1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: how to get rid of Trojandownloader.xs -- here's my hijackthis log

Discussion in 'Virus & Other Malware Removal' started by sugarbeansmom, Apr 13, 2008.

Thread Status:
Not open for further replies.
Advertisement
  1. sugarbeansmom

    sugarbeansmom Thread Starter

    Joined:
    Mar 31, 2007
    Messages:
    14
    hello all -- I have the trojandownloader.xs on my pc and need to get it off... I downloaded hijack this just now & here's my log file... Thanks so much in advance for your help with this.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:47:14 AM, on 4/13/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Documents and Settings\All Users\Application Data\qfypcbat\ixipklcn.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\Program Files\webHancer\Programs\whagent.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\QdrModule\QdrModule15.exe
    C:\Program Files\QdrPack\QdrPack15.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\winself.exe
    C:\Program Files\PhotoWise\quicklnk.exe
    C:\Program Files\Bat\X_Bat.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.peaknet.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Peaknet
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
    O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
    O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
    O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
    O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Bat\Bat.dll
    O2 - BHO: StFlex IE Helper - {8334A30C-49E5-489a-B63D-5B927C1EF46E} - C:\Program Files\QdrDrive\QdrDrive15.dll
    O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
    O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
    O2 - BHO: (no name) - {db41de82-1dd1-11b2-b7fd-fbaf280c36b9} - C:\WINDOWS\ihubmvcf.dll
    O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,[email protected]
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
    O4 - HKLM\..\Run: [jgpqbodu] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\jgpqbodu.dll"
    O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [SoundMan] C:\WINDOWS\system32\SOUNDMAN.EXE
    O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
    O4 - HKCU\..\Run: [QdrPack15] "C:\Program Files\QdrPack\QdrPack15.exe"
    O4 - HKLM\..\Policies\Explorer\Run: [SpJi7IaAcd] C:\Documents and Settings\All Users\Application Data\qfypcbat\ixipklcn.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
    O4 - S-1-5-18 Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe (User 'Default user')
    O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
    O4 - Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O14 - IERESET.INF: START_PAGE_URL=http://www.peaknet.net/
    O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
    O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.winkflash.com/photo/loaders/ImageUploader4.cab
    O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1450/ftp.coupons.com/r3302/cpbrkpie.cab
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.winkflash.com/photo/loaders/ImageUploader3.cab
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: lxcf_device - Unknown owner - C:\WINDOWS\system32\lxcfcoms.exe
    O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\winself.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

    --
    End of file - 9057 bytes
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Please visit this webpage for instructions on installing recovery console and downloading/running ComboFix.

    Post the log from ComboFix along with a new HijackThis log.
     
  3. sugarbeansmom

    sugarbeansmom Thread Starter

    Joined:
    Mar 31, 2007
    Messages:
    14
    hello -- thanks SO much for your help ... I ran combofix and then re-ran hijackthis... here are the log files. Thanks again!

    ComboFix 08-04-13.3 - Owner 2008-04-14 16:43:37.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.153 [GMT -5:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    ADS - explorer.exe: deleted 42665 bytes in 4 streams.

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor
    C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
    C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
    C:\Program Files\ISM
    C:\Program Files\ISM\ism.exe
    C:\Program Files\ISM\Uninstall.exe
    C:\Program Files\QdrDrive
    C:\Program Files\QdrDrive\QdrDrive15.dll
    C:\Program Files\QdrDrive\qdrloader.exe
    C:\Program Files\QdrModule
    C:\Program Files\QdrModule\dicy.gz
    C:\Program Files\QdrModule\kwdy.gz
    C:\Program Files\QdrModule\pckr.dat
    C:\Program Files\QdrModule\QdrModule15.exe
    C:\Program Files\QdrPack
    C:\Program Files\QdrPack\dicts.gz
    C:\Program Files\QdrPack\QdrPack15.exe
    C:\Program Files\QdrPack\trgts.gz
    C:\Program Files\webhancer
    C:\Program Files\webhancer\Programs\license.txt
    C:\Program Files\webhancer\Programs\readme.txt
    C:\Program Files\webhancer\Programs\sporder.dll
    C:\Program Files\webhancer\Programs\webhdll.dll
    C:\Program Files\webhancer\Programs\whagent.exe
    C:\Program Files\webhancer\Programs\whagent.ini
    C:\Program Files\webhancer\Programs\whiehlpr.dll
    C:\Program Files\webhancer\Programs\whinstaller.exe
    C:\WINDOWS\123messenger.per
    C:\WINDOWS\2020search.dll
    C:\WINDOWS\2020search2.dll
    C:\WINDOWS\apphelp32.dll
    C:\WINDOWS\asferror32.dll
    C:\WINDOWS\asycfilt32.dll
    C:\WINDOWS\athprxy32.dll
    C:\WINDOWS\ati2dvaa32.dll
    C:\WINDOWS\ati2dvag32.dll
    C:\WINDOWS\audiosrv32.dll
    C:\WINDOWS\autodisc32.dll
    C:\WINDOWS\avifile32.dll
    C:\WINDOWS\avisynthex32.dll
    C:\WINDOWS\aviwrap32.dll
    C:\WINDOWS\bjam.dll
    C:\WINDOWS\bokja.exe
    C:\WINDOWS\browserad.dll
    C:\WINDOWS\cdsm32.dll
    C:\WINDOWS\changeurl_30.dll
    C:\WINDOWS\conf.inf
    C:\WINDOWS\default.htm
    C:\WINDOWS\didduid.ini
    C:\WINDOWS\Downloaded Program Files\setup.inf
    C:\WINDOWS\ky.sxc
    C:\WINDOWS\licencia.txt
    C:\WINDOWS\msa64chk.dll
    C:\WINDOWS\msapasrc.dll
    C:\WINDOWS\mscon.sio
    C:\WINDOWS\mspphe.dll
    C:\WINDOWS\mssvr.exe
    C:\WINDOWS\ntnut.exe
    C:\WINDOWS\PerfInfo
    C:\WINDOWS\PerfInfo\SpJi7IaAcdwp.exe
    C:\WINDOWS\saiemod.dll
    C:\WINDOWS\shdocpe.dll
    C:\WINDOWS\shdocpl.dll
    C:\WINDOWS\stcloader.exe
    C:\WINDOWS\swin32.dll
    C:\WINDOWS\system32\000060.exe
    C:\WINDOWS\system32\000090.exe
    C:\WINDOWS\system32\svcp.csv
    C:\WINDOWS\system32\winfrun32.bin
    C:\WINDOWS\system32\winsub.xml
    C:\WINDOWS\telefonos.txt
    C:\WINDOWS\textos.txt
    C:\WINDOWS\voiceip.dll
    C:\WINDOWS\winsb.dll
    C:\WINDOWS\winself.exe
    D:\Autorun.inf

    ----- BITS: Possible infected sites -----

    hxxp://80.93.48.74
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_windev-14f6-297e
    -------\Legacy_MSSysInterv1
    -------\MSSysInterv1


    ((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
    .

    2008-04-14 15:52 . 2008-04-14 15:52 <DIR> d-------- C:\Program Files\RcvSystem
    2008-04-13 06:45 . 2008-04-13 06:45 <DIR> d-------- C:\Program Files\Trend Micro
    2008-04-12 15:35 . 2008-04-12 15:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
    2008-04-12 15:35 . 2008-04-12 15:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\qfypcbat
    2008-04-12 15:34 . 2008-04-12 15:35 <DIR> d-------- C:\WINDOWS\cuawsppw
    2008-04-12 15:34 . 2008-04-12 15:36 <DIR> d-------- C:\Program Files\Bat
    2008-04-12 15:34 . 2008-04-12 15:34 196,096 --a------ C:\WINDOWS\cfmlatuz.dll
    2008-04-12 15:34 . 2008-04-12 15:34 70,144 --a------ C:\WINDOWS\ihubmvcf.dll
    2008-04-12 15:34 . 2008-04-12 15:34 70,144 --a------ C:\Documents and Settings\All Users\Application Data\jgpqbodu.dll
    2008-04-12 15:33 . 2008-04-12 15:33 6,656 --a------ C:\WINDOWS\ictions.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-14 21:29 --------- d-----w C:\Program Files\Lx_cats
    2008-04-14 13:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-04-12 21:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
    2008-04-05 02:09 8,720 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
    2008-02-22 01:51 --------- d-----w C:\Program Files\Wal-Mart Music Downloads Store
    2008-02-01 17:41 1,032,192 ----a-w C:\WINDOWS\explorer.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]
    2008-03-07 21:15 413696 --a------ C:\Program Files\Bat\Bat.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{db41de82-1dd1-11b2-b7fd-fbaf280c36b9}]
    2008-04-12 15:34 70144 --a------ C:\WINDOWS\ihubmvcf.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 10:06 1667584]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 08:14 68856]
    "ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 05:40 218032]
    "SoundMan"="C:\WINDOWS\system32\SOUNDMAN.EXE" [ ]
    "QdrModule15"="C:\Program Files\QdrModule\QdrModule15.exe" [ ]
    "QdrPack15"="C:\Program Files\QdrPack\QdrPack15.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 17:04 135168]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 22:24 32768]
    "VTTimer"="VTTimer.exe" [2005-03-08 05:33 53248 C:\WINDOWS\system32\VTTimer.exe]
    "VTTrayp"="VTtrayp.exe" [2005-03-11 19:33 147456 C:\WINDOWS\system32\VTTrayp.exe]
    "Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
    "Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
    "LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-04-27 09:20 69632]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 09:25 579072]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 12:58 278528]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-12 08:37 155648]
    "EEventManager"="C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-03-17 10:30 102400]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 08:34 219136]

    C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\
    PhotoWise QuickLink.lnk - C:\Program Files\PhotoWise\quicklnk.exe [2006-01-08 22:00:21 59904]

    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
    Bat - Auto Update.lnk - C:\Program Files\Bat\Bat.exe [2008-04-12 15:34:22 178419]
    PhotoWise QuickLink.lnk - C:\Program Files\PhotoWise\quicklnk.exe [2006-01-08 22:00:21 59904]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
    "SpJi7IaAcd"= C:\Documents and Settings\All Users\Application Data\qfypcbat\ixipklcn.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\WINDOWS\\system32\\lxcfcoms.exe"=
    "C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
    "C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
    "C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
    "%windir%\\explorer.exe"=


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36db705f-3c72-11d8-a150-806d6172696f}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4021e6df-0a2a-11da-b762-806d6172696f}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dcd886df-1ef9-11da-9a49-806d6172696f}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{deff3a65-0821-11da-8b7d-806d6172696f}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-14 21:51:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDetect.exe
    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-14 16:49:36
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    C:\WINDOWS\system32\pejolyji.exe 102400 bytes executable

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Bat\X_Bat.exe
    .
    **************************************************************************
    .
    Completion time: 2008-04-14 16:53:54 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-04-14 21:53:50

    Pre-Run: 101,550,063,616 bytes free
    Post-Run: 101,516,275,712 bytes free



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:33:20 PM, on 4/14/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\Documents and Settings\All Users\Application Data\qfypcbat\ixipklcn.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\PhotoWise\quicklnk.exe
    C:\Program Files\Bat\X_Bat.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Bat\Bat.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: (no name) - {db41de82-1dd1-11b2-b7fd-fbaf280c36b9} - C:\WINDOWS\ihubmvcf.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,[email protected]
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [SoundMan] C:\WINDOWS\system32\SOUNDMAN.EXE
    O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
    O4 - HKCU\..\Run: [QdrPack15] "C:\Program Files\QdrPack\QdrPack15.exe"
    O4 - HKLM\..\Policies\Explorer\Run: [SpJi7IaAcd] C:\Documents and Settings\All Users\Application Data\qfypcbat\ixipklcn.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
    O4 - S-1-5-18 Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe (User 'Default user')
    O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
    O4 - Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.peaknet.net/
    O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
    O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.winkflash.com/photo/loaders/ImageUploader4.cab
    O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1450/ftp.coupons.com/r3302/cpbrkpie.cab
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.winkflash.com/photo/loaders/ImageUploader3.cab
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: lxcf_device - Unknown owner - C:\WINDOWS\system32\lxcfcoms.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

    --
    End of file - 7673 bytes
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Open Notepad and copy and paste the text in the quote box below into it:

    Save the file to you desktop and name it CFScript.txt

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

    [​IMG]

    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.



    Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Wait until it has finished scanning and then exit the program.
    • Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.


    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Select Files to Delete choose: Select All
    • Click the Empty Selected button.

    Click Exit on the Main menu to close the program.



    Download (save and select your desktop to save it to) SUPERAntiSpyware Free for Home Users
    • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
    • Under "Configuration and Preferences", click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure the following are checked (leave all others unchecked):
      • Close browsers before scanning.
      • Scan for tracking cookies.
      • Terminate memory threats before quarantining.
    • Click the "Close" button to leave the control center screen.
    • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive and all other fixed drives..
    • On the right, under "Complete Scan", choose Perform Complete Scan.
    • Click "Next" to start the scan. Please be patient while it scans your computer.
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes".
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      • Please copy and paste the Scan Log results in your next reply with a new hijackthis log.
    • Click Close to exit the program.


    Please perform a scan with Kaspersky Webscan Online Virus Scanner
    • Read the Requirements and Privacy statement, then select "Accept".
    • A new window will appear promting you to install an ActiveX component from Kaspersky - "Do you want to install this software?".
    • Click "Yes" or select "Install" to download the ActiveX controls that allows ActiveScan to run.
    • When the download is complete it will say ready, click "Next".
    • Click "Scan Settings" and check the option to use the Extended Database if available otherwise Standard).
    • Click "Scan Options" and select both "Scan Archives" and "Scan Mail Bases".
    • Click "OK".
    • Under "Select a target to scan", click on "My Computer".
    • When the scan is complete choose to save the results as "Save as Text" named kaspersky.txt to your desktop and post them in your next reply.


    Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for Free Online Virus Scanner. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version. To do this, follow the steps here and reboot afterwards if your system does not reboot automatically or it will show 'Kaspersky Online Scanner license key was not found!
     
  5. sugarbeansmom

    sugarbeansmom Thread Starter

    Joined:
    Mar 31, 2007
    Messages:
    14
    thanks so much... the popups have stopped, but the scans you listed still show more problems I think... here are my new logs:

    combofix log:
    ComboFix 08-04-13.3 - Owner 2008-04-19 15:56:05.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.217 [GMT -5:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\Documents and Settings\All Users\Application Data\jgpqbodu.dll
    C:\WINDOWS\cfmlatuz.dll
    C:\WINDOWS\ictions.dll
    C:\WINDOWS\ihubmvcf.dll
    C:\WINDOWS\system32\pejolyji.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\jgpqbodu.dll
    C:\Documents and Settings\All Users\Application Data\qfypcbat
    C:\Documents and Settings\All Users\Application Data\qfypcbat\ixipklcn.exe
    C:\Documents and Settings\All Users\Application Data\Rabio
    C:\Program Files\Bat
    C:\Program Files\Bat\Bat.dll
    C:\Program Files\Bat\Bat.dll.intermediate.manifest
    C:\Program Files\Bat\Bat.exe
    C:\Program Files\Bat\Bat.info
    C:\Program Files\Bat\Bat.original
    C:\Program Files\Bat\Info.dll
    C:\Program Files\Bat\un_BatSetup_15041.exe
    C:\Program Files\Bat\un_BatSetup_15041.txt
    C:\Program Files\Bat\X_Bat.exe
    C:\Program Files\Bat\X_Bat.log
    C:\WINDOWS\cuawsppw
    C:\WINDOWS\cuawsppw\1.png
    C:\WINDOWS\cuawsppw\2.png
    C:\WINDOWS\cuawsppw\3.png
    C:\WINDOWS\cuawsppw\4.png
    C:\WINDOWS\cuawsppw\5.png
    C:\WINDOWS\cuawsppw\6.png
    C:\WINDOWS\cuawsppw\7.png
    C:\WINDOWS\cuawsppw\8.png
    C:\WINDOWS\cuawsppw\9.png
    C:\WINDOWS\cuawsppw\bottom-rc.gif
    C:\WINDOWS\cuawsppw\config.png
    C:\WINDOWS\cuawsppw\content.png
    C:\WINDOWS\cuawsppw\download.gif
    C:\WINDOWS\cuawsppw\frame-bg.gif
    C:\WINDOWS\cuawsppw\frame-bottom-left.gif
    C:\WINDOWS\cuawsppw\frame-h1bg.gif
    C:\WINDOWS\cuawsppw\head.png
    C:\WINDOWS\cuawsppw\icon.png
    C:\WINDOWS\cuawsppw\indexwp.html
    C:\WINDOWS\cuawsppw\main.css
    C:\WINDOWS\cuawsppw\memory-prots.png
    C:\WINDOWS\cuawsppw\net.png
    C:\WINDOWS\cuawsppw\pc-mag.gif
    C:\WINDOWS\cuawsppw\pc.gif
    C:\WINDOWS\cuawsppw\poloska1.png
    C:\WINDOWS\cuawsppw\poloska2.png
    C:\WINDOWS\cuawsppw\poloska3.png
    C:\WINDOWS\cuawsppw\promowp1.html
    C:\WINDOWS\cuawsppw\promowp2.html
    C:\WINDOWS\cuawsppw\promowp3.html
    C:\WINDOWS\cuawsppw\promowp4.html
    C:\WINDOWS\cuawsppw\promowp5.html
    C:\WINDOWS\cuawsppw\reg.png
    C:\WINDOWS\cuawsppw\repair.png
    C:\WINDOWS\cuawsppw\scr-1.png
    C:\WINDOWS\cuawsppw\scr-2.png
    C:\WINDOWS\cuawsppw\start.png
    C:\WINDOWS\cuawsppw\styles.css
    C:\WINDOWS\cuawsppw\Thumbs.db
    C:\WINDOWS\cuawsppw\top-rc.gif
    C:\WINDOWS\cuawsppw\vline.gif
    C:\WINDOWS\cuawsppw\wp.png
    C:\WINDOWS\ictions.dll
    C:\WINDOWS\ihubmvcf.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
    .

    2008-04-19 15:11 . 2008-04-19 15:11 102,400 --a------ C:\WINDOWS\system32\mhchsdez.exe
    2008-04-19 12:10 . 2008-04-19 12:10 102,400 --a------ C:\WINDOWS\system32\ejktmnod.exe
    2008-04-14 15:52 . 2008-04-14 15:52 <DIR> d-------- C:\Program Files\RcvSystem
    2008-04-13 06:45 . 2008-04-13 06:45 <DIR> d-------- C:\Program Files\Trend Micro

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-19 16:52 --------- d-----w C:\Program Files\Lx_cats
    2008-04-19 13:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-04-12 21:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
    2008-04-05 02:09 8,720 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
    2008-02-22 01:51 --------- d-----w C:\Program Files\Wal-Mart Music Downloads Store
    2008-02-01 17:41 1,032,192 ----a-w C:\WINDOWS\explorer.exe
    .

    ((((((((((((((((((((((((((((( [email protected]_16.53.41.42 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-04-14 21:49:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-04-19 20:59:53 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 10:06 1667584]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 08:14 68856]
    "ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 05:40 218032]
    "SoundMan"="C:\WINDOWS\system32\SOUNDMAN.EXE" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 17:04 135168]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 22:24 32768]
    "VTTimer"="VTTimer.exe" [2005-03-08 05:33 53248 C:\WINDOWS\system32\VTTimer.exe]
    "VTTrayp"="VTtrayp.exe" [2005-03-11 19:33 147456 C:\WINDOWS\system32\VTTrayp.exe]
    "Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
    "Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
    "LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-04-27 09:20 69632]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-04-16 08:24 579584]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 12:58 278528]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-12 08:37 155648]
    "EEventManager"="C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-03-17 10:30 102400]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 08:34 219136]

    C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\
    PhotoWise QuickLink.lnk - C:\Program Files\PhotoWise\quicklnk.exe [2006-01-08 22:00:21 59904]

    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
    Bat - Auto Update.lnk - C:\QooBox\Quarantine\C\Program Files\Bat\Bat.exe.vir [2008-04-12 15:34:22 178419]
    PhotoWise QuickLink.lnk - C:\Program Files\PhotoWise\quicklnk.exe [2006-01-08 22:00:21 59904]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
    "SpJi7IaAcd"= C:\Documents and Settings\All Users\Application Data\qfypcbat\ixipklcn.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\WINDOWS\\system32\\lxcfcoms.exe"=
    "C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
    "C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
    "C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
    "%windir%\\explorer.exe"=


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36db705f-3c72-11d8-a150-806d6172696f}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4021e6df-0a2a-11da-b762-806d6172696f}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dcd886df-1ef9-11da-9a49-806d6172696f}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{deff3a65-0821-11da-8b7d-806d6172696f}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-19 21:01:05 C:\WINDOWS\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDetect.exe
    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-19 16:00:28
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\system32\rundll32.exe
    .
    **************************************************************************
    .
    Completion time: 2008-04-19 16:04:32 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-04-19 21:04:29
    ComboFix2.txt 2008-04-14 21:53:55

    Pre-Run: 101,435,060,224 bytes free
    Post-Run: 101,422,428,160 bytes free



    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 04/19/2008 at 04:58 PM

    Application Version : 4.0.1154

    Core Rules Database Version : 3442
    Trace Rules Database Version: 1434

    Scan type : Complete Scan
    Total Scan Time : 00:19:25

    Memory items scanned : 364
    Memory threats detected : 0
    Registry items scanned : 4613
    Registry threats detected : 0
    File items scanned : 11723
    File threats detected : 14

    Adware.Tracking Cookie
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

    Adware.AdSponsor/ISM
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP825\A0027221.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP825\A0027222.EXE

    Adware.webHancer
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP825\A0027224.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP825\A0027225.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP825\A0027227.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP825\A0027228.EXE

    Rogue.WinPerformance
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP825\A0027229.EXE

    Trojan.Unclassified/Multi-Dropper
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP829\A0027381.EXE
    C:\WINDOWS\SYSTEM32\EJKTMNOD.EXE
    C:\WINDOWS\SYSTEM32\MHCHSDEZ.EXE

    Trojan.Unclassified/Multi-Dropper (Packed)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP830\A0027399.EXE

    Trojan.Unclassified-Packed/Suspicious
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP830\A0027406.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP830\A0027408.DLL



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:00:57 AM, on 4/20/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\PhotoWise\quicklnk.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\lxcfcoms.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,[email protected]
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [SoundMan] C:\WINDOWS\system32\SOUNDMAN.EXE
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKLM\..\Policies\Explorer\Run: [SpJi7IaAcd] C:\Documents and Settings\All Users\Application Data\qfypcbat\ixipklcn.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
    O4 - S-1-5-18 Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe (User 'Default user')
    O4 - Startup: Bat - Auto Update.lnk = C:\QooBox\Quarantine\C\Program Files\Bat\Bat.exe.vir
    O4 - Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.peaknet.net/
    O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.winkflash.com/photo/loaders/ImageUploader4.cab
    O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1450/ftp.coupons.com/r3302/cpbrkpie.cab
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.winkflash.com/photo/loaders/ImageUploader3.cab
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: lxcf_device - Unknown owner - C:\WINDOWS\system32\lxcfcoms.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

    --
    End of file - 7622 bytes


    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Sunday, April 20, 2008 6:57:29 AM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 19/04/2008
    Kaspersky Anti-Virus database records: 715802
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\

    Scan Statistics:
    Total number of scanned objects: 69630
    Number of viruses found: 7
    Number of infected objects: 17
    Number of suspicious objects: 6
    Duration of the scan process: 01:06:29

    Infected Object Name / Virus Name / Last Action
    C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-19-2008( 17-2-41 ).LOG Object is locked skipped
    C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Owner\Desktop\backup-12[1].24.2007_20-09-24_psalqtji.tar.gz/packed/backup-12.24.2007_20-09-24_psalqtji/homedir/mail/psalm274.com/eli/new/1184582392.H516731P3620.host01t/[From "SunTrust Bank" <[email protected]>]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
    C:\Documents and Settings\Owner\Desktop\backup-12[1].24.2007_20-09-24_psalqtji.tar.gz/packed/backup-12.24.2007_20-09-24_psalqtji/homedir/mail/psalm274.com/eli/new/1184582392.H516731P3620.host01t Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
    C:\Documents and Settings\Owner\Desktop\backup-12[1].24.2007_20-09-24_psalqtji.tar.gz/packed/backup-12.24.2007_20-09-24_psalqtji/homedir/mail/psalm274.com/eli/new/1184181119.H875715P20674.host0text/[From "SunTrust Bank" <[email protected]>]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
    C:\Documents and Settings\Owner\Desktop\backup-12[1].24.2007_20-09-24_psalqtji.tar.gz/packed/backup-12.24.2007_20-09-24_psalqtji/homedir/mail/psalm274.com/eli/new/1184181119.H875715P20674.host0text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
    C:\Documents and Settings\Owner\Desktop\backup-12[1].24.2007_20-09-24_psalqtji.tar.gz/packed Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
    C:\Documents and Settings\Owner\Desktop\backup-12[1].24.2007_20-09-24_psalqtji.tar.gz GZIP: suspicious - 5 skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008041920080420\index.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
    C:\QooBox\Quarantine\C\Program Files\Bat\Bat.dll.vir Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
    C:\QooBox\Quarantine\C\Program Files\Bat\Info.dll.vir Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
    C:\QooBox\Quarantine\C\Program Files\QdrModule\QdrModule15.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
    C:\QooBox\Quarantine\C\Program Files\QdrPack\QdrPack15.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.x skipped
    C:\QooBox\Quarantine\C\Program Files\webHancer\Programs\webhdll.dll.vir Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
    C:\QooBox\Quarantine\C\Program Files\webHancer\Programs\whiehlpr.dll.vir Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
    C:\QooBox\Quarantine\C\Program Files\webHancer\Programs\whinstaller.exe.vir Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
    C:\QooBox\Quarantine\C\WINDOWS\default.htm.vir Infected: not-virus:Hoax.HTML.Secureinvites.b skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\000090.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\000090.exe.vir/stream Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\000090.exe.vir NSIS: infected - 2 skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP825\A0027266.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP825\A0027266.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP825\A0027266.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP830\A0027400.dll Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP830\A0027403.dll Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP831\A0027465.exe Object is locked skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP831\A0027466.exe Object is locked skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP831\change.log Object is locked skipped
    C:\WINDOWS\cpbrkpie.ocx Infected: not-a-virus:AdWare.Win32.Coupons.h skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    D:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped

    Scan process completed.
     
  6. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Open Notepad and copy and paste the text in the quote box below into it:

    Save the file to you desktop and name it CFScript.txt

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

    [​IMG]

    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
     
  7. sugarbeansmom

    sugarbeansmom Thread Starter

    Joined:
    Mar 31, 2007
    Messages:
    14
    thank you ... again...

    here are the new logs:

    ComboFix 08-04-13.3 - Owner 2008-04-21 21:27:39.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.153 [GMT -5:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Owner\Desktop\cfscript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\Documents and Settings\Owner\Desktop\backup-12[1].24.2007_20-09-24_psalqtji.tar.gz
    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Bat - Auto Update.lnk
    C:\WINDOWS\cpbrkpie.ocx
    C:\WINDOWS\system32\ejktmnod.exe
    C:\WINDOWS\system32\mhchsdez.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Owner\Desktop\backup-12[1].24.2007_20-09-24_psalqtji.tar.gz
    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Bat - Auto Update.lnk
    C:\WINDOWS\cpbrkpie.ocx

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
    .

    2008-04-19 17:06 . 2008-04-19 17:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-04-19 17:06 . 2008-04-19 17:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-04-19 16:33 . 2008-04-19 16:33 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-04-19 16:33 . 2008-04-19 16:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
    2008-04-19 16:33 . 2008-04-19 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-04-19 16:32 . 2008-04-19 16:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-14 15:52 . 2008-04-14 15:52 <DIR> d-------- C:\Program Files\RcvSystem
    2008-04-13 06:45 . 2008-04-13 06:45 <DIR> d-------- C:\Program Files\Trend Micro

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-21 13:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-04-20 13:16 --------- d-----w C:\Program Files\Lx_cats
    2008-04-12 21:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
    2008-04-05 02:09 8,720 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
    2008-02-22 01:51 --------- d-----w C:\Program Files\Wal-Mart Music Downloads Store
    2008-02-01 17:41 1,032,192 ----a-w C:\WINDOWS\explorer.exe
    .

    ((((((((((((((((((((((((((((( [email protected]_16.53.41.42 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-04-14 21:49:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-04-22 02:31:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-04-19 21:33:11 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
    + 2008-04-19 21:33:11 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
    + 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
    + 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
    + 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 10:06 1667584]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 08:14 68856]
    "ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 05:40 218032]
    "SoundMan"="C:\WINDOWS\system32\SOUNDMAN.EXE" [ ]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 17:04 135168]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 22:24 32768]
    "VTTimer"="VTTimer.exe" [2005-03-08 05:33 53248 C:\WINDOWS\system32\VTTimer.exe]
    "VTTrayp"="VTtrayp.exe" [2005-03-11 19:33 147456 C:\WINDOWS\system32\VTTrayp.exe]
    "Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
    "Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
    "LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-04-27 09:20 69632]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-04-16 08:24 579584]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 12:58 278528]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-12 08:37 155648]
    "EEventManager"="C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-03-17 10:30 102400]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 08:34 219136]

    C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\
    PhotoWise QuickLink.lnk - C:\Program Files\PhotoWise\quicklnk.exe [2006-01-08 22:00:21 59904]

    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
    PhotoWise QuickLink.lnk - C:\Program Files\PhotoWise\quicklnk.exe [2006-01-08 22:00:21 59904]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
    "SpJi7IaAcd"= C:\Documents and Settings\All Users\Application Data\qfypcbat\ixipklcn.exe

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\WINDOWS\\system32\\lxcfcoms.exe"=
    "C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
    "C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
    "C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
    "%windir%\\explorer.exe"=


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36db705f-3c72-11d8-a150-806d6172696f}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4021e6df-0a2a-11da-b762-806d6172696f}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dcd886df-1ef9-11da-9a49-806d6172696f}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{deff3a65-0821-11da-8b7d-806d6172696f}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-22 02:26:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDetect.exe
    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-21 21:31:34
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2008-04-21 21:34:50 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-04-22 02:34:47
    ComboFix2.txt 2008-04-19 21:04:33
    ComboFix3.txt 2008-04-14 21:53:55

    Pre-Run: 101,357,355,008 bytes free
    Post-Run: 101,345,636,352 bytes free


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:38:28 PM, on 4/21/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\PhotoWise\quicklnk.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,[email protected]
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [SoundMan] C:\WINDOWS\system32\SOUNDMAN.EXE
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKLM\..\Policies\Explorer\Run: [SpJi7IaAcd] C:\Documents and Settings\All Users\Application Data\qfypcbat\ixipklcn.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
    O4 - S-1-5-18 Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe (User 'Default user')
    O4 - Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.peaknet.net/
    O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.winkflash.com/photo/loaders/ImageUploader4.cab
    O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1450/ftp.coupons.com/r3302/cpbrkpie.cab
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.winkflash.com/photo/loaders/ImageUploader3.cab
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: lxcf_device - Unknown owner - C:\WINDOWS\system32\lxcfcoms.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

    --
    End of file - 7517 bytes
     
  8. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Wait until it has finished scanning and then exit the program.
    • Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.


    Open Notepad and copy and paste the text in the quote box below into it:
    Code:
    KILLALL::
    Folder::
    C:\Documents and Settings\All Users\Application Data\qfypcbat
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
    "SpJi7IaAcd"=- 
    

    Save the file to you desktop and name it CFScript.txt

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

    [​IMG]

    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
     
  9. sugarbeansmom

    sugarbeansmom Thread Starter

    Joined:
    Mar 31, 2007
    Messages:
    14
    here are my new logs from today...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:45:00 AM, on 5/9/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\PhotoWise\quicklnk.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,[email protected]
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [SoundMan] C:\WINDOWS\system32\SOUNDMAN.EXE
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
    O4 - S-1-5-18 Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe (User 'Default user')
    O4 - Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.peaknet.net/
    O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.winkflash.com/photo/loaders/ImageUploader4.cab
    O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1450/ftp.coupons.com/r3302/cpbrkpie.cab
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.winkflash.com/photo/loaders/ImageUploader3.cab
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: lxcf_device - Unknown owner - C:\WINDOWS\system32\lxcfcoms.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

    --
    End of file - 7467 bytes


    ComboFix 08-05-08.1 - Owner 2008-05-09 9:08:16.4 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.189 [GMT -5:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\Downloaded Program Files\setup.inf

    .
    ((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
    .

    2008-05-07 16:00 . 2008-05-07 16:00 <DIR> d-------- C:\Program Files\Sibelius Software
    2008-05-07 16:00 . 2008-05-07 16:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Sibelius Software
    2008-04-19 17:06 . 2008-04-19 17:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-04-19 17:06 . 2008-04-19 17:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-04-19 16:33 . 2008-04-19 16:33 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-04-19 16:33 . 2008-04-19 16:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
    2008-04-19 16:33 . 2008-04-19 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-04-19 16:32 . 2008-04-19 16:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-14 15:52 . 2008-04-14 15:52 <DIR> d-------- C:\Program Files\RcvSystem
    2008-04-13 06:45 . 2008-04-13 06:45 <DIR> d-------- C:\Program Files\Trend Micro

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-09 13:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-05-07 01:47 9,010 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
    2008-05-07 01:15 --------- d-----w C:\Program Files\Lx_cats
    2008-04-12 21:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
    .

    ((((((((((((((((((((((((((((( [email protected]_16.53.41.42 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-04-14 21:49:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-05-09 14:13:22 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-04-19 21:33:11 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
    + 2008-04-19 21:33:11 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
    - 2005-07-29 13:23:20 153,176 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    + 2008-05-09 12:25:53 181,832 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    + 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
    + 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
    + 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
    + 2006-12-02 03:54:32 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
    + 2006-12-02 03:54:34 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
    + 2006-12-02 03:54:32 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 10:06 1667584]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 08:14 68856]
    "ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 05:40 218032]
    "SoundMan"="C:\WINDOWS\system32\SOUNDMAN.EXE" [ ]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 17:04 135168]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 22:24 32768]
    "VTTimer"="VTTimer.exe" [2005-03-08 05:33 53248 C:\WINDOWS\system32\VTTimer.exe]
    "VTTrayp"="VTtrayp.exe" [2005-03-11 19:33 147456 C:\WINDOWS\system32\VTTrayp.exe]
    "Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
    "Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
    "LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-04-27 09:20 69632]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-04-16 08:24 579584]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 12:58 278528]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-12 08:37 155648]
    "EEventManager"="C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-03-17 10:30 102400]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 08:34 219136]

    C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\
    PhotoWise QuickLink.lnk - C:\Program Files\PhotoWise\quicklnk.exe [2006-01-08 22:00:21 59904]

    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
    PhotoWise QuickLink.lnk - C:\Program Files\PhotoWise\quicklnk.exe [2006-01-08 22:00:21 59904]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 06:44:06 29696]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\WINDOWS\\system32\\lxcfcoms.exe"=
    "C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
    "C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
    "C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
    "%windir%\\explorer.exe"=


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36db705f-3c72-11d8-a150-806d6172696f}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4021e6df-0a2a-11da-b762-806d6172696f}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dcd886df-1ef9-11da-9a49-806d6172696f}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{deff3a65-0821-11da-8b7d-806d6172696f}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-05-09 14:16:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDetect.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-09 09:13:36
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2008-05-09 9:17:55 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-05-09 14:17:52
    ComboFix2.txt 2008-04-22 02:34:51
    ComboFix3.txt 2008-04-19 21:04:33
    ComboFix4.txt 2008-04-14 21:53:55

    Pre-Run: 101,021,179,904 bytes free
    Post-Run: 101,296,795,648 bytes free

    133
     
  10. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
  11. sugarbeansmom

    sugarbeansmom Thread Starter

    Joined:
    Mar 31, 2007
    Messages:
    14
    hi & thanks again for all the help... everything was running fine... but this a.m. I have popups all over again-- just like it started.... not sure why they are back?

    here's new logs from this morning:

    ComboFix 08-05-08.1 - Owner 2008-05-10 9:13:34.5 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.149 [GMT -5:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor
    C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
    C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
    C:\Program Files\ISM
    C:\Program Files\ISM\ism.exe
    C:\Program Files\ISM\Uninstall.exe
    C:\Program Files\QdrDrive
    C:\Program Files\QdrDrive\QdrDrive15.dll
    C:\Program Files\QdrDrive\qdrloader.exe
    C:\Program Files\QdrModule
    C:\Program Files\QdrModule\dicy.gz
    C:\Program Files\QdrModule\kwdy.gz
    C:\Program Files\QdrModule\pckr.dat
    C:\Program Files\QdrModule\QdrModule15.exe
    C:\Program Files\QdrPack
    C:\Program Files\QdrPack\dicts.gz
    C:\Program Files\QdrPack\QdrPack15.exe
    C:\Program Files\QdrPack\trgts.gz
    C:\Program Files\webhancer
    C:\Program Files\webhancer\Programs\license.txt
    C:\Program Files\webhancer\Programs\readme.txt
    C:\Program Files\webhancer\Programs\sporder.dll
    C:\Program Files\webhancer\Programs\webhdll.dll
    C:\Program Files\webhancer\Programs\whagent.exe
    C:\Program Files\webhancer\Programs\whagent.ini
    C:\Program Files\webhancer\Programs\whiehlpr.dll
    C:\Program Files\webhancer\Programs\whinstaller.exe
    C:\WINDOWS\system32\000060.exe
    C:\WINDOWS\system32\000080.exe
    C:\WINDOWS\system32\000090.exe
    C:\WINDOWS\system32\adult.txt
    C:\WINDOWS\system32\finance.txt
    C:\WINDOWS\system32\lt.res
    C:\WINDOWS\system32\other.txt
    C:\WINDOWS\system32\pharma.txt
    C:\WINDOWS\system32\sft.res

    ----- BITS: Possible infected sites -----

    hxxp://80.93.48.89
    .
    ((((((((((((((((((((((((( Files Created from 2008-04-10 to 2008-05-10 )))))))))))))))))))))))))))))))
    .

    2008-05-10 09:00 . 2008-05-10 09:00 57,546 --a------ C:\WINDOWS\promogif3.gif
    2008-05-10 09:00 . 2008-05-10 09:00 24,351 --a------ C:\WINDOWS\promogif1.gif
    2008-05-10 09:00 . 2008-05-10 09:00 24,066 --a------ C:\WINDOWS\promogif2.gif
    2008-05-10 09:00 . 2008-05-10 09:00 1,294 --a------ C:\WINDOWS\homepage.html
    2008-05-10 09:00 . 2008-05-10 09:00 507 --a------ C:\WINDOWS\promo6.html
    2008-05-10 09:00 . 2008-05-10 09:00 500 --a------ C:\WINDOWS\promo4.html
    2008-05-10 09:00 . 2008-05-10 09:00 478 --a------ C:\WINDOWS\promo5.html
    2008-05-10 09:00 . 2008-05-10 09:00 283 --a------ C:\WINDOWS\promo3.html
    2008-05-10 09:00 . 2008-05-10 09:00 283 --a------ C:\WINDOWS\promo2.html
    2008-05-10 09:00 . 2008-05-10 09:00 283 --a------ C:\WINDOWS\promo1.html
    2008-05-10 08:58 . 2008-05-10 08:58 32,768 --a------ C:\WINDOWS\system32\sockins32.dll
    2008-05-10 08:58 . 2008-05-10 08:58 25,728 --a------ C:\WINDOWS\system32\vtUmMeby.dll
    2008-05-10 08:58 . 2008-05-10 09:00 1,906 --a------ C:\WINDOWS\index.html
    2008-05-07 16:00 . 2008-05-07 16:00 <DIR> d-------- C:\Program Files\Sibelius Software
    2008-05-07 16:00 . 2008-05-07 16:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Sibelius Software
    2008-04-19 17:06 . 2008-04-19 17:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-04-19 17:06 . 2008-04-19 17:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-04-19 16:33 . 2008-04-19 16:33 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-04-19 16:33 . 2008-04-19 16:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
    2008-04-19 16:33 . 2008-04-19 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-04-19 16:32 . 2008-04-19 16:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-14 15:52 . 2008-04-14 15:52 <DIR> d-------- C:\Program Files\RcvSystem
    2008-04-13 06:45 . 2008-04-13 06:45 <DIR> d-------- C:\Program Files\Trend Micro

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-10 13:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-05-09 14:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
    2008-05-07 01:47 9,010 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
    2008-05-07 01:15 --------- d-----w C:\Program Files\Lx_cats
    .

    ((((((((((((((((((((((((((((( [email protected]_16.53.41.42 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-04-14 21:49:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-05-10 14:17:30 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-04-19 21:33:11 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
    + 2008-04-19 21:33:11 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
    - 2005-07-29 13:23:20 153,176 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    + 2008-05-09 12:25:53 181,832 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    + 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
    + 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
    + 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
    + 2006-12-02 03:54:32 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
    + 2006-12-02 03:54:34 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
    + 2006-12-02 03:54:32 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 10:06 1667584]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 08:14 68856]
    "ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 05:40 218032]
    "SoundMan"="C:\WINDOWS\system32\SOUNDMAN.EXE" [ ]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 17:04 135168]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 22:24 32768]
    "VTTimer"="VTTimer.exe" [2005-03-08 05:33 53248 C:\WINDOWS\system32\VTTimer.exe]
    "VTTrayp"="VTtrayp.exe" [2005-03-11 19:33 147456 C:\WINDOWS\system32\VTTrayp.exe]
    "Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
    "Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
    "LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-04-27 09:20 69632]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-04-16 08:24 579584]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 12:58 278528]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-12 08:37 155648]
    "EEventManager"="C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-03-17 10:30 102400]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 08:34 219136]

    C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\
    PhotoWise QuickLink.lnk - C:\Program Files\PhotoWise\quicklnk.exe [2006-01-08 22:00:21 59904]

    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
    PhotoWise QuickLink.lnk - C:\Program Files\PhotoWise\quicklnk.exe [2006-01-08 22:00:21 59904]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 06:44:06 29696]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"= 1 (0x1)
    "DisableRegistryTools"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "WebProxy"= {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\WINDOWS\\system32\\lxcfcoms.exe"=
    "C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
    "C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
    "C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
    "%windir%\\explorer.exe"=


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36db705f-3c72-11d8-a150-806d6172696f}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4021e6df-0a2a-11da-b762-806d6172696f}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dcd886df-1ef9-11da-9a49-806d6172696f}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{deff3a65-0821-11da-8b7d-806d6172696f}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
    rundll32 sockins32.dll,InitModule
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-05-10 14:21:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDetect.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-10 09:17:48
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2008-05-10 9:22:26 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-05-10 14:22:22
    ComboFix2.txt 2008-05-09 14:17:56
    ComboFix3.txt 2008-04-22 02:34:51
    ComboFix4.txt 2008-04-19 21:04:33
    ComboFix5.txt 2008-04-14 21:53:55

    Pre-Run: 101,215,236,096 bytes free
    Post-Run: 101,285,449,728 bytes free

    192


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:40:44 AM, on 5/10/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\PhotoWise\quicklnk.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,[email protected]
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [SoundMan] C:\WINDOWS\system32\SOUNDMAN.EXE
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
    O4 - S-1-5-18 Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe (User 'Default user')
    O4 - Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.peaknet.net/
    O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.winkflash.com/photo/loaders/ImageUploader4.cab
    O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1450/ftp.coupons.com/r3302/cpbrkpie.cab
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.winkflash.com/photo/loaders/ImageUploader3.cab
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: lxcf_device - Unknown owner - C:\WINDOWS\system32\lxcfcoms.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

    --
    End of file - 7962 bytes
    thanks again
     
  12. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Download SDFix and save it to your Desktop.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix and remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re-enable the protection again afterwards before connecting to the Internet.

    Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    • Open the c:\SDFix folder and double click RunThis.cmd to start the script.
    • Type Y to begin the script.
    • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • Your system will take longer that normal to restart as the fixtool will be running and removing files.
    • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
    • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back to the thread with a new HijackThis log.
     
  13. sugarbeansmom

    sugarbeansmom Thread Starter

    Joined:
    Mar 31, 2007
    Messages:
    14
    I can't seem to get into safe mode... I'm running on windows xp...

    Here's the latest hijackthis log...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:35:16 PM, on 5/11/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\PhotoWise\quicklnk.exe
    C:\Documents and Settings\Owner\cftmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\QdrPack\QdrPack15.exe
    C:\Program Files\QdrModule\QdrModule15.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
    O2 - BHO: StFlex IE Helper - {8334A30C-49E5-489a-B63D-5B927C1EF46E} - C:\Program Files\QdrDrive\QdrDrive15.dll
    O2 - BHO: {bba0307b-9764-9ed9-b824-be36d6e27178} - {87172e6d-63eb-428b-9de9-4679b7030abb} - C:\WINDOWS\system32\tdnhpvwh.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\nnnoMEtu.dll
    O2 - BHO: (no name) - {DCA2EF1D-6308-4C2A-BC3F-FDB084B9CE94} - C:\WINDOWS\system32\geBqropP.dll
    O2 - BHO: (no name) - {DE5099D0-5D1E-4EFF-85E1-CB6F2DE7D681} - C:\WINDOWS\system32\hgGywTkj.dll
    O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
    O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
    O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Owner\cftmon.exe
    O4 - HKLM\..\Run: [BM231aa6fd] Rundll32.exe "C:\WINDOWS\system32\vbuouimx.dll",s
    O4 - HKLM\..\Run: [20299561] rundll32.exe "C:\WINDOWS\system32\xtcfuhww.dll",b
    O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCFtime.dll,[email protected]
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [SoundMan] C:\WINDOWS\system32\SOUNDMAN.EXE
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
    O4 - HKCU\..\Run: [QdrPack15] "C:\Program Files\QdrPack\QdrPack15.exe"
    O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
    O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Owner\cftmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
    O4 - S-1-5-18 Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe (User 'Default user')
    O4 - Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.peaknet.net/
    O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.winkflash.com/photo/loaders/ImageUploader4.cab
    O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1450/ftp.coupons.com/r3302/cpbrkpie.cab
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.winkflash.com/photo/loaders/ImageUploader3.cab
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: nnnoMEtu - C:\WINDOWS\SYSTEM32\nnnoMEtu.dll
    O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: lxcf_device - Unknown owner - C:\WINDOWS\system32\lxcfcoms.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Task Scheduler (Schedule) - www.icq-x.ru - C:\WINDOWS\system32\drivers\spools.exe

    --
    End of file - 9229 bytes
     
  14. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Please visit this webpage for instructions on installing recovery console and downloading/running ComboFix.

    Post the log from ComboFix along with a new HijackThis log.
     
  15. sugarbeansmom

    sugarbeansmom Thread Starter

    Joined:
    Mar 31, 2007
    Messages:
    14
    new logs today..........

    ComboFix 08-05-08.1 - Owner 2008-05-12 21:28:08.6 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.166 [GMT -5:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor
    C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
    C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
    C:\Program Files\ISM
    C:\Program Files\ISM\ism.exe
    C:\Program Files\ISM\Uninstall.exe
    C:\Program Files\QdrDrive
    C:\Program Files\QdrDrive\QdrDrive15.dll
    C:\Program Files\QdrDrive\qdrloader.exe
    C:\Program Files\QdrModule
    C:\Program Files\QdrModule\dicy.gz
    C:\Program Files\QdrModule\kwdy.gz
    C:\Program Files\QdrModule\QdrModule15.exe
    C:\Program Files\QdrPack
    C:\Program Files\QdrPack\dicts.gz
    C:\Program Files\QdrPack\QdrPack15.exe
    C:\Program Files\QdrPack\trgts.gz
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\000060.exe
    C:\WINDOWS\system32\drivers\spools.exe
    C:\WINDOWS\system32\iienhrdu.ini
    C:\WINDOWS\system32\jkTwyGgh.ini
    C:\WINDOWS\system32\jkTwyGgh.ini2
    C:\WINDOWS\system32\PporqBeg.ini
    C:\WINDOWS\system32\PporqBeg.ini2
    C:\WINDOWS\system32\pvtwloyf.ini
    C:\WINDOWS\system32\pyfvsccs.ini
    C:\WINDOWS\system32\vpwxqeqn.ini
    C:\WINDOWS\system32\wwhufctx.ini

    ----- BITS: Possible infected sites -----

    hxxp://80.93.48.89
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_Schedule
    -------\Service_Schedule


    ((((((((((((((((((((((((( Files Created from 2008-04-13 to 2008-05-13 )))))))))))))))))))))))))))))))
    .

    2008-05-12 21:37 . 2008-05-12 21:37 294 ---hs---- C:\WINDOWS\system32\vpwxqeqn.ini
    2008-05-12 21:36 . 2008-05-12 21:36 22 --a------ C:\WINDOWS\pskt.ini
    2008-05-12 21:25 . 2008-05-12 21:25 5,120 --a------ C:\Documents and Settings\Owner\ftp34.dll
    2008-05-12 21:25 . 2008-05-12 21:25 5,120 --a------ C:\Documents and Settings\LocalService\ftp34.dll
    2008-05-12 20:54 . 2008-05-12 20:54 98,896 --a------ C:\WINDOWS\system32\frghshxp.dll
    2008-05-12 20:54 . 2008-05-12 20:54 83,008 --a------ C:\WINDOWS\system32\nqeqxwpv.dll
    2008-05-12 20:51 . 2008-05-12 20:51 90,176 --a------ C:\WINDOWS\system32\fuyiajfl.dll
    2008-05-12 20:49 . 2008-05-12 20:49 90,176 --a------ C:\WINDOWS\system32\rvncturs.dll
    2008-05-12 15:46 . 2008-05-12 15:46 98,896 --a------ C:\WINDOWS\system32\akywgbyu.dll
    2008-05-12 15:43 . 2008-05-12 15:43 83,008 --a------ C:\WINDOWS\system32\sccsvfyp.dll
    2008-05-12 15:42 . 2008-05-12 15:42 90,176 --a------ C:\WINDOWS\system32\gdbqajbq.dll
    2008-05-11 15:43 . 2008-05-11 15:43 98,912 --a------ C:\WINDOWS\system32\hgnopvfp.dll
    2008-05-11 15:40 . 2008-05-11 15:40 90,208 --a------ C:\WINDOWS\system32\pyqjfgjk.dll
    2008-05-11 14:29 . 2008-05-09 03:59 <DIR> d-------- C:\SDFix
    2008-05-11 14:25 . 2008-05-11 14:25 98,912 --a------ C:\WINDOWS\system32\tdnhpvwh.dll
    2008-05-11 14:23 . 2008-05-11 14:23 90,208 --a------ C:\WINDOWS\system32\vbuouimx.dll
    2008-05-11 14:23 . 2008-05-11 14:23 83,024 --a------ C:\WINDOWS\system32\xtcfuhww.dll
    2008-05-11 14:22 . 2008-05-11 14:22 316,464 --a------ C:\WINDOWS\system32\geBqropP.dll
    2008-05-11 14:16 . 2008-05-10 20:07 17,920 --a------ C:\Documents and Settings\LocalService\cftmon.exe
    2008-05-11 08:08 . 2008-05-12 15:42 109,807 --a------ C:\WINDOWS\BM231aa6fd.xml
    2008-05-11 08:08 . 2008-05-11 08:08 90,208 --a------ C:\WINDOWS\system32\hhravmoj.dll
    2008-05-10 20:07 . 2008-05-10 20:07 17,920 --a------ C:\WINDOWS\system32\~.exe
    2008-05-10 20:07 . 2008-05-11 20:05 17,920 --a------ C:\Sipu.exe
    2008-05-10 20:07 . 2008-05-11 20:05 17,920 --a------ C:\Documents and Settings\Owner\cftmon.exe
    2008-05-10 20:05 . 2008-05-10 20:05 316,480 --a------ C:\WINDOWS\system32\hgGywTkj.dll
    2008-05-10 20:00 . 2008-05-10 20:00 25,728 --a------ C:\WINDOWS\system32\nnnoMEtu.dll
    2008-05-10 19:59 . 2008-05-10 19:59 12,800 --a------ C:\g2pefs.exe
    2008-05-10 09:00 . 2008-05-10 09:00 57,546 --a------ C:\WINDOWS\promogif3.gif
    2008-05-10 09:00 . 2008-05-10 09:00 24,351 --a------ C:\WINDOWS\promogif1.gif
    2008-05-10 09:00 . 2008-05-10 09:00 24,066 --a------ C:\WINDOWS\promogif2.gif
    2008-05-10 09:00 . 2008-05-10 09:00 1,294 --a------ C:\WINDOWS\homepage.html
    2008-05-10 09:00 . 2008-05-10 09:00 507 --a------ C:\WINDOWS\promo6.html
    2008-05-10 09:00 . 2008-05-10 09:00 500 --a------ C:\WINDOWS\promo4.html
    2008-05-10 09:00 . 2008-05-10 09:00 478 --a------ C:\WINDOWS\promo5.html
    2008-05-10 09:00 . 2008-05-10 09:00 283 --a------ C:\WINDOWS\promo3.html
    2008-05-10 09:00 . 2008-05-10 09:00 283 --a------ C:\WINDOWS\promo2.html
    2008-05-10 09:00 . 2008-05-10 09:00 283 --a------ C:\WINDOWS\promo1.html
    2008-05-10 08:58 . 2008-05-10 08:58 32,768 --a------ C:\WINDOWS\system32\sockins32.dll
    2008-05-10 08:58 . 2008-05-10 08:58 25,728 --a------ C:\WINDOWS\system32\vtUmMeby.dll
    2008-05-10 08:58 . 2008-05-10 09:00 1,906 --a------ C:\WINDOWS\index.html
    2008-05-07 16:00 . 2008-05-07 16:00 <DIR> d-------- C:\Program Files\Sibelius Software
    2008-05-07 16:00 . 2008-05-07 16:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Sibelius Software
    2008-04-19 17:06 . 2008-04-19 17:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-04-19 17:06 . 2008-04-19 17:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-04-19 16:33 . 2008-04-19 16:33 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-04-19 16:33 . 2008-04-19 16:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
    2008-04-19 16:33 . 2008-04-19 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-04-19 16:32 . 2008-04-19 16:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-14 15:52 . 2008-04-14 15:52 <DIR> d-------- C:\Program Files\RcvSystem
    2008-04-13 06:45 . 2008-04-13 06:45 <DIR> d-------- C:\Program Files\Trend Micro

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-12 13:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-05-11 20:48 --------- d-----w C:\Program Files\Lx_cats
    2008-05-10 15:43 9,010 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
    2008-05-09 14:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
    .

    ((((((((((((((((((((((((((((( [email protected]_16.53.41.42 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-04-14 21:49:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-05-13 02:35:55 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-04-19 21:33:11 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
    + 2008-04-19 21:33:11 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
    + 2008-05-11 01:07:54 17,920 ----a-w C:\WINDOWS\system32\~.exe
    - 2005-07-29 13:23:20 153,176 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    + 2008-05-09 12:25:53 181,832 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    + 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
    + 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
    + 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
    + 2006-12-02 03:54:32 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
    + 2006-12-02 03:54:34 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
    + 2006-12-02 03:54:32 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{456DA228-FDCF-4B07-9282-855BE44E92D9}]
    2008-05-11 14:22 316464 --a------ C:\WINDOWS\system32\geBqropP.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{913953D8-7F3D-42CD-8757-56FE7E0D48D8}]
    2008-05-10 20:05 316480 --a------ C:\WINDOWS\system32\hgGywTkj.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c590615a-781b-4694-9497-4a7cd415975e}]
    2008-05-12 20:54 98896 --a------ C:\WINDOWS\system32\frghshxp.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}]
    2008-05-10 20:00 25728 --a------ C:\WINDOWS\system32\nnnoMEtu.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 10:06 1667584]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 08:14 68856]
    "ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 05:40 218032]
    "SoundMan"="C:\WINDOWS\system32\SOUNDMAN.EXE" [ ]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 17:04 135168]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 22:24 32768]
    "VTTimer"="VTTimer.exe" [2005-03-08 05:33 53248 C:\WINDOWS\system32\VTTimer.exe]
    "VTTrayp"="VTtrayp.exe" [2005-03-11 19:33 147456 C:\WINDOWS\system32\VTTrayp.exe]
    "Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
    "Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-04-16 08:24 579584]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 12:58 278528]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-12 08:37 155648]
    "EEventManager"="C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-03-17 10:30 102400]
    "20299561"="C:\WINDOWS\system32\nqeqxwpv.dll" [2008-05-12 20:54 83008]
    "BM231aa6fd"="C:\WINDOWS\system32\fuyiajfl.dll" [2008-05-12 20:51 90176]
    "LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-04-27 09:20 69632]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 08:34 219136]

    C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\
    PhotoWise QuickLink.lnk - C:\Program Files\PhotoWise\quicklnk.exe [2006-01-08 22:00:21 59904]

    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
    PhotoWise QuickLink.lnk - C:\Program Files\PhotoWise\quicklnk.exe [2006-01-08 22:00:21 59904]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 06:44:06 29696]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"= 1 (0x1)
    "DisableRegistryTools"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
    "{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}"= C:\WINDOWS\system32\nnnoMEtu.dll [2008-05-10 20:00 25728]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "WebProxy"= {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnoMEtu]
    nnnoMEtu.dll 2008-05-10 20:00 25728 C:\WINDOWS\system32\nnnoMEtu.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\WINDOWS\\system32\\lxcfcoms.exe"=
    "C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
    "C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
    "C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
    "%windir%\\explorer.exe"=


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36db705f-3c72-11d8-a150-806d6172696f}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4021e6df-0a2a-11da-b762-806d6172696f}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dcd886df-1ef9-11da-9a49-806d6172696f}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{deff3a65-0821-11da-8b7d-806d6172696f}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
    rundll32 sockins32.dll,InitModule
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-05-11 19:11:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDetect.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-12 21:36:32
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXCFCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,[email protected]???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...


    C:\WINDOWS\pskt.ini 22 bytes
    C:\WINDOWS\system32\vpwxqeqn.ini 294 bytes

    scan completed successfully
    hidden files: 2

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\nnnoMEtu.dll

    PROCESS: C:\WINDOWS\explorer.exe
    -> C:\WINDOWS\system32\nqeqxwpv.dll
    -> C:\WINDOWS\system32\fuyiajfl.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2008-05-12 21:41:25 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-05-13 02:41:17
    ComboFix2.txt 2008-05-10 14:22:26
    ComboFix3.txt 2008-05-09 14:17:56
    ComboFix4.txt 2008-04-22 02:34:51
    ComboFix5.txt 2008-04-19 21:04:33

    Pre-Run: 102,041,124,864 bytes free
    Post-Run: 102,564,683,776 bytes free

    244


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:43:33 PM, on 5/12/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\PhotoWise\quicklnk.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
    O2 - BHO: (no name) - {456DA228-FDCF-4B07-9282-855BE44E92D9} - C:\WINDOWS\system32\geBqropP.dll
    O2 - BHO: (no name) - {913953D8-7F3D-42CD-8757-56FE7E0D48D8} - C:\WINDOWS\system32\hgGywTkj.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: {e579514d-c7a4-7949-4964-b187a516095c} - {c590615a-781b-4694-9497-4a7cd415975e} - C:\WINDOWS\system32\frghshxp.dll
    O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\nnnoMEtu.dll
    O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
    O4 - HKLM\..\Run: [20299561] rundll32.exe "C:\WINDOWS\system32\nqeqxwpv.dll",b
    O4 - HKLM\..\Run: [BM231aa6fd] Rundll32.exe "C:\WINDOWS\system32\fuyiajfl.dll",s
    O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,[email protected]
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [SoundMan] C:\WINDOWS\system32\SOUNDMAN.EXE
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
    O4 - S-1-5-18 Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe (User 'Default user')
    O4 - Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.peaknet.net/
    O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.winkflash.com/photo/loaders/ImageUploader4.cab
    O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1450/ftp.coupons.com/r3302/cpbrkpie.cab
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.winkflash.com/photo/loaders/ImageUploader3.cab
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: nnnoMEtu - C:\WINDOWS\SYSTEM32\nnnoMEtu.dll
    O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: lxcf_device - Unknown owner - C:\WINDOWS\system32\lxcfcoms.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

    --
    End of file - 8407 bytes
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/703218

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice