Solved Win32 and Smitfraud infection

Discussion in 'Malware and Virus Removal Archive' started by daralee100, 2008/07/05.

  1. 2008/07/05
    daralee100

    daralee100 Inactive Thread Starter

    Joined:
    2006/08/12
    Messages:
    98
    Likes Received:
    0
    [Resolved] Win32 and Smitfraud infection

    My (other) laptop has recently been infected by all hell breaking loose. Every two seconds another pop-up, well, pops up. I ran Spybot, a program I'm fond of, and it told me that I had a win32 infection and the smitfraud toolbar install. It also took over my desktop, but I closed it; however, it left behind a few icons, leading me to believe it's not gone. What step do I need to do first?

    EDIT: Upon another view, Zlob.**** is another virus on this computer. Now we can't open anything that's not on the desktop or the quick-access file on the start menu. The time now displays 25:53: Virus Alert and I can't access the task manager. Help.
     
    Last edited: 2008/07/06
  2. 2008/07/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi daralee :)

    First, you need to download SmitfraudFix by S!Ri, saving it to the desktop.

    • Restart the computer in Safe Mode by tapping the F8 key upon startup and selecting Safe Mode from the Advanced Startup Menu. Logon to your account.
    • Double-click SmitfraudFix.exe to start the tool and press 2, then hit Enter.
    • You will be prompted 'Do you want to clean the registry?' answer Y (yes) and hit Enter.
    • If prompted to replace the infected wininet.dll file (if found), answer Y (yes) and hit Enter to restore a clean file.
    • Reboot to normal mode when the tool completes.

    Post the contents of C:\rapport.txt here.

    Next, read this topic, install the latest version of Hijackthis, run a scan and save the log (you can close it for now). Then, download and run Deckard's System Scanner and post BOTH the main.txt and extra.txt logs it produces. You may be required to put them in separate posts due to character count limitations.
     

  4. 2008/07/06
    daralee100
    Here's the rapport log.

    SmitFraudFix v2.329

    Scan done at 0:26:50.56, Sun 07/06/2008
    Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    127.0.0.1 localhost
    127.0.0.1 www.anyofus.com
     
    Last edited by a moderator: 2008/07/06
  5. 2008/07/06
    daralee100
    Last edited by a moderator: 2008/07/06
  6. 2008/07/06
    noahdfear
    Skip past all those HOSTS entries in the log and post only the remaining part of it.
     
  7. 2008/07/06
    daralee100
    Last edited by a moderator: 2008/07/06
  8. 2008/07/06
    daralee100
    Last edited by a moderator: 2008/07/06
  9. 2008/07/06
    daralee100
    Sorry! I missed the middle post, this is what's after it...

    »»»»»»»»»»»»»»»»»»»»»»»» VACFix

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri
    C:\WINDOWS\kgqfweltmrg.dll deleted.
    C:\WINDOWS\nqgpedlr.dll deleted.
    C:\WINDOWS\axrfgvek.dll deleted.
    C:\WINDOWS\okmdepgb.dll deleted.


    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.
    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\privacy_danger\ Deleted
    C:\DOCUME~1\Owner\Desktop\Error Cleaner.url Deleted
    C:\DOCUME~1\Owner\Desktop\Privacy Protector.url Deleted
    C:\DOCUME~1\Owner\Desktop\Spyware?Malware Protection.url Deleted
    C:\DOCUME~1\Owner\FAVORI~1\Error Cleaner.url Deleted
    C:\DOCUME~1\Owner\FAVORI~1\Privacy Protector.url Deleted
    C:\DOCUME~1\Owner\FAVORI~1\Spyware?Malware Protection.url Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix

    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri



    »»»»»»»»»»»»»»»»»»»»»»»» 404Fix

    404Fix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{CE7EC22E-7D1B-4F51-B515-48AEEEA5A48D}: DhcpNameServer=192.168.2.1
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{D6857A23-80F7-4AB3-860E-DC43A6618631}: DhcpNameServer=192.168.2.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{CE7EC22E-7D1B-4F51-B515-48AEEEA5A48D}: DhcpNameServer=192.168.2.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{D6857A23-80F7-4AB3-860E-DC43A6618631}: DhcpNameServer=192.168.2.1
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{CE7EC22E-7D1B-4F51-B515-48AEEEA5A48D}: DhcpNameServer=192.168.2.1
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{D6857A23-80F7-4AB3-860E-DC43A6618631}: DhcpNameServer=192.168.2.1
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  10. 2008/07/06
    noahdfear
    No problem. You were just posting the log I requested. ;)
     
  11. 2008/07/06
    daralee100
    main.txt

    Deckard's System Scanner v20071014.68
    Run by Owner on 2008-07-06 00:55:59
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    82: 2008-07-06 05:56:28 UTC - RP550 - Deckard's System Scanner Restore Point
    81: 2008-07-06 04:32:59 UTC - RP549 - Spybot-S&D Spyware removal
    80: 2008-07-06 04:17:17 UTC - RP548 - Last known good configuration
    79: 2008-07-06 04:16:06 UTC - RP547 - Spybot-S&D Spyware removal
    78: 2008-07-06 04:16:05 UTC - RP546 - Installed RGSS-RTP Standard


    -- First Restore Point --
    1: 2008-07-06 04:14:04 UTC - RP469 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.

    Percentage of Memory in Use: 83% (more than 75%).
    Total Physical Memory: 192 MiB (512 MiB recommended).


    -- HijackThis (run as Owner.exe) -----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 01:00:39, on 7/6/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\keyhook.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\NCH Swift Sound\Recordpad\recordpad.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe
    C:\WINDOWS\system32\sistray.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Owner\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1FE4BFC2-60DB-461C-B734-1D40F120299A} - C:\WINDOWS\system32\ddcYstTM.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {B4E03E89-8F85-455E-9D46-D1355DD2AD6A} - C:\WINDOWS\system32\iifgdBqQ.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [MW1HelperStartUp] C:\PROGRA~1\MAGICW~1\MW1HEL~1.EXE /partner MW1
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [Recordpad] "C:\Program Files\NCH Swift Sound\Recordpad\recordpad.exe" -logon
    O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
    O4 - HKLM\..\Run: [DelayLoad] C:\DOCUME~1\Owner\LOCALS~1\Temp\atmadm2.exe
    O4 - HKLM\..\Run: [2867d654] rundll32.exe "C:\WINDOWS\system32\tmbactxc.dll",b
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [antivirus-2008pro.exe] C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe
    O4 - HKCU\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Microsoft AntiSpyware helper - {836EB4DD-AE34-40C7-B8FD-E8CC9ECC9962} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {836EB4DD-AE34-40C7-B8FD-E8CC9ECC9962} - (no file) (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.bigfishgames.com/online/ricochetlostworlds/ReflexiveWebGameLoader.cab
    O16 - DPF: {4C563F3F-5621-4F23-BAC8-6B84DCA61AB2} (GoonzuGlobal_downloader Control) - http://cdn.goonzu.com/gscdnSkins/GoonzuGlobal_downloader1222.cab
    O16 - DPF: {8494B5D2-DA6A-4BB8-9C15-6C18A312387E} (Caymas Secure Tunnel) - https://connect.rehabcare.com/ui/Axt.cab
    O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.bigfishgames.com/online/feedingfrenzy/Game/SproutLauncher.cab
    O20 - AppInit_DLLs: lt81ubddvmx9o4ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
    O20 - Winlogon Notify: ddcYstTM - C:\WINDOWS\SYSTEM32\ddcYstTM.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 8548 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>

    S3 dump_wmimmc - c:\program files\bots\gameguard\dump_wmimmc.sys (file missing)
    S3 NPPTNT2 - c:\windows\system32\npptnt2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
    S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

    S3 iPod Service - "c:\program files\ipod\bin\ipodservice.exe" (file missing)


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Files created between 2008-06-06 and 2008-07-06 -----------------------------

    2008-07-06 00:53:59 0 d-------- C:\Program Files\Trend Micro
    2008-07-06 00:27:20 3710 --a------ C:\WINDOWS\system32\tmp.reg
    2008-07-06 00:26:44 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
    2008-07-06 00:26:44 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
    2008-07-06 00:26:43 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-07-06 00:26:43 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
    2008-07-06 00:26:43 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
    2008-07-06 00:26:43 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
    2008-07-06 00:26:43 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
    2008-07-06 00:26:43 51200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-07-06 00:23:38 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
    2008-07-06 00:23:38 0 dr-h----- C:\Documents and Settings\Administrator\Recent
    2008-07-06 00:23:38 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
    2008-07-06 00:23:38 0 d--h----- C:\Documents and Settings\Administrator\NetHood
    2008-07-06 00:23:38 0 dr------- C:\Documents and Settings\Administrator\My Documents
    2008-07-06 00:23:38 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
    2008-07-06 00:23:38 0 dr------- C:\Documents and Settings\Administrator\Favorites
    2008-07-06 00:23:38 0 d-------- C:\Documents and Settings\Administrator\Desktop
    2008-07-06 00:23:38 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
    2008-07-06 00:23:38 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
    2008-07-06 00:23:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
    2008-07-06 00:23:38 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
    2008-07-06 00:23:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\McAfee
    2008-07-06 00:23:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
    2008-07-06 00:23:37 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
    2008-07-06 00:23:37 0 d--h----- C:\Documents and Settings\Administrator\Templates
    2008-07-06 00:23:37 0 dr------- C:\Documents and Settings\Administrator\Start Menu
    2008-07-06 00:23:37 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
    2008-07-05 23:47:04 691545 --a------ C:\WINDOWS\unins000.exe
    2008-07-05 23:47:04 2547 --a------ C:\WINDOWS\unins000.dat
    2008-07-05 23:20:05 88576 --a------ C:\WINDOWS\system32\tmbactxc.dll
    2008-07-05 23:13:42 5534 --ahs---- C:\WINDOWS\system32\QqBdgfii.ini2
    2008-07-05 23:13:30 318720 --a------ C:\WINDOWS\system32\iifgdBqQ.dll
    2008-07-05 23:08:59 28288 --a------ C:\WINDOWS\system32\mlJdawWq.dll
    2008-07-05 23:08:16 28288 --a------ C:\WINDOWS\system32\ddcYstTM.dll
    2008-07-05 23:08:09 0 d-------- C:\Documents and Settings\Owner\Application Data\TmpRecentIcons
    2008-07-05 23:04:40 0 d-------- C:\Program Files\VAV
    2008-07-05 23:04:38 30720 --a------ C:\WINDOWS\Sys4F0.exe
    2008-07-05 23:04:38 30208 --a------ C:\WINDOWS\Sys4EF.exe
    2008-07-05 23:04:37 31744 --a------ C:\WINDOWS\Sys4EE.exe
    2008-07-05 23:04:36 32256 --a------ C:\WINDOWS\Sys4ED.exe
    2008-07-05 23:04:36 86016 --a------ C:\WINDOWS\mrvtdpqe.exe
    2008-07-05 23:04:36 94208 --a------ C:\WINDOWS\esrp.exe
    2008-07-05 23:04:28 0 d-------- C:\Program Files\PCHealthCenter
    2008-07-05 23:03:57 0 d-------- C:\Program Files\Antivirus 2008 PRO
    2008-07-05 22:54:09 56 -r-hs---- C:\WINDOWS\system32\6B32D5AF70.sys
    2008-07-05 22:54:07 952 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
    2008-07-05 22:53:14 0 d-------- C:\Program Files\Common Files\Enterbrain
    2008-07-05 22:50:22 0 d-------- C:\Program Files\Enterbrain
    2008-07-05 21:00:02 0 d-------- C:\Documents and Settings\Owner\Application Data\NCH Swift Sound
    2008-07-05 21:00:01 0 d-------- C:\Documents and Settings\Owner\Application Data\Recordpad
    2008-07-05 20:59:42 0 d-------- C:\Program Files\NCH Software
    2008-07-05 20:59:12 0 d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
    2008-07-05 20:57:01 0 d-------- C:\Program Files\NCH Swift Sound
    2008-07-05 13:49:45 0 d-------- C:\Program Files\Common Files\ODBC
    2008-07-05 08:06:55 0 d-------- C:\MsSdkTmp
    2008-07-04 23:54:02 4 --a------ C:\WINDOWS\system32\msvcf5bf.sys
    2008-07-04 23:53:49 0 d-------- C:\Program Files\BlitzPlusDemo
    2008-07-04 18:57:28 0 d-------- C:\Documents and Settings\Owner\Application Data\WinRAR
    2008-07-03 23:07:48 0 d-------- C:\Program Files\Common Files\Bcgsoft
    2008-07-03 23:02:11 0 d-------- C:\Program Files\The Game Creators
    2008-07-03 22:53:31 0 d-------- C:\Program Files\MagicISO
    2008-07-03 06:45:46 717296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2008-07-03 06:45:34 0 d-------- C:\Documents and Settings\Owner\Application Data\DAEMON Tools
    2008-07-02 20:05:58 0 d-------- C:\Program Files\uTorrent
    2008-07-02 20:05:53 0 d-------- C:\Documents and Settings\Owner\Application Data\uTorrent


    -- Find3M Report ---------------------------------------------------------------

    2008-07-05 22:53:14 0 d-------- C:\Program Files\Common Files
    2008-07-05 16:02:21 0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-07-05 09:45:08 0 d-------- C:\Program Files\Tales of Pirates Online
    2008-07-01 21:54:10 0 d-------- C:\Program Files\LimeWire
    2008-07-01 21:45:20 0 d-------- C:\Program Files\Common Files\AOL
    2008-07-01 21:45:20 0 d-------- C:\Documents and Settings\Owner\Application Data\AOL
    2008-06-21 18:14:22 0 d-------- C:\Program Files\iPod
    2008-06-04 16:20:45 0 d-------- C:\Program Files\Ahead
    2008-06-04 16:19:06 0 d-------- C:\Program Files\Microsoft Works
    2008-06-04 16:14:17 0 d-------- C:\Program Files\DivX
    2008-06-04 16:12:41 0 d-------- C:\Program Files\FontLab
    2008-04-14 19:28:32 1291 --a------ C:\WINDOWS\mozver.dat


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1FE4BFC2-60DB-461C-B734-1D40F120299A}]
    07/05/2008 23:08 28288 --a------ C:\WINDOWS\system32\ddcYstTM.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4E03E89-8F85-455E-9D46-D1355DD2AD6A}]
    07/05/2008 23:13 318720 --a------ C:\WINDOWS\system32\iifgdBqQ.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [09/13/2002 15:42]
    "SoundMan"="SOUNDMAN.EXE" [07/01/2004 21:23 C:\WINDOWS\SOUNDMAN.EXE]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [03/26/2004 20:20]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [03/26/2004 20:20]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [10/31/2003 22:42]
    "SiSPower"="SiSPower.dll" [09/02/2004 14:47 C:\WINDOWS\system32\SiSPower.dll]
    "SiS Windows KeyHook"="C:\WINDOWS\system32\keyhook.exe" [09/02/2004 16:44]
    "SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [07/12/2002 19:15]
    "MW1HelperStartUp"="C:\PROGRA~1\MAGICW~1\MW1HEL~1.exe" []
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25]
    "KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/01/2008 00:13]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 14:10]
    "MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" []
    "Recordpad"="C:\Program Files\NCH Swift Sound\Recordpad\recordpad.exe" [07/05/2008 20:59]
    "Antivirus"="C:\Program Files\VAV\vav.exe" []
    "DelayLoad"="C:\DOCUME~1\Owner\LOCALS~1\Temp\atmadm2.exe" []
    "2867d654"="C:\WINDOWS\system32\tmbactxc.dll" [07/05/2008 23:20]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 14:00]
    "NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" []
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [11/30/2006 22:49]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43]
    "antivirus-2008pro.exe"="C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe" [07/05/2008 23:03]
    "Antivirus"="C:\Program Files\VAV\vav.exe" []

    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
    PowerReg Scheduler V3.exe [1/20/2008 1:18:08 PM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2/22/2005 8:20:19 PM]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{1FE4BFC2-60DB-461C-B734-1D40F120299A}"=C:\WINDOWS\system32\ddcYstTM.dll [07/05/2008 23:08 28288]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcYstTM]
    ddcYstTM.dll 07/05/2008 23:08 28288 C:\WINDOWS\system32\ddcYstTM.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=lt81ubddvmx9o4ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=msv1_0 C:\WINDOWS\system32\iifgdBqQ




    -- Hosts -----------------------------------------------------------------------

    127.0.0.1 localhost
    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    127.0.0.1 010402.com
    127.0.0.1 www.032439.com

    8771 more entries in hosts file.


    -- End of Deckard's System Scanner: finished at 2008-07-06 01:02:53 ------------
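As an added example (not a tool from this thread, from S!Ri or from Deckard), here is a small Python triage script that parses HijackThis O2/O4/O20 lines like those in the main.txt log above and ranks the autostart entries a helper would look at first: a Run entry launched from a user's Temp folder, a hex-named Run key loading a DLL through rundll32, a non-empty AppInit_DLLs value, a Winlogon Notify package, a BHO with no name, and one module registered in more than one autostart point (ddcYstTM.dll appears as both a BHO and a Winlogon Notify package). The sample lines are copied from the log; the severity scoring is my own heuristic, not HijackThis's.

```python
"""Triage helper for HijackThis-style autostart lines (added example, not a
tool from this thread).  Heuristic only: it ranks entries for a human to
review, it does not remove anything."""
import re
from collections import defaultdict

ENTRY_RE = re.compile(r"^(?P<sec>O\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<key>[^\]]*)\] ?(?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<value>.*)$")
MODULE_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll))', re.I)
SEVERITY = {"high": 3, "medium": 2, "low": 1}

# Constructed sample: lines copied from the HijackThis log posted above
# (AppInit_DLLs value shortened).  The Adobe BHO and SynTPEnh are benign.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1FE4BFC2-60DB-461C-B734-1D40F120299A} - C:\WINDOWS\system32\ddcYstTM.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DelayLoad] C:\DOCUME~1\Owner\LOCALS~1\Temp\atmadm2.exe
O4 - HKLM\..\Run: [2867d654] rundll32.exe "C:\WINDOWS\system32\tmbactxc.dll",b
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O20 - AppInit_DLLs: lt81ubddvmx9o4ll.dll
O20 - Winlogon Notify: ddcYstTM - C:\WINDOWS\SYSTEM32\ddcYstTM.dll
"""


def parse_entries(log_text):
    """Turn O2 (BHO), O4 (Run key) and O20 (Notify/AppInit) lines into dicts."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        e = {"section": sec, "raw": raw.strip(), "location": None, "name": None, "module": None}
        if sec == "O4" and (r := RUN_RE.match(body)):
            e.update(location=f"{r['hive']} Run", name=r["key"])
            mod = MODULE_RE.search(r["cmd"])  # first full path in the command line
            e["module"] = mod.group(1) if mod else r["cmd"]
        elif sec == "O2" and (b := BHO_RE.match(body)):
            e.update(location="BHO", name=b["name"], module=b["path"])
        elif sec == "O20" and (n := NOTIFY_RE.match(body)):
            e.update(location="Winlogon Notify", name=n["key"], module=n["path"])
        elif sec == "O20" and (a := APPINIT_RE.match(body)):
            e.update(location="AppInit_DLLs", name="AppInit_DLLs", module=a["value"])
        else:
            continue
        entries.append(e)
    return entries


def triage(log_text):
    """Score each entry; higher score = look at it first.  Returns sorted findings."""
    entries = parse_entries(log_text)
    by_module = defaultdict(list)  # lower-cased module path -> autostart locations
    for e in entries:
        if e["module"]:
            by_module[e["module"].lower()].append(e["location"])
    findings = []
    for e in entries:
        mod = (e["module"] or "").lower()
        reasons = []
        if "\\temp\\" in mod or "\\locals~1\\" in mod:
            reasons.append(("high", "autostart launched from a user Temp folder"))
        if e["section"] == "O4" and re.fullmatch(r"[0-9a-f]{6,}", e["name"] or "", re.I):
            reasons.append(("high", "Run key named with a random-looking hex string"))
        if e["location"] == "AppInit_DLLs" and mod.strip():
            reasons.append(("high", "AppInit_DLLs is set (DLL loaded into every process)"))
        if e["location"] == "Winlogon Notify":
            reasons.append(("medium", "Winlogon Notify package loaded before logon"))
        if e["location"] == "BHO" and e["name"] == "(no name)":
            reasons.append(("medium", "BHO registered without a name"))
        if "(file missing)" in e["raw"] or "(no file)" in e["raw"]:
            reasons.append(("low", "orphaned entry, file no longer present"))
        locs = sorted(set(by_module.get(mod, []))) if mod else []
        if len(locs) > 1:
            reasons.append(("medium", "same module in several autostart points: " + ", ".join(locs)))
        if reasons:
            findings.append({"score": sum(SEVERITY[s] for s, _ in reasons),
                             "entry": e, "reasons": [r for _, r in reasons]})
    findings.sort(key=lambda f: -f["score"])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['score']}] {f['entry']['raw']}")
        for reason in f["reasons"]:
            print("      -", reason)
```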
     
  12. 2008/07/06
    daralee100
    extra.exe

    Deckard's System Scanner v20071014.68
    Extra logfile - please post this as an attachment with your post.
    --------------------------------------------------------------------------------

    -- System Information ----------------------------------------------------------

    Microsoft Windows XP Home Edition (build 2600) SP 2.0
    Architecture: X86; Language: English

    CPU 0: Mobile AMD Sempron(tm) Processor 2800+
    Percentage of Memory in Use: 83%
    Physical Memory (total/avail): 191.36 MiB / 32.15 MiB
    Pagefile Memory (total/avail): 6175.03 MiB / 5883.54 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1891.19 MiB

    C: is Fixed (NTFS) - 52.14 GiB total, 29.83 GiB free.
    D: is Fixed (FAT32) - 3.74 GiB total, 0.54 GiB free.
    E: is CDROM (CDFS)

    \\.\PHYSICALDRIVE0 - IC25N060ATMR04-0 - 55.89 GiB - 2 partitions
    \PARTITION0 (bootable) - Installable File System - 52.14 GiB - C:
    \PARTITION1 - Unknown - 3.75 GiB - D:



    -- Security Center -------------------------------------------------------------

    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is enabled.

    FirstRunDisabled is set.


    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AMERIC~1.0"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Messenger 8.0 Beta"
    "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Messenger 8.0 Beta (Phone)"
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe:*:Enabled:AOL"
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AMERIC~1.0"
    "C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
    "C:\\Program Files\\Common Files\\AOL\\1127864544\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1127864544\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
    "C:\\Program Files\\Common Files\\AOL\\1127864544\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1127864544\\ee\\aim6.exe:*:Enabled:AIM"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Messenger 8.0 Beta"
    "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Messenger 8.0 Beta (Phone)"
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe:*:Enabled:AOL"
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
    "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
    "C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.5"
    "C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\nspA37.tmp\\utorrent.exe"="C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\nspA37.tmp\\utorrent.exe:*:Enabled:µTorrent"
    "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
    "C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
    "C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


    -- Environment Variables -------------------------------------------------------

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Owner\Application Data
    CLASSPATH=.;C:\Program Files\Java\jre1.5.0_09\lib\ext\QTJava.zip
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=DONNASLAPTOP
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Owner
    LOGONSERVER=\\DONNASLAPTOP
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\AOL\System Information
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 8 Stepping 2, AuthenticAMD
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=0802
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    QTJAVA=C:\Program Files\Java\jre1.5.0_09\lib\ext\QTJava.zip
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
    TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
    USERDOMAIN=DONNASLAPTOP
    USERNAME=Owner
    USERPROFILE=C:\Documents and Settings\Owner
    windir=C:\WINDOWS


    -- User Profiles ---------------------------------------------------------------

    Owner (admin)
    Administrator (new local, admin)


    -- Add/Remove Programs ---------------------------------------------------------

    --> "C:\Program Files\mcafee.com\antivirus\uninst.exe" /PopUpMsgBox= "N" /CheckMutx= "N" /S
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E06E4F4E-72D6-4497-BFFD-BCB43077C2F4}\setup.exe" -l0x9 -uninst
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
    Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
    Adobe Reader 6.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7646-000000000001}
    Adobe Shockwave Player --> C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
    AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
    Benge's Animated Sprite Pack For FPS Creator --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AED21179-5EBE-4737-94B0-37BFFDF8DA66}\Setup.exe" -l0x9
    BlitzPlusDemo --> C:\Program Files\BlitzPlusDemo\uninstall.exe
    Dark Egypt --> C:\Program Files\The Game Creators\FPS Creator\Dark Egypt Uninstal.exe
    Express Burn --> C:\Program Files\NCH Swift Sound\ExpressBurn\uninst.exe
    Express Rip --> C:\Program Files\NCH Swift Sound\ExpressRip\uninst.exe
    FlashGet(JetCar) --> C:\PROGRA~1\FlashGet\UNWISE.EXE C:\PROGRA~1\FlashGet\INSTALL.LOG
    FPS Creator --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B91E4360-298A-4306-9E95-9AD91A0952A1}\setup.exe" -l0x9
    FPS Creator Model Pack - 10 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{24EB39DB-B958-413D-818E-C0875101C96B}\Setup.exe" -l0x9
    FPS Creator Model Pack - 11 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{15014839-85AF-439E-9C3C-A93BB74957B1}\Setup.exe" -l0x9
    FPS Creator Model Pack - 16 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BDB48672-B567-4A4B-989E-0A7C2E220B6F}\Setup.exe" -l0x9
    FPS Creator Model Pack - 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3B78E403-D116-4C56-9D1E-4C245AFC82D9}\Setup.exe" -l0x9
    FPS Creator Model Pack - 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E6342632-BA22-4FE2-A32E-E664684AD659}\Setup.exe" -l0x9
    FPS Creator Model Pack - 4 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4F4BB48A-7F05-4CB8-B8F4-81581DC51090}\Setup.exe" -l0x9
    FPS Creator Model Pack - 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{71E13F8B-365D-4FCF-BA69-9209FAF9D680}\Setup.exe" -l0x9
    FPS Creator Model Pack - 6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F964E0BB-3AD6-4188-B985-453037BE8FFD}\Setup.exe" -l0x9
    FPS Creator Model Pack - 7 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F6D05799-9659-48CD-8B8A-1AC424A572A9}\Setup.exe" -l0x9
    FPS Creator Model Pack - 9 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{444E3FAE-DC6D-498B-BF98-6B6B61CA46D9}\Setup.exe" -l0x9
    Grave Matter --> MsiExec.exe /I{F24C1A1D-7553-43CD-A1D7-2384273FA8F6}
    HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
    iTunes --> MsiExec.exe /I{80FD852F-5AAC-4129-B931-06AAFFA43138}
    J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
    Jasc Paint Shop Pro 8 --> MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}
    Java 2 Runtime Environment, SE v1.4.2 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
    Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
    Lexmark Printer Software Uninstall --> C:\Program Files\Lexmark\Install\Uninstall.exe
    Microsoft Office FrontPage 2003 --> MsiExec.exe /I{90170409-6000-11D3-8CFE-0150048383C9}
    Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
    Mozilla Firefox (2.0.0.15) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
    PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
    QuickTime --> MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
    RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
    Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
    Recordpad --> C:\Program Files\NCH Swift Sound\Recordpad\uninst.exe
    Refresher --> C:\Program Files\Refresher\Uninstal.exe
    RGSS-RTP Standard --> MsiExec.exe /I{5A9FE525-8B8F-4701-A937-7F6745A4E9C7}
    RPGXP --> MsiExec.exe /I{9B34CAC6-738F-4A20-B428-A115C3E3474C}
    SiS 900 PCI Fast Ethernet Adapter Driver --> C:\Progra~1\SiSLan\Uninst.exe
    SiS VGA Utilities --> Rundll32 SiSInst.dll,Uninstall VGA,R,oem7.inf
    SmartFTP Client --> MsiExec.exe /I{C169D3BB-9A27-43F5-9979-09A0D65FE95C}
    SoftK56 Data Fax CARP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_1039&DEV_7013&SUBSYS_2038161F\HXFSETUP.EXE -U -IVEN_1039&DEV_7013&SUBSYS_2038161F
    Solid State ION Internet Explorer Plugin --> C:\WINDOWS\system32\SolidStateNetworks\SolidStateION\soliduninstall.exe /Uninstall activex
    Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe "
    Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe "
    Switch --> C:\Program Files\NCH Swift Sound\Switch\uninst.exe
    Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll ",standAloneUninstall
    Tales of Pirates Online 1.37 --> "D:\TalesOfPirates\Tales of Pirates Online Trainer\unins000.exe "
    thesimpsonsmovie1.zip --> C:\PROGRA~1\FILESU~1\THESIM~1.ZIP\UNWISE.EXE C:\PROGRA~1\FILESU~1\THESIM~1.ZIP\INSTALL.LOG
    Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
    WavePad Uninstall --> C:\Program Files\NCH Swift Sound\WavePad\uninst.exe
    Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
    WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
    Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
    Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
    Yahtzee 1.1.6 --> "C:\Program Files\Rekenwonder Software\Yahtzee\unins000.exe "


    -- Application Event Log -------------------------------------------------------

    Event Record #/Type8284 / Error
    Event Submitted/Written: 07/06/2008 00:18:15 AM
    Event ID/Source: 1002 / Application Hang
    Event Description:
    Hanging application iexplore.exe, version 7.0.6000.16674, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

    Event Record #/Type8283 / Error
    Event Submitted/Written: 07/06/2008 00:13:52 AM / 07/06/2008 00:13:53 AM
    Event ID/Source: 1002 / Application Hang
    Event Description:
    Hanging application iexplore.exe, version 7.0.6000.16674, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

    Event Record #/Type8282 / Error
    Event Submitted/Written: 07/06/2008 00:05:29 AM
    Event ID/Source: 1002 / Application Hang
    Event Description:
    Hanging application Sys4EF.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

    Event Record #/Type8278 / Error
    Event Submitted/Written: 07/05/2008 11:29:51 PM / 07/05/2008 11:29:52 PM
    Event ID/Source: 1002 / Application Hang
    Event Description:
    Hanging application iexplore.exe, version 7.0.6000.16674, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

    Event Record #/Type8277 / Error
    Event Submitted/Written: 07/05/2008 11:11:20 PM
    Event ID/Source: 1002 / Application Hang
    Event Description:
    Hanging application iexplore.exe, version 7.0.6000.16674, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



    -- Security Event Log ----------------------------------------------------------

    No Errors/Warnings found.


    -- System Event Log ------------------------------------------------------------

    Event Record #/Type5110 / Error
    Event Submitted/Written: 07/06/2008 00:36:02 AM
    Event ID/Source: 10005 / DCOM
    Event Description:
    DCOM got error "%iPod Service" attempting to start the service iPod Service with arguments " "
    in order to run the server:
    {063D34A4-BF84-4B8D-B699-E8CA06504DDE}

    Event Record #/Type5109 / Error
    Event Submitted/Written: 07/06/2008 00:36:02 AM
    Event ID/Source: 7000 / Service Control Manager
    Event Description:
    The iPod Service service failed to start due to the following error:
    %%2

    Event Record #/Type5089 / Error
    Event Submitted/Written: 07/06/2008 00:33:01 AM
    Event ID/Source: 10005 / DCOM
    Event Description:
    DCOM got error "%%1084" attempting to start the service EventSystem with arguments " "
    in order to run the server:
    {1BE1F766-5536-11D1-B726-00C04FB926AF}

    Event Record #/Type5088 / Error
    Event Submitted/Written: 07/06/2008 00:32:49 AM
    Event ID/Source: 10005 / DCOM
    Event Description:
    DCOM got error "%%1084" attempting to start the service netman with arguments " "
    in order to run the server:
    {BA126AE5-2166-11D1-B1D0-00805FC1270E}

    Event Record #/Type5087 / Error
    Event Submitted/Written: 07/06/2008 00:32:06 AM
    Event ID/Source: 10005 / DCOM
    Event Description:
    DCOM got error "%%1084" attempting to start the service netman with arguments " "
    in order to run the server:
    {BA126AE5-2166-11D1-B1D0-00805FC1270E}



    -- End of Deckard's System Scanner: finished at 2008-07-06 01:02:53 ------------
     
  13. 2008/07/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Still quite a number of rogue files to remove. Download ComboFix by sUBs from here, saving the file to your desktop.


    Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  14. 2008/07/06
    daralee100

    daralee100 Inactive Thread Starter

    Joined:
    2006/08/12
    Messages:
    98
    Likes Received:
    0
    Here's the combofix log.

    ComboFix 08-07-05.1 - Owner 2008-07-06 1:15:00.1 - NTFSx86
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus-2008pro.lnk
    C:\Documents and Settings\Owner\Desktop\antivirus-2008pro.lnk
    C:\Documents and Settings\Owner\Start Menu\Programs\Antivirus 2008 PRO
    C:\Documents and Settings\Owner\Start Menu\Programs\Antivirus 2008 PRO\antivirus-2008pro.lnk
    C:\Program Files\Antivirus 2008 PRO
    C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe
    C:\Program Files\Antivirus 2008 PRO\vscan.tsi
    C:\Program Files\Antivirus 2008 PRO\zlib.dll
    C:\Program Files\PCHealthCenter
    C:\Program Files\PCHealthCenter\0.exe
    C:\Program Files\PCHealthCenter\0.gif
    C:\Program Files\PCHealthCenter\1.exe
    C:\Program Files\PCHealthCenter\1.gif
    C:\Program Files\PCHealthCenter\2.exe
    C:\Program Files\PCHealthCenter\2.gif
    C:\Program Files\PCHealthCenter\3.exe
    C:\Program Files\PCHealthCenter\3.gif
    C:\Program Files\PCHealthCenter\4.exe
    C:\Program Files\PCHealthCenter\5.exe
    C:\Program Files\PCHealthCenter\sex1.ico
    C:\Program Files\PCHealthCenter\sex2.ico
    C:\Program Files\VAV
    C:\Program Files\VAV\vav.cpl
    C:\Program Files\VAV\vav0.dat
    C:\Program Files\VAV\vav1.dat
    C:\WINDOWS\esrp.exe
    C:\WINDOWS\system32\cxtcabmt.ini
    C:\WINDOWS\system32\iifgdBqQ.dll
    C:\WINDOWS\system32\msvcf5bf.sys
    C:\WINDOWS\system32\QqBdgfii.ini
    C:\WINDOWS\system32\QqBdgfii.ini2
    C:\WINDOWS\system32\sex1.ico
    C:\WINDOWS\system32\sex2.ico

    .
    ((((((((((((((((((((((((( Files Created from 2008-06-06 to 2008-07-06 )))))))))))))))))))))))))))))))
    .

    2008-07-06 00:55 . 2008-07-06 00:55 <DIR> d-------- C:\Deckard
    2008-07-06 00:53 . 2008-07-06 00:53 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-06 00:27 . 2008-07-06 00:27 3,710 --a------ C:\WINDOWS\system32\tmp.reg
    2008-07-06 00:26 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-07-06 00:26 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-07-06 00:26 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
    2008-07-06 00:26 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-07-06 00:26 . 2008-07-02 13:33 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
    2008-07-06 00:26 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
    2008-07-06 00:26 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-07-06 00:26 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-07-06 00:26 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-07-06 00:23 . 2004-08-27 04:54 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
    2008-07-06 00:23 . 2005-02-22 20:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
    2008-07-06 00:23 . 2005-02-22 20:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\McAfee
    2008-07-06 00:23 . 2008-07-06 00:23 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-07-05 23:47 . 2008-07-05 23:42 691,545 --a------ C:\WINDOWS\unins000.exe
    2008-07-05 23:47 . 2008-07-05 23:47 2,547 --a------ C:\WINDOWS\unins000.dat
    2008-07-05 23:20 . 2008-07-05 23:20 88,576 --a------ C:\WINDOWS\system32\tmbactxc.dll
    2008-07-05 23:08 . 2008-07-05 23:08 28,288 --a------ C:\WINDOWS\system32\mlJdawWq.dll
    2008-07-05 23:08 . 2008-07-05 23:08 28,288 --a------ C:\WINDOWS\system32\ddcYstTM.dll
    2008-07-05 23:05 . 2008-07-03 17:09 117,760 --a------ C:\WINDOWS\system32\vav.cpl
    2008-07-05 23:04 . 2008-07-05 20:48 86,016 --a------ C:\WINDOWS\mrvtdpqe.exe
    2008-07-05 23:04 . 2008-07-03 20:14 32,256 --a------ C:\WINDOWS\Sys4ED.exe
    2008-07-05 23:04 . 2008-07-03 20:14 31,744 --a------ C:\WINDOWS\Sys4EE.exe
    2008-07-05 23:04 . 2008-07-03 20:14 30,720 --a------ C:\WINDOWS\Sys4F0.exe
    2008-07-05 23:04 . 2008-07-03 20:14 30,208 --a------ C:\WINDOWS\Sys4EF.exe
    2008-07-05 22:54 . 2008-07-05 22:54 952 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
    2008-07-05 22:54 . 2008-07-05 22:54 56 -r-hs---- C:\WINDOWS\system32\6B32D5AF70.sys
    2008-07-05 22:53 . 2008-07-05 22:53 <DIR> d-------- C:\Program Files\Common Files\Enterbrain
    2008-07-05 22:50 . 2008-07-05 22:50 <DIR> d-------- C:\Program Files\Enterbrain
    2008-07-05 21:00 . 2008-07-05 21:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Recordpad
    2008-07-05 21:00 . 2008-07-05 21:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\NCH Swift Sound
    2008-07-05 20:59 . 2008-07-05 20:59 <DIR> d-------- C:\Program Files\NCH Software
    2008-07-05 20:59 . 2008-07-05 21:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
    2008-07-05 20:57 . 2008-07-05 21:00 <DIR> d-------- C:\Program Files\NCH Swift Sound
    2008-07-05 08:06 . 2008-07-05 08:06 <DIR> d-------- C:\MsSdkTmp
    2008-07-04 23:53 . 2008-07-04 23:54 <DIR> d-------- C:\Program Files\BlitzPlusDemo
    2008-07-03 23:07 . 2008-07-03 23:07 <DIR> d-------- C:\Program Files\Common Files\Bcgsoft
    2008-07-03 23:02 . 2008-07-03 23:02 <DIR> d-------- C:\Program Files\The Game Creators
    2008-07-03 22:53 . 2008-07-04 16:34 <DIR> d-------- C:\Program Files\MagicISO
    2008-07-03 06:45 . 2008-07-03 22:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\DAEMON Tools
    2008-07-03 06:45 . 2008-07-03 06:45 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2008-07-02 20:05 . 2008-07-02 20:05 <DIR> d-------- C:\Program Files\uTorrent
    2008-07-02 20:05 . 2008-07-05 23:50 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
    2008-06-11 05:55 . 2008-06-13 08:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-11 05:55 . 2008-06-13 08:10 272,128 --a--c--- C:\WINDOWS\system32\dllcache\bthport.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-06 05:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-07-06 04:59 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-07-05 21:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-07-05 14:45 --------- d-----w C:\Program Files\Tales of Pirates Online
    2008-07-02 02:54 --------- d-----w C:\Program Files\LimeWire
    2008-07-02 02:45 --------- d-----w C:\Program Files\Common Files\AOL
    2008-07-02 02:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\AOL
    2008-06-21 23:14 --------- d-----w C:\Program Files\iPod
    2008-06-04 21:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
    2008-06-04 21:20 --------- d-----w C:\Program Files\Ahead
    2008-06-04 21:19 --------- d-----w C:\Program Files\Microsoft Works
    2008-06-04 21:14 --------- d-----w C:\Program Files\DivX
    2008-06-04 21:12 --------- d-----w C:\Program Files\FontLab
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2007-06-29 02:23 32 ----a-r C:\Documents and Settings\All Users\hash.dat
    2005-04-03 14:24 56 --sh--r C:\WINDOWS\system32\86F63302B7.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1FE4BFC2-60DB-461C-B734-1D40F120299A}]
    2008-07-05 23:08 28288 --a------ C:\WINDOWS\system32\ddcYstTM.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F3F4C17F-ECB5-474B-8190-93A9ABE91F2B}]
    2008-07-06 01:53 318720 --a------ C:\WINDOWS\system32\awtussrQ.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
    "Yahoo! Pager "= "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49 4662776]
    "SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Recguard "= "C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 15:42 212992]
    "SynTPLpr "= "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-03-26 20:20 98304]
    "SynTPEnh "= "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-03-26 20:20 499712]
    "RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 22:42 32768]
    "SiS Windows KeyHook "= "C:\WINDOWS\system32\keyhook.exe" [2004-09-02 16:44 249856]
    "SiSUSBRG "= "C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 19:15 106496]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
    "Recordpad "= "C:\Program Files\NCH Swift Sound\Recordpad\recordpad.exe" [2008-07-05 20:59 577540]
    "2867d654 "= "C:\WINDOWS\system32\sekwllhu.dll" [2008-07-06 02:00 88576]
    "SoundMan "= "SOUNDMAN.EXE" [2004-07-01 21:23 67584 C:\WINDOWS\SOUNDMAN.EXE]
    "SiSPower "= "SiSPower.dll" [2004-09-02 14:47 49152 C:\WINDOWS\system32\SiSPower.dll]

    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
    PowerReg Scheduler V3.exe [2008-01-20 13:18:08 225280]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2005-02-22 20:20:19 331776]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{1FE4BFC2-60DB-461C-B734-1D40F120299A} "= "C:\WINDOWS\system32\ddcYstTM.dll" [2008-07-05 23:08 28288]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcYstTM]
    2008-07-05 23:08 28288 C:\WINDOWS\system32\ddcYstTM.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\awtussrQ

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\America Online 9.0\\waol.exe "=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "C:\\Program Files\\SmartFTP Client\\SmartFTP.exe "=
    "C:\\Program Files\\uTorrent\\uTorrent.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9842:TCP "= 9842:TCP:*:Disabled:SolidNetworkManager
    "9842:UDP "= 9842:UDP:*:Disabled:SolidNetworkManager


    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - (no file)
    HKCU-Run-NBJ - C:\Program Files\Ahead\Nero BackItUp\NBJ.exe
    HKLM-Run-MW1HelperStartUp - C:\PROGRA~1\MAGICW~1\MW1HEL~1.EXE
    HKLM-Run-MCUpdateExe - C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    HKLM-Run-Antivirus - C:\Program Files\VAV\vav.exe


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-06 01:46:14
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\ddcYstTM.dll

    PROCESS: C:\WINDOWS\explorer.exe
    -> C:\WINDOWS\system32\sekwllhu.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    .
    **************************************************************************
    .
    Completion time: 2008-07-06 2:04:50 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-07-06 07:04:18

    Pre-Run: 31,954,292,736 bytes free
    Post-Run: 32,814,108,672 bytes free

    203 --- E O F --- 2008-06-20 05:12:04
     
  15. 2008/07/06
    daralee100

    daralee100 Inactive Thread Starter

    Joined:
    2006/08/12
    Messages:
    98
    Likes Received:
    0
    And the HijackThis log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 09:44:57, on 7/6/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\keyhook.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\NCH Swift Sound\Recordpad\recordpad.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\sistray.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [Recordpad] "C:\Program Files\NCH Swift Sound\Recordpad\recordpad.exe" -logon
    O4 - HKLM\..\Run: [2867d654] rundll32.exe "C:\WINDOWS\system32\tmbactxc.dll ",b
    O4 - HKLM\..\Run: [MW1HelperStartUp] C:\PROGRA~1\MAGICW~1\MW1HEL~1.EXE /partner MW1
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe "
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Microsoft AntiSpyware helper - {836EB4DD-AE34-40C7-B8FD-E8CC9ECC9962} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {836EB4DD-AE34-40C7-B8FD-E8CC9ECC9962} - (no file) (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.bigfishgames.com/online/ricochetlostworlds/ReflexiveWebGameLoader.cab
    O16 - DPF: {4C563F3F-5621-4F23-BAC8-6B84DCA61AB2} (GoonzuGlobal_downloader Control) - http://cdn.goonzu.com/gscdnSkins/GoonzuGlobal_downloader1222.cab
    O16 - DPF: {8494B5D2-DA6A-4BB8-9C15-6C18A312387E} (Caymas Secure Tunnel) - https://connect.rehabcare.com/ui/Axt.cab
    O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.bigfishgames.com/online/feedingfrenzy/Game/SproutLauncher.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 7510 bytes
     
  16. 2008/07/06
    noahdfear
    What software did you install from Enterbrain (RPG Maker maybe?), and where did it come from, e.g. p2p, developer's site, download.com, etc.? I ask only because of some suspicious files that were created at approximately the same time.

    Please upload the following files to my submission channel for analysis. Leave a link back to this topic.

    C:\WINDOWS\Sys4ED.exe
    C:\WINDOWS\Sys4EE.exe
    C:\WINDOWS\Sys4F0.exe
    C:\WINDOWS\Sys4EF.exe

    Thanks!

    Once received and analyzed I will post instructions on how to proceed (there's a bit more to clean up).
     
  17. 2008/07/06
    daralee100
    Uploaded.

    This computer is one my brother uses daily, and he had installed RPG Maker. He insists the problems started right after he tried to find a serial for it from a random site. That is most likely where we were infected.
     
    Last edited: 2008/07/06
  18. 2008/07/06
    noahdfear
    I'm not at all surprised he got infected looking for a crack. Let him know it's dishonest in addition to inviting infections into his computer. ;)

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:

    http://www.windowsbbs.com/showthread.php?t=74890

    Collect::
    C:\WINDOWS\system32\sekwllhu.dll
    C:\WINDOWS\system32\tmbactxc.dll
    C:\WINDOWS\system32\mlJdawWq.dll
    C:\WINDOWS\system32\ddcYstTM.dll
    C:\WINDOWS\system32\vav.cpl
    C:\WINDOWS\mrvtdpqe.exe
    C:\WINDOWS\Sys4ED.exe
    C:\WINDOWS\Sys4EE.exe
    C:\WINDOWS\Sys4F0.exe
    C:\WINDOWS\Sys4EF.exe
    File::
    C:\WINDOWS\system32\KGyGaAvL.sys
    C:\WINDOWS\system32\6B32D5AF70.sys
    C:\WINDOWS\unins000.exe
    C:\WINDOWS\unins000.dat
    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1FE4BFC2-60DB-461C-B734-1D40F120299A}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F3F4C17F-ECB5-474B-8190-93A9ABE91F2B}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "2867d654"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{1FE4BFC2-60DB-461C-B734-1D40F120299A}"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcYstTM]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    Please note that I have instructed CFScript to collect some files. This means that at some point, likely after reboot when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created on your desktop. The zip contains the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send. This will assist the author in adding the files for removal in future updates. Thanks!


    You can manually delete the following files. They are leftovers from SmitfraudFix.

    C:\WINDOWS\system32\tmp.reg
    C:\WINDOWS\system32\VCCLSID.exe
    C:\WINDOWS\system32\SrchSTS.exe
    C:\WINDOWS\system32\VACFix.exe
    C:\WINDOWS\system32\IEDFix.exe
    C:\WINDOWS\system32\IEDFix.C.exe
    C:\WINDOWS\system32\404Fix.exe
    C:\WINDOWS\system32\Process.exe
    C:\WINDOWS\system32\dumphive.exe
    C:\WINDOWS\system32\WS2Fix.exe

    Also delete the SmitfraudFix folder, SmitfraudFix.exe and the C:\rapport.txt log.
     
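The Registry:: block in the post above is written in .reg-file syntax: `[-key]` deletes a key, `"name"=-` deletes a value, and `hex(7):...` writes a REG_MULTI_SZ. The last line resets the LSA "Authentication Packages" value to the stock `msv1_0`, which matters because every DLL named in that value is loaded into lsass.exe at boot, so an extra entry there is a very quiet, very privileged persistence point. The Python below is an added example (not code from the post, from ComboFix or from its author): it decodes and re-encodes the hex(7) form, parses a small constructed .reg export of the Lsa key, and reports any package beyond `msv1_0`. Both .reg samples are constructed, and the extra package `badauth.dll` in the second one is hypothetical.

```python
"""Decode/encode the REG_MULTI_SZ ("hex(7):") form used in .reg files and in
ComboFix CFScript Registry:: sections, and audit the LSA "Authentication
Packages" value for anything beyond the stock msv1_0.

Added example; not part of the original post or of ComboFix.  The .reg
exports below are constructed for illustration and the extra package
badauth.dll is hypothetical.
"""
from __future__ import annotations

import re

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
AUTH_VALUE = "Authentication Packages"
# Stock Windows XP value: exactly one authentication package.
EXPECTED_AUTH_PACKAGES = ["msv1_0"]


def decode_hex7(payload: str) -> list[str]:
    """'hex(7):6d,73,76,31,5f,30,00,00' -> ['msv1_0'].

    hex(7) is REG_MULTI_SZ: NUL-terminated ANSI strings followed by one
    extra NUL.  .reg files wrap long values with a trailing backslash and
    an indented continuation line; those are stripped before decoding.
    """
    m = re.match(r"hex\(7\):(.*)", payload, re.S)
    if not m:
        raise ValueError("not a hex(7) value: %r" % payload[:20])
    cleaned = re.sub(r"\\\s*", "", m.group(1))
    raw = bytes(int(tok, 16) for tok in cleaned.split(",") if tok.strip())
    return [s.decode("latin-1") for s in raw.split(b"\x00") if s]


def encode_hex7(strings: list[str]) -> str:
    """Inverse of decode_hex7, producing the form used in the CFScript."""
    raw = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return "hex(7):" + ",".join("%02x" % b for b in raw)


def parse_reg(reg_text: str) -> dict[str, dict[str, str]]:
    """Minimal .reg parser: {key_path: {value_name: raw_value_text}}.

    Handles [key] headers, "name"=value lines and backslash continuation
    lines.  A raw value of '-' is the .reg/CFScript notation for "delete
    this value"; it is returned as-is for the caller to interpret.
    """
    keys: dict[str, dict[str, str]] = {}
    current = None
    pending = None  # (value_name, partial_text) while a value spans lines
    for line in reg_text.splitlines():
        stripped = line.strip()
        if pending is not None:
            name, partial = pending
            partial += stripped
            if partial.endswith("\\"):
                pending = (name, partial)
            else:
                keys[current][name] = partial
                pending = None
            continue
        if (not stripped or stripped.startswith(";")
                or stripped.startswith("REGEDIT")
                or stripped.startswith("Windows Registry Editor")):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'"([^"]*)"=(.*)', stripped)
        if m and current is not None:
            name, value = m.group(1), m.group(2)
            if value.endswith("\\"):
                pending = (name, value)
            else:
                keys[current][name] = value
    return keys


def unexpected_auth_packages(reg_text: str) -> list[str]:
    """Entries in the Lsa key's Authentication Packages value beyond the stock list."""
    raw = parse_reg(reg_text).get(LSA_KEY, {}).get(AUTH_VALUE)
    if raw is None:
        return []
    expected = {p.lower() for p in EXPECTED_AUTH_PACKAGES}
    return [p for p in decode_hex7(raw) if p.lower() not in expected]


# Constructed sample: the stock value, exactly as the CFScript writes it.
CLEAN_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"""

# Constructed sample: the same value with a hypothetical second package
# (C:\WINDOWS\system32\badauth.dll) appended, which LSASS would load into
# its own process at the next boot.
HIJACKED_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,43,3a,5c,57,49,4e,44,4f,\
  57,53,5c,73,79,73,74,65,6d,33,32,5c,62,61,64,61,75,74,68,2e,64,6c,6c,00,00
"""

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_REG), ("hijacked", HIJACKED_REG)):
        print(label, unexpected_auth_packages(text))
    # The repair line from the CFScript, regenerated from the stock list:
    print('"Authentication Packages"=%s' % encode_hex7(EXPECTED_AUTH_PACKAGES))
```

On a live machine the same check is done against `reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa lsa.reg` rather than a constructed string; the parser reads that output unchanged because `reg export` emits the same continuation-line format.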
  19. 2008/07/06
    daralee100
    ComboFix 08-07-05.1 - Owner 2008-07-06 22:23:38.2 - NTFSx86
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
    C:\WINDOWS\system32\6B32D5AF70.sys
    C:\WINDOWS\system32\KGyGaAvL.sys
    C:\WINDOWS\unins000.dat
    C:\WINDOWS\unins000.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Owner\Desktop\Vista Antivirus 2008.lnk
    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
    C:\WINDOWS\mrvtdpqe.exe
    C:\WINDOWS\Sys4ED.exe
    C:\WINDOWS\Sys4EE.exe
    C:\WINDOWS\Sys4EF.exe
    C:\WINDOWS\Sys4F0.exe
    C:\WINDOWS\system32\6B32D5AF70.sys
    C:\WINDOWS\system32\awtussrQ.dll
    C:\WINDOWS\system32\ddcYstTM.dll
    C:\WINDOWS\system32\KGyGaAvL.sys
    C:\WINDOWS\system32\mlJdawWq.dll
    C:\WINDOWS\system32\Qrssutwa.ini
    C:\WINDOWS\system32\Qrssutwa.ini2
    C:\WINDOWS\system32\sekwllhu.dll
    C:\WINDOWS\system32\tmbactxc.dll
    C:\WINDOWS\system32\uhllwkes.ini
    C:\WINDOWS\system32\vav.cpl
    C:\WINDOWS\system32\wwniexek.ini
    C:\WINDOWS\unins000.dat
    C:\WINDOWS\unins000.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-06-07 to 2008-07-07 )))))))))))))))))))))))))))))))
    .

    2008-07-06 08:03 . 2008-07-06 08:03 89,088 --a------ C:\WINDOWS\system32\kexeinww.dll
    2008-07-06 01:50 . 2008-07-06 01:50 294 --ahs---- C:\WINDOWS\system32\cxtcabmt.ini
    2008-07-06 00:55 . 2008-07-06 00:55 <DIR> d-------- C:\Deckard
    2008-07-06 00:53 . 2008-07-06 00:53 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-06 00:27 . 2008-07-06 00:27 3,710 --a------ C:\WINDOWS\system32\tmp.reg
    2008-07-06 00:26 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-07-06 00:26 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-07-06 00:26 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
    2008-07-06 00:26 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-07-06 00:26 . 2008-07-02 13:33 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
    2008-07-06 00:26 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
    2008-07-06 00:26 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-07-06 00:26 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-07-06 00:26 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-07-06 00:23 . 2004-08-27 04:54 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
    2008-07-06 00:23 . 2005-02-22 20:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
    2008-07-06 00:23 . 2005-02-22 20:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\McAfee
    2008-07-06 00:23 . 2008-07-06 00:23 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-07-05 22:53 . 2008-07-05 22:53 <DIR> d-------- C:\Program Files\Common Files\Enterbrain
    2008-07-05 22:50 . 2008-07-05 22:50 <DIR> d-------- C:\Program Files\Enterbrain
    2008-07-05 21:00 . 2008-07-05 21:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Recordpad
    2008-07-05 21:00 . 2008-07-05 21:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\NCH Swift Sound
    2008-07-05 20:59 . 2008-07-05 20:59 <DIR> d-------- C:\Program Files\NCH Software
    2008-07-05 20:59 . 2008-07-05 21:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
    2008-07-05 20:57 . 2008-07-05 21:00 <DIR> d-------- C:\Program Files\NCH Swift Sound
    2008-07-05 08:06 . 2008-07-05 08:06 <DIR> d-------- C:\MsSdkTmp
    2008-07-04 23:53 . 2008-07-04 23:54 <DIR> d-------- C:\Program Files\BlitzPlusDemo
    2008-07-03 23:07 . 2008-07-03 23:07 <DIR> d-------- C:\Program Files\Common Files\Bcgsoft
    2008-07-03 23:02 . 2008-07-03 23:02 <DIR> d-------- C:\Program Files\The Game Creators
    2008-07-03 22:53 . 2008-07-04 16:34 <DIR> d-------- C:\Program Files\MagicISO
    2008-07-03 06:45 . 2008-07-03 22:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\DAEMON Tools
    2008-07-03 06:45 . 2008-07-03 06:45 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2008-07-02 20:05 . 2008-07-02 20:05 <DIR> d-------- C:\Program Files\uTorrent
    2008-07-02 20:05 . 2008-07-06 22:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
    2008-06-11 05:55 . 2008-06-13 08:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-11 05:55 . 2008-06-13 08:10 272,128 --a--c--- C:\WINDOWS\system32\dllcache\bthport.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-06 05:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-07-06 04:59 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-07-05 21:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-07-05 14:45 --------- d-----w C:\Program Files\Tales of Pirates Online
    2008-07-02 02:54 --------- d-----w C:\Program Files\LimeWire
    2008-07-02 02:45 --------- d-----w C:\Program Files\Common Files\AOL
    2008-07-02 02:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\AOL
    2008-06-21 23:14 --------- d-----w C:\Program Files\iPod
    2008-06-04 21:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
    2008-06-04 21:20 --------- d-----w C:\Program Files\Ahead
    2008-06-04 21:19 --------- d-----w C:\Program Files\Microsoft Works
    2008-06-04 21:14 --------- d-----w C:\Program Files\DivX
    2008-06-04 21:12 --------- d-----w C:\Program Files\FontLab
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2007-06-29 02:23 32 ----a-r C:\Documents and Settings\All Users\hash.dat
    2005-04-03 14:24 56 --sh--r C:\WINDOWS\system32\86F63302B7.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2008-07-06_ 2.02.31.85 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-07-06 06:44:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-07-07 03:56:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
    "Yahoo! Pager "= "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49 4662776]
    "SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
    "NBJ "= "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [BU]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Recguard "= "C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 15:42 212992]
    "SynTPLpr "= "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-03-26 20:20 98304]
    "SynTPEnh "= "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-03-26 20:20 499712]
    "RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 22:42 32768]
    "SiS Windows KeyHook "= "C:\WINDOWS\system32\keyhook.exe" [2004-09-02 16:44 249856]
    "SiSUSBRG "= "C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 19:15 106496]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
    "Recordpad "= "C:\Program Files\NCH Swift Sound\Recordpad\recordpad.exe" [2008-07-05 20:59 577540]
    "MW1HelperStartUp "= "C:\PROGRA~1\MAGICW~1\MW1HEL~1.EXE" [BU]
    "MCUpdateExe "= "C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [BU]
    "Antivirus "= "C:\Program Files\VAV\vav.exe" [BU]
    "SoundMan "= "SOUNDMAN.EXE" [2004-07-01 21:23 67584 C:\WINDOWS\SOUNDMAN.EXE]
    "SiSPower "= "SiSPower.dll" [2004-09-02 14:47 49152 C:\WINDOWS\system32\SiSPower.dll]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2005-02-22 20:20:19 331776]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\America Online 9.0\\waol.exe "=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "C:\\Program Files\\SmartFTP Client\\SmartFTP.exe "=
    "C:\\Program Files\\uTorrent\\uTorrent.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9842:TCP "= 9842:TCP:*:Disabled:SolidNetworkManager
    "9842:UDP "= 9842:UDP:*:Disabled:SolidNetworkManager

    R3 HSFHWSIS;HSFHWSIS;C:\WINDOWS\system32\DRIVERS\HSFHWSIS.sys [2004-09-08 11:38]
    S3 dump_wmimmc;dump_wmimmc;C:\Program Files\Bots\GameGuard\dump_wmimmc.sys []

    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{1FE4BFC2-60DB-461C-B734-1D40F120299A} - (no file)
    WebBrowser-{4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - (no file)


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-06 22:57:50
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: 2008-07-06 23:12:00 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-07-07 04:11:47
    ComboFix2.txt 2008-07-06 07:04:59

    Pre-Run: 32,830,644,224 bytes free
    Post-Run: 32,812,146,688 bytes free

    175 --- E O F --- 2008-06-20 05:12:04
     
  20. 2008/07/06
    daralee100
    And the HijackThis log. Not sure if there are still steps left; however, my time is still in military time...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:22:58, on 7/6/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\keyhook.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\sistray.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [Recordpad] "C:\Program Files\NCH Swift Sound\Recordpad\recordpad.exe" -logon
    O4 - HKLM\..\Run: [MW1HelperStartUp] C:\PROGRA~1\MAGICW~1\MW1HEL~1.EXE /partner MW1
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe "
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Microsoft AntiSpyware helper - {836EB4DD-AE34-40C7-B8FD-E8CC9ECC9962} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {836EB4DD-AE34-40C7-B8FD-E8CC9ECC9962} - (no file) (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.bigfishgames.com/online/ricochetlostworlds/ReflexiveWebGameLoader.cab
    O16 - DPF: {4C563F3F-5621-4F23-BAC8-6B84DCA61AB2} (GoonzuGlobal_downloader Control) - http://cdn.goonzu.com/gscdnSkins/GoonzuGlobal_downloader1222.cab
    O16 - DPF: {8494B5D2-DA6A-4BB8-9C15-6C18A312387E} (Caymas Secure Tunnel) - https://connect.rehabcare.com/ui/Axt.cab
    O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.bigfishgames.com/online/feedingfrenzy/Game/SproutLauncher.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 7687 bytes
     
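Reading a HijackThis log the way the helper does is mostly pattern recognition: an HKLM Run value whose name is a random hex string, rundll32 loading an eight-letter DLL out of system32, and entries marked (file missing) or (no file) that point at nothing. The script below is an added example, not HijackThis code or anything from this thread's helper; its three heuristics are my own assumptions about what to flag on a first pass, and the sample lines are copied from the log above.

```python
"""Heuristic first-pass triage of HijackThis log lines.

Added example, not from the original post or from HijackThis itself.
The heuristics (random-looking hex value names, rundll32 loading an
unbranded eight-letter DLL from system32, orphaned entries) are my
assumptions, not rules HijackThis applies.  SAMPLE_LOG is a selection
of lines copied from the log posted in the thread.
"""
import re

ENTRY_RE = re.compile(r"^(?P<section>O\d+|R\d) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Value names such as 2867d654: hex digits only, no vendor wording.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,}$", re.I)
# rundll32 loading <system32>\<eight lowercase letters>.dll, the naming
# pattern used by the tmbactxc.dll / sekwllhu.dll style droppers in this log.
RUNDLL_SYS32_RE = re.compile(
    r'(?i:rundll32(?:\.exe)?)\s+"?([^"]*\\system32\\([a-z]{8})\.dll)')
ORPHAN_MARKERS = ("(file missing)", "(no file)")


def triage_line(line):
    """Return the list of reasons a single log line deserves a look (empty if none)."""
    reasons = []
    m = ENTRY_RE.match(line.strip())
    if not m:
        return reasons
    body = m.group("body")
    if any(marker in body for marker in ORPHAN_MARKERS):
        reasons.append("orphan: target no longer exists")
    run = RUN_RE.match(body)
    if run:
        name, cmd = run.group("name"), run.group("cmd")
        if HEX_NAME_RE.match(name):
            reasons.append("random-looking hex value name")
        dll = RUNDLL_SYS32_RE.search(cmd)
        if dll:
            reasons.append("rundll32 loads unbranded system32 DLL %s.dll" % dll.group(2))
    return reasons


def triage_log(log_text):
    """(line, reasons) for every flagged line, in log order."""
    findings = []
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


# Lines copied from the HijackThis log above (a subset, chosen to exercise
# each heuristic and to include entries that legitimately pass).
SAMPLE_LOG = "\n".join([
    r"R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)",
    r"O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)",
    r"O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE",
    r"O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent",
    r'O4 - HKLM\..\Run: [2867d654] rundll32.exe "C:\WINDOWS\system32\tmbactxc.dll",b',
    r"O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe",
    r"O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)",
    r"O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)",
])

if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Note what this does not catch: the rogue `[Antivirus] C:\Program Files\VAV\vav.exe` entry passes all three checks. The helper identified it from context (the `Vista Antivirus 2008.lnk` and `vav.cpl` that ComboFix deleted) rather than from the Run line itself, which is why heuristics like these are a first pass to shorten the list, not a verdict on any single entry.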
  21. 2008/07/06
    noahdfear
    Ugghh... picked up a couple of new nasties.

    Please delete the ComboFix.exe file you currently have and download a fresh copy from here, saving it to your desktop.

    Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    NoOrphans::
    File::
    C:\WINDOWS\system32\kexeinww.dll
    C:\WINDOWS\system32\cxtcabmt.ini
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Antivirus"=-

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
