help I to have a worm.win32.netboost

squiggs · 06-26-2008, 04:51 AM

well it wasnt till today and it keeps saying that the pages i go to have malicious possablilys i will post new logs

squiggs · 06-26-2008, 04:52 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:46, on 2008-06-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdcser v.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\CallWave\IAM.exe
C:\WINDOWS\system32\cmd.exe
C:\DOCUME~1\Karah\LOCALS~1\Temp\dssec.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://axiaecampus.phoenix.edu/secure/courseList.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\ppctoolbar.dll
O3 - Toolbar: (no name) - {266F6829-949E-4645-AAEA-1323B59E826C} - (no file)
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [4a8733d9] rundll32.exe "C:\WINDOWS\system32\wsvgasij.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - Startup: Microsoft Office Groove.lnk = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Karah\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.ht m (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase9563.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - http://web1.shutterfly.com/downloads/Uploader.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O21 - SSODL: xvorfwbd - {3A33E915-BB8D-44CD-9951-059622B33D48} - (no file)
O21 - SSODL: wpvmqosg - {C309CF8C-5771-4F0E-B6A6-2C441F0A3A92} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxdcCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdcse rv.exe
O23 - Service: lxdc_device - - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 8511 bytes

Briguy · 06-26-2008, 05:38 AM

Quote:

Originally Posted by squiggs

well it wasnt till today and it keeps saying that the pages i go to have malicious possablilys i will post new logs

This is what I found on that. I would do this:

You have unwittingly launched a very nasty Smitfraud program that is falsely reporting "worm.win32.netbooster" as the infection. Smitfraud applications are programs that are used to download rogue security products and change the user's desktop to display false warnings that the computer is infected with spyware.

If your computer has become infected with one of these "spyware removal programs," you probably downloaded an infected codec program when you tried to watch a video online (usually purporting to be an x-rated celebrity video) or you may have been hit by a "drive-by" installation of Smitfraud.

Smitfraud attacks show fake antispyware programs popups on your screen and/or a balloon popup from the windows system tray displaying a warning message that your computer is infected with spyware (here it is falsely calling it worm.win32.netbooster) and telling you to purchase, download & install their program to remove it. Often, it will hijack your desktop and publish a warning message in big letters (with their weblink) on your desktop wallpaper. The infection will usually alter the settings of your current virus protection software (including Norton and McAfee) and render it powerless to delete the infection. The Smitfraud application will also typically disable your ability to launch the task manager with the alt-ctrl-del keys, too.

DO NOT BUY THE ANTISPYWARE PROGRAM THAT IS BEING ADVERTISED ON YOUR WALLPAPER AND IN THE POPUPS. The creator of the bogus popups is an affiliate of the particular antispyware program they are promoting, so each time an unsuspecting user purchases the advertised program in hopes of removing the trojan the person behind the attack gets paid. Not a very ethical way of selling an antispyware, antivirus, or other computer pest removal product.

Here is the 100% FREE solution I found on http://www.bleepingcomputer.com that worked for me:

1. Download and install the Smitfraudfix tool in the link below.
http://siri.urz.free.fr/Fix/SmitfraudFix...

2. Download and install Super Antispyware. Update definitions.
http://www.superantispyware.com/

3. Run both programs (Smitfraudfix first) after you start your operating system is in safe mode. Follow the instructions carefully for Smitfraudfix. Allow Super Antispyware to quarantine whatever it finds.

To learn how to run your operating system in safe mode:
http://www.bleepingcomputer.com/tutorial...

3. Reboot in normal mode. Run the Bit Defender online scan (no download necessary). Allow it to quarantine whatever it finds.
http://www.bitdefender.com/scan8/ie.html

4. Download and run RogueRemover. Select "Scan" and follow the steps indicated.
http://www.malwarebytes.org/rogueremover...

You can continue to follow-up with Spybot and AdAware ----I would get these) if you desire. Of course, you should also keep your regular anti-virus software up-to-date and scan regularly; hopefully it will be working well again after the infection is removed. Be sure to restore the settings which the Smitfraud program altered. Smitfraud apps are quite nasty, and it may take a while to remove all traces.

Punk · 06-26-2008, 12:07 PM

Lol at above...

Ok still a few files, I want to see if combofix will get rid of them. If so, good, if not I'll do it manually.

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.

Download this file from one of the three below listed places :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
Then double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

By the way, if you want to get rid of the infection please follow my instructions, that includes the SDFix instruction.

squiggs · 06-27-2008, 10:09 AM

ComboFix 08-06-20.4 - Karah 2008-06-27 3:21:49.9 - NTFSx86
Running from: C:\Documents and Settings\All Users\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Program Files\Antivirus 2008 PRO
C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe
C:\Program Files\Antivirus 2008 PRO\vscan.tsi
C:\Program Files\Antivirus 2008 PRO\zlib.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\enlx.exe
C:\WINDOWS\system32\awtuuvWm.dll
C:\WINDOWS\system32\baHklUvw.ini
C:\WINDOWS\system32\baHklUvw.ini2
C:\WINDOWS\system32\CIPWFfii.ini
C:\WINDOWS\system32\CIPWFfii.ini2
C:\WINDOWS\system32\iapmehrp.ini
C:\WINDOWS\system32\iifFWPIC.dll
C:\WINDOWS\system32\jisagvsw.ini
C:\WINDOWS\system32\kjjklnmp.ini
C:\WINDOWS\system32\kjjklnmp.ini2
C:\WINDOWS\system32\mWvuutwa.ini
C:\WINDOWS\system32\mWvuutwa.ini2
C:\WINDOWS\system32\ooxpdkrv.ini
C:\WINDOWS\system32\pmnlkjjk.dll
C:\WINDOWS\system32\vpjactsw.ini
C:\WINDOWS\system32\wvUlkHab.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-27 to 2008-06-27 )))))))))))))))))))))))))))))))
.

2008-06-27 02:52 . 2008-06-27 02:52 294 ---hs---- C:\WINDOWS\system32\ooxpdkrv.ini
2008-06-27 02:01 . 2008-06-27 02:01 92,032 --a------ C:\WINDOWS\system32\vrkdpxoo.dll
2008-06-26 01:41 . 2008-06-26 01:41 92,544 --a------ C:\WINDOWS\system32\lxmyjpdt.dll
2008-06-26 01:41 . 2008-06-26 01:40 354 --ahs---- C:\WINDOWS\system32\tdpjymxl.ini
2008-06-26 01:30 . 2008-06-26 01:40 354 --ahs---- C:\WINDOWS\system32\vpjactsw.ini
2008-06-25 23:01 . 2008-06-25 23:01 28,800 --a------ C:\WINDOWS\system32\cbXrOGAS.dll
2008-06-25 22:57 . 2008-06-25 18:00 245,760 --a------ C:\WINDOWS\gfetqaxsqsb.dll
2008-06-25 22:57 . 2008-06-25 18:00 229,376 --a------ C:\WINDOWS\pntqkflv.dll
2008-06-25 22:57 . 2008-06-25 18:00 180,224 --a------ C:\WINDOWS\qegbdmwf.dll
2008-06-25 22:57 . 2008-06-25 18:00 151,552 --a------ C:\WINDOWS\gxvpsafm.dll
2008-06-25 22:57 . 2008-06-25 18:00 81,920 --a------ C:\WINDOWS\tovafrnm.exe
2008-06-23 22:06 . 2008-06-27 01:04 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-06-23 20:05 . 2008-06-23 20:05 <DIR> d-------- C:\Deckard
2008-06-23 11:42 . 2008-06-23 11:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-23 10:44 . 2008-06-25 10:48 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-23 10:44 . 2008-06-23 10:44 <DIR> d-------- C:\Documents and Settings\blah\Application Data\PC Tools
2008-06-23 10:44 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-06-23 10:44 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-06-23 10:44 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-23 10:44 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-06-23 10:42 . 2008-06-23 11:34 <DIR> d-------- C:\Documents and Settings\blah\Application Data\U3
2008-06-23 10:24 . 2003-11-12 20:03 <DIR> d-------- C:\Documents and Settings\blah\Application Data\Symantec
2008-06-23 10:24 . 2008-06-23 10:24 <DIR> d-------- C:\Documents and Settings\blah
2008-06-22 21:24 . 2008-06-22 21:24 86 --a------ C:\WINDOWS\wininit.ini
2008-06-22 19:08 . 2008-06-22 19:07 691,545 --a------ C:\WINDOWS\unins002.exe
2008-06-22 19:08 . 2008-06-22 19:08 2,541 --a------ C:\WINDOWS\unins002.dat
2008-06-22 03:07 . 2008-06-22 03:07 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-06-21 21:56 . 2008-06-21 21:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd
2008-06-21 00:47 . 2008-06-21 00:47 <DIR> d-------- C:\bios
2008-06-20 22:24 . 2008-06-20 22:24 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2008-06-20 22:24 . 2008-06-20 22:33 18,340 --a------ C:\WINDOWS\DIIUnin.dat
2008-06-20 22:24 . 2008-06-20 22:24 2,829 --a------ C:\WINDOWS\DIIUnin.pif
2008-06-20 19:08 . 2008-06-20 22:26 21,840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2008-06-20 19:08 . 2008-06-20 22:26 17,212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2008-06-20 19:08 . 2008-06-20 22:26 12,067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2008-06-20 18:47 . 2008-06-26 19:39 <DIR> d-------- C:\Program Files\Diablo II
2008-06-11 18:55 . 2008-06-11 18:55 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-06-26 06:40 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-26 06:13 --------- d-----w C:\Program Files\CallWave
2008-06-24 05:58 --------- d-sh--w C:\Program Files\WGV
2008-06-23 00:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-23 00:17 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-21 05:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-13 09:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2008-04-21 07:04 615,936 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2008-04-21 07:04 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2008-04-21 07:04 1,494,528 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-04-17 10:52 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2005-01-21 16:45 56 -csh--r C:\WINDOWS\system32\E7D092101B.sys
2005-01-21 16:45 1,682 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-23_11.27.21.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-23 16:17:30 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-27 08:17:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-29 13:49:06 456,768 ----a-w C:\WINDOWS\Downloaded Program Files\wlscBase.dll
+ 2005-10-21 01:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2008-06-21 04:42:34 63,386 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-24 02:59:09 63,386 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-06-21 04:42:34 404,206 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-24 02:59:09 404,206 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39D67F39-6F48-438A-80A2-F86FE363C215}]
2008-06-25 23:01 28800 --a------ C:\WINDOWS\system32\cbXrOGAS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63EE8DD1-D0EB-4A34-B133-E38B41307B27}]
2008-06-25 18:00 245760 --a------ C:\WINDOWS\gfetqaxsqsb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FB8EB3-183B-4598-924D-86F0E5E37085}]
2008-06-12 18:29 237056 --a------ c:\program files\peoplepc\toolbar\ppctoolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A8FB8EB3-183B-4598-924D-86F0E5E37085}"= "c:\program files\peoplepc\toolbar\ppctoolbar.dll" [2008-06-12 18:29 237056]

[HKEY_CLASSES_ROOT\clsid\{a8fb8eb3-183b-4598-924d-86f0e5e37085}]
[HKEY_CLASSES_ROOT\PeoplePC.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{994D628D-4D22-4DB9-B6DB-F7D9F1635817}]
[HKEY_CLASSES_ROOT\PeoplePC.Toolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A8FB8EB3-183B-4598-924D-86F0E5E37085}"= c:\program files\peoplepc\toolbar\ppctoolbar.dll [2008-06-12 18:29 237056]

[HKEY_CLASSES_ROOT\clsid\{a8fb8eb3-183b-4598-924d-86f0e5e37085}]
[HKEY_CLASSES_ROOT\PeoplePC.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{994D628D-4D22-4DB9-B6DB-F7D9F1635817}]
[HKEY_CLASSES_ROOT\PeoplePC.Toolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"NCLaunch"="C:\WINDOWS\NCLAUNCH.EXe" [2007-03-17 14:25 40960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-02-07 01:24 100056]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\M SCONFIG.EXE" [2004-08-04 02:56 158208]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-06-01 11:58:00 113664]

[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\shellexecutehooks]
"{39D67F39-6F48-438A-80A2-F86FE363C215}"= C:\WINDOWS\system32\cbXrOGAS.dll [2008-06-25 23:01 28800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXrOGAS]
cbXrOGAS.dll 2008-06-25 23:01 28800 C:\WINDOWS\system32\cbXrOGAS.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CallWave.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CallWave.lnk
backup=C:\WINDOWS\pss\CallWave.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Karah^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]
path=C:\Documents and Settings\Karah\Start Menu\Programs\Startup\Microsoft Office Groove.lnk
backup=C:\WINDOWS\pss\Microsoft Office Groove.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4a8733d9]
--a------ 2008-06-27 02:01 92032 C:\WINDOWS\system32\vrkdpxoo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
--a------ 2008-06-10 21:22 1163656 C:\Program Files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"SBService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"= C:\\Program Files\\Yahoo!\\Messenger\\YPAGER.EXE
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= C:\\Program Files\\Yahoo!\\Messenger\\yserver.exe
"C:\\WINDOWS\\system32\\mshta.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\WINDOWS\\system32\\lxdccoms.exe"=
"C:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"=
"C:\\Program Files\\Lexmark 1300 Series\\App4R.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\ \lxdcpswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\ \lxdcjswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\ \lxdctime.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\ \lxdcwbgw.exe"=
"C:\\Program Files\\CallWave\\IAM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1863:TCP"= 1863:TCP:MSN Messenger
"6891:TCP"= 6891:TCP:Open Port 1
"6892:TCP"= 6892:TCP:Open Port 2
"6893:TCP"= 6893:TCP:Open Port 3
"6894:TCP"= 6894:TCP:Open Port 4
"6895:TCP"= 6895:TCP:Open Port 5

R2 lxdc_device;lxdc_device;C:\WINDOWS\system32\lxdcco ms.exe [2007-04-30 15:03]
R2 lxdcCATSCustConnectService;lxdcCATSCustConnectServ ice;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lx dcserv.exe [2007-04-30 15:04]
S3 naecd;naecd;C:\DOCUME~1\Karah\LOCALS~1\Temp\naecd. sys []
S3 PhDebug32;PhDebug32;c:\bios\hr60\debug32.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{a841e248-9851-11dc-aed3-c724e8a54708}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-02-05 19:32:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-27 05:09:46 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
************************************************** ************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 03:32:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\explorer.exe [132] 0x82DE8020

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
-> C:\WINDOWS\system32\cbXrOGAS.dll
.
Completion time: 2008-06-27 4:02:53
ComboFix-quarantined-files.txt 2008-06-27 09:02:35
ComboFix2.txt 2008-06-23 17:37:22
ComboFix3.txt 2008-06-23 16:28:19

Pre-Run: 14,287,036,416 bytes free
Post-Run: 14,270,816,256 bytes free

243 --- E O F --- 2008-06-22 08:07:48

squiggs · 06-27-2008, 10:12 AM

just to let you know it took three hours to finally get the log my computer was bogging down and a nortan script blocker came up and my computer was just flat out acting dumb

Punk · 06-27-2008, 12:32 PM

Download Avenger, and unzip it to your desktop or somewhere you can find it.Â (Do not run it yet).

Note: This program is for use on Windows XP 32 bit systems only, and must be run from an Administrator account.

Open a Notepad file by clicking Start > RunÂ and typing Notepad.exe in the box, click OK.
Click Format, and ensure Word Wrap is unchecked.
Copy and Paste the text in the box below into Notepad.
Now save the file as RemoveFiles.txt in a location where you can find it.

Quote:

Files to delete:
C:\WINDOWS\system32\ooxpdkrv.ini
C:\WINDOWS\system32\vrkdpxoo.dll
C:\WINDOWS\system32\lxmyjpdt.dll
C:\WINDOWS\system32\tdpjymxl.ini
C:\WINDOWS\system32\vpjactsw.ini
C:\WINDOWS\system32\cbXrOGAS.dll
2C:\WINDOWS\gfetqaxsqsb.dll
C:\WINDOWS\pntqkflv.dll
C:\WINDOWS\qegbdmwf.dll
C:\WINDOWS\gxvpsafm.dll
C:\WINDOWS\tovafrnm.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Start Avenger by double clicking on Avenger.exe.

Check Load script from file:
Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.
Double click it to enter it into Avenger.
Click the green traffic light symbol.
You will be asked if you want to execute the script, answer Yes.
At this point you may get prompts from your protection systems, allow them please.
Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
Answer Yes, and allow your computer to re-boot.
Upon re-boot a command window will briefly appear on screen (this is normal).
A Notepad text file will be created C:\avenger.txt.
Copy and Paste it into your next post please.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Please do both, it is important that I see the two logs

squiggs · 06-28-2008, 01:45 AM

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Fri Jun 27 19:39:07 2008

19:39:07: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!

//////////////////////////////////////////

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\ooxpdkrv.ini" deleted successfully.
File "C:\WINDOWS\system32\vrkdpxoo.dll" deleted successfully.
File "C:\WINDOWS\system32\lxmyjpdt.dll" deleted successfully.
File "C:\WINDOWS\system32\tdpjymxl.ini" deleted successfully.
File "C:\WINDOWS\system32\vpjactsw.ini" deleted successfully.
File "C:\WINDOWS\system32\cbXrOGAS.dll" deleted successfully.

Error: could not open file "2C:\WINDOWS\gfetqaxsqsb.dll"
Deletion of file "2C:\WINDOWS\gfetqaxsqsb.dll" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist

File "C:\WINDOWS\pntqkflv.dll" deleted successfully.
File "C:\WINDOWS\qegbdmwf.dll" deleted successfully.
File "C:\WINDOWS\gxvpsafm.dll" deleted successfully.

Error: file "C:\WINDOWS\tovafrnm.exe e" not found!
Deletion of file "C:\WINDOWS\tovafrnm.exe e" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

squiggs · 06-28-2008, 02:36 AM

SDFix: Version 1.197
Run by Karah on Fri 06/27/2008 at 20:04

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting

Checking Files :

Trojan Files Found:

C:\Documents and Settings\Karah\Favorites\Error Cleaner.url - Deleted
C:\Documents and Settings\Karah\Favorites\Privacy Protector.url - Deleted
C:\Documents and Settings\Karah\Favorites\Spyware&Malware Protection.url - Deleted
C:\WINDOWS\gfetqaxsqsb.dll - Deleted
C:\WINDOWS\tovafrnm.exe - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 20:25:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\standard profile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPAGER.EXE:*:Enabled:Yah oo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Progra m Files\\Yahoo!\\Messenger\\yserver.exe:*:Enabled:Ya hoo! FT Server"
"C:\\WINDOWS\\system32\\mshta.exe"="C:\\WINDOWS\\s ystem32\\mshta.exe:*:Enabled:Microsoft (R) HTML Application host"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS \\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\WINDOWS\\system32\\lxdccoms.exe"="C:\\WINDOWS \\system32\\lxdccoms.exe:*:Enabled:Lexmark Communications System"
"C:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"="C:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe:*:Enabled:Lexmark Device Monitor"
"C:\\Program Files\\Lexmark 1300 Series\\App4R.exe"="C:\\Program Files\\Lexmark 1300 Series\\App4R.exe:*:Enabled:Lexmark Imaging Studio"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\ \lxdcpswx.exe"="C:\\WINDOWS\\system32\\spool\\driv ers\\w32x86\\3\\lxdcpswx.exe:*:Enabled: "
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\ \lxdcjswx.exe"="C:\\WINDOWS\\system32\\spool\\driv ers\\w32x86\\3\\lxdcjswx.exe:*:Enabled: "
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\ \lxdctime.exe"="C:\\WINDOWS\\system32\\spool\\driv ers\\w32x86\\3\\lxdctime.exe:*:Enabled: "
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\ \lxdcwbgw.exe"="C:\\WINDOWS\\system32\\spool\\driv ers\\w32x86\\3\\lxdcwbgw.exe:*:Enabled: "
"C:\\Program Files\\CallWave\\IAM.exe"="C:\\Program Files\\CallWave\\IAM.exe:*:Enabled:CallWave"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\domainpr ofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Lexmark 1300 Series\\app4r.exe"="C:\\Program Files\\Lexmark 1300 Series\\app4r.exe:*:Enabled:Lexmark Imaging Studio"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 21 Jan 2005 56 ..SHR --- "C:\WINDOWS\system32\E7D092101B.sys"
Fri 21 Jan 2005 1,682 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sat 20 Nov 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 20 Nov 2004 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv13.bak"
Thu 13 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c4 06b1d7e0f5c1e6f6d44a3f6e\BIT7.tmp"
Thu 13 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26924cbc 8132a10b438ce6e2b49d4652\BIT5.tmp"
Thu 13 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2769b111 678c52099a3b3123b12f2325\BIT9.tmp"
Wed 30 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc261 2ebcefc90e7dee4c276ee95e\BIT7.tmp"
Thu 13 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b69c46c5 109d0f8b0dee9fab84906813\BIT8.tmp"
Thu 13 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b 8fed23dd91f50d167cce60d3\BITA.tmp"
Thu 13 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa6c916b b150f8a929e7a4ffdfbc120f\BIT6.tmp"
Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\blah\Application Data\U3\temp\Launchpad Removal.exe"
Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\Karah\Application Data\U3\temp\Launchpad Removal.exe"

Finished!

squiggs · 06-28-2008, 02:38 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:37, on 6/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdcser v.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\ppctoolbar.dll
O3 - Toolbar: (no name) - {266F6829-949E-4645-AAEA-1323B59E826C} - (no file)
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [4a8733d9] rundll32.exe "C:\WINDOWS\system32\ahejxcbc.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Karah\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.ht m (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase9563.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - http://web1.shutterfly.com/downloads/Uploader.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: lxdcCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdcse rv.exe
O23 - Service: lxdc_device - - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 6765 bytes

06-26-2008, 12:07 PM	#24 (permalink)
Punk Diamond Member Join Date: Jan 2007 Location: France Age: 18 Posts: 4,730	Lol at above... Ok still a few files, I want to see if combofix will get rid of them. If so, good, if not I'll do it manually. Download and Run ComboFix If you already have Combofix, please delete this copy and download it again as it's being updated regularly. Download this file from one of the three below listed places : http://download.bleepingcomputer.com/sUBs/ComboFix.exe http://www.forospyware.com/sUBs/ComboFix.exe http://subs.geekstogo.com/ComboFix.exe Then double click combofix.exe & follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall Combofix should never take more that 20 minutes including the reboot if malware is detected. If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue. If that happened we want to know, and also what process you had to end. By the way, if you want to get rid of the infection please follow my instructions, that includes the SDFix instruction. __________________ Punk's anti-hackers website Punk's Website making and registering tutorial! Rise And Fall, Rage And Grace The Offspring! Huck it! I just want to be who I want to be guess that's hard for others to see

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
i got this virus how do i get rid worm.win32.netboost	texaspete	Computer Security	38	05-18-2008 10:01 PM

06-26-2008, 04:51 AM	#21 (permalink)
squiggs New Member Join Date: Jun 2008 Posts: 21	well it wasnt till today and it keeps saying that the pages i go to have malicious possablilys i will post new logs

06-26-2008, 04:52 AM	#22 (permalink)
squiggs New Member Join Date: Jun 2008 Posts: 21	Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 23:46, on 2008-06-25 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdcser v.exe C:\WINDOWS\system32\lxdccoms.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\SAVScan.exe C:\Program Files\Spyware Doctor\pctsAuxs.exe C:\Program Files\Spyware Doctor\pctsSvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\System32\wbem\wmiapsrv.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Spyware Doctor\pctsTray.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\NCLAUNCH.EXe C:\Program Files\CallWave\IAM.exe C:\WINDOWS\system32\cmd.exe C:\DOCUME~1\Karah\LOCALS~1\Temp\dssec.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe C:\WINDOWS\System32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://axiaecampus.phoenix.edu/secure/courseList.asp R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q= R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file) O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\ppctoolbar.dll O3 - Toolbar: (no name) - {266F6829-949E-4645-AAEA-1323B59E826C} - (no file) O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKLM\..\Run: [4a8733d9] rundll32.exe "C:\WINDOWS\system32\wsvgasij.dll",b O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe O4 - Startup: Microsoft Office Groove.lnk = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE O4 - Global Startup: Adobe Gamma Loader.lnk = ? O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file) O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Karah\Start Menu\Programs\IMVU\Run IMVU.lnk O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.ht m (file missing) (HKCU) O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - http://lads.myspace.com/upload/MySpaceUploader1005.cab O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase9563.cab O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - http://web1.shutterfly.com/downloads/Uploader.cab O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL O21 - SSODL: xvorfwbd - {3A33E915-BB8D-44CD-9951-059622B33D48} - (no file) O21 - SSODL: wpvmqosg - {C309CF8C-5771-4F0E-B6A6-2C441F0A3A92} - (no file) O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: lxdcCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdcse rv.exe O23 - Service: lxdc_device - - C:\WINDOWS\system32\lxdccoms.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE -- End of file - 8511 bytes

06-27-2008, 10:09 AM	#25 (permalink)
squiggs New Member Join Date: Jun 2008 Posts: 21	ComboFix 08-06-20.4 - Karah 2008-06-27 3:21:49.9 - NTFSx86 Running from: C:\Documents and Settings\All Users\Desktop\ComboFix.exe WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . ---- Previous Run ------- . C:\Program Files\Antivirus 2008 PRO C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe C:\Program Files\Antivirus 2008 PRO\vscan.tsi C:\Program Files\Antivirus 2008 PRO\zlib.dll C:\WINDOWS\cookies.ini C:\WINDOWS\enlx.exe C:\WINDOWS\system32\awtuuvWm.dll C:\WINDOWS\system32\baHklUvw.ini C:\WINDOWS\system32\baHklUvw.ini2 C:\WINDOWS\system32\CIPWFfii.ini C:\WINDOWS\system32\CIPWFfii.ini2 C:\WINDOWS\system32\iapmehrp.ini C:\WINDOWS\system32\iifFWPIC.dll C:\WINDOWS\system32\jisagvsw.ini C:\WINDOWS\system32\kjjklnmp.ini C:\WINDOWS\system32\kjjklnmp.ini2 C:\WINDOWS\system32\mWvuutwa.ini C:\WINDOWS\system32\mWvuutwa.ini2 C:\WINDOWS\system32\ooxpdkrv.ini C:\WINDOWS\system32\pmnlkjjk.dll C:\WINDOWS\system32\vpjactsw.ini C:\WINDOWS\system32\wvUlkHab.dll . ((((((((((((((((((((((((( Files Created from 2008-05-27 to 2008-06-27 ))))))))))))))))))))))))))))))) . 2008-06-27 02:52 . 2008-06-27 02:52 294 ---hs---- C:\WINDOWS\system32\ooxpdkrv.ini 2008-06-27 02:01 . 2008-06-27 02:01 92,032 --a------ C:\WINDOWS\system32\vrkdpxoo.dll 2008-06-26 01:41 . 2008-06-26 01:41 92,544 --a------ C:\WINDOWS\system32\lxmyjpdt.dll 2008-06-26 01:41 . 2008-06-26 01:40 354 --ahs---- C:\WINDOWS\system32\tdpjymxl.ini 2008-06-26 01:30 . 2008-06-26 01:40 354 --ahs---- C:\WINDOWS\system32\vpjactsw.ini 2008-06-25 23:01 . 2008-06-25 23:01 28,800 --a------ C:\WINDOWS\system32\cbXrOGAS.dll 2008-06-25 22:57 . 2008-06-25 18:00 245,760 --a------ C:\WINDOWS\gfetqaxsqsb.dll 2008-06-25 22:57 . 2008-06-25 18:00 229,376 --a------ C:\WINDOWS\pntqkflv.dll 2008-06-25 22:57 . 2008-06-25 18:00 180,224 --a------ C:\WINDOWS\qegbdmwf.dll 2008-06-25 22:57 . 2008-06-25 18:00 151,552 --a------ C:\WINDOWS\gxvpsafm.dll 2008-06-25 22:57 . 2008-06-25 18:00 81,920 --a------ C:\WINDOWS\tovafrnm.exe 2008-06-23 22:06 . 2008-06-27 01:04 <DIR> d-------- C:\Program Files\Windows Live Safety Center 2008-06-23 20:05 . 2008-06-23 20:05 <DIR> d-------- C:\Deckard 2008-06-23 11:42 . 2008-06-23 11:42 <DIR> d-------- C:\Program Files\Trend Micro 2008-06-23 10:44 . 2008-06-25 10:48 <DIR> d-------- C:\Program Files\Spyware Doctor 2008-06-23 10:44 . 2008-06-23 10:44 <DIR> d-------- C:\Documents and Settings\blah\Application Data\PC Tools 2008-06-23 10:44 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys 2008-06-23 10:44 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys 2008-06-23 10:44 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys 2008-06-23 10:44 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys 2008-06-23 10:42 . 2008-06-23 11:34 <DIR> d-------- C:\Documents and Settings\blah\Application Data\U3 2008-06-23 10:24 . 2003-11-12 20:03 <DIR> d-------- C:\Documents and Settings\blah\Application Data\Symantec 2008-06-23 10:24 . 2008-06-23 10:24 <DIR> d-------- C:\Documents and Settings\blah 2008-06-22 21:24 . 2008-06-22 21:24 86 --a------ C:\WINDOWS\wininit.ini 2008-06-22 19:08 . 2008-06-22 19:07 691,545 --a------ C:\WINDOWS\unins002.exe 2008-06-22 19:08 . 2008-06-22 19:08 2,541 --a------ C:\WINDOWS\unins002.dat 2008-06-22 03:07 . 2008-06-22 03:07 <DIR> d-------- C:\Program Files\MSXML 4.0 2008-06-21 21:56 . 2008-06-21 21:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd 2008-06-21 00:47 . 2008-06-21 00:47 <DIR> d-------- C:\bios 2008-06-20 22:24 . 2008-06-20 22:24 94,208 --a------ C:\WINDOWS\DIIUnin.exe 2008-06-20 22:24 . 2008-06-20 22:33 18,340 --a------ C:\WINDOWS\DIIUnin.dat 2008-06-20 22:24 . 2008-06-20 22:24 2,829 --a------ C:\WINDOWS\DIIUnin.pif 2008-06-20 19:08 . 2008-06-20 22:26 21,840 --a----t- C:\WINDOWS\system32\SIntfNT.dll 2008-06-20 19:08 . 2008-06-20 22:26 17,212 --a----t- C:\WINDOWS\system32\SIntf32.dll 2008-06-20 19:08 . 2008-06-20 22:26 12,067 --a----t- C:\WINDOWS\system32\SIntf16.dll 2008-06-20 18:47 . 2008-06-26 19:39 <DIR> d-------- C:\Program Files\Diablo II 2008-06-11 18:55 . 2008-06-11 18:55 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )) . 2008-06-26 06:40 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP 2008-06-26 06:13 --------- d-----w C:\Program Files\CallWave 2008-06-24 05:58 --------- d-sh--w C:\Program Files\WGV 2008-06-23 00:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-06-23 00:17 --------- d-----w C:\Program Files\Spybot - Search & Destroy 2008-06-21 05:10 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys 2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys 2008-06-13 09:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help 2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys 2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys 2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll 2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll 2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll 2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll 2008-04-21 07:04 615,936 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll 2008-04-21 07:04 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll 2008-04-21 07:04 1,494,528 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll 2008-04-17 10:52 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe 2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll 2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll 2005-01-21 16:45 56 -csh--r C:\WINDOWS\system32\E7D092101B.sys 2005-01-21 16:45 1,682 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((( snapshot@2008-06-23_11.27.21.37 ))))))))))))))))))))))))))))))))))))))))) . - 2008-06-23 16:17:30 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-06-27 08:17:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-04-29 13:49:06 456,768 ----a-w C:\WINDOWS\Downloaded Program Files\wlscBase.dll + 2005-10-21 01:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE - 2008-06-21 04:42:34 63,386 ----a-w C:\WINDOWS\system32\perfc009.dat + 2008-06-24 02:59:09 63,386 ----a-w C:\WINDOWS\system32\perfc009.dat - 2008-06-21 04:42:34 404,206 ----a-w C:\WINDOWS\system32\perfh009.dat + 2008-06-24 02:59:09 404,206 ----a-w C:\WINDOWS\system32\perfh009.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39D67F39-6F48-438A-80A2-F86FE363C215}] 2008-06-25 23:01 28800 --a------ C:\WINDOWS\system32\cbXrOGAS.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63EE8DD1-D0EB-4A34-B133-E38B41307B27}] 2008-06-25 18:00 245760 --a------ C:\WINDOWS\gfetqaxsqsb.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FB8EB3-183B-4598-924D-86F0E5E37085}] 2008-06-12 18:29 237056 --a------ c:\program files\peoplepc\toolbar\ppctoolbar.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{A8FB8EB3-183B-4598-924D-86F0E5E37085}"= "c:\program files\peoplepc\toolbar\ppctoolbar.dll" [2008-06-12 18:29 237056] [HKEY_CLASSES_ROOT\clsid\{a8fb8eb3-183b-4598-924d-86f0e5e37085}] [HKEY_CLASSES_ROOT\PeoplePC.Toolbar.1] [HKEY_CLASSES_ROOT\TypeLib\{994D628D-4D22-4DB9-B6DB-F7D9F1635817}] [HKEY_CLASSES_ROOT\PeoplePC.Toolbar] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser] "{A8FB8EB3-183B-4598-924D-86F0E5E37085}"= c:\program files\peoplepc\toolbar\ppctoolbar.dll [2008-06-12 18:29 237056] [HKEY_CLASSES_ROOT\clsid\{a8fb8eb3-183b-4598-924d-86f0e5e37085}] [HKEY_CLASSES_ROOT\PeoplePC.Toolbar.1] [HKEY_CLASSES_ROOT\TypeLib\{994D628D-4D22-4DB9-B6DB-F7D9F1635817}] [HKEY_CLASSES_ROOT\PeoplePC.Toolbar] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360] "NCLaunch"="C:\WINDOWS\NCLAUNCH.EXe" [2007-03-17 14:25 40960] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run] "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-02-07 01:24 100056] "MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\M SCONFIG.EXE" [2004-08-04 02:56 158208] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-06-01 11:58:00 113664] [hkey_local_machine\software\microsoft\windows\curr entversion\explorer\shellexecutehooks] "{39D67F39-6F48-438A-80A2-F86FE363C215}"= C:\WINDOWS\system32\cbXrOGAS.dll [2008-06-25 23:01 28800] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXrOGAS] cbXrOGAS.dll 2008-06-25 23:01 28800 C:\WINDOWS\system32\cbXrOGAS.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.XFR1"= xfcodec.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CallWave.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CallWave.lnk backup=C:\WINDOWS\pss\CallWave.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Karah^Start Menu^Programs^Startup^Microsoft Office Groove.lnk] path=C:\Documents and Settings\Karah\Start Menu\Programs\Startup\Microsoft Office Groove.lnk backup=C:\WINDOWS\pss\Microsoft Office Groove.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4a8733d9] --a------ 2008-06-27 02:01 92032 C:\WINDOWS\system32\vrkdpxoo.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray] --a------ 2008-06-10 21:22 1163656 C:\Program Files\Spyware Doctor\pctsTray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer] -rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "iPod Service"=3 (0x3) "sdCoreService"=2 (0x2) "sdAuxService"=2 (0x2) "Microsoft Office Groove Audit Service"=3 (0x3) "SBService"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"= C:\\Program Files\\Yahoo!\\Messenger\\YPAGER.EXE "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= C:\\Program Files\\Yahoo!\\Messenger\\yserver.exe "C:\\WINDOWS\\system32\\mshta.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\WINDOWS\\system32\\dpvsetup.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "C:\\Program Files\\MSN Messenger\\livecall.exe"= "C:\\Program Files\\Internet Explorer\\iexplore.exe"= "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"= "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "C:\\WINDOWS\\system32\\lxdccoms.exe"= "C:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"= "C:\\Program Files\\Lexmark 1300 Series\\App4R.exe"= "C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\ \lxdcpswx.exe"= "C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\ \lxdcjswx.exe"= "C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\ \lxdctime.exe"= "C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\ \lxdcwbgw.exe"= "C:\\Program Files\\CallWave\\IAM.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 "1863:TCP"= 1863:TCP:MSN Messenger "6891:TCP"= 6891:TCP:Open Port 1 "6892:TCP"= 6892:TCP:Open Port 2 "6893:TCP"= 6893:TCP:Open Port 3 "6894:TCP"= 6894:TCP:Open Port 4 "6895:TCP"= 6895:TCP:Open Port 5 R2 lxdc_device;lxdc_device;C:\WINDOWS\system32\lxdcco ms.exe [2007-04-30 15:03] R2 lxdcCATSCustConnectService;lxdcCATSCustConnectServ ice;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lx dcserv.exe [2007-04-30 15:04] S3 naecd;naecd;C:\DOCUME~1\Karah\LOCALS~1\Temp\naecd. sys [] S3 PhDebug32;PhDebug32;c:\bios\hr60\debug32.sys [] [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\F] \Shell\AutoRun\command - F:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{a841e248-9851-11dc-aed3-c724e8a54708}] \Shell\AutoRun\command - F:\LaunchU3.exe -a . Contents of the 'Scheduled Tasks' folder "2008-02-05 19:32:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2008-06-27 05:09:46 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE . ************************************************ ******************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-27 03:32:28 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... C:\WINDOWS\explorer.exe [132] 0x82DE8020 scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************** ********************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\system32\winlogon.exe -> C:\WINDOWS\system32\Ati2evxx.dll -> C:\WINDOWS\system32\cbXrOGAS.dll . Completion time: 2008-06-27 4:02:53 ComboFix-quarantined-files.txt 2008-06-27 09:02:35 ComboFix2.txt 2008-06-23 17:37:22 ComboFix3.txt 2008-06-23 16:28:19 Pre-Run: 14,287,036,416 bytes free Post-Run: 14,270,816,256 bytes free 243 --- E O F --- 2008-06-22 08:07:48

06-27-2008, 10:12 AM	#26 (permalink)
squiggs New Member Join Date: Jun 2008 Posts: 21	just to let you know it took three hours to finally get the log my computer was bogging down and a nortan script blocker came up and my computer was just flat out acting dumb

06-28-2008, 01:45 AM	#28 (permalink)
squiggs New Member Join Date: Jun 2008 Posts: 21	////////////////////////////////////////// Avenger Pre-Processor log ////////////////////////////////////////// Platform: Windows XP (build 2600, Service Pack 2) Fri Jun 27 19:39:07 2008 19:39:07: Error: Invalid script. A valid script must begin with a command directive. Aborting execution! ////////////////////////////////////////// Logfile of The Avenger Version 2.0, (c) by Swandog46 http://swandog46.geekstogo.com Platform: Windows XP ***************** Script file opened successfully. Script file read successfully. Backups directory opened successfully at C:\Avenger *************** Beginning to process script file: Rootkit scan active. No rootkits found! File "C:\WINDOWS\system32\ooxpdkrv.ini" deleted successfully. File "C:\WINDOWS\system32\vrkdpxoo.dll" deleted successfully. File "C:\WINDOWS\system32\lxmyjpdt.dll" deleted successfully. File "C:\WINDOWS\system32\tdpjymxl.ini" deleted successfully. File "C:\WINDOWS\system32\vpjactsw.ini" deleted successfully. File "C:\WINDOWS\system32\cbXrOGAS.dll" deleted successfully. Error: could not open file "2C:\WINDOWS\gfetqaxsqsb.dll" Deletion of file "2C:\WINDOWS\gfetqaxsqsb.dll" failed! Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND) --> bad path / the parent directory does not exist File "C:\WINDOWS\pntqkflv.dll" deleted successfully. File "C:\WINDOWS\qegbdmwf.dll" deleted successfully. File "C:\WINDOWS\gxvpsafm.dll" deleted successfully. Error: file "C:\WINDOWS\tovafrnm.exe e" not found! Deletion of file "C:\WINDOWS\tovafrnm.exe e" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Completed script processing. ***************** Finished! Terminate.

06-28-2008, 02:36 AM	#29 (permalink)
squiggs New Member Join Date: Jun 2008 Posts: 21	SDFix: Version 1.197 Run by Karah on Fri 06/27/2008 at 20:04 Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Checking Services : Restoring Default Security Values Restoring Default Hosts File Restoring Default HomePage Value Restoring Default Desktop Components Value Rebooting Checking Files : Trojan Files Found: C:\Documents and Settings\Karah\Favorites\Error Cleaner.url - Deleted C:\Documents and Settings\Karah\Favorites\Privacy Protector.url - Deleted C:\Documents and Settings\Karah\Favorites\Spyware&Malware Protection.url - Deleted C:\WINDOWS\gfetqaxsqsb.dll - Deleted C:\WINDOWS\tovafrnm.exe - Deleted Removing Temp Files ADS Check : Final Check : catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-27 20:25:26 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden services & system hive ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services : Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\standard profile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPAGER.EXE::Enabled:Yah oo! Messenger" "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Progra m Files\\Yahoo!\\Messenger\\yserver.exe::Enabled:Ya hoo! FT Server" "C:\\WINDOWS\\system32\\mshta.exe"="C:\\WINDOWS\\s ystem32\\mshta.exe::Enabled:Microsoft (R) HTML Application host" "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe::Enabled:Windows Messenger" "C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS \\system32\\dpvsetup.exe::Enabled:Microsoft DirectPlay Voice Test" "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe::Enabled:iTunes" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe::Enabled:Windows Live Messenger 8.1" "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe::Enabled:Windows Live Messenger 8.1 (Phone)" "C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe::Enabled:Internet Explorer" "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE::Enabled:Microsoft Office Outlook" "C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE::Enabled:Microsoft Office Groove" "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE::Enabled:Microsoft Office OneNote" "C:\\WINDOWS\\system32\\lxdccoms.exe"="C:\\WINDOWS \\system32\\lxdccoms.exe::Enabled:Lexmark Communications System" "C:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"="C:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe::Enabled:Lexmark Device Monitor" "C:\\Program Files\\Lexmark 1300 Series\\App4R.exe"="C:\\Program Files\\Lexmark 1300 Series\\App4R.exe::Enabled:Lexmark Imaging Studio" "C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\ \lxdcpswx.exe"="C:\\WINDOWS\\system32\\spool\\driv ers\\w32x86\\3\\lxdcpswx.exe::Enabled: " "C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\ \lxdcjswx.exe"="C:\\WINDOWS\\system32\\spool\\driv ers\\w32x86\\3\\lxdcjswx.exe::Enabled: " "C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\ \lxdctime.exe"="C:\\WINDOWS\\system32\\spool\\driv ers\\w32x86\\3\\lxdctime.exe::Enabled: " "C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\ \lxdcwbgw.exe"="C:\\WINDOWS\\system32\\spool\\driv ers\\w32x86\\3\\lxdcwbgw.exe::Enabled: " "C:\\Program Files\\CallWave\\IAM.exe"="C:\\Program Files\\CallWave\\IAM.exe::Enabled:CallWave" [HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\domainpr ofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe::Enabled:AOL" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe::Enabled:AOL" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe::Enabled:Windows Live Messenger 8.1" "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe::Enabled:Windows Live Messenger 8.1 (Phone)" "C:\\Program Files\\Lexmark 1300 Series\\app4r.exe"="C:\\Program Files\\Lexmark 1300 Series\\app4r.exe::Enabled:Lexmark Imaging Studio" Remaining Files* : File Backups: - C:\SDFix\backups\backups.zip Files with Hidden Attributes : Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe" Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" Fri 21 Jan 2005 56 ..SHR --- "C:\WINDOWS\system32\E7D092101B.sys" Fri 21 Jan 2005 1,682 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys" Sat 20 Nov 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak" Sat 20 Nov 2004 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv13.bak" Thu 13 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c4 06b1d7e0f5c1e6f6d44a3f6e\BIT7.tmp" Thu 13 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26924cbc 8132a10b438ce6e2b49d4652\BIT5.tmp" Thu 13 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2769b111 678c52099a3b3123b12f2325\BIT9.tmp" Wed 30 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc261 2ebcefc90e7dee4c276ee95e\BIT7.tmp" Thu 13 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b69c46c5 109d0f8b0dee9fab84906813\BIT8.tmp" Thu 13 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b 8fed23dd91f50d167cce60d3\BITA.tmp" Thu 13 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa6c916b b150f8a929e7a4ffdfbc120f\BIT6.tmp" Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\blah\Application Data\U3\temp\Launchpad Removal.exe" Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\Karah\Application Data\U3\temp\Launchpad Removal.exe" Finished!

06-28-2008, 02:38 AM	#30 (permalink)
squiggs New Member Join Date: Jun 2008 Posts: 21	Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 20:37, on 6/27/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdcser v.exe C:\WINDOWS\system32\lxdccoms.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\SAVScan.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\System32\wbem\wmiapsrv.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\NCLAUNCH.EXe C:\WINDOWS\System32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q= R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file) O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\ppctoolbar.dll O3 - Toolbar: (no name) - {266F6829-949E-4645-AAEA-1323B59E826C} - (no file) O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [4a8733d9] rundll32.exe "C:\WINDOWS\system32\ahejxcbc.dll",b O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe O4 - Global Startup: Adobe Gamma Loader.lnk = ? O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file) O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Karah\Start Menu\Programs\IMVU\Run IMVU.lnk O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.ht m (file missing) (HKCU) O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - http://lads.myspace.com/upload/MySpaceUploader1005.cab O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase9563.cab O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - http://web1.shutterfly.com/downloads/Uploader.cab O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: lxdcCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdcse rv.exe O23 - Service: lxdc_device - - C:\WINDOWS\system32\lxdccoms.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE -- End of file - 6765 bytes