Tom's Guide | Tom's Hardware | Tom's Games
 |
 |
 |
In the last week and a bit my computer has been acting very very strangley.
I suspect it has been somehow hacked remotely and now keeps doing a variety of scary things. about 2 weeks ago my Windows Defender found a Password Stealer and i removed it and thought nothing more of it.
For the last week i have been getting "add to favourites" windows from IE asking me to add addresses of random foreign sites. For the last 2 days i've been getting many error boxes saying there is an access violation at address 00403A89 of module comsysapp.pif from address 79720000. these strange activities happen when im away from the computer.
I have tried monitering all successful connections to the pc for a day last week, i am going to make another log tonight of connections.
I have been following http://www.computing.net/security/w...
and have just run combofix. Combofix found a hidden process, which is curiously the aforementioned C:\WINDOWS\comsysapp.pif [456] 0x82EF3BE0
worryingly while combofix was working through the stages, obviously bogus, norton antivirus messages popped up claiming that combofix is malicious and should be stopped.
I assume its not as simple as deleting this file so please could i get a helping hand as to how to go about this.
I have logs of Hijack this, combofix and succesful internet connections on requestLastly, Spybot, Ad-Aware, Defender haven't fixed the problem
Thanks In Advance
Please post your Hijack This log.
Please download SmitFraudFix from this link http://siri.urz.free.fr/Fix/Smitfra... Then extract the contents to your desktop.
!!!! Only run option #1 as runing the other options on an uninfected computer will damage the desktop.!!!!
Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
0 
thanks for getting back to me jabuck. im not at my computer for a few hours but when i get to it i'll put up the log and report.
0
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:14:14, on 15/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: NormalRunning processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Daemon\daemon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\1-Click Answers\answers.exe
C:\Program Files\1-Click Answers\agtserv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Nick\Desktop\HiJackThis_v2.exe
C:\WINDOWS\system32\NOTEPAD.exe
C:\winace2.5\WinAce.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bafrg.dll/sp.html#23794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bafrg.dll/sp.html#23794
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.ex.ac.uk/resnet.pac
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: 1-Click Answers - {7754C418-F62E-44aa-B169-E719E718BCFD} - C:\PROGRA~1\1-CLIC~1\IEToolbar\AnswersToolbarU.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Daemon\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX620 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HE.exe /P31 "EPSON Stylus Photo RX620 Series" /O6 "USB003" /M "Stylus Photo RX620"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [CONNECTScheduler] "C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" /RUN_SCHEDULER
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: 1-Click Answers.lnk = C:\Program Files\1-Click Answers\answers.exe
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: Answers... - file:C:\Program Files\1-Click Answers\Html\atiemenu.htm
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/gam...
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v1...
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {18D9C485-7EEC-4395-95DA-DC3875B10E81} (TEInstallPlugIn) - http://www.skylinesoft.com/interact...
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/c...
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v1...
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/...
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v1...
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.wow-europe.com/signup/en...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/m...
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewo...
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagame...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v1...
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binar...
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Unknown owner - C:\PROGRA~1\Iomega\System32\AppServices.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.exe (file missing)--
End of file - 13933 bytes
0
Sorry to post another log but i thought i might use run a HJT scan while one of those bogus norton antivirus popups appeared. one appeared twice so far when i ran SmitFraudFix. the window seems to be caused by a process called "cscript.exe" when i have had it before with ComboFix running, "cscript.exe" chewed up almost all of my CPU%.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:26:35, on 15/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: NormalRunning processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Daemon\daemon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\1-Click Answers\answers.exe
C:\Program Files\1-Click Answers\agtserv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cscript.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bafrg.dll/sp.html#23794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bafrg.dll/sp.html#23794
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.ex.ac.uk/resnet.pac
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: 1-Click Answers - {7754C418-F62E-44aa-B169-E719E718BCFD} - C:\PROGRA~1\1-CLIC~1\IEToolbar\AnswersToolbarU.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Daemon\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX620 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HE.exe /P31 "EPSON Stylus Photo RX620 Series" /O6 "USB003" /M "Stylus Photo RX620"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [CONNECTScheduler] "C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" /RUN_SCHEDULER
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: 1-Click Answers.lnk = C:\Program Files\1-Click Answers\answers.exe
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: Answers... - file:C:\Program Files\1-Click Answers\Html\atiemenu.htm
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/gam...
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v1...
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {18D9C485-7EEC-4395-95DA-DC3875B10E81} (TEInstallPlugIn) - http://www.skylinesoft.com/interact...
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/c...
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v1...
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/...
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v1...
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.wow-europe.com/signup/en...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/m...
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewo...
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagame...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v1...
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binar...
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Unknown owner - C:\PROGRA~1\Iomega\System32\AppServices.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.exe (file missing)--
End of file - 13936 bytes
0
heres the smitfraudfix report
SmitFraudFix v2.253Scan done at 1:23:09.27, 15/11/2007
Run from C:\Documents and Settings\Nick\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Daemon\daemon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\1-Click Answers\answers.exe
C:\Program Files\1-Click Answers\agtserv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.exe»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Nick
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Nick\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Nick\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!![HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!![HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 144.173.6.71
DNS Server Search Order: 144.173.6.6HKLM\SYSTEM\CCS\Services\Tcpip\..\{3D59263F-599D-442F-BBFC-F5D6F6055CD7}: DhcpNameServer=144.173.6.71 144.173.6.6
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3D59263F-599D-442F-BBFC-F5D6F6055CD7}: DhcpNameServer=194.168.8.100 194.168.4.100
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3D59263F-599D-442F-BBFC-F5D6F6055CD7}: DhcpNameServer=144.173.6.71 144.173.6.6
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=144.173.6.71 144.173.6.6
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=144.173.6.71 144.173.6.6
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
0
Go to start> control panel> add/remove programs and uninstall this program:
MessengerPlus3
Run Hijack This, close all windows and browsers except Hijack This, place a check to the left of the following items and press "fix checked":
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bafrg.dll/sp.html#23794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bafrg.dll/sp.html#23794
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
Exit Hijack This
Please download ComboFix to the desktop from this link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)Please post the log it produces.
0
the two O4 files were removed by Add/Remove so I fixed/removed the seven leftover in HijackThis Scan. about to run combofix
0
ComboFix 07-11-08.1 - Nick 2007-11-15 18:54:06.3 - NTFSx86
Running from: C:\Documents and Settings\Nick\Desktop\ComboFix.exe
.((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.2007-11-15 01:35 4,212 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-11-15 01:21 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2007-11-15 01:21 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-11-15 01:21 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-11-15 01:21 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-11-15 01:21 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2007-11-15 01:14 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-13 21:03 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-04 19:38 103,736 --a------ C:\WINDOWS\SYSTEM32\PnkBstrB.exe
2007-11-04 19:38 66,872 --a------ C:\WINDOWS\SYSTEM32\PnkBstrA.exe
2007-11-04 19:38 22,328 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\PnkBstrK.sys
2007-11-03 23:10 <DIR> d-------- C:\Program Files\QuickTime
2007-11-03 22:54 186,880 --------- C:\WINDOWS\comsysapp.pif
2007-11-03 17:43 <DIR> d-------- C:\Program Files\Apophysis 2.0
2007-10-23 00:32 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Apple Computer
2007-10-23 00:28 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Sony
2007-10-23 00:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony
2007-10-23 00:17 <DIR> d-------- C:\Program Files\Apple Software Update
2007-10-23 00:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-10-22 23:18 <DIR> d-------- C:\Program Files\Avanquest update
2007-10-22 23:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2007-10-22 23:17 <DIR> d-------- C:\Program Files\Sony Ericsson
2007-10-22 23:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2007-10-22 23:16 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\InstallShield.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-09 11:32 --------- d-----w C:\Program Files\Symantec
2007-11-06 15:02 --------- d-----w C:\Program Files\Pontifex II
2007-11-06 11:25 --------- d-----w C:\Documents and Settings\Nick\Application Data\uTorrent
2007-11-03 23:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-10-22 23:49 --------- d-----w C:\Documents and Settings\Nick\Application Data\My Games
2007-10-22 23:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-08 18:01 --------- d-----w C:\Program Files\Google
2007-10-06 12:21 --------- d-----w C:\Program Files\MSN Messenger
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2004-11-10 22:31:03 577,230 --sh--r C:\WINDOWS\SYSTEM32\pvoi.dll
.((((((((((((((((((((((((((((( snapshot@2007-11-14_ 0.35.28.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-09-28 05:19:40 18,089,592 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
+ 2007-11-02 07:12:58 18,238,072 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
- 2006-12-19 21:52:18 8,453,632 ----a-w C:\WINDOWS\SYSTEM32\shell32.dll
+ 2007-10-26 03:34:01 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\shell32.dll
- 2007-06-19 07:24:36 350,720 ----a-w C:\WINDOWS\SYSTEM32\xpsp3res.dll
+ 2007-10-29 10:04:03 350,720 ----a-w C:\WINDOWS\SYSTEM32\xpsp3res.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2003-02-24 14:35 C:\WINDOWS\SYSTEM32\pctspk.exe]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-07-17 09:18]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2003-01-31 10:27]
"DAEMON Tools-1033"="C:\Daemon\daemon.exe" [2004-08-22 16:05]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2002-08-22 18:28]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" []
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 11:28]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" []
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2002-02-27 10:27]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-09-11 13:06]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 00:50]
"igfxtray"="C:\WINDOWS\System32\igfxtray.exe" [2005-09-20 09:35]
"igfxhkcmd"="C:\WINDOWS\System32\hkcmd.exe" [2005-09-20 09:32]
"igfxpers"="C:\WINDOWS\System32\igfxpers.exe" [2005-09-20 09:36]
"EPSON Stylus Photo RX620 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HE.exe" [2004-05-19 18:00]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2005-06-14 12:25]
"CONNECTScheduler"="C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" [2006-03-23 01:00]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.exe" [2004-02-03 13:42]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2007-09-26 14:29][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"MessengerPlusUninstall"=C:\WINDOWS\system32\cmd.exe /C "C:\DOCUME~1\Nick\LOCALS~1\Temp\MsgPlusUninst.bat"[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2bf41072-b2b1-21c1-b5c1-0305f4155515}]
C:\WINDOWS\comsysapp.pif
.
Contents of the 'Scheduled Tasks' folder
"2007-11-15 01:47:06 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-11-15 18:31:27 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exe
"2007-11-15 01:16:27 C:\WINDOWS\Tasks\User_Feed_Synchronization-{39E01E4C-FFB5-4048-A860-C361D39568E5}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 19:03:05
Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ...
C:\WINDOWS\SYSTEM32\ctfmon.exe [1224] 0x82FCF3B8
C:\WINDOWS\SYSTEM32\pctspk.exe [1200] 0x82FDB700
C:\WINDOWS\SYSTEM32\DSentry.exe [1632] 0x82E99AB0
C:\Program Files\Dell\QuickSet\quickset.exe [1984] 0x82A7D610
C:\Daemon\daemon.exe [540] 0x82A7EB88
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe [2124] 0x82F28B28
C:\PROGRA~1\NORTON~1\NAVAPW32.exe [2160] 0x82DFE778
C:\Program Files\Microsoft IntelliPoint\point32.exe [2252] 0x82D5FB88
C:\WINDOWS\SYSTEM32\igfxtray.exe [2264] 0x82FF0AE8
C:\WINDOWS\SYSTEM32\hkcmd.exe [2280] 0x82A4BB90
C:\WINDOWS\SYSTEM32\igfxpers.exe [2348] 0x82A27360
C:\WINDOWS\SYSTEM32\igfxsrvc.exe [2352] 0x82A74808
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe [2420] 0x829F7B88
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe [2444] 0x830C35D0
C:\Program Files\Windows Defender\MSASCui.exe [2488] 0x830DA020
C:\Program Files\Microsoft ActiveSync\wcescomm.exe [2556] 0x830C84E8
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe [2580] 0x82A63798
C:\Program Files\1-Click Answers\answers.exe [2692] 0x830BAA50
C:\Program Files\1-Click Answers\agtserv.exe [2708] 0x82A48DA0
C:\WINDOWS\SYSTEM32\cmd.exe [1892] 0x82936BF8
C:\WINDOWS\SYSTEM32\taskmgr.exe [3924] 0x829AF3C8
C:\WINDOWS\catchme.exe [1704] 0xFF446C68
C:\WINDOWS\comsysapp.pif [3152] 0x823DC3A8scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2007-11-15 19:09:51
C:\ComboFix2.txt ... 2007-11-14 00:38
.
--- E O F ---
0
Go to this link, VirusTotal copy the following files one at the time into the "upload and scan box", click submit then post the results.
C:\WINDOWS\comsysapp.pif
0
Antivirus;Version;Last Update;Result
AhnLab-V3;2007.11.16.0;2007.11.15;Win-Trojan/Xema.variant
AntiVir;7.6.0.34;2007.11.15;TR/Spy.Delf.WH
Authentium;4.93.8;2007.11.15;-
Avast;4.7.1074.0;2007.11.15;Win32:Trojan-gen {Other}
AVG;7.5.0.503;2007.11.15;SHeur.ENJ
BitDefender;7.2;2007.11.16;Trojan.Spy.Delf.WH
CAT-QuickHeal;9.00;2007.11.15;TrojanSpy.Delf.wh
ClamAV;0.91.2;2007.11.15;-
DrWeb;4.44.0.09170;2007.11.16;Trojan.PWS.Myxy
eSafe;7.0.15.0;2007.11.14;Suspicious File
eTrust-Vet;31.2.5299;2007.11.16;-
Ewido;4.0;2007.11.15;Logger.Delf.wh
FileAdvisor;1;2007.11.16;High threat detected
Fortinet;3.11.0.0;2007.10.19;Spy/Generic
F-Prot;4.4.2.54;2007.11.14;-
F-Secure;6.70.13030.0;2007.11.15;Trojan-Spy.Win32.Delf.wh
Ikarus;T3.1.1.12;2007.11.15;Trojan-Spy.Win32.Delf.wh
Kaspersky;7.0.0.125;2007.11.16;Trojan-Spy.Win32.Delf.wh
McAfee;5164;2007.11.15;-
Microsoft;1.3007;2007.11.12;Trojan:Win32/Malagent
NOD32v2;2661;2007.11.15;probably a variant of Win32/Spy.Delf
Norman;5.80.02;2007.11.15;-
Panda;9.0.0.4;2007.11.15;Trj/Downloader.PUR
Prevx1;V2;2007.11.16;-
Rising;20.18.31.00;2007.11.15;AdWare.Win32.Agent.nwb
Sophos;4.23.0;2007.11.15;Mal/Generic-A
Sunbelt;2.2.907.0;2007.11.16;-
Symantec;10;2007.11.15;Trojan Horse
TheHacker;6.2.9.130;2007.11.15;Trojan/Spy.Delf.wh
VBA32;3.12.2.5;2007.11.15;Trojan-Spy.Win32.Delf.wh
VirusBuster;4.3.26:9;2007.11.15;TrojanSpy.Delf.YPB
Webwasher-Gateway;6.0.1;2007.11.15;Trojan.Spy.Delf.WHAdditional information
File size: 186880 bytes
MD5: 4621b3b1eb2eb952694b3885fb52c577
SHA1: b25635379da9fbe35f9a3ad2ad435eb775f5c494
Bit9 info: http://fileadvisor.bit9.com/service...
packers: Aspack
packers: ASPack
0
Open Notepad and copy/paste everything between the X"s into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\comsysapp.pifRegistry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2bf41072-b2b1-21c1-b5c1-0305f4155515}][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"MessengerPlusUninstall"=-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run".Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe modeEmpty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Run ATF-Cleaner from safe mode.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Post a new Hijack This log and a new Combofix log please.
0
Heres the combofix log when i dragged CFScript.txt onto combofix
___________________________________ComboFix 07-11-08.1 - Nick 2007-11-16 18:25:27.4 - NTFSx86
Running from: C:\Documents and Settings\Nick\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nick\Desktop\CFScript.txt
* Created a new restore pointFILE
C:\WINDOWS\comsysapp.pif
.((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.C:\WINDOWS\comsysapp.pif
G:\Autorun.inf.
((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
.2007-11-15 01:35 4,212 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-11-15 01:21 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2007-11-15 01:21 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-11-15 01:21 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-11-15 01:21 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-11-15 01:21 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2007-11-15 01:14 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-13 21:03 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-04 19:38 103,736 --a------ C:\WINDOWS\SYSTEM32\PnkBstrB.exe
2007-11-04 19:38 66,872 --a------ C:\WINDOWS\SYSTEM32\PnkBstrA.exe
2007-11-04 19:38 22,328 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\PnkBstrK.sys
2007-11-03 23:10 <DIR> d-------- C:\Program Files\QuickTime
2007-11-03 17:43 <DIR> d-------- C:\Program Files\Apophysis 2.0
2007-10-23 00:32 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Apple Computer
2007-10-23 00:28 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Sony
2007-10-23 00:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony
2007-10-23 00:17 <DIR> d-------- C:\Program Files\Apple Software Update
2007-10-23 00:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-10-22 23:18 <DIR> d-------- C:\Program Files\Avanquest update
2007-10-22 23:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2007-10-22 23:17 <DIR> d-------- C:\Program Files\Sony Ericsson
2007-10-22 23:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2007-10-22 23:16 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\InstallShield.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-09 11:32 --------- d-----w C:\Program Files\Symantec
2007-11-06 15:02 --------- d-----w C:\Program Files\Pontifex II
2007-11-06 11:25 --------- d-----w C:\Documents and Settings\Nick\Application Data\uTorrent
2007-11-03 23:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-10-22 23:49 --------- d-----w C:\Documents and Settings\Nick\Application Data\My Games
2007-10-22 23:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-08 18:01 --------- d-----w C:\Program Files\Google
2007-10-06 12:21 --------- d-----w C:\Program Files\MSN Messenger
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2004-11-10 22:31:03 577,230 --sh--r C:\WINDOWS\SYSTEM32\pvoi.dll
.((((((((((((((((((((((((((((( snapshot@2007-11-14_ 0.35.28.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-09-28 05:19:40 18,089,592 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
+ 2007-11-02 07:12:58 18,238,072 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
- 2006-12-19 21:52:18 8,453,632 ----a-w C:\WINDOWS\SYSTEM32\shell32.dll
+ 2007-10-26 03:34:01 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\shell32.dll
- 2007-06-19 07:24:36 350,720 ----a-w C:\WINDOWS\SYSTEM32\xpsp3res.dll
+ 2007-10-29 10:04:03 350,720 ----a-w C:\WINDOWS\SYSTEM32\xpsp3res.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2003-02-24 14:35 C:\WINDOWS\SYSTEM32\pctspk.exe]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-07-17 09:18]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2003-01-31 10:27]
"DAEMON Tools-1033"="C:\Daemon\daemon.exe" [2004-08-22 16:05]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2002-08-22 18:28]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" []
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 11:28]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" []
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2002-02-27 10:27]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-09-11 13:06]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 00:50]
"igfxtray"="C:\WINDOWS\System32\igfxtray.exe" [2005-09-20 09:35]
"igfxhkcmd"="C:\WINDOWS\System32\hkcmd.exe" [2005-09-20 09:32]
"igfxpers"="C:\WINDOWS\System32\igfxpers.exe" [2005-09-20 09:36]
"EPSON Stylus Photo RX620 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HE.exe" [2004-05-19 18:00]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2005-06-14 12:25]
"CONNECTScheduler"="C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" [2006-03-23 01:00]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.exe" [2004-02-03 13:42]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2007-09-26 14:29][HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -tS3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B;C:\WINDOWS\system32\drivers\wA301b.sys
S3 CA500AI;Easy Pix Sv Still Image Capture;C:\WINDOWS\system32\Drivers\BULK2NM.sys
S3 CA500AV;Easy Pix Sv WDM Video Capture;C:\WINDOWS\system32\DRIVERS\CA500AV.SYS
S3 mdxgthkn;mdxgthkn;\??\C:\DOCUME~1\Nick\LOCALS~1\Temp\mdxgthkn.sys
S3 NAL;Nal Service ;\??\C:\WINDOWS\System32\Drivers\iqvw32.sys
S3 PentaxUsb;Pentax Digital Camera on USB;C:\WINDOWS\system32\DRIVERS\CoachUsb.sys
S3 PentaxVc;Pentax Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys
S3 s117bus;Sony Ericsson Device 117 driver (WDM);C:\WINDOWS\system32\DRIVERS\s117bus.sys
S3 s117mdfl;Sony Ericsson Device 117 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s117mdfl.sys
S3 s117mdm;Sony Ericsson Device 117 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s117mdm.sys
S3 s117mgmt;Sony Ericsson Device 117 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s117mgmt.sys
S3 s117nd5;Sony Ericsson Device 117 USB Ethernet Emulation SEMC117 (NDIS);C:\WINDOWS\system32\DRIVERS\s117nd5.sys
S3 s117obex;Sony Ericsson Device 117 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s117obex.sys
S3 s117unic;Sony Ericsson Device 117 USB Ethernet Emulation SEMC117 (WDM);C:\WINDOWS\system32\DRIVERS\s117unic.sys
S3 uac4pdt;PDT USB Composite Class Filter Driver;C:\WINDOWS\system32\DRIVERS\uac4pdt.sys.
Contents of the 'Scheduled Tasks' folder
"2007-11-16 01:48:04 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-11-16 18:22:47 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exe
"2007-11-16 01:34:17 C:\WINDOWS\Tasks\User_Feed_Synchronization-{39E01E4C-FFB5-4048-A860-C361D39568E5}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-16 18:32:51
Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ...
C:\WINDOWS\explorer.exe [3788] 0x82675720
C:\Program Files\MSN Messenger\msnmsgr.exe [3144] 0xFF347308
C:\Program Files\MSN Messenger\usnsvc.exe [356] 0x828B02E8
C:\Program Files\Mozilla Firefox\firefox.exe [3176] 0x829CAA48
C:\WINDOWS\SYSTEM32\cmd.exe [2968] 0x8252B020
C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe [3784] 0xFEE2ED10
C:\WINDOWS\SYSTEM32\cmd.exe [2580] 0x826DC020
C:\ComboFix\sed.cfexe [2800] 0x8293A020
C:\ComboFix\catchme.cfexe [2508] 0x827F0958scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0**************************************************************************
.
Completion time: 2007-11-16 18:34:15
C:\ComboFix2.txt ... 2007-11-15 19:10
C:\ComboFix3.txt ... 2007-11-14 00:38
.
--- E O F ---
0
HijackThis log after ATF-Cleaner
_________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:48:46, on 16/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: NormalRunning processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Daemon\daemon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\1-Click Answers\answers.exe
C:\Program Files\1-Click Answers\agtserv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.ex.ac.uk/resnet.pac
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: 1-Click Answers - {7754C418-F62E-44aa-B169-E719E718BCFD} - C:\PROGRA~1\1-CLIC~1\IEToolbar\AnswersToolbarU.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Daemon\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX620 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HE.exe /P31 "EPSON Stylus Photo RX620 Series" /O6 "USB003" /M "Stylus Photo RX620"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [CONNECTScheduler] "C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" /RUN_SCHEDULER
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: 1-Click Answers.lnk = C:\Program Files\1-Click Answers\answers.exe
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: Answers... - file:C:\Program Files\1-Click Answers\Html\atiemenu.htm
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/gam...
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v1...
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {18D9C485-7EEC-4395-95DA-DC3875B10E81} (TEInstallPlugIn) - http://www.skylinesoft.com/interact...
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/c...
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v1...
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/...
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v1...
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.wow-europe.com/signup/en...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/m...
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewo...
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagame...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v1...
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binar...
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Unknown owner - C:\PROGRA~1\Iomega\System32\AppServices.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.exe (file missing)--
End of file - 12825 bytes
0
ComboFix after ATF-Cleaner
____________________________
ComboFix 07-11-08.1 - Nick 2007-11-16 19:56:12.5 - NTFSx86
Running from: C:\Documents and Settings\Nick\Desktop\ComboFix.exe
.((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
.2007-11-15 01:35 4,212 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-11-15 01:21 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2007-11-15 01:21 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-11-15 01:21 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-11-15 01:21 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-11-15 01:21 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2007-11-15 01:14 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-13 21:03 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-04 19:38 103,736 --a------ C:\WINDOWS\SYSTEM32\PnkBstrB.exe
2007-11-04 19:38 66,872 --a------ C:\WINDOWS\SYSTEM32\PnkBstrA.exe
2007-11-04 19:38 22,328 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\PnkBstrK.sys
2007-11-03 23:10 <DIR> d-------- C:\Program Files\QuickTime
2007-11-03 17:43 <DIR> d-------- C:\Program Files\Apophysis 2.0
2007-10-23 00:32 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Apple Computer
2007-10-23 00:28 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Sony
2007-10-23 00:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony
2007-10-23 00:17 <DIR> d-------- C:\Program Files\Apple Software Update
2007-10-23 00:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-10-22 23:18 <DIR> d-------- C:\Program Files\Avanquest update
2007-10-22 23:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2007-10-22 23:17 <DIR> d-------- C:\Program Files\Sony Ericsson
2007-10-22 23:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2007-10-22 23:16 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\InstallShield.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-09 11:32 --------- d-----w C:\Program Files\Symantec
2007-11-06 15:02 --------- d-----w C:\Program Files\Pontifex II
2007-11-06 11:25 --------- d-----w C:\Documents and Settings\Nick\Application Data\uTorrent
2007-11-03 23:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-10-22 23:49 --------- d-----w C:\Documents and Settings\Nick\Application Data\My Games
2007-10-22 23:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-08 18:01 --------- d-----w C:\Program Files\Google
2007-10-06 12:21 --------- d-----w C:\Program Files\MSN Messenger
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2004-11-10 22:31:03 577,230 --sh--r C:\WINDOWS\SYSTEM32\pvoi.dll
.((((((((((((((((((((((((((((( snapshot@2007-11-14_ 0.35.28.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-09-28 05:19:40 18,089,592 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
+ 2007-11-02 07:12:58 18,238,072 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
- 2006-12-19 21:52:18 8,453,632 ----a-w C:\WINDOWS\SYSTEM32\shell32.dll
+ 2007-10-26 03:34:01 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\shell32.dll
- 2007-06-19 07:24:36 350,720 ----a-w C:\WINDOWS\SYSTEM32\xpsp3res.dll
+ 2007-10-29 10:04:03 350,720 ----a-w C:\WINDOWS\SYSTEM32\xpsp3res.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2003-02-24 14:35 C:\WINDOWS\SYSTEM32\pctspk.exe]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-07-17 09:18]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2003-01-31 10:27]
"DAEMON Tools-1033"="C:\Daemon\daemon.exe" [2004-08-22 16:05]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2002-08-22 18:28]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" []
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 11:28]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" []
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2002-02-27 10:27]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-09-11 13:06]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 00:50]
"igfxtray"="C:\WINDOWS\System32\igfxtray.exe" [2005-09-20 09:35]
"igfxhkcmd"="C:\WINDOWS\System32\hkcmd.exe" [2005-09-20 09:32]
"igfxpers"="C:\WINDOWS\System32\igfxpers.exe" [2005-09-20 09:36]
"EPSON Stylus Photo RX620 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HE.exe" [2004-05-19 18:00]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2005-06-14 12:25]
"CONNECTScheduler"="C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" [2006-03-23 01:00]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.exe" [2004-02-03 13:42]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2007-09-26 14:29][HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -tS3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B;C:\WINDOWS\system32\drivers\wA301b.sys
S3 CA500AI;Easy Pix Sv Still Image Capture;C:\WINDOWS\system32\Drivers\BULK2NM.sys
S3 CA500AV;Easy Pix Sv WDM Video Capture;C:\WINDOWS\system32\DRIVERS\CA500AV.SYS
S3 mdxgthkn;mdxgthkn;\??\C:\DOCUME~1\Nick\LOCALS~1\Temp\mdxgthkn.sys
S3 NAL;Nal Service ;\??\C:\WINDOWS\System32\Drivers\iqvw32.sys
S3 PentaxUsb;Pentax Digital Camera on USB;C:\WINDOWS\system32\DRIVERS\CoachUsb.sys
S3 PentaxVc;Pentax Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys
S3 s117bus;Sony Ericsson Device 117 driver (WDM);C:\WINDOWS\system32\DRIVERS\s117bus.sys
S3 s117mdfl;Sony Ericsson Device 117 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s117mdfl.sys
S3 s117mdm;Sony Ericsson Device 117 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s117mdm.sys
S3 s117mgmt;Sony Ericsson Device 117 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s117mgmt.sys
S3 s117nd5;Sony Ericsson Device 117 USB Ethernet Emulation SEMC117 (NDIS);C:\WINDOWS\system32\DRIVERS\s117nd5.sys
S3 s117obex;Sony Ericsson Device 117 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s117obex.sys
S3 s117unic;Sony Ericsson Device 117 USB Ethernet Emulation SEMC117 (WDM);C:\WINDOWS\system32\DRIVERS\s117unic.sys
S3 uac4pdt;PDT USB Composite Class Filter Driver;C:\WINDOWS\system32\DRIVERS\uac4pdt.sys.
Contents of the 'Scheduled Tasks' folder
"2007-11-16 19:47:15 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-11-16 18:22:47 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exe
"2007-11-16 01:34:17 C:\WINDOWS\Tasks\User_Feed_Synchronization-{39E01E4C-FFB5-4048-A860-C361D39568E5}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-16 20:02:39
Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2007-11-16 20:04:17
C:\ComboFix2.txt ... 2007-11-16 18:34
C:\ComboFix3.txt ... 2007-11-15 19:10
.
--- E O F ---
0
Since i removed messengerplus3 and removed those files using HijackThis, my computer seems much faster and i havent got any more strange happenings going on.
0
I just checked now and the bogus norton antivirus popups have stopped showing since the Last ComboFix(they happened during the last ComboFix but not anymore).
In the case that this was the last thing i needed to do: Thank you so very much for all the help Jabuck. my PC has never seemed so fast.
0
jabuck 'glad we could help' !?
WHO ARE YOU? Are you an individual or a group of lads?
Whats with the hijackthis? You are simply, truely and absolutely AMAZING!!
Although you haven't helped me YET!, I do want to send my appreciation with what you do. You really help many people. I feel like i envy YOU!
But you spend so much of time in doing this. You are really great. You don't have to reply this post, I just had to spill it!
HammerSledge
0  |
 Win32/Zonebac.gen!B Won't...
|
Several Malware Threats
|
This post is quite old and has been locked from receiving new replies. Please create a new posting instead.
| Ads by Google |
