1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

CyberLog-X virus

Discussion in 'Malware and Virus Removal Archive' started by avibuzz, 2008/06/03.

  1. 2008/06/03
    avibuzz

    avibuzz Inactive Thread Starter

    Joined:
    2008/06/02
    Messages:
    22
    Likes Received:
    0
    Just got this the other day when it started with a pop up window telling me I had a vrus called Cyberlog X and that i needed to download an ad aware program ( i had spybot). It has also hijacked my IE contantlly sending me to spam sites. I downloaded HijackThis so I could post the scan results here but it won't let me run it (along with spybot, norton live update, smitfraudfix etc.) I have managed to run Hijack This in the safe mode by remaining the exe but it prevents me from coping to note pad (get Data Execution Prevention error message, then shuts down).

    HELP

    Ok managed to get a hijack this scan results

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 14:21:57, on 6/3/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Safe mode

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\system32\cleanmgr.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
    O3 - Toolbar: Alcohol Toolbar - {ED4BD629-C1B6-4399-8A34-02CCAA921DC9} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [IEUpdate] C:\WINDOWS\system32\2052d.exe
    O4 - HKLM\..\Run: [88d8f13b] rundll32.exe "C:\WINDOWS\system32\apmvxinp.dll ",b
    O4 - HKLM\..\Run: [BM8bebc2a7] Rundll32.exe "C:\WINDOWS\system32\aycglsiu.dll ",s
    O4 - HKLM\..\RunServices: [IEUpdate] C:\WINDOWS\system32\2052d.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe "
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 6888 bytes
     
    Last edited: 2008/06/03
    avibuzz,
    #1
  2. 2008/06/03
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS avibuzz :)

    Download ComboFix by sUBs from here, saving the file to your desktop.


    Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouseclick combofix's window while its running. That may cause it to stall
     
    noahdfear,
    #2


  3. to hide this advert.

  4. 2008/06/04
    avibuzz

    avibuzz Inactive Thread Starter

    Joined:
    2008/06/02
    Messages:
    22
    Likes Received:
    0
    Thanks, the program you suggested worked. Appears the nasty little bug is gone and my laptop is back to normal
     
    avibuzz,
    #3
  5. 2008/06/04
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please post the requested logs.
     
    noahdfear,
    #4
  6. 2008/06/04
    avibuzz

    avibuzz Inactive Thread Starter

    Joined:
    2008/06/02
    Messages:
    22
    Likes Received:
    0
    logs

    Here you go

    ComboFix 08-06-01.6 - Administrator 2008-06-03 16:54:27.1 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.785 [GMT -5:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\fx.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\BM8bebc2a7.xml
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\apmvxinp.dll
    C:\WINDOWS\system32\aycglsiu.dll
    C:\WINDOWS\system32\clbdll.dll
    C:\WINDOWS\system32\clbinit.dll
    C:\WINDOWS\system32\clvdvcvu.dll
    C:\WINDOWS\system32\drivers\clbdriver.sys
    C:\WINDOWS\system32\EOpXxyxx.ini
    C:\WINDOWS\system32\EOpXxyxx.ini2
    C:\WINDOWS\system32\grlkttxs.ini
    C:\WINDOWS\system32\jkkIYpoN.dll
    C:\WINDOWS\system32\pnixvmpa.ini
    C:\WINDOWS\system32\spywarewarning.mht
    C:\WINDOWS\system32\xxyxXpOE.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_CLBDRIVER


    ((((((((((((((((((((((((( Files Created from 2008-05-03 to 2008-06-03 )))))))))))))))))))))))))))))))
    .

    2008-06-03 14:24 . 2008-06-03 14:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
    2008-06-02 20:29 . 2008-06-03 14:17 2,398 --a------ C:\WINDOWS\system32\tmp.reg
    2008-06-02 20:19 . 2008-06-02 20:19 <DIR> d-------- C:\Program Files\Trend Micro
    2008-05-31 09:51 . 2008-05-31 09:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\1Click DVD Copy
    2008-05-30 17:56 . 2008-05-30 17:56 <DIR> d-------- C:\Program Files\QuickPar
    2008-05-29 13:18 . 2008-06-03 08:11 702 --a------ C:\WINDOWS\NewsRover.INI
    2008-05-29 13:17 . 2008-06-03 08:07 <DIR> d-------- C:\Documents and Settings\Chief\Application Data\NewsRover
    2008-05-29 13:16 . 2008-05-29 13:16 <DIR> d-------- C:\Program Files\NewsRover
    2008-05-29 13:16 . 1998-04-24 00:00 1,045,776 --a------ C:\WINDOWS\system32\msjet35.dll
    2008-05-29 13:16 . 1998-04-24 00:00 252,176 --a------ C:\WINDOWS\system32\msrd2x35.dll
    2008-05-29 13:16 . 1998-04-24 00:00 123,664 --a------ C:\WINDOWS\system32\msjint35.dll
    2008-05-29 13:16 . 1998-04-24 00:00 24,848 --a------ C:\WINDOWS\system32\msjter35.dll
    2008-05-29 13:16 . 1996-08-28 17:14 13,312 --a------ C:\WINDOWS\system32\SVRAPI.DLL
    2008-05-24 07:29 . 2008-05-24 07:29 <DIR> d--h----- C:\WINDOWS\PIF
    2008-05-22 18:04 . 2008-05-22 18:04 <DIR> d-------- C:\Documents and Settings\Chief\Application Data\Apple Computer
    2008-05-22 18:03 . 2008-05-30 17:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-05-22 18:03 . 2008-05-22 18:03 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-05-22 17:18 . 2008-05-22 17:18 <DIR> d-------- C:\Program Files\QuickTime
    2008-05-22 17:17 . 2008-05-22 17:17 <DIR> d-------- C:\Program Files\Apple Software Update
    2008-05-22 17:17 . 2008-05-22 17:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-05-22 17:17 . 2008-05-22 17:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2008-05-21 17:17 . 2008-05-22 08:12 <DIR> d-------- C:\Documents and Settings\Chief\Application Data\Azureus
    2008-05-21 17:17 . 2008-05-21 17:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
    2008-05-19 16:50 . 2008-05-19 16:50 <DIR> d-------- C:\WINDOWS\system32\Adobe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-03 22:12 --------- d-----w C:\Program Files\Symantec AntiVirus
    2008-06-03 19:27 --------- d-----w C:\Program Files\Norton Security Scan
    2008-06-03 02:13 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-06-01 19:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-05-31 14:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\1Click DVD Copy Pro
    2008-05-31 14:53 --------- d-----w C:\Documents and Settings\Chief\Application Data\Vso
    2008-05-31 14:50 87,608 ----a-w C:\Documents and Settings\Chief\Application Data\inst.exe
    2008-05-31 14:50 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
    2008-05-31 14:50 47,360 ----a-w C:\Documents and Settings\Chief\Application Data\pcouffin.sys
    2008-05-31 14:28 --------- d-----w C:\Program Files\free-downloads
    2008-05-31 14:24 --------- d-----w C:\Program Files\eMule
    2008-04-08 00:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
    2006-09-06 02:51 81,920 ----a-w C:\Documents and Settings\Chief\Application Data\ezpinst.exe
    2006-08-20 01:45 24 ----a-w C:\Documents and Settings\Chief\mylist.dat
    2007-10-01 21:36 96,768 --sha-r C:\WINDOWS\system32\2052d.exe
    2006-03-24 03:21 56 --sh--r C:\WINDOWS\system32\92843F4AEB.sys
    2006-03-24 03:21 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ----a-w 219,008 2007-07-02 10:22:39 C:\Program Files\Alcohol Soft\Alcohol 52\bak\axcmd.exe

    ----a-w 81,920 2005-06-10 16:44:02 C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe

    ----a-w 249,856 2005-06-10 16:44:02 C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe

    ----a-w 68,856 2008-01-31 00:40:08 C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe

    ----a-w 385,024 2004-10-30 20:59:54 C:\Program Files\Intel\Wireless\Bin\bak\ifrmewrk.exe

    ----a-w 32,881 2003-11-19 23:48:14 C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe

    ----a-w 1,670,080 2008-01-23 17:04:14 C:\Program Files\SlySoft\AnyDVD\bak\AnyDVDtray.exe
    ----a-w 1,682,368 2008-02-06 10:06:31 C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe

    ----a-w 15,360 2004-08-10 11:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
    ----a-w 15,360 2004-08-10 11:00:00 C:\WINDOWS\system32\ctfmon.exe

    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
    "AlcoholAutomount "= "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" [ ]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
    "AnyDVD "= "C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-02-06 05:06 1682368]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
    "Microsoft Windows Installer "= "C:\Documents and Settings\Chief\Application Data\Microsoft\dtsc\24612.exe" [2007-10-01 16:35 121856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched "= "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [ ]
    "IntelWireless "= "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [ ]
    "ISUSPM Startup "= "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ]
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ]
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle "= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme "= C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.dvacm "= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
    backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
    backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
    backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
    --a------ 2008-02-06 05:06 1682368 C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    --a------ 2006-03-07 16:02 53408 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
    --a------ 2005-05-15 03:04 332800 C:\Program Files\Dell Support\DSAgnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    --a------ 2006-02-19 03:41 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    --a------ 2003-07-13 05:49 155648 C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
    --a------ 2004-11-11 11:26 26112 C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    C:\Program Files\Real\RealPlayer\RealPlay.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
    --a------ 2002-04-17 11:42 69632 c:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
    --a------ 2006-03-17 09:34 124656 C:\PROGRA~1\SYMANT~1\VPTray.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "ehTray "=C:\WINDOWS\ehome\ehtray.exe
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe "=

    S3 Hecehtiodq;Hecehtiodq;C:\WINDOWS\system32\drivers\ndproxy.sys [2004-08-10 06:00]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    \Shell\AutoRun\command - E:\setup.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-05-30 22:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job "
    - C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
    "2008-05-30 16:58:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-05-31 14:28:02 C:\WINDOWS\Tasks\Norton Security Scan.job "
    - C:\Program Files\Norton Security Scan\Nss.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-03 17:12:37
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\ehome\ehrecvr.exe
    C:\WINDOWS\ehome\ehSched.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\imapi.exe
    .
    **************************************************************************
    .
    Completion time: 2008-06-03 17:19:34 - machine was rebooted [Chief]
    ComboFix-quarantined-files.txt 2008-06-03 22:18:49

    Pre-Run: 16,764,178,432 bytes free
    Post-Run: 15,597,481,984 bytes free

    230 --- E O F --- 2008-05-28 00:50:47


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:45, on 2008-06-04
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\spywarewarning.mht
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Alcohol Toolbar Helper - {8126A4A5-BFD3-46FE-BBDF-BFB5CF78E489} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
    O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
    O3 - Toolbar: Alcohol Toolbar - {ED4BD629-C1B6-4399-8A34-02CCAA921DC9} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\Chief\Application Data\Microsoft\dtsc\24612.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 9216 bytes
     
    avibuzz,
    #5
  7. 2008/06/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I see signs of another infection. Please download FindAWF
    Save the file to the Desktop
    Double-click the FindAWF icon.

    If a Security Alert shows, allow the program to run.
    As instructed, press any key to continue.
    Use the following option: Press 1 then Enter to scan for bak folders
    The scan may take a while, please be patient.

    When done, awf.txt will open. Please post it's contents here.
     
    noahdfear,
    #6
  8. 2008/06/06
    avibuzz

    avibuzz Inactive Thread Starter

    Joined:
    2008/06/02
    Messages:
    22
    Likes Received:
    0
    Thanks Fear, I will do that tonight when I get off work. again thanks for the time and help
     
    avibuzz,
    #7

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...