logs from a friend's computer

dario03 · 06-23-2009, 04:08 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:35:54, on 6/23/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\OSK.exe
C:\WINDOWS\system32\MSSWCHX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsu****a Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O24 - Desktop Component 0: (no name) - http://images.autotrader.com/images/2007/4/6/220/590/1865919072.220590409.IM1.MAIN.240x180_A.240x160.jp g
O24 - Desktop Component 1: (no name) - http://www.miautos.net/upload/mmcarsales_P1010041.JPG
O24 - Desktop Component 2: (no name) - http://images.craigslist.org/01020801041101030620070530b5bc744abbcfb20431005be8 .jpg
--
End of file - 5410 bytes

************************************************** ******************************************

================================================== ================

************************************************** ******************************************
SMITFRAUDFIX

SmitFraudFix v2.422
Scan done at 17:15:39.65, Mon 06/22/2009
Run from C:\Documents and Settings\Owner\My Documents\virus removal stuff\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\SharedTaskScheduler]
"{B2C7B2A1-00F3-42BD-F434-00AABA2C8952}"="hs837hiudjgfo9s8gjio4gfd"
[HKEY_CLASSES_ROOT\CLSID\{B2C7B2A1-00F3-42BD-F434-00AABA2C8952}\InProcServer32]
@="C:\WINDOWS\system32\gsf83iujid.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B2C7B2A 1-00F3-42BD-F434-00AABA2C8952}\InProcServer32]
@="C:\WINDOWS\system32\gsf83iujid.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» RK

»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{10820776-CE24-4041-B556-F617E7FBE39F}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{10820776-CE24-4041-B556-F617E7FBE39F}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{10820776-CE24-4041-B556-F617E7FBE39F}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» RK.2

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\SharedTaskScheduler]
"{B2C7B2A1-00F3-42BD-F434-00AABA2C8952}"="hs837hiudjgfo9s8gjio4gfd"
[HKEY_CLASSES_ROOT\CLSID\{B2C7B2A1-00F3-42BD-F434-00AABA2C8952}\InProcServer32]
@="C:\WINDOWS\system32\gsf83iujid.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B2C7B2A 1-00F3-42BD-F434-00AABA2C8952}\InProcServer32]
@="C:\WINDOWS\system32\gsf83iujid.dll"

»»»»»»»»»»»»»»»»»»»»»»»» End

dario03 · 06-23-2009, 04:12 AM

COMBOFIX

ComboFix 09-06-22.04 - Owner 06/22/2009 19:37.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.702.421 [GMT -7:00]
Running from: c:\documents and settings\Owner\My Documents\virus removal stuff\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090622-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Common
c:\program files\driver
c:\recycler\S-1-5-21-2369461160-35945199-3371764974-1003
c:\program files\Common\_helper.sig
c:\recycler\S-1-5-21-2369461160-35945199-3371764974-1003\desktop.ini
c:\recycler\S-1-5-21-2369461160-35945199-3371764974-1003\INFO2
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\$NtServicePackUninstall$\proquota.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_DRIVER
-------\Legacy_DRIVERDRV

((((((((((((((((((((((((( Files Created from 2009-05-23 to 2009-06-23 )))))))))))))))))))))))))))))))
.
2009-06-23 02:39 . 2004-08-04 12:00 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-06-23 02:39 . 2004-08-04 12:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-06-22 23:42 . 2005-08-26 08:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-06-22 23:42 . 2006-06-19 20:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-06-22 23:42 . 2006-05-25 22:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-06-22 23:42 . 2003-02-03 03:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2009-06-22 23:42 . 2002-03-06 08:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-06-22 23:42 . 2009-06-22 23:42 -------- d-----w- c:\program files\Trojan Remover
2009-06-22 23:42 . 2009-06-22 23:42 -------- d-----w- c:\documents and settings\Owner\Application Data\Simply Super Software
2009-06-22 23:42 . 2009-06-22 23:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-06-22 23:35 . 2009-06-22 23:35 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-06-22 23:35 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-22 23:35 . 2009-06-22 23:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-22 23:35 . 2009-06-22 23:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-22 23:35 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-22 23:18 . 2009-06-22 23:18 -------- d-----w- c:\program files\Trend Micro
2009-06-22 23:09 . 2009-06-22 23:09 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Identities
2009-06-22 22:14 . 2009-06-22 22:14 -------- d-----w- c:\program files\CCleaner
2009-06-22 21:52 . 2009-06-22 21:53 -------- d-----w- c:\program files\CleanUp!
2009-06-22 21:43 . 2009-06-22 21:43 -------- d-----w- c:\program files\MSConfig CleanUp
2009-06-22 19:34 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-06-22 19:34 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-06-22 19:34 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-06-22 19:34 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-06-22 19:34 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-06-22 19:34 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-06-22 19:34 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-06-22 19:34 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-06-22 19:33 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-06-22 19:33 . 2009-06-22 20:27 -------- d-----w- c:\program files\Avast4
2009-06-19 23:33 . 2009-06-23 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\92789996
2009-06-19 23:33 . 2009-06-23 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\12780004
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-06-22 23:15 . 2005-11-05 04:09 -------- d-----w- c:\program files\Common Files\AOL
2009-06-22 23:15 . 2005-11-05 04:09 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-06-22 20:18 . 2009-01-19 16:59 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-22 19:01 . 2009-01-19 16:58 -------- d-----w- c:\program files\Norton Security Scan
2009-06-22 19:01 . 2005-11-05 02:59 -------- d-----w- c:\program files\TOSHIBA
2009-06-22 18:53 . 2005-11-05 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2009-05-12 03:22 . 2005-11-07 17:42 -------- d-----w- c:\program files\Google
2009-05-07 15:44 . 2005-11-05 00:52 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2005-11-05 00:53 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2005-11-05 00:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2005-11-05 00:53 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2005-11-05 00:53 584192 ----a-w- c:\windows\system32\rpcrt4.dll
.
------- Sigcheck -------
[7] 2004-08-04 12:00 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\$NtServicePackUninstall$\svchost.exe
[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\SoftwareDistribution\Download\59fc8f12b 80caa991163249076d0bcca\svchost.exe
[7] 2004-08-04 12:00 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\system32\svchost.exe
[7] 2005-03-02 18:19 577024 1800F293BCCC8EDE8A70E12B88D80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[7] 2007-03-08 15:48 578048 7AA4F6C00405DFC4B70ED4214E7D687B c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[7] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\SoftwareDistribution\Download\59fc8f12b 80caa991163249076d0bcca\user32.dll
[7] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\system32\user32.dll
[7] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\system32\dllcache\user32.dll
[7] 2004-08-04 12:00 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\$NtServicePackUninstall$\ws2_32.dll
[-] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\SoftwareDistribution\Download\59fc8f12b 80caa991163249076d0bcca\ws2_32.dll
[7] 2004-08-04 12:00 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\system32\ws2_32.dll
[7] 2005-09-02 23:53 660480 97A6FD7CAFD688CF2C78939EBAF0CD0C c:\windows\$hf_mig$\KB896688\SP2QFE\wininet.dll
[7] 2008-08-26 09:08 827904 77C192FE56A70D7FA0247BA0A6201C32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
[7] 2008-10-16 20:24 827904 0D5B75171FF51775B630A431B6C667E8 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
[7] 2008-12-20 23:56 827904 044E0A4E9FE97C0FB9AFE9C89E2A82E6 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
[7] 2009-03-03 00:17 828416 C8667854873938CA13C986F16B0CD183 c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\wininet.dll
[7] 2009-04-29 04:49 828928 62CCA075F44015147B8971DAFFBCFF76 c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\wininet.dll
[7] 2008-02-16 09:32 666112 BB1EACD6AB47E78EBCA02EB781550D55 c:\windows\ie7\wininet.dll
[7] 2007-08-14 01:54 818688 A4A0FC92358F39538A6494C42EF99FE9 c:\windows\ie7updates\KB956390-IE7\wininet.dll
[7] 2008-08-26 07:24 826368 EF8EBA98145BFA44E80D17A3B3453300 c:\windows\ie7updates\KB958215-IE7\wininet.dll
[7] 2008-10-16 20:38 826368 6741EAF7B7F110E803A6E38F6E5FA6B0 c:\windows\ie7updates\KB961260-IE7\wininet.dll
[7] 2008-12-20 23:15 826368 A82935D32D0672E8FF4E91AE398E901C c:\windows\ie7updates\KB963027-IE7\wininet.dll
[7] 2009-03-03 00:18 826368 28775945CCD53DEE280EF58DEA1A94C4 c:\windows\ie7updates\KB969897-IE7\wininet.dll
[-] 2008-04-14 00:12 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\SoftwareDistribution\Download\59fc8f12b 80caa991163249076d0bcca\wininet.dll
[7] 2009-04-29 04:56 827392 8E2D471157B0DF329D8D0EA5D83B0DDB c:\windows\SoftwareDistribution\Download\82c738ec0 0f0f07f8ea182bc95439593\sp3gdr\wininet.dll
[7] 2009-04-29 04:49 828928 62CCA075F44015147B8971DAFFBCFF76 c:\windows\SoftwareDistribution\Download\82c738ec0 0f0f07f8ea182bc95439593\sp3qfe\wininet.dll
[7] 2009-04-29 04:56 827392 8E2D471157B0DF329D8D0EA5D83B0DDB c:\windows\system32\wininet.dll
[7] 2009-04-29 04:56 827392 8E2D471157B0DF329D8D0EA5D83B0DDB c:\windows\system32\dllcache\wininet.dll
[7] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[7] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[7] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\SoftwareDistribution\Download\59fc8f12b 80caa991163249076d0bcca\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\system32\drivers\tcpip.sys
[7] 2004-08-04 12:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[-] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\SoftwareDistribution\Download\59fc8f12b 80caa991163249076d0bcca\winlogon.exe
[7] 2004-08-04 12:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\system32\winlogon.exe
[7] 2004-08-04 12:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\59fc8f12b 80caa991163249076d0bcca\ndis.sys
[7] 2004-08-04 12:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\system32\drivers\ndis.sys
[7] 2004-08-04 12:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\$NtServicePackUninstall$\ip6fw.sys
[-] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\SoftwareDistribution\Download\59fc8f12b 80caa991163249076d0bcca\ip6fw.sys
[7] 2004-08-04 12:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\system32\drivers\ip6fw.sys
[7] 2005-03-02 00:36 2056832 D8ABA3EAB509627E707A3B14F00FBB6B c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
[7] 2007-02-28 09:15 2059392 4D3DBDCCBF97F5BA1E74F322B155C3BA c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
[7] 2009-02-08 02:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\$hf_mig$\KB956572\SP3GDR\ntkrnlpa.exe
[7] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[7] 2008-08-14 09:18 2062976 63EC865DFF6CCFC7BEF94B5C50297CAD c:\windows\$hf_mig$\KB956841\SP2QFE\ntkrnlpa.exe
[7] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
[7] 2008-08-14 23:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[7] 2008-08-14 09:22 2057728 BA002228743B6824D87F0551DBC86D45 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[7] 2009-02-06 09:49 2062976 9D832AF3FD1917DB0E1E8B2F000A2E3A c:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2008-04-13 18:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\SoftwareDistribution\Download\59fc8f12b 80caa991163249076d0bcca\ntkrnlpa.exe
[7] 2009-02-06 09:49 2062976 9D832AF3FD1917DB0E1E8B2F000A2E3A c:\windows\system32\ntkrnlpa.exe
[7] 2009-02-06 09:49 2062976 9D832AF3FD1917DB0E1E8B2F000A2E3A c:\windows\system32\dllcache\ntkrnlpa.exe
[7] 2005-03-02 01:04 2179456 28187802B7C368C0D3AEF7D4C382AABB c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[7] 2007-02-28 09:55 2182144 5A5C8DB4AA962C714C8371FBDF189FC9 c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\$hf_mig$\KB956572\SP3GDR\ntoskrnl.exe
[7] 2009-02-08 02:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[7] 2008-08-14 09:57 2185984 CE69DBD54221F2D40E49FF6DB77C6507 c:\windows\$hf_mig$\KB956841\SP2QFE\ntoskrnl.exe
[7] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\$hf_mig$\KB956841\SP3GDR\ntoskrnl.exe
[7] 2008-08-15 00:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[7] 2008-08-14 10:00 2180352 21C91DA9CB53AA8A37041BA9684A8458 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[7] 2009-02-06 10:32 2186112 6A936E9D7BADAF3CAAEED1E1966EC1B0 c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\SoftwareDistribution\Download\59fc8f12b 80caa991163249076d0bcca\ntoskrnl.exe
[7] 2009-02-06 10:32 2186112 6A936E9D7BADAF3CAAEED1E1966EC1B0 c:\windows\system32\ntoskrnl.exe
[7] 2009-02-06 10:32 2186112 6A936E9D7BADAF3CAAEED1E1966EC1B0 c:\windows\system32\dllcache\ntoskrnl.exe
[7] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\explorer.exe
[7] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[7] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\SoftwareDistribution\Download\59fc8f12b 80caa991163249076d0bcca\explorer.exe
[7] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\system32\dllcache\explorer.exe
[7] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\$hf_mig$\KB956572\SP3GDR\services.exe
[7] 2009-02-06 11:06 110592 020CEAAEDC8EB655B6506B8C70D53BB6 c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[7] 2004-08-04 12:00 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\$NtServicePackUninstall$\services.exe
[-] 2008-04-14 00:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\SoftwareDistribution\Download\59fc8f12b 80caa991163249076d0bcca\services.exe
[7] 2009-02-06 10:22 110592 4712531AB7A01B7EE059853CA17D39BD c:\windows\system32\services.exe
[7] 2009-02-06 10:22 110592 4712531AB7A01B7EE059853CA17D39BD c:\windows\system32\dllcache\services.exe
[7] 2004-08-04 12:00 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\$NtServicePackUninstall$\lsass.exe
[-] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\SoftwareDistribution\Download\59fc8f12b 80caa991163249076d0bcca\lsass.exe
[7] 2004-08-04 12:00 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\system32\lsass.exe
[7] 2004-08-04 12:00 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[-] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\SoftwareDistribution\Download\59fc8f12b 80caa991163249076d0bcca\ctfmon.exe
[7] 2004-08-04 12:00 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\system32\ctfmon.exe
[7] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[7] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\SoftwareDistribution\Download\59fc8f12b 80caa991163249076d0bcca\spoolsv.exe
[7] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\system32\spoolsv.exe
[-] 2008-04-14 00:12 111104 ED7262E52C31CF1625B65039102BC16C c:\windows\SoftwareDistribution\Download\59fc8f12b 80caa991163249076d0bcca\wuauclt.exe
[7] 2008-10-16 22:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\wuauclt.exe
[7] 2008-10-16 22:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\dllcache\wuauclt.exe
[7] 2004-08-04 12:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\$NtServicePackUninstall$\userinit.exe
[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\SoftwareDistribution\Download\59fc8f12b 80caa991163249076d0bcca\userinit.exe
[7] 2004-08-04 12:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\system32\userinit.exe
[7] 2004-08-04 12:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtServicePackUninstall$\termsrv.dll
[-] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\SoftwareDistribution\Download\59fc8f12b 80caa991163249076d0bcca\termsrv.dll
[7] 2004-08-04 12:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\system32\termsrv.dll
[7] 2006-07-05 10:57 985088 0FDD84928A5DDE2510761B7EC76CCEC9 c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
[7] 2007-04-16 16:07 986112 09F7CB3687F86EDAA4CA081F7AB66C03 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[7] 2009-03-21 13:54 989184 80202858D245FF07DAA1739C57A3E19B c:\windows\$hf_mig$\KB959426\SP2QFE\kernel32.dll
[7] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\$hf_mig$\KB959426\SP3GDR\kernel32.dll
[7] 2009-03-21 13:59 991744 DA11D9D6ECBDF0F93436A4B7C13F7BEC c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[7] 2007-04-16 15:52 984576 A01F9CA902A88F7CED06884174D6419D c:\windows\$NtServicePackUninstall$\kernel32.dll
[-] 2008-04-14 00:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\SoftwareDistribution\Download\59fc8f12b 80caa991163249076d0bcca\kernel32.dll
[7] 2009-03-21 14:18 986112 B6ACAED7588295129791E0E6A2B0FADE c:\windows\system32\kernel32.dll
[7] 2009-03-21 14:18 986112 B6ACAED7588295129791E0E6A2B0FADE c:\windows\system32\dllcache\kernel32.dll
[7] 2004-08-04 12:00 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\$NtServicePackUninstall$\powrprof.dll
[-] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\SoftwareDistribution\Download\59fc8f12b 80caa991163249076d0bcca\powrprof.dll
[7] 2004-08-04 12:00 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\system32\powrprof.dll
[7] 2004-08-04 12:00 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\$NtServicePackUninstall$\imm32.dll
[-] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\SoftwareDistribution\Download\59fc8f12b 80caa991163249076d0bcca\imm32.dll
[7] 2004-08-04 12:00 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\system32\imm32.dll
[7] 2004-08-04 12:00 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\$NtServicePackUninstall$\sfcfiles.dll
[-] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\SoftwareDistribution\Download\59fc8f12b 80caa991163249076d0bcca\sfcfiles.dll
[7] 2004-08-04 12:00 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\system32\sfcfiles.dll

[7] 2004-08-04 12:00 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\$NtServicePackUninstall$\kbdclass.sys
[-] 2008-04-13 18:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\SoftwareDistribution\Download\59fc8f12b 80caa991163249076d0bcca\kbdclass.sys
[7] 2004-08-04 12:00 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\system32\drivers\kbdclass.sys
.

CONTINUED IN NEXT POST>>>>>>>>>>>>>>>>>>>>>>>>>>>>

dario03 · 06-23-2009, 04:14 AM

<<<<<<<<<<<<<<<<<<<<CONTINUED

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe" [2007-06-30 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"avast!"="c:\progra~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-06-02 1059720]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MyWebSearchService"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1131163763\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\Microsoft Games\\Dungeon Siege 2\\DungeonSiege2.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Common Files\\AOL\\1131163763\\EE\\aolsoftware.exe"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [6/22/2009 12:34 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswF sBlk.sys [6/22/2009 12:34 PM 20560]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [11/4/2005 5:53 PM 14336]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.micros oft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.
************************************************** ************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-06-22 19:41
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(512)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Avast4\aswUpdSv.exe
c:\program files\Avast4\ashServ.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\osk.exe
c:\windows\system32\msswchx.exe
c:\program files\Avast4\ashMaiSv.exe
c:\program files\Avast4\ashWebSv.exe
.
************************************************** ************************
.
Completion time: 2009-06-23 19:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-23 02:44
Pre-Run: 24,124,260,352 bytes free
Post-Run: 24,045,907,968 bytes free
300 --- E O F --- 2009-06-16 19:10

************************************************** ***********************************

================================================== ==========

************************************************** ***********************************

MALWAREBYTES

Malwarebytes' Anti-Malware 1.38
Database version: 2323
Windows 5.1.2600 Service Pack 2
6/22/2009 7:21:35 PM
mbam-log-2009-06-22 (19-21-35).txt
Scan type: Full Scan (C:\|)
Objects scanned: 144067
Time elapsed: 40 minute(s), 41 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 3
Registry Keys Infected: 43
Registry Values Infected: 7
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 37
Memory Processes Infected:
C:\Documents and Settings\Owner\Local Settings\Temp\setup.exe (Trojan.Agent) -> Unloaded process successfully.
Memory Modules Infected:
C:\WINDOWS\system32\gsf83iujid.dll (Trojan.Ertfor) -> Delete on reboot.
C:\WINDOWS\system32\netcfgx.dll:Zone.Identifier (Spyware.OnlineGames) -> Delete on reboot.
c:\program files\driver\driver.dll (Trojan.Agent) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{b2c7b2a1-00f3-42bd-f434-00aaba2c8952} (Trojan.Zlob.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{b2c7b2a1-00f3-42bd-f434-00aaba2c8952} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{b2c7b2a1-00f3-42bd-f434-00aaba2c8952} (Trojan.Ertfor) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{5b035261-40f9-11d1-aaec-00805fc1270e} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\d river (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\d river (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\driver (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{a0e1054b-01ee-4d57-a059-4d99f339709f} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{bbd4551a-9b23-41cd-9bcd-818aa2da7b63} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\d riverdrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\d riverdrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\driverdrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QW2010 (Rogue.AntiVirus2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\W MPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\SharedTaskScheduler\{b2c7b2a1-00f3-42bd-f434-00aaba2c8952} (Trojan.Zlob.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run\windows system recover! (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\driver (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\SharedAccess\Parameters\FirewallPolicy\Standard Profile\GloballyOpenPorts\List\8085:tcp (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
c:\documents and settings\Owner\Start Menu\Programs\System Security (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\documents and settings\All Users\Start Menu\Programs\AntiVirus 2010 (Rogue.AntiVirus2010) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\gsf83iujid.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\netcfgx.dll:Zone.Identifier (Spyware.OnlineGames) -> Delete on reboot.
c:\program files\driver\driver.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Temp\setup.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Common\helper.dll (Trojan.BHO) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\105776648.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\debug.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\login.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\services.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\system.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\win.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\12780004\12780004.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\92789996\92789996.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\1231245398.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\mdm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\smss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\spoolsv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\win.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\winamp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\driver\driver.sys (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{cf8a54b3-00de-4aa7-aea8-9eb54c29ea21}\rp107\A0099279.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{cf8a54b3-00de-4aa7-aea8-9eb54c29ea21}\rp107\A0099297.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{cf8a54b3-00de-4aa7-aea8-9eb54c29ea21}\RP107\A0100437.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\start menu\Programs\system security\System Security 2009 Support.lnk (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\start menu\Programs\system security\System Security 2009.lnk (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\Program Files\Common\helper.sig (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\zaponce52597.dat (Worm.Koobface) -> Quarantined and deleted successfully.
c:\WINDOWS\zaponce52621.dat (Worm.Koobface) -> Quarantined and deleted successfully.
c:\WINDOWS\zaponce52689.dat (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\bf23567.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\jmmark2.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\documents and settings\All Users\Documents\gifnoc.xtx (Trojan.Agent) -> Quarantined and deleted successfully.

====================================

Would very much appreciate any help. Thank you.

Notes
1. McAfee was uninstalled before I started through the guide but combofix reports it as active.
2. All the logs came from the scans that were done in the order that the guide says (so I could rescan to see if less things are in there if that would be better)

Osiris · 06-23-2009, 08:27 AM

Can you tell me what order these were ran in?

dario03 · 06-23-2009, 01:17 PM

I ran them in the order that they are listed in the guide, so in order I did Smitfraudthis, Malwarebytes, ComboFix, and then Hijackthis. Would you like me to run them again and repost the logs?

EDIT: heres a new Malwarebytes log that comes up clean

Malwarebytes' Anti-Malware 1.38
Database version: 2323
Windows 5.1.2600 Service Pack 2
6/23/2009 1:59:16 PM
mbam-log-2009-06-23 (13-59-16).txt
Scan type: Full Scan (C:\|)
Objects scanned: 142988
Time elapsed: 23 minute(s), 5 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

Osiris · 06-23-2009, 06:40 PM

ok, run combofix one more and let me see the log.

dario03 · 06-23-2009, 07:41 PM

ComboFix 09-06-22.0E - Owner 06/23/2009 16:27.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.702.341 [GMT -7:00]
Running from: c:\documents and settings\Owner\My Documents\virus removal stuff\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090623-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2009-05-23 to 2009-06-23 )))))))))))))))))))))))))))))))
.
2009-06-23 03:02 . 2009-06-23 03:02 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-23 03:02 . 2009-06-23 00:05 3015544 ----a-w- c:\documents and settings\Owner\Application Data\Simply Super Software\Trojan Remover\nbn4.exe
2009-06-23 02:43 . 2009-06-23 02:43 -------- dc----w- c:\windows\system32\dllcache\cache
2009-06-23 02:39 . 2004-08-04 12:00 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-06-23 02:39 . 2004-08-04 12:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-06-22 23:42 . 2005-08-26 08:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-06-22 23:42 . 2006-06-19 20:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-06-22 23:42 . 2006-05-25 22:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-06-22 23:42 . 2003-02-03 03:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2009-06-22 23:42 . 2002-03-06 08:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-06-22 23:42 . 2009-06-22 23:42 -------- d-----w- c:\program files\Trojan Remover
2009-06-22 23:42 . 2009-06-22 23:42 -------- d-----w- c:\documents and settings\Owner\Application Data\Simply Super Software
2009-06-22 23:42 . 2009-06-22 23:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-06-22 23:35 . 2009-06-22 23:35 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-06-22 23:35 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-22 23:35 . 2009-06-22 23:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-22 23:35 . 2009-06-22 23:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-22 23:35 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-22 23:18 . 2009-06-22 23:18 -------- d-----w- c:\program files\Trend Micro
2009-06-22 23:09 . 2009-06-22 23:09 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Identities
2009-06-22 22:14 . 2009-06-22 22:14 -------- d-----w- c:\program files\CCleaner
2009-06-22 21:52 . 2009-06-22 21:53 -------- d-----w- c:\program files\CleanUp!
2009-06-22 21:43 . 2009-06-22 21:43 -------- d-----w- c:\program files\MSConfig CleanUp
2009-06-22 19:34 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-06-22 19:34 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-06-22 19:34 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-06-22 19:34 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-06-22 19:34 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-06-22 19:34 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-06-22 19:34 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-06-22 19:34 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-06-22 19:33 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-06-22 19:33 . 2009-06-22 20:27 -------- d-----w- c:\program files\Avast4
2009-06-19 23:33 . 2009-06-23 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\92789996
2009-06-19 23:33 . 2009-06-23 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\12780004
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-06-22 23:15 . 2005-11-05 04:09 -------- d-----w- c:\program files\Common Files\AOL
2009-06-22 23:15 . 2005-11-05 04:09 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-06-22 20:18 . 2009-01-19 16:59 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-22 19:01 . 2009-01-19 16:58 -------- d-----w- c:\program files\Norton Security Scan
2009-06-22 19:01 . 2005-11-05 02:59 -------- d-----w- c:\program files\TOSHIBA
2009-06-22 18:53 . 2005-11-05 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2009-05-12 03:22 . 2005-11-07 17:42 -------- d-----w- c:\program files\Google
2009-05-07 15:44 . 2005-11-05 00:52 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2005-11-05 00:53 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2005-11-05 00:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2005-11-05 00:53 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2005-11-05 00:53 584192 ----a-w- c:\windows\system32\rpcrt4.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-06-23_02.41.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-23 20:30 . 2009-06-23 20:30 16384 c:\windows\Temp\Perflib_Perfdata_5e0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe" [2007-06-30 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"avast!"="c:\progra~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-06-02 1059720]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MyWebSearchService"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1131163763\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\Microsoft Games\\Dungeon Siege 2\\DungeonSiege2.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Common Files\\AOL\\1131163763\\EE\\aolsoftware.exe"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [6/22/2009 12:34 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswF sBlk.sys [6/22/2009 12:34 PM 20560]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [11/4/2005 5:53 PM 14336]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.micros oft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.
************************************************** ************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-06-23 16:29
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

************************************************** ************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(508)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(1888)
c:\docume~1\Owner\LOCALS~1\Temp\catchme.dll
.
Completion time: 2009-06-23 16:31
ComboFix-quarantined-files.txt 2009-06-23 23:30
ComboFix2.txt 2009-06-23 02:44
Pre-Run: 24,042,643,456 bytes free
Post-Run: 24,024,289,280 bytes free
131 --- E O F --- 2009-06-16 19:10

Osiris · 06-24-2009, 08:16 AM

That looked good.

now lets see the hijackthis log

dario03 · 06-24-2009, 02:14 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:46, on 6/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\osk.exe
C:\WINDOWS\system32\MSSWCHX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Avast4\setup\avast.setup
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsu****a Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O24 - Desktop Component 0: (no name) - http://images.autotrader.com/images/..._A.240x160.jpg
O24 - Desktop Component 1: (no name) - http://www.miautos.net/upload/mmcarsales_P1010041.JPG
O24 - Desktop Component 2: (no name) - http://images.craigslist.org/0102080...0431005be8.jpg
--
End of file - 5765 bytes

Osiris · 06-24-2009, 02:20 PM

Log looks good

Member Login