybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOGThe Rosetta Stone --> C:\WINDOWS\unvise32.exe C:\Program Files\The Rosetta Stone\TRS Support\uninstal.logToxic Biohazard --> C:\Program Files\Image-Line\Toxic Biohazard\uninstall.exeTuneUp Utilities 2007 --> MsiExec.exe /I{C8BB4912-12D9-42AE-B571-E580D8CD1B5B}VSO Image Resizer 1.0.11 --> "C:\Program Files\VSO\Image Resizer\unins000.exe"WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exeWinZip 9.0 --> C:\PROGRA~1\Winzip\PROGRA~1\Winzip\UNWISE.EXE C:\PROGRA~1\Winzip\PROGRA~1\Winzip\INSTALL.LOG-- Application Event Log -------------------------------------------------------Event Record #/Type6 / ErrorEvent Submitted/Written: 06/02/2008 00:47:07 AMEvent ID/Source: 1002 / Application HangEvent Description:Hanging application SpybotSD.exe, version 1.5.2.20, hang module hungapp, version 0.0.0.0, hang address 0x00000000.-- Security Event Log ----------------------------------------------------------No Errors/Warnings found.-- System Event Log ------------------------------------------------------------Event Record #/Type12629 / ErrorEvent Submitted/Written: 06/05/2008 01:03:53 AMEvent ID/Source: 9 / atapiEvent Description:The device, \Device\Ide\IdePort0, did not respond within the timeout period.Event Record #/Type12628 / ErrorEvent Submitted/Written: 06/05/2008 01:03:13 AMEvent ID/Source: 9 / atapiEvent Description:The device, \Device\Ide\IdePort0, did not respond within the timeout period.Event Record #/Type12627 / ErrorEvent Submitted/Written: 06/05/2008 01:01:41 AM / 06/05/2008 01:01:42 AMEvent ID/Source: 9 / atapiEvent Description:The device, \Device\Ide\IdePort0, did not respond within the timeout period.Event Record #/Type12626 / ErrorEvent Submitted/Written: 06/05/2008 01:00:02 AMEvent ID/Source: 7901 / ScheduleEvent Description:The At2.job command failed to start due to the following error: %%2147942405Event Record #/Type12625 / ErrorEvent Submitted/Written: 06/05/2008 00:57:45 AM / 06/05/2008 00:57:46 AMEvent ID/Source: 9 / atapiEvent Description:The device, \Device\Ide\IdePort0, did not respond within the timeout period.-- End of Deckard's System Scanner: finished at 2008-06-05 06:08:45 ------------**********************************MAIN*****************************************Deckard's System Scanner v20071014.68Run by Administrator on 2008-06-05 06:07:14Computer is in Normal Mode.---------------------------------------------------------------------------------- System Restore --------------------------------------------------------------Unable to create WMI object; The operation completed successfully.Backed up registry hives.Performed disk cleanup.Total Physical Memory: 384 MiB (512 MiB recommended).System Drive C: has 1.84 GiB (less than 15%) free.-- HijackThis (run as Administrator.exe) ---------------------------------------Logfile of Trend Micro HijackThis v2.0.2Scan saved at 06:08:11, on 05/06/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Java\jre1.6.0_05\bin\jusched.exeC:\Program Files\Eset\nod32kui.exeC:\Program Files\Babylon\Babylon-Pro\Babylon.exeC:\Program Files\DAEMON Tools\daemon.exeC:\Program Files\Eset\nod32krn.exeC:\WINDOWS\system32\svchost.exeC:\Documents and Settings\Administrator\Desktop\dss.exeC:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.ilR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptionsO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICEO4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exeO4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio\PROGRAM\CTMIX32.EXE /tO4 - HKLM\..\Run: [babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStartO4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exeO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe" -autorunO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKUS\S-1-5-21-1004336348-1993962763-1343024091-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')O4 - HKUS\S-1-5-21-1004336348-1993962763-1343024091-500\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe" -autorun (User '?')O4 - HKUS\S-1-5-21-1004336348-1993962763-1343024091-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htmO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLLO9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exeO9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exeO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cabO16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{69043674-3390-46E6-A943-F810AFB0CEB6}: NameServer = 10.0.0.138O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exeO23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exeO23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe--End of file - 5192 bytes-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------backup-20080601-203347-269 O4 - HKCU\..\RunOnce: [spybotDeletingD1873] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"backup-20080601-203347-359 O4 - HKUS\S-1-5-21-1004336348-1993962763-1343024091-500\..\RunOnce: [spybotDeletingB6196] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk" (User '?')backup-20080601-203347-392 O4 - HKCU\..\RunOnce: [spybotDeletingB6196] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"backup-20080601-203347-557 O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)backup-20080601-203347-919 O4 - HKLM\..\RunOnce: [spybotDeletingA5406] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"backup-20080601-203347-997 O4 - HKLM\..\RunOnce: [spybotDeletingC6627] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"backup-20080601-203348-839 O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)-- File Associations -----------------------------------------------------------All associations okay.-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys (file missing)3 UnlockerDriver4 (UnlockerDriver4 Driver) - c:\windows\system32\unlockerdriver4.sys1 usbhubb - c:\windows\system32\drivers\usbhubb.sys3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------2 UxTuneUp (TuneUp Design Expansion) - c:\windows\system32\svchost.exe-- Device Manager: Disabled ----------------------------------------------------Unable to create WMI object.-- Scheduled Tasks -------------------------------------------------------------2008-06-05 01:00:01 350 --a------ C:\WINDOWS\Tasks\At2.job2008-06-05 00:00:00 350 --a------ C:\WINDOWS\Tasks\At1.job2008-06-04 23:00:00 350 --a------ C:\WINDOWS\Tasks\At24.job2008-06-04 22:00:00 350 --a------ C:\WINDOWS\Tasks\At23.job2008-06-04 21:00:00 350 --a------ C:\WINDOWS\Tasks\At22.job2008-06-04 20:00:00 350 --a------ C:\WINDOWS\Tasks\At21.job2008-06-04 19:00:00 350 --a------ C:\WINDOWS\Tasks\At20.job2008-06-04 18:00:00 350 --a------ C:\WINDOWS\Tasks\At19.job2008-06-04 17:00:00 350 --a------ C:\WINDOWS\Tasks\At18.job2008-06-04 16:00:00 350 --a------ C:\WINDOWS\Tasks\At17.job2008-06-04 15:00:00 350 --a------ C:\WINDOWS\Tasks\At16.job2008-06-04 14:00:00 350 --a------ C:\WINDOWS\Tasks\At15.job2008-06-04 13:00:00 350 --a------ C:\WINDOWS\Tasks\At14.job2008-06-04 12:00:00 350 --a------ C:\WINDOWS\Tasks\At13.job2008-06-04 11:00:00 350 --a------ C:\WINDOWS\Tasks\At12.job2008-06-04 10:00:00 350 --a------ C:\WINDOWS\Tasks\At11.job2008-06-04 09:00:00 350 --a------ C:\WINDOWS\Tasks\At10.job2008-06-04 08:00:00 350 --a------ C:\WINDOWS\Tasks\At9.job2008-06-04 07:00:00 350 --a------ C:\WINDOWS\Tasks\At8.job2008-06-03 06:00:00 350 --a------ C:\WINDOWS\Tasks\At7.job2008-06-03 05:00:00 350 --a------ C:\WINDOWS\Tasks\At6.job2008-06-03 04:00:00 350 --a------ C:\WINDOWS\Tasks\At5.job2008-06-03 03:00:00 350 --a------ C:\WINDOWS\Tasks\At4.job2008-06-03 02:00:00 350 --a------ C:\WINDOWS\Tasks\At3.job2008-05-30 17:15:00 406 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job-- Files created between 2008-05-05 and 2008-06-05 -----------------------------2008-06-05 01:04:23 68096 --a------ C:\WINDOWS\zip.exe2008-06-05 01:04:23 49152 --a------ C:\WINDOWS\VFind.exe2008-06-05 01:04:23 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>2008-06-05 01:04:23 98816 --a------ C:\WINDOWS\sed.exe2008-06-05 01:04:23 80412 --a------ C:\WINDOWS\grep.exe2008-06-05 01:04:23 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >2008-06-05 01:04:22 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>2008-06-05 01:04:22 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>2008-06-04 18:54:22 0 d-------- C:\Program Files\m2008-06-03 17:16:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes2008-06-03 17:16:57 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware2008-06-03 16:55:36 0 d-------- C:\WINDOWS\pss2008-06-01 09:08:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes2008-05-31 12:11:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy2008-05-31 11:16:07 0 d-------- C:\Program Files\Trend Micro2008-05-17 20:46:39 0 d-------- C:\Program Files\Spyware Doctor2008-05-17 20:46:39 0 d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools2008-05-10 12:52:31 0 d-------- C:\Program Files\Outsim-- Find3M Report ---------------------------------------------------------------2008-06-05 01:04:39 0 d-------- C:\Documents and Settings\Administrator\Application Data\Azureus2008-06-05 00:36:18 0 d-------- C:\Program Files\Neo Mule2008-05-17 19:07:06 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard2008-05-10 12:55:30 0 d-------- C:\Program Files\VstPlugins2008-05-10 12:55:22 0 d-------- C:\Program Files\Image-Line2008-04-24 21:05:23 0 d-------- C:\Documents and Settings\Administrator\Application Data\Babylon2008-04-21 13:38:31 0 d-------- C:\Program Files\PFConfig2008-04-21 13:26:45 0 d-------- C:\Program Files\Soulseek2008-04-21 07:10:26 0 d-------- C:\Program Files\Haali2008-04-21 07:09:44 0 d-------- C:\Program Files\AC3Filter2008-04-17 19:06:08 0 d-------- C:\Program Files\Azureus2008-04-05 20:00:17 0 d-------- C:\Program Files\Full Tilt Poker-- Registry Dump ---------------------------------------------------------------*Note* empty entries & legit default entries are not shown[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [06/13/2007 08:16 AM]"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/24/2008 08:41 AM]"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [02/08/2008 03:53 PM]"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" []"CreativeMixer"="C:\Program Files\Creative\Audio\PROGRAM\CTMIX32.exe" []"Babylon Client"="C:\Program Files\Babylon\Babylon-Pro\Babylon.exe" [03/04/2008 10:58 PM]"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools\daemon.exe" [01/17/2008 06:51 PM]"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"DisableRegistryTools"=0 (0x0)"HideLegacyLogonScripts"=0 (0x0)"HideLogoffScripts"=0 (0x0)"RunLogonScriptSync"=1 (0x1)"RunStartupScriptSync"=0 (0x0)"HideStartupScripts"=0 (0x0)[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]"HideLegacyLogonScripts"=0 (0x0)"HideLogoffScripts"=0 (0x0)"RunLogonScriptSync"=1 (0x1)"RunStartupScriptSync"=0 (0x0)"HideStartupScripts"=0 (0x0)[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]"EnsoniqMixer"=C:\WINDOWS\System32\Starter.ExeHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcsUxTuneUp-- End of Deckard's System Scanner: finished at 2008-06-05 06:08:45 ------------ Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 5, 2008 Root Admin ID:19511 Share Posted June 5, 2008 Now we're getting somewhere.Full Tilt Poker has been reported as being malware-related so I strongly recommend you remove it.Full Tilt PokerYou have Azureus , Neo Mule, and Soulseek, P2P file sharing programs installed on your computer. These program do not come bundled with malware as some similar programs do, but peer-to-peer file sharing networks are one of the biggest sources of malware we see. Anything downloaded from them cannot be trusted to be clean, because even if the file appears to be what it claims to be, it can have malware embedded in it.I recommend you remove them, but of course the choice is yours.There have been multiple attacks on Java lately so you need to ensure you have the latest version installed at all times.Please go into Control Panel - Add/Remove and remove the following applications and we'll download and install newer versions after you're cleaned up.J2SE Runtime Environment 5.0 Update 4Java™ 6 Update 5Macromedia Shockwave PlayerStart Hijackthis and do a Scan Only and place a check mark on the following itemsO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cabThen click on "Fix selected"What is in this folder? C:\Program Files\mNotice the files here. They have a SPACE in the name and that is why they won't run correctly.You only need 1 copy but basically you need to do a search for *.EXE and every one that has a SPACE you need to remove the space.EXAMPLE: The file qttask has many versions now with multiple spaces. You can delete all but one of them and for that one that is left make sure it has no spaces and is qttask.exe----a-w 2,663,480 2008-02-07 04:26:18 C:\Program Files\Babylon\Babylon-Pro\Babylon .exe----a-w 20,480 2008-02-07 04:25:57 C:\Program Files\Creative\Audio\Program\CTMIX32 .EXE----a-w 165,784 2008-02-07 04:26:24 C:\Program Files\DAEMON Tools\daemon .exe----a-w 1,410,304 2008-02-07 04:26:15 C:\Program Files\ESET\ESET NOD32 Antivirus\egui .exe----a-w 1,694,208 2008-02-07 04:26:28 C:\Program Files\Messenger\msmsgs .exe----a-w 282,624 2008-02-07 04:26:02 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:35:51 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:35:56 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:35:56 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:35:56 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:35:57 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:35:57 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:35:58 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:35:58 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:35:58 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:35:59 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:35:59 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:35:59 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:36:00 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:36:01 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:36:01 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:36:01 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-02-07 05:36:02 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-01-25 12:58:40 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-01-24 06:40:59 C:\Program Files\QuickTime\qttask .exe----a-w 282,624 2008-01-24 06:41:00 C:\Program Files\QuickTime\qttask .exe----a-w 15,360 2008-02-07 04:26:32 C:\WINDOWS\system32\ctfmon .exeNOTE! When saving screen shots please save them as .JPG not .BMP - Thanks.Perform the tasks above and then browse to the folder: C:\Program Files\Malwarebytes' Anti-Malware and ensure all the files do not have spaces in them.changes.rtfcomctl32.ocxLanguageslicense.txtmbam.chmmbam.dllmbam.exembamext.dllmbamservice.exembamtrayctrl.exessubtmr6.dllunins000.datunins000.exeunins000.msgvbalsgrid6.ocxzlib.dllIn the LANGUAGES folder the files should be named:albanian.lngbulgarian.lngcatalan.lngdanish.lngdutch.lngenglish.lngfinnish.lngfrench.lnggerman.lnghungarian.lngitalian.lngnorwegian.lngportugueseBR.lngromanian.lngserbian.lngslovak.lngslovenian.lngspanish.lngswedish.lngGo into Control Panel - Scheduled Tasks and delete ALL the scheduled tasks. We can recreate any that you may want later on.If all looks well then try another scan with the Malwarebytes program or correct any file names and try to scan.Report back how things are going after the above.. Link to post Share on other sites More sharing options...
jbd55 Posted June 5, 2008 Author ID:19559 Share Posted June 5, 2008 well, i've done everything you mentioned, except:1. some files werent shown in the hjt scan, probably because i removed java:O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll2. even after cleaning files with spaces and renaming, i still cant run mbam.i removed all the scheduled tasks, there were many suspicus looking tasks there. I also removed full tilt poker Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 6, 2008 Root Admin ID:19579 Share Posted June 6, 2008 Okay well there is a new version of Malwarebytes that came out today.Please uninstall and fully remove your current version of Malwarebytes and reboot. Then download and install this new version and let me know if it runs or not. Malwarebytes Anti-Malware 1.15 . Link to post Share on other sites More sharing options...
jbd55 Posted June 6, 2008 Author ID:19608 Share Posted June 6, 2008 okay, i've done everything you said. it still doesnt run, now it says : "run-time error '48': file not found: zlib.dll"i checked and the file zlib.dll is okay, im attaching a screenshot of the folder contents.sorry for uploading a .bmp screenshot, but the forums wont let me upload a .jpg....mbam_error.bmpmbam_error.bmp Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 6, 2008 Root Admin ID:19686 Share Posted June 6, 2008 Okay, please click on START - RUN and type in ComboFix /U and remove ComboFix and all backups.Then download a new version ComboFix.exe and double-click on it and run it.Then post back the log from ComboFix. Link to post Share on other sites More sharing options...
jbd55 Posted June 7, 2008 Author ID:19742 Share Posted June 7, 2008 ComboFix 08-06-06.6 - Administrator 06/07/2008 13:20:10.2 - NTFSx86Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe * Resident AV is activeWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).C:\temp\tn3C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete.((((((((((((((((((((((((( Files Created from 2008-05-07 to 2008-06-07 ))))))))))))))))))))))))))))))).No new files created in this timespan.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2008-06-07 11:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Babylon2008-06-07 11:24 932 ------w C:\WINDOWS\system32\drivers\core.cache.dsk2008-06-06 09:06 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware2008-06-06 09:06 --------- d-----w C:\Program Files\Common Files\Download Manager2008-06-06 09:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes2008-06-05 22:39 --------- d-----w C:\Program Files\QuickTime2008-06-05 22:39 --------- d-----w C:\Program Files\DAEMON Tools2008-06-05 22:33 --------- d-----w C:\Program Files\Java2008-06-05 22:31 --------- d--h--w C:\Program Files\InstallShield Installation Information2008-06-05 22:31 --------- d-----w C:\Program Files\Full Tilt Poker2008-06-05 22:27 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus2008-06-05 14:04 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys2008-06-05 14:04 15,864 ----a-w C:\WINDOWS\system32\drivers\mbam.sys2008-06-05 04:59 --------- d-----w C:\Program Files\Neo Mule2008-06-01 07:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Malwarebytes2008-06-01 07:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy2008-05-31 10:16 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP2008-05-31 10:12 --------- d-----w C:\Program Files\Spybot - Search & Destroy2008-05-31 09:16 --------- d-----w C:\Program Files\Trend Micro2008-05-30 20:21 --------- d-----w C:\Program Files\Spyware Doctor2008-05-17 18:46 --------- d-----w C:\Documents and Settings\Administrator\Application Data\PC Tools2008-05-17 17:07 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard2008-05-17 17:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft2008-05-10 10:55 --------- d-----w C:\Program Files\VstPlugins2008-05-10 10:55 --------- d-----w C:\Program Files\Image-Line2008-05-10 10:52 --------- d-----w C:\Program Files\Outsim2008-04-24 19:05 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Babylon2008-04-21 11:38 --------- d-----w C:\Program Files\PFConfig2008-04-21 11:26 --------- d-----w C:\Program Files\Soulseek2008-04-21 05:10 --------- d-----w C:\Program Files\Haali2008-04-21 05:09 --------- d-----w C:\Program Files\AC3Filter2008-04-17 17:06 --------- d-----w C:\Program Files\Azureus2007-01-25 04:20 24,192 -c--a-w C:\Documents and Settings\Administrator\usbsermptxp.sys2007-01-25 04:20 22,768 -c--a-w C:\Documents and Settings\Administrator\usbsermpt.sys.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [02/07/2008 06:26 AM 1694208]"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools\daemon.exe" [01/17/2008 06:51 PM 486856]"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/07/2008 06:26 AM 15360][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [06/13/2007 08:16 AM 528384]"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [02/08/2008 03:53 PM 949376]"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]"CreativeMixer"="C:\Program Files\Creative\Audio\PROGRAM\CTMIX32.exe" [02/07/2008 06:25 AM 20480]"Babylon Client"="C:\Program Files\Babylon\Babylon-Pro\Babylon.exe" [03/04/2008 10:58 PM 3165920]"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [ ][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]"EnsoniqMixer"=C:\WINDOWS\System32\Starter.Exe[HKEY_LOCAL_MACHINE\software\microsoft\security center]"UpdatesDisableNotify"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"C:\\Program Files\\Neo Mule\\emule.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Azureus\\Azureus.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"49578:TCP"= 49578:TCP:azu"49578:UDP"= 49578:UDP:azu1HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcsUxTuneUp.**************************************************************************catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2008-06-07 13:25:24Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ... scanning hidden autostart entries ...scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.------------------------ Other Running Processes ------------------------.C:\Program Files\ESET\nod32krn.exeC:\WINDOWS\system32\wdfmgr.exe.**************************************************************************.Completion time: 06/07/2008 13:27:55 - machine was rebootedComboFix-quarantined-files.txt 2008-06-07 11:27:49ComboFix2.txt 2008-06-04 23:13:31Pre-Run: 2,096,713,728 bytes freePost-Run: 2,116,382,720 bytes free104 Link to post Share on other sites More sharing options...
jbd55 Posted June 10, 2008 Author ID:19957 Share Posted June 10, 2008 ? Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 11, 2008 Root Admin ID:20007 Share Posted June 11, 2008 Sorry about the delay JB. You have a bad case of Vundo on your system.Please give me a full listing of the files in your WINDOWS and sub folders. Since some of the other options didn't work we'll look to see if we can unregister some files and then remove all the startups.From DOS you should be able to run something like this.Click on START - RUN and type in CMD and press the Enter key. Then press the ENTER key after each command below as well.DIR C:\WINDOWS /AD /AH /AS /AR /AA /A /O:G /O:N /S >C:\MBALLFILES.TXTWhen completed please please ZIP up this file C:\MBALLFILES.TXT and attach it to your next replyHow To Use Compressed (Zipped) Folders in Windows XPaboutzip Link to post Share on other sites More sharing options...
jbd55 Posted June 12, 2008 Author ID:20090 Share Posted June 12, 2008 ok here it ismballfiles.zipmballfiles.zip Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 12, 2008 Root Admin ID:20126 Share Posted June 12, 2008 Thanks - I've got it and will review it and get back to you. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 13, 2008 Root Admin ID:20152 Share Posted June 13, 2008 I've been asked to have you run SmitFraudFix for this infection.Download SmitfraudFix (by S!Ri) to your DesktopSmitFraudFixDouble Click SmitfraudFix.exe on your Desktop. A folder named SmitfraudFix will be created on your Desktop.Do not run the fix yet.You might want to print out these instructions, as you will be in Safe Mode and unable to refer to them here.Start your computer in Safe Mode.Open the folder on your desktop, SmitFraudFix:Double-click SmitFraudFix.cmd (Marked in Red in the picture above) to start the fix.Choose Option #2 -- Clean by typing 2 and pressing [Enter]. Wait for the tool to complete and disk cleanup to finish.You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit [Enter].Your screen will show .The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit [Enter]. A reboot may be needed to finish the cleaning process. If your computer does not restart automatically when the tool indicates a restart is to occur, please do it yourself manually. Reboot in Safe Mode.The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: . When finished, Reboot your computer back to Normal Mode.Note: This utility contains a helper file called Process.exe that is often identified by antivirus programs as bad. Please do not let your Antivirus software delete this file. It is perfectly safe.Download and Run ComboFix If you have a previous version of Combofix.exe, delete it and download a fresh copy.Download this file to your Desktop ComboFix.exe or from here ComboFix.exeRun ComboFix again.Run HijackThis again, System scan only, and save the log file.Post back to the Forum:The contents of C:\Rapport.txt;The contents of C:\Combofix.txt;Your new HijackThis log.. Link to post Share on other sites More sharing options...
jbd55 Posted June 13, 2008 Author ID:20199 Share Posted June 13, 2008 HJTLogfile of Trend Micro HijackThis v2.0.2Scan saved at 21:07:38, on 13/06/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Eset\nod32krn.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Eset\nod32kui.exeC:\Program Files\Babylon\Babylon-Pro\Babylon.exeC:\Program Files\DAEMON Tools\daemon.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\wuauclt.exeC:\WINDOWS\explorer.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\Program Files\Mozilla Firefox\firefox.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptionsO4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICEO4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exeO4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio\PROGRAM\CTMIX32.EXE /tO4 - HKLM\..\Run: [babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStartO4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exeO4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe" -autorunO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKUS\S-1-5-21-1004336348-1993962763-1343024091-500\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe" -autorun (User '?')O4 - HKUS\S-1-5-21-1004336348-1993962763-1343024091-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htmO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLLO9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exeO9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exeO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{69043674-3390-46E6-A943-F810AFB0CEB6}: NameServer = 10.0.0.138O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exeO23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exeO23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe--End of file - 4197 bytesSMITFRAUDSmitFraudFix v2.324Scan done at 20:03:48.95, Fri 06/13/2008Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFixOS: Microsoft Windows XP [Version 5.1.2600] - Windows_NTThe filesystem type is NTFSFix run in safe mode Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 14, 2008 Root Admin ID:20238 Share Posted June 14, 2008 Make a new folder on your system C:\TEMPHOLDDownload IceSword English Version 1.22Extract the files to C:\is_en would be the default but it can be extracted where you want as long as you know where it's at.Launch the program - on the left side are 3 panels Functions, Registry, and FileClick on the File panel and browse to this location C:\WINDOWS\system32\drivers\core.cache.dskCopy the file core.cache.dsk to C:\TEMPHOLD using IceSwordClick on the File panel and browse to this location C:\WINDOWS\iun6002.exeCopy the file iun6002.exe to C:\TEMPHOLD using IceSwordBrowse to this location C:\temp\tn3 and see if there are any files there. If so copy and upload them too. Once done use Ice Sword to do a forced delete of C:\temp\tn3Quit IceSwordZip up those files with your name C:\TEMPHOLD\core.cache.dsk and any other files there and upload it to http://uploads.malwarebytes.orgThen download and run the attched batch file. Uzip it and run it. It will make a new folder on your Desktop named malware and copy files from C:\Program Files\Full Tilt PokerC:\Program Files\Neo MuleWhen it is done zip up these files as well and attach them to your next post.If you need help on how to zip files let me knowSorry about the file name. Was working on his post too. This is the correct file to run though.ForJerry.zipForJerry.zip Link to post Share on other sites More sharing options...
Recommended Posts