Jump to content

Recommended Posts

1. MBAM Log

Malwarebytes' Anti-Malware 1.31

Database version: 1464

Windows 5.1.2600 Service Pack 3

12/5/2008 7:37:18 PM

mbam-log-2008-12-05 (19-37-18).txt

Scan type: Quick Scan

Objects scanned: 52660

Time elapsed: 5 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

2. Panda

;*******************************************************************************

********************************************************************************

*

*******************

ANALYSIS: 2008-12-05 20:48:20

PROTECTIONS: 1

MALWARE: 8

SUSPECTS: 11

;*******************************************************************************

********************************************************************************

*

*******************

PROTECTIONS

Description Version Active Updated

;===============================================================================

================================================================================

=

===================

Sophos Antivirus 7.6.0 No No

;===============================================================================

================================================================================

=

===================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

================================================================================

=

===================

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Jeremy\Cookies\jeremy@doubleclick[1].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Jeremy\Cookies\jeremy@atdmt[2].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Jeremy\Cookies\jeremy@atdmt[3].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Jeremy\Cookies\jeremy@ad.yieldmanager[2].txt

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Jeremy\Cookies\jeremy@serving-sys[1].txt

00429208 Adware/FBrowsingAdvisor Adware No 0 Yes No C:\Program Files\mozilla.org\Mozilla\regxpcom.exe

01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\Jeremy\Cookies\jeremy@adserver.easyad[1].txt

04247549 Trj/Zlob.KH Virus/Trojan No 1 Yes No C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\O9QVWDE7\nww32[1].exe

04277170 Generic Trojan Virus/Trojan No 0 Yes No C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\Patch.exe.GE2EGQCSXUITG5TYARUIYIXD6R2C4W4SFFOJAMI.dctmp.000

04277170 Generic Trojan Virus/Trojan No 0 Yes No C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\Patch.exe.GE2EGQCSXUITG5TYARUIYIXD6R2C4W4SFFOJAMI.dctmp.antifrag.000

;===============================================================================

================================================================================

=

===================

SUSPECTS

Sent Location P

;===============================================================================

================================================================================

=

===================

Yes C:\WINDOWS\System32\jacmms.dll P

Yes C:\WINDOWS\system32\jacmms.dll P

Yes C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\eco98IV.exe.000

Yes C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\eco98IV.exe.1.000

Yes C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\RM63TDG.exe.000

Yes C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\RM63TDG.exe.1.000

Yes C:\Documents and Settings\Jeremy\Local Settings\Temp\vrmB09.tmp[NN_Bar77_876984.dll] P

Yes C:\Documents and Settings\Jeremy\My Documents\mirc631.exe[

Link to post
Share on other sites

Hello,

1. Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files)

Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.

Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

ATF-Cleaner should be run per the above in every user-login account {User Profile}

=

3. Important! => Open Notepad > Click on Format > Uncheck Word wrap, if checked. Exit Notepad.

>

Using Internet Explorer browser only, go to ESET Online Scanner website:

  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.

    Look at contents of this file using Notepad or Wordpad.

    The Frequently Asked Questions for ESET Online Scanner can be viewed here

    http://www.eset.com/onlinescan/cac4.php?page=faq

    • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
      Otherwise the scan will take twice as long to do:
      everytime the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
      (And the prompt re-enabling when finished.)
    • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.

=

Download DDS and save it to your desktop from http://www.techsupportforum.com/sectools/sUBs/dds here or http://download.bleepingcomputer.com/sUBs/dds.scr or

http://www.forospyware.com/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.

Then double click dds.scr to run the tool.

When done, DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

    [*]Save both reports to your desktop.

Please include the following logs in your next reply:

the Eset scan log

DDS.txt

Attach.txt

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You'll may need to do more than 1 reply.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

Link to post
Share on other sites

ESET Log.txt

# version=4

# OnlineScanner.ocx=1.0.0.635

# OnlineScannerDLLA.dll=1, 0, 0, 79

# OnlineScannerDLLW.dll=1, 0, 0, 78

# OnlineScannerUninstaller.exe=1, 0, 0, 49

# vers_standard_module=3712 (20081222)

# vers_arch_module=1.064 (20080214)

# vers_adv_heur_module=1.064 (20070717)

# EOSSerial=ab2dc541ee72f042bd0838405cb0eb01

# end=finished

# remove_checked=true

# unwanted_checked=false

# utc_time=2008-12-23 06:34:02

# local_time=2008-12-23 01:34:02 (-0500, Eastern Standard Time)

# country="United States"

# osver=5.1.2600 NT Service Pack 3

# scanned=372048

# found=0

# scan_time=6768

While running this, my Sophos Anti-Virus popped up ( I dont know how to disable this thing... it was necessary in order to log in wirelessly to my university's campus.)

Anyway, it popped up and said:

"File C:\Documents and Settings\...\Temp\NOD62C7.tmp belongs to virus/spyware Mal/Behav-181."

"File C:\Documents and Settings\...\Temp\NOD30A7.tmp belongs to virus/spyware Mal/Behav-181."

"File C:\Documents and Settings\...\Temp\NOD31F7.tmp belongs to virus/spyware Mal/Behav-181."

"File C:\Documents and Settings\...\Temp\NOD64CF.tmp belongs to virus/spyware Mal/Behav-181."

Link to post
Share on other sites

DDS.txt

DDS (Version 1.1.0) - NTFSx86

Run by Jeremy at 1:45:49.23 on Tue 12/23/2008

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_05

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.362 [GMT -5:00]

AV: Sophos Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe

C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

C:\Program Files\Sophos\Remote Management System\RouterNT.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

C:\Program Files\Rainlendar2\Rainlendar2.exe

C:\Program Files\Sophos\AutoUpdate\ALMon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\MSN Messenger\usnsvc.exe

C:\Program Files\mozilla.org\Mozilla\mozilla.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Jeremy\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = https://muss.cis.mcmaster.ca/

uInternet Settings,ProxyOverride = *.local

BHO: Sophos Web Content Scanner: {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll

uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background

uRun: [Rainlendar2] c:\program files\rainlendar2\Rainlendar2.exe

uRun: [scheduler_monitor] c:\program files\reaconverter 5.5 pro\init_scheduler.exe

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [startCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cleana~1.lnk - c:\program files\cisco systems\clean access agent\CCAAgentLauncher.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll

IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL jacmms.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jeremy\applic~1\mozilla\firefox\profiles\og03m7l0.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.homeword.com/DailyDevotional/DevotionalDetail.aspx

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-5 28544]

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2007-9-24 104704]

R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2007-9-24 35584]

R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]

R2 SAVAdminService;Sophos Anti-Virus status reporter;"c:\program files\sophos\sophos anti-virus\SAVAdminService.exe" [2008-10-23 69632]

R2 SAVService;Sophos Anti-Virus;"c:\program files\sophos\sophos anti-virus\SavService.exe" [2008-9-30 98304]

R2 Sophos Agent;Sophos Agent;"c:\program files\sophos\remote management system\ManagementAgentNT.exe" -service -name Agent [2008-10-23 266240]

R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;"c:\program files\sophos\autoupdate\ALsvc.exe" [2008-9-30 172032]

R2 Sophos Message Router;Sophos Message Router;"c:\program files\sophos\remote management system\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 [2008-10-23 794624]

S0 ati0vcxx;ati0vcxx;c:\windows\system32\drivers\ati0vcxx.sys []

S0 ati6jpxx;ati6jpxx;c:\windows\system32\drivers\ati6jpxx.sys []

S1 dxgthkk;dxgthkk;c:\windows\system32\drivers\dxgthkk.sys []

S3 rcp_service;ReaConverter scheduler service;c:\program files\reaconverter 5.5 pro\rcp_scheduler.exe [2007-11-30 558592]

S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-9-30 14976]

=============== Created Last 30 ================

2008-12-05 20:53 <DIR> --d----- c:\program files\Trend Micro

2008-12-05 18:37 28,544 a------- c:\windows\system32\drivers\pavboot.sys

2008-12-05 18:36 <DIR> --d----- c:\program files\Panda Security

2008-12-05 18:35 <DIR> --d----- c:\program files\EsetOnlineScanner

2008-12-05 15:00 <DIR> --d----- c:\docume~1\jeremy\applic~1\Malwarebytes

2008-12-05 14:59 15,504 a------- c:\windows\system32\drivers\mbam.sys

2008-12-05 14:59 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-05 14:59 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2008-12-05 14:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2008-12-05 14:51 <DIR> --dsh--- C:\found.000

2008-12-05 13:45 <DIR> --d----- c:\program files\Lavasoft

2008-12-05 13:45 <DIR> --d----- c:\program files\common files\Wise Installation Wizard

2008-12-05 12:18 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)

2008-12-05 12:18 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)

2008-12-05 12:18 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2008-12-05 12:18 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2008-12-05 12:13 <DIR> --dsh--- c:\windows\SmVyZW15IFRhbmc

2008-12-05 12:12 47,598 a------- c:\windows\system32\iawuqolblmdzne.exe

2008-11-27 01:16 244 a---h--- C:\sqmnoopt11.sqm

2008-11-27 01:16 232 a---h--- C:\sqmdata11.sqm

2008-11-27 01:11 232 a---h--- C:\sqmdata10.sqm

2008-11-27 01:11 244 a---h--- C:\sqmnoopt10.sqm

2008-11-26 14:46 <DIR> --d----- c:\program files\Full Tilt Poker

2008-11-25 12:43 244 a---h--- C:\sqmnoopt09.sqm

2008-11-25 12:43 232 a---h--- C:\sqmdata09.sqm

==================== Find3M ====================

2008-12-05 12:27 14,336 a------- c:\windows\system32\svchost.exe

2008-10-14 20:28 25,448 a------- c:\docume~1\jeremy\applic~1\GDIPFONTCACHEV1.DAT

2008-10-14 19:52 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat

2008-09-30 05:29 130,104 a------- c:\windows\system32\sdccoinstaller.dll

2008-09-30 05:28 23,552 a------- c:\windows\system32\sophosboottasks.exe

============= FINISH: 1:46:19.26 ===============

-- ATTACH.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Version 1.0)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume2

Install Date: 8/10/2007 2:52:34 AM

System Uptime: 12/22/2008 11:02:46 PM (2 hours ago)

Motherboard: Dell Inc. | | 0UW744

Processor: AMD Athlon 64 X2 Dual-Core Processor TK-53 | Socket M2/S1G1 | 1695/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 74 GiB total, 1.785 GiB free.

E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Link to post
Share on other sites

Spybot S & D is a good program. But it's Tea Timer feature can block us from doing some changes. Insure it is NOT enabled or active.

Start Spybot-S&D in Advanced Mode.

If it is not already set to do this Go to the Mode menu select "Advanced Mode"

On the left hand side, Click on Tools

Then click on the Resident Icon in the List

Uncheck "Resident TeaTimer" and OK any prompts.

Restart your computer.

=

This system has an old version of Java Run-time.

Uninstall jre1.6 (or any earlier) + any other (JRE Runtime Environment ) Sun Java package via Add/Remove Programs.

If you see any other Java versions there,

such as

J2SE Runtime Environment 5.0 Update 6

Java

Link to post
Share on other sites

C:\Combofix.txt

ComboFix 08-12-23.01 - Jeremy 2008-12-24 1:06:26.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.488 [GMT -5:00]

Running from: c:\documents and settings\Jeremy\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Jeremy\Local Settings\Temporary Internet Files\fbk.sts

c:\windows\IE4 Error Log.txt

c:\windows\system32\autoexec.bat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_FCI

((((((((((((((((((((((((( Files Created from 2008-11-24 to 2008-12-24 )))))))))))))))))))))))))))))))

.

2008-12-24 00:59 . 2008-12-24 00:59 <DIR> d-------- c:\program files\Java

2008-12-24 00:59 . 2008-12-24 00:59 410,984 --a------ c:\windows\system32\deploytk.dll

2008-12-24 00:59 . 2008-12-24 00:59 73,728 --a------ c:\windows\system32\javacpl.cpl

2008-12-05 20:53 . 2008-12-05 20:53 <DIR> d-------- c:\program files\Trend Micro

2008-12-05 18:37 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2008-12-05 18:36 . 2008-12-05 18:36 <DIR> d-------- c:\program files\Panda Security

2008-12-05 18:35 . 2008-12-22 23:40 <DIR> d-------- c:\program files\EsetOnlineScanner

2008-12-05 17:39 . 2008-12-05 17:39 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes

2008-12-05 17:19 . 2008-12-05 17:19 <DIR> d-------- c:\documents and settings\Administrator

2008-12-05 15:00 . 2008-12-05 15:00 <DIR> d-------- c:\documents and settings\Jeremy\Application Data\Malwarebytes

2008-12-05 14:59 . 2008-12-05 15:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-12-05 14:59 . 2008-12-05 14:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-05 14:59 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-05 14:59 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-05 14:51 . 2008-12-05 14:51 <DIR> d--hs---- C:\found.000

2008-12-05 13:45 . 2008-12-05 13:45 <DIR> d-------- c:\program files\Lavasoft

2008-12-05 13:45 . 2008-12-05 13:45 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2008-12-05 13:45 . 2008-12-05 13:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2008-12-05 12:18 . 2008-12-05 12:18 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)

2008-12-05 12:18 . 2008-12-05 12:18 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)

2008-12-05 12:18 . 2008-12-05 12:18 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2008-12-05 12:18 . 2008-12-05 12:18 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2008-12-05 12:13 . 2008-12-05 14:52 <DIR> d--hs---- c:\windows\SmVyZW15IFRhbmc

2008-11-27 01:16 . 2008-11-27 01:16 244 --ah----- C:\sqmnoopt11.sqm

2008-11-27 01:16 . 2008-11-27 01:16 232 --ah----- C:\sqmdata11.sqm

2008-11-27 01:11 . 2008-11-27 01:11 244 --ah----- C:\sqmnoopt10.sqm

2008-11-27 01:11 . 2008-11-27 01:11 232 --ah----- C:\sqmdata10.sqm

2008-11-26 14:46 . 2008-11-26 15:05 <DIR> d-------- c:\program files\Full Tilt Poker

2008-11-25 12:43 . 2008-11-25 12:43 244 --ah----- C:\sqmnoopt09.sqm

2008-11-25 12:43 . 2008-11-25 12:43 232 --ah----- C:\sqmdata09.sqm

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-16 16:03 --------- d-----w c:\documents and settings\Jeremy\Application Data\uTorrent

2008-12-05 17:59 --------- d-----w c:\program files\Spybot - Search & Destroy

2008-12-05 16:48 --------- d-----w c:\documents and settings\Jeremy\Application Data\mIRC

2008-12-05 16:35 --------- d-----w c:\program files\mIRC

2008-11-26 20:11 --------- d-----w c:\program files\Steam

2008-11-26 20:05 --------- d--h--w c:\program files\InstallShield Installation Information

2008-11-20 02:52 --------- d-----w c:\documents and settings\Jeremy\Application Data\RCP 5

2008-11-20 02:37 --------- d-----w c:\program files\ReaConverter 5.5 Pro

2008-10-15 01:28 25,448 ----a-w c:\documents and settings\Jeremy\Application Data\GDIPFONTCACHEV1.DAT

2008-10-30 17:54 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll

2008-10-30 17:54 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

2008-10-30 17:54 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll

2008-10-30 17:54 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll

2008-10-30 17:54 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2007-07-24 1298432]

"scheduler_monitor"="c:\program files\ReaConverter 5.5 Pro\init_scheduler.exe" [2007-06-15 27136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-24 136600]

"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-03-23 113664]

AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2007-09-24 245760]

Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe [2007-12-07 28672]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.ffds"= ffdshow.ax

"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati0vcxx.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati6jpxx.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]

@="service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Clean Access Agent.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Clean Access Agent.lnk

backup=c:\windows\pss\Clean Access Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2007-05-11 02:06 40048 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]

--a------ 2005-06-08 13:44 196608 c:\program files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]

--a------ 2005-06-08 14:24 458752 c:\program files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]

--a------ 2005-06-08 14:14 217088 c:\program files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]

--a------ 2005-07-19 16:32 221184 c:\windows\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

--a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung Common SM]

--------- 2005-07-03 02:20 372736 c:\windows\Samsung\ComSMMgr\SSMMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]

--a------ 2006-11-10 11:35 90112 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Documents and Settings\\Jeremy\\Start Menu\\Programs\\DC++\\DCPlusPlus.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Steam\\SteamApps\\ihatestupid@hotmail.com\\counter-strike\\hl.exe"=

"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\SopCast\\sopvod.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Starcraft\\StarCraft.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-05 28544]

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\DRIVERS\savonaccesscontrol.sys [2007-09-24 104704]

R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\DRIVERS\savonaccessfilter.sys [2007-09-24 35584]

R2 SAVAdminService;Sophos Anti-Virus status reporter;"c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe" [2008-10-23 69632]

R2 SAVService;Sophos Anti-Virus;"c:\program files\Sophos\Sophos Anti-Virus\SavService.exe" [2008-09-30 98304]

S0 ati0vcxx;ati0vcxx;c:\windows\system32\Drivers\ati0vcxx.sys []

S0 ati6jpxx;ati6jpxx;c:\windows\system32\Drivers\ati6jpxx.sys []

S1 dxgthkk;dxgthkk;c:\windows\system32\drivers\dxgthkk.sys []

S3 rcp_service;ReaConverter scheduler service;c:\program files\ReaConverter 5.5 Pro\rcp_scheduler.exe [2007-11-30 558592]

S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [2008-09-30 14976]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{212077cf-c338-11dd-88aa-001c2383a25a}]

\Shell\Auto\command - sxs2.exe

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs2.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d354e8d0-8604-11dd-8898-001c2383a25a}]

\Shell\Auto\command - D:\sxs2.exe

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs2.exe

.

Contents of the 'Scheduled Tasks' folder

2008-12-23 c:\windows\Tasks\McMaster Scan.job

- c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2008-09-30 05:24]

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-ATICCC - c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe

.

------- Supplementary Scan -------

.

uStart Page = https://muss.cis.mcmaster.ca/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Jeremy\Application Data\Mozilla\Firefox\Profiles\og03m7l0.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.homeword.com/DailyDevotional/DevotionalDetail.aspx

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-24 01:21:07

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sophos Message Router]

"ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\BCMLogon.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\windows\system32\WLTRYSVC.EXE

c:\windows\system32\BCMWLTRY.EXE

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Sophos\Remote Management System\ManagementAgentNT.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

c:\program files\Sophos\AutoUpdate\ALsvc.exe

c:\program files\Sophos\Remote Management System\RouterNT.exe

c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe

.

**************************************************************************

.

Completion time: 2008-12-24 1:25:01 - machine was rebooted

ComboFix-quarantined-files.txt 2008-12-24 06:24:58

Pre-Run: 1,959,370,752 bytes free

Post-Run: 1,828,921,344 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

220 --- E O F --- 2008-09-02 05:48:37

Hijackthis Log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:26:46 AM, on 12/24/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Rainlendar2\Rainlendar2.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Sophos\AutoUpdate\ALMon.exe

C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

C:\Program Files\Sophos\Remote Management System\RouterNT.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\mozilla.org\Mozilla\mozilla.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://muss.cis.mcmaster.ca/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe

O4 - HKCU\..\Run: [scheduler_monitor] C:\Program Files\ReaConverter 5.5 Pro\init_scheduler.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe

O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: ReaConverter scheduler service (rcp_service) - ReaSoft - C:\Program Files\ReaConverter 5.5 Pro\rcp_scheduler.exe

O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe

O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe

O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 7321 bytes

Link to post
Share on other sites

Place your USB flash drives in-place so that some of these programs will be able to find them.

Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :reg[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{212077cf-c338-11dd-88aa-001c2383a25a}][-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d354e8d0-8604-11dd-8898-001c2383a25a}]
    :filesD:\sxs2.exeC:\sxs2.exec:\windows\system32\sxs2.exec:\windows\sxs2.exe
    :commands[EmptyTemp]


  • Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

=

Download this INF repair file by MS-MVP Miekiemoes: http://users.telenet.be/bluepatchy/miekiem...orepolicies.zip

Unzip the download. Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install.

Delete the download, the unzipped folder and all contents.

=

I'm going to have you get and run two utilities.

The first stops automatic use of the AutoRun feature of XP. The second will write to any connected devices a Read-only, System protected Autorun.inf file on all of your hard drives, and all connected removable storage devices.

Download and Install Microsoft's TweakUI:

http://www.microsoft.com/windowsxp/downloa...ppowertoys.mspx

Obtain and install TweakUI (part of the PowerToys for Windows XP package), and then start TweakUI.

Expand the My Computer branch, then the AutoPlay branch, and then select Drives.

Turn off the checkbox next to every drive letter to disable AutoPlay -- except your CD/DVD drive letters.

Download and run "Flash Drive Disinfector" by sUBs. It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.

http://www.techsupportforum.com/sectools/s...Disinfector.exe

There is no GUI interface or log file produced.

=

Start HijackThis. Do a Scan and Save.

Reply with a copy of the OTMoveIt3 log from above, and the new HJT log.

and tell me, How is your system now ?

Link to post
Share on other sites

OTMoveIt Log

========== REGISTRY ==========

Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{212077cf-c338-11dd-88aa-001c2383a25a}\\ deleted successfully.

Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d354e8d0-8604-11dd-8898-001c2383a25a}\\ deleted successfully.

========== FILES ==========

File/Folder D:\sxs2.exe not found.

File/Folder C:\sxs2.exe not found.

File/Folder c:\windows\system32\sxs2.exe not found.

File/Folder c:\windows\sxs2.exe not found.

========== COMMANDS ==========

File delete failed. C:\DOCUME~1\Jeremy\LOCALS~1\Temp\~DF7222.tmp scheduled to be deleted on reboot.

User's Temp folder emptied.

User's Temporary Internet Files folder emptied.

User's Internet Explorer cache folder emptied.

Local Service Temp folder emptied.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

Local Service Temporary Internet Files folder emptied.

File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_2c0.dat scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_3e8.dat scheduled to be deleted on reboot.

Windows Temp folder emptied.

Java cache emptied.

FireFox cache emptied.

Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12242008_151842

Files moved on Reboot...

C:\DOCUME~1\Jeremy\LOCALS~1\Temp\~DF7222.tmp moved successfully.

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.

File C:\WINDOWS\temp\Perflib_Perfdata_2c0.dat not found!

File C:\WINDOWS\temp\Perflib_Perfdata_3e8.dat not found!

---

HijackThis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:30:52 PM, on 12/24/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Rainlendar2\Rainlendar2.exe

C:\Program Files\Sophos\AutoUpdate\ALMon.exe

C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe

C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

C:\Program Files\Sophos\Remote Management System\RouterNT.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\mozilla.org\Mozilla\mozilla.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://muss.cis.mcmaster.ca/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe

O4 - HKCU\..\Run: [scheduler_monitor] C:\Program Files\ReaConverter 5.5 Pro\init_scheduler.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe

O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: ReaConverter scheduler service (rcp_service) - ReaSoft - C:\Program Files\ReaConverter 5.5 Pro\rcp_scheduler.exe

O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe

O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe

O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 7299 bytes

---

when i got infected, my firefox was compromised.. and since then, i have used Mozilla browser to avoid pop ups and all that. So i'm going to restart my computer and then use firefox and reply back soon to tell you if i've noticed anything

Link to post
Share on other sites

The logs look good. As to the pc being clean, one cannot guarantee that. The only way for that is to wipe the system and do a fresh clean install of Windows.

That being said, I believe we have quashed the malware. You are good to do after doing the following.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it, (either Combofix or Combo-fix), put that name in the RUN box stated just below. The "/u" in the Run line below is to start Combofix for it's cleanup & removal function.

The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.

  • Click Start, then click Run.
    In the command box that opens, type or copy/paste combofix /u and then click OK.
    CFuninstall.png
  • Please download OTMoveIt3 by OldTimer: http://oldtimer.geekstogo.com/OTMoveIt3.exe
    1. Save it to your desktop.
    2. Please double-click OTMoveIt3.exe to run it.
    3. Click on the CleanUp! button. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so. After the list has been download you'll be asked if you want to Begin cleanup process? Select Yes.
    4. This step removes the files, folders, and shortcuts created by the tools I had you download and run.
  • Run ATF Cleaner, and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish.
  • Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.
  • Check in at Windows Update and install any Critical Updates offered.
  • Download and Install Windows Defender by Microsoft (free) if you do not already have it:
    http://www.microsoft.com/downloads/details...A4-F7F14E605A0D
  • Make certain that Automatic Updates is enabled.
    • How to configure and use Automatic Updates in WinXP:
    http://support.microsoft.com/kb/306525

[*]Download and install Comodo BOClean (free): http://www.comodo.com/boclean/CBO_download.html

[*]Download, install, and keep updated Spyware Blaster (free): http://www.javacoolsoftware.com/spywareblaster.html (all Protections should be enabled at all times)

[*]I'd recommend that you get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm

See the FAQ page http://mvps.org/winhelp2002/hostsfaq.htm

That would help to keep your browser away from known spyware/malware sites.

[*] Make regular backups of your system to removable media: DVD, USB external hard drive, etc.

On some regular schedule, it is a good idea to do an online scan for viruses and malware. Here is a very short list of sites where this may be done:

Kaspersky Webscan Online Virus Scanner

ESET Online Scanner

Panda ActiveScan?

Trend Micro Housecall

F-Secure Online Scanner

[*] Read Tony Klein's article How Did I Get Infected In The First Place

[*] Never, ever download free games, free tools, smileys, or anything free unless you can be absolutely sure the source is safe !

Finally, spend some time reading about how to keep your computer safe on the Internet: http://www.bleepingcomputer.com/tutorials/tutorial82.html

We are done here. All the best to you. Cheers.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.