
nano and sgviralscan popups



My internet has slowed down dramatically and I keep getting popups for Nano Antivirus and sgviralscan. I followed all pre-posting steps but was unable to get Panda ActiveScan to work. Below are my other logs:

HijackThis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:20:29 PM, on 12/28/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\WINDOWS\system32\crypserv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\AIM6\aim6.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\Program Files\internet explorer\iexplore.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Sheryl Tonneson\Desktop\HiJackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Search - ?p=ZNxmk121YYUS

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer...DataManager.CAB

O16 - DPF: {1E22B80E-0E79-44D4-945D-E601AD0994EC} (MACAddress Control) - https://irise-pe.subscribenet.com/images/ve.../MACAddress.ocx

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1194318966580

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1194318954001

O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://comrcn01bssmwol.mandtbank.com/wolnew/msrdp.cab

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://demos.webex.com/client/v_mywebex-t2...bex/ieatgpc.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: caf33a1509 - C:\WINDOWS\System32\icmui32.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/SHERYL~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--

End of file - 7879 bytes

Malwarebytes

Malwarebytes' Anti-Malware 1.31

Database version: 1563

Windows 5.1.2600 Service Pack 2

12/28/2008 6:55:57 PM

mbam-log-2008-12-28 (18-55-57).txt

Scan type: Quick Scan

Objects scanned: 57406

Time elapsed: 5 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

ComboFix

ComboFix 08-12-28.01 - Sheryl Tonneson 2008-12-28 17:19:40.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.382.118 [GMT -5:00]

Running from: c:\documents and settings\Sheryl Tonneson\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Sheryl Tonneson\Application Data\02000000c9c3fc6c509C.manifest

c:\documents and settings\Sheryl Tonneson\Application Data\02000000c9c3fc6c509O.manifest

c:\documents and settings\Sheryl Tonneson\Application Data\02000000c9c3fc6c509P.manifest

c:\documents and settings\Sheryl Tonneson\Application Data\02000000c9c3fc6c509S.manifest

c:\program files\winupdates

c:\windows\GnuHashes.ini

c:\windows\system32\9.tmp

c:\windows\system32\au3305adc.dll

c:\windows\system32\cmd.com

c:\windows\system32\GroupPolicy000.dat

c:\windows\system32\GroupPolicyManifest

c:\windows\system32\ping.com

c:\windows\system32\tasklist.com

c:\windows\system32\tracert.com

.

((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-28 )))))))))))))))))))))))))))))))

.

2008-12-28 14:18 . 2008-12-28 15:08 <DIR> d-------- c:\program files\QuickTime

2008-12-28 14:16 . 2008-12-28 14:16 <DIR> d-------- c:\program files\InterVideo

2008-12-28 14:15 . 2008-12-28 14:15 <DIR> d-------- c:\program files\Java

2008-12-28 14:14 . 2008-12-28 14:14 <DIR> d-------- c:\program files\WildPackets

2008-12-28 14:14 . 2008-12-28 14:14 <DIR> d-------- c:\program files\Uniblue

2008-12-28 14:14 . 2008-12-28 14:14 <DIR> d-------- c:\program files\TryMedia

2008-12-28 14:14 . 2008-12-28 14:14 <DIR> d-------- c:\program files\Netflix

2008-12-28 14:14 . 2008-12-28 14:14 <DIR> d-------- c:\program files\iRise

2008-12-27 20:16 . 2008-12-28 14:14 <DIR> d-------- c:\program files\QuickTime(2)

2008-12-27 16:29 . 2008-12-28 14:14 <DIR> d-------- C:\RECYCLER(2)

2008-12-27 16:12 . 2008-12-27 16:12 <DIR> d-------- c:\windows\system32\GroupPolicyManifest(2)

2008-12-27 13:26 . 2008-12-27 13:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore

2008-12-26 12:59 . 2008-12-26 12:59 0 --a------ c:\windows\system32\74.tmp

2008-12-26 12:59 . 2008-12-26 12:59 0 --a------ c:\windows\system32\73.tmp

2008-12-25 11:07 . 2008-12-25 11:08 <DIR> d-------- c:\program files\iTunes

2008-12-25 11:07 . 2008-12-25 11:07 <DIR> d-------- c:\program files\iPod

2008-12-25 11:07 . 2008-12-25 11:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2008-12-25 11:05 . 2008-12-26 20:43 <DIR> d-------- c:\program files\Bonjour

2008-12-25 11:02 . 2008-12-25 11:02 <DIR> d-------- c:\program files\Apple Software Update

2008-12-25 11:01 . 2008-11-07 14:23 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys

2008-12-25 11:00 . 2008-12-27 14:50 <DIR> d-------- c:\program files\Common Files\Apple

2008-12-25 10:51 . 2008-12-25 10:51 135,168 --a------ c:\windows\system32\icmui32.dll

2008-12-22 06:28 . 2008-12-25 09:13 54,156 --ah----- c:\windows\QTFont.qfn

2008-12-22 06:28 . 2008-12-22 06:28 1,409 --a------ c:\windows\QTFont.for

2008-12-15 22:11 . 2008-12-15 22:11 <DIR> d-------- c:\program files\Windows Defender

2008-12-15 21:55 . 2008-12-15 21:54 410,984 --a------ c:\windows\system32\deploytk.dll

2008-12-15 20:51 . 2008-12-15 20:51 <DIR> d-------- c:\program files\ACW

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-28 21:40 --------- d-----w c:\program files\Enigma Software Group

2008-12-28 21:40 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-12-28 20:45 --------- d-----w c:\program files\Spybot - Search & Destroy

2008-12-28 19:15 --------- d-----w c:\program files\Microsoft Works

2008-12-27 19:53 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-27 19:29 --------- d-----w c:\program files\Pinnacle

2008-12-27 18:30 --------- d-----w c:\program files\TaxCut06

2008-12-27 18:28 --------- d-----w c:\program files\AIM6

2008-12-27 18:26 --------- d-----w c:\program files\Viewpoint

2008-12-27 18:26 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint

2008-12-27 18:25 --------- d-----w c:\documents and settings\Sheryl Tonneson\Application Data\Skype

2008-12-27 18:25 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads

2008-12-27 18:24 --------- d-----w c:\documents and settings\Sheryl Tonneson\Application Data\skypePM

2008-12-25 15:56 --------- d-----w c:\documents and settings\Sheryl Tonneson\Application Data\LimeWire

2008-12-16 02:41 --------- d-----w c:\program files\Symantec

2008-12-16 02:40 --------- d-----w c:\program files\Common Files\Symantec Shared

2008-12-16 02:37 --------- d-----w c:\program files\Common Files\WildPackets

2008-12-16 02:36 --------- d-----w c:\program files\Yahoo!

2008-12-16 02:33 --------- d-----w c:\program files\Lavasoft

2008-12-05 01:41 --------- d-----w c:\program files\Lx_cats

2008-11-26 02:37 --------- d-----w c:\program files\Common Files\TiVo Shared

2008-11-10 19:03 --------- d-----w c:\documents and settings\Sheryl Tonneson\Application Data\Apple Computer

2008-11-08 13:52 --------- d--h--w c:\documents and settings\Sheryl Tonneson\Application Data\Move Networks

2008-03-06 12:17 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat

2008-01-30 23:00 89,256 -c--a-w c:\documents and settings\Sheryl Tonneson\Application Data\GDIPFONTCACHEV1.DAT

2007-11-06 00:43 332 -c--a-w c:\documents and settings\Sheryl Tonneson\Application Data\wklnhst.dat

2006-12-30 01:29 254 -c--a-w c:\documents and settings\Sheryl Tonneson\todolist.bak1

2005-09-14 13:55 553 ----a-w c:\program files\Shortcut to Norton Internet Security.lnk

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]

"LXBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll" [2004-03-17 65536]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegedit"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\caf33a1509]

2008-12-25 10:51 135168 c:\windows\system32\icmui32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk

backup=c:\windows\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

--a------ 2008-10-31 14:22 50480 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]

--a------ 2005-04-11 12:00 339968 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]

c:\program files\Common Files\Symantec Shared\ccApp.exe [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]

--a------ 2005-02-17 16:01 233534 c:\program files\HPQ\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2004-08-04 03:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]

c:\program files\HPQ\Quick Launch Buttons\EabServr.exe [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2005-02-17 01:11 49152 c:\program files\Hp\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]

--a------ 2005-04-01 17:11 794624 c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 5200 series]

--a------ 2004-06-04 05:58 57344 c:\program files\Lexmark 5200 Series\lxbtbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]

--a------ 2004-10-14 15:54 253952 c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NewsUpd]

c:\program files\Creative\News\NewsUpd.EXE [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCLEUSBTip]

c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]

c:\windows\system32\PSDrvCheck.exe [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

-ra------ 2008-02-01 17:22 21898024 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2008-12-15 21:54 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]

--a------ 2005-02-02 07:11 692316 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]

--a------ 2005-02-02 07:12 102492 c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB2Check]

--a------ 2005-12-21 10:14 73728 c:\windows\system32\PCLECoInst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

--a------ 2006-11-03 19:20 866584 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

--a------ 2007-06-07 13:08 4670968 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]

--a------ 2006-05-10 08:48 94208 c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WMPNetworkSvc"=3 (0x3)

"vsmon"=2 (0x2)

"Viewpoint Manager Service"=2 (0x2)

"ose"=3 (0x3)

"lxbt_device"=3 (0x3)

"LightScribeService"=2 (0x2)

"iPod Service"=3 (0x3)

"DefWatch"=2 (0x2)

"CVPND"=2 (0x2)

"aawservice"=2 (0x2)

"WinDefend"=2 (0x2)

"JavaQuickStarterService"=2 (0x2)

"ccSetMgr"=2 (0x2)

"ccPwdSvc"=3 (0x3)

"ccEvtMgr"=2 (0x2)

"Bonjour Service"=2 (0x2)

"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\WINDOWS\\system32\\ftp.exe"=

"c:\\Program Files\\Java\\jdk1.5.0\\bin\\java.exe"=

"c:\\Program Files\\Java\\jdk1.5.0\\bin\\appletviewer.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\WINDOWS\\system32\\java.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 LBeepKE;LBeepKE;c:\windows\system32\Drivers\LBeepKE.sys [2006-08-08 3712]

R3 HSFHWATI;HSFHWATI;c:\windows\system32\DRIVERS\HSFHWATI.sys [2004-12-15 200192]

S2 pciinfo;HP Pci Information;\??\c:\docume~1\SHERYL~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys []

S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\DRIVERS\A5AGU.sys [2006-05-08 347648]

S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-12-27 24652]

S4 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]

*Newly Created Service* - IPOD_SERVICE

*Newly Created Service* - PROCEXP90

.

Contents of the 'Scheduled Tasks' folder

2008-12-25 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2005-12-13 c:\windows\Tasks\Easy Internet Sign-up.job

- c:\program files\Easy Internet signup\HPSdpApp.exe [2005-03-03 13:04]

2008-12-27 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2008-08-10 c:\windows\Tasks\Uniblue SpyEraser Nag.job

- c:\program files\Uniblue\SpyEraser\SpyEraser.exe []

2008-01-23 c:\windows\Tasks\Uniblue SpyEraser.job

- c:\program files\Uniblue\SpyEraser\SpyEraser.exe []

2008-12-28 c:\windows\Tasks\User_Feed_Synchronization-{0AD3E033-F48A-422F-BE78-D271D4AACECA}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 10:58]

.

.

------- Supplementary Scan -------

.

uStart Page = www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html

IE: &Search - ?p=ZNxmk121YYUS

IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html

IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000

IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html

c:\windows\Downloaded Program Files\MACAddress.ocx - O16 -: {1E22B80E-0E79-44D4-945D-E601AD0994EC}

hxxps://irise-pe.subscribenet.com/images/vendors/irip/MACAddress.ocx

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-28 17:21:42

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(932)

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\icmui32.dll

.

Completion time: 2008-12-28 17:23:48

ComboFix-quarantined-files.txt 2008-12-28 22:23:00

ComboFix2.txt 2008-12-27 21:05:51

Pre-Run: 15,009,624,064 bytes free

Post-Run: 15,001,796,608 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

261 --- E O F --- 2008-10-25 22:01:24

Thanks in advance for any help that you could provide!

This topic is now closed to further replies.