Security >> HijackThis logs help and analysis
sbroadley
new user


Reg'd: Sat
Posts: 20
possible malware and SpyShredder infection
      #388909 - Thu Mar 20 2008 11:20 AM

I am receiving a SpyShredder popup each time I log in, which I don't want. I have tried deleting the folder but it won't let me delete the folder/file.

Additionally, since receiving this I have been receiving unrequired pop-ups, and also when I Google a name I end up going to other sites' listings.

I hope someone can help me - the HijackThis log follows

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:16, on 20/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\webHancer\Programs\whagent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\msiconf.exe
C:\Program Files\SpyShredder\SpyShredder.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mail.yahoo.com/?.redir=ymmapi11&.clntymver=2005.1.1.12&.cldefstat=Def0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {17BEBAF2-267A-425B-AE21-A75109B4B148} - C:\WINDOWS\system32\capico.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: adzgalore - {994B5FB4-0103-44A6-B6B3-C73572B362BC} - C:\WINDOWS\system32\nsw83.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: cpmsky.biz browser optimizer - {BCA95E31-1FBF-4F84-8F23-1BA653007A1E} - C:\WINDOWS\system32\cpmsky.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: MySidesearch Search Assistant - {C17E102B-BD29-4e92-B699-1A21D2CB8E6C} - C:\WINDOWS\system32\mysidesearch_sidebar.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PostSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\cpmsky.dll" DllStart
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O4 - HKCU\..\Run: [SpyShredder] C:\Program Files\SpyShredder\SpyShredder.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\windows\system32\YPCSER~1.EXE

--
End of file - 12254 bytes


bricatModerator
HijackThis Helper


Reg'd: Wed
Posts: 29029
Loc: belfast
Re: possible malware and SpyShredder infection [Re: sbroadley]
      #388912 - Thu Mar 20 2008 11:26 AM

Can I ask why you failed to respond to the helper HERE?

If you don't respond it means we are just wasting our time.

Please download ComboFix from either of these two locations

BleepingComputerComboFix
geeks to go combofix

* Double click combofix.exe & follow the prompts.
* When finished, it shall produce a log for you. Post that log in your next reply

Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Post back with the log from ComboFix and a new HJT log please.

--------------------
MY HELP IS FREE,BUT PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST SPYWARE.

You don't stop laughing when you get old, you get old when you stop laughing!

Edited by bricat (Thu Mar 20 2008 11:30 AM)


sbroadley
new user


Reg'd: Sat
Posts: 20
Re: possible malware and SpyShredder infection [Re: bricat]
      #388914 - Thu Mar 20 2008 11:56 AM

Here's the ComboFix log. It did say a few times while running "NTVDM CPU encountered illegal instruction", so I just chose Ignore instead of Close.

I will now run HJT and post the log in a few minutes.

ComboFix 08-03-18.1 - Spencer 2008-03-20 11:34:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.175 [GMT 0:00]
Running from: C:\Documents and Settings\Spencer\Local Settings\Temporary Internet Files\Content.IE5\EOQNM88L\ComboFix[1].exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Gina\Favorites\.url
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\ScreenSaver\Images\0094C3DC.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images\009642CB.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images\00964EA6.dat
C:\Program Files\FunWebProducts\ScreenSaver\Images\wrkparam.lst
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm.bak
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.dat.bak
C:\Program Files\PlayMP3z
C:\Program Files\PlayMP3z\PlayMP3.exe
C:\Program Files\PlayMP3z\uninstall.exe
C:\Program Files\webhancer
C:\Program Files\webhancer\Programs\license.txt
C:\Program Files\webhancer\Programs\readme.txt
C:\Program Files\webhancer\Programs\sporder.dll
C:\Program Files\webhancer\Programs\webhdll.dll
C:\Program Files\webhancer\Programs\whagent.exe
C:\Program Files\webhancer\Programs\whagent.ini
C:\Program Files\webhancer\Programs\whiehlpr.dll
C:\Program Files\webhancer\Programs\whinstaller.exe
C:\WINDOWS\system32\msiconf.exe
C:\WINDOWS\system32\nsw83.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-20 to 2008-03-20 )))))))))))))))))))))))))))))))
.

2008-03-19 17:55 . 2008-03-19 17:57 <DIR> d-------- C:\Documents and Settings\GOD\Application Data\Yahoo!
2008-03-19 17:54 . 2008-03-19 17:54 <DIR> d-------- C:\Documents and Settings\GOD\Contacts
2008-03-19 14:32 . 2008-03-19 14:37 115,000 --a------ C:\windows\system32\drivers\SYMEVENT.SYS
2008-03-19 14:32 . 2008-03-19 14:37 48,776 --a------ C:\windows\system32\S32EVNT1.DLL
2008-03-19 14:32 . 2008-03-19 14:37 8,014 --a------ C:\windows\system32\drivers\SYMEVENT.CAT
2008-03-19 14:32 . 2008-03-19 14:37 806 --a------ C:\windows\system32\drivers\SYMEVENT.INF
2008-03-19 10:02 . 2008-03-19 13:37 <DIR> d-------- C:\Program Files\SpyShredder
2008-03-18 23:46 . 2008-03-18 23:46 <DIR> d-------- C:\Program Files\Adzgalore Games Collection
2008-03-18 23:46 . 2007-09-12 18:27 88,064 --a------ C:\windows\system32\capico.dll
2008-03-18 23:46 . 2008-03-18 23:46 84,761 --a------ C:\windows\system32\mysidesearch_sidebar_uninstall.exe
2008-03-18 23:46 . 2008-03-18 23:46 80,121 --a------ C:\windows\system32\adzgalore-remove.exe
2008-03-18 23:46 . 2008-03-18 23:46 40,713 --a------ C:\windows\system32\cpmsky-uninst.exe
2008-03-18 12:19 . 2008-03-18 12:19 153,600 --a------ C:\windows\system32\mysidesearch_sidebar.dll
2008-03-15 00:19 . 2008-03-19 11:15 <DIR> d-------- C:\Documents and Settings\Spencer\Application Data\LimeWire
2008-03-07 13:58 . 2008-03-07 13:58 60,416 --a------ C:\windows\system32\cpmsky.dll
2008-03-02 23:49 . 2008-03-18 22:34 <DIR> d-------- C:\Documents and Settings\Spencer\Application Data\Apple Computer
2008-03-02 23:49 . 2008-03-20 11:44 54,156 --ah----- C:\windows\QTFont.qfn
2008-03-02 23:49 . 2008-03-02 23:49 1,409 --a------ C:\windows\QTFont.for
2008-03-02 23:48 . 2008-03-02 23:48 <DIR> d-------- C:\Program Files\iPod
2008-03-02 23:47 . 2008-03-02 23:48 <DIR> d-------- C:\Program Files\iTunes
2008-03-02 23:47 . 2008-03-02 23:47 <DIR> d-------- C:\Program Files\Bonjour
2008-03-02 23:45 . 2008-03-02 23:47 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-03-02 23:39 . 2008-03-02 23:39 <DIR> d-------- C:\Program Files\Apple Software Update
2008-03-02 23:38 . 2008-03-02 23:38 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-03-02 23:38 . 2008-03-02 23:38 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2008-03-01 16:51 . 2008-03-01 16:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-01 11:05 . 2008-03-01 11:05 <DIR> d-------- C:\MWASPI
2008-03-01 11:05 . 1997-06-11 19:01 30,208 --------- C:\windows\system32\WNASPI32.DLL
2008-03-01 11:05 . 2000-03-29 17:11 8,096 --------- C:\windows\system32\drivers\MASPINT.SYS
2008-03-01 11:05 . 1999-10-22 17:58 4,030 --------- C:\windows\system\WINASPI.DLL
2008-03-01 11:05 . 1997-02-28 03:00 2,486 --------- C:\windows\system\AS16POST.BIN
2008-03-01 11:05 . 2008-03-01 11:05 291 --a------ C:\windows\msfsetup.ini
2008-03-01 10:56 . 2008-03-01 10:56 <DIR> d-------- C:\Program Files\PIXELA
2008-03-01 10:53 . 2003-09-03 07:45 274,432 --a------ C:\windows\system32\FFTIFF16.dll
2008-03-01 10:53 . 2003-09-06 07:57 159,744 --a------ C:\windows\system32\FFRAFLIB.DLL
2008-03-01 10:53 . 2001-11-25 11:11 81,924 --------- C:\windows\system32\drivers\VC4CB104.SYS
2008-03-01 10:52 . 2002-02-05 16:33 69,632 --------- C:\windows\system32\FREGSHEX.DLL
2008-03-01 10:52 . 2002-02-27 11:27 65,536 --------- C:\windows\system32\FINFCHECK.dll
2008-03-01 10:52 . 2002-06-25 10:06 45,056 --------- C:\windows\system32\FINFCOPY.dll
2008-03-01 10:52 . 2002-02-13 10:00 45,056 --------- C:\windows\system32\FCLKBTN.DLL
2008-02-27 22:16 . 2008-02-27 22:16 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-02-26 13:29 . 2008-02-26 13:29 <DIR> d-------- C:\Documents and Settings\Gina.HOME-C65E1D5633\Contacts
2008-02-23 03:53 . 2008-02-23 03:53 <DIR> d-------- C:\Program Files\FBrowsingAdvisor
2008-02-23 03:53 . 2008-02-23 03:53 <DIR> d-------- C:\Program Files\FBrowserAdvisor
2008-02-23 03:53 . 2006-04-14 23:05 9,952 --a------ C:\regxpcom.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-19 18:05 --------- d-----w C:\Program Files\Java
2008-03-19 14:40 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-19 14:38 --------- d-----w C:\Program Files\Symantec
2008-03-19 14:38 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec
2008-03-19 14:30 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\yahoo!
2008-03-19 14:29 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Google Updater
2008-03-19 11:29 --------- d-----w C:\Program Files\LimeWire
2008-03-11 10:23 --------- d-----w C:\Documents and Settings\Gina.HOME-C65E1D5633\Application Data\Yahoo!
2008-03-02 23:46 --------- d-----w C:\Program Files\QuickTime
2008-03-01 10:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-01 10:53 --------- d-----w C:\Program Files\FinePixViewer
2008-03-01 10:52 --------- d-----w C:\Program Files\REGSHAVE
2008-02-27 22:16 --------- d-----w C:\Program Files\Real
2008-02-27 22:16 --------- d-----w C:\Program Files\Common Files\Real
2008-02-27 16:11 --------- d-----w C:\Program Files\Windows Live
2008-02-26 16:55 --------- d-----w C:\Program Files\MSN Messenger
2008-02-26 16:53 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\WLInstaller
2008-02-26 16:29 --------- d-----w C:\Documents and Settings\Spencer\Application Data\Yahoo!
2008-02-19 03:11 --------- d-----w C:\Documents and Settings\Spencer\Application Data\Leadertech
2008-02-09 18:30 --------- d-----w C:\Documents and Settings\Spencer\Application Data\MSNInstaller
2008-02-06 10:14 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-05 21:57 --------- d-----w C:\Program Files\Windows Live Favorites
2008-02-05 21:56 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-01-28 00:55 --------- d-----w C:\Documents and Settings\Administrator.HOME-C65E1D5633\Application Data\InterVideo
2008-01-25 20:19 --------- d-----w C:\Program Files\MSXML 6.0
2008-01-23 22:22 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Motive
2008-01-23 22:15 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-01-23 22:14 --------- d-----w C:\Program Files\MSBuild
2008-01-23 22:09 --------- d-----w C:\Program Files\Reference Assemblies
2008-01-23 16:00 --------- d-----w C:\Documents and Settings\Administrator.HOME-C65E1D5633\Application Data\Yahoo!
2008-01-23 15:53 --------- d-----w C:\Documents and Settings\Administrator.HOME-C65E1D5633\Application Data\Motive
2008-01-23 15:51 --------- d-----w C:\Program Files\BT Broadband Desktop Help
2008-01-23 15:50 --------- d-----w C:\Program Files\Motive
2008-01-23 15:49 --------- d-----w C:\Program Files\Common Files\Motive
2008-01-22 14:52 --------- d-----w C:\Program Files\Google
2008-01-22 13:41 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2008-01-22 13:37 --------- d-----w C:\Program Files\BT Broadband Talk Softphone
2008-01-22 13:34 --------- d-----w C:\Program Files\btbb_wcm
2008-01-22 13:21 17,801 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-01-22 13:11 --------- d-----w C:\Program Files\Snapshot Viewer
2008-01-22 13:11 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\SBT
2008-01-22 13:10 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-22 13:03 --------- d-----w C:\Documents and Settings\Administrator.HOME-C65E1D5633\Application Data\Microsoft Web Folders
2008-01-22 10:53 --------- d-----w C:\Program Files\BrowsingAdvisor
2008-01-21 22:45 --------- d-----w C:\Program Files\Enigma Software Group
2008-01-21 21:50 --------- d-----w C:\Program Files\Dcads Games Collection
2008-01-21 15:07 --------- d-----w C:\Documents and Settings\Administrator.SPENCER-2A3E2D2\Application Data\LimeWire
2008-01-20 13:13 --------- d-----w C:\Program Files\Dell
2008-01-20 12:51 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-01-20 12:40 --------- d-----w C:\Program Files\SigmaTel
2007-08-22 07:15 5,108,880 ----a-w C:\Program Files\bb_help_installer.exe
2007-05-28 13:23 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-03-24 13:50 7,718,504 ----a-w C:\Program Files\winzip110.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17BEBAF2-267A-425B-AE21-A75109B4B148}]
2007-09-12 18:27 88064 --a------ C:\WINDOWS\system32\capico.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCA95E31-1FBF-4F84-8F23-1BA653007A1E}]
2008-03-07 13:58 60416 --a------ C:\WINDOWS\system32\cpmsky.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C17E102B-BD29-4e92-B699-1A21D2CB8E6C}]
2008-03-18 12:19 153600 --a------ C:\WINDOWS\system32\mysidesearch_sidebar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 13:18 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"MSI Configuration"="msiconf.exe" []
"SpyShredder"="C:\Program Files\SpyShredder\SpyShredder.exe" [2008-03-19 10:02 408576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wltray.exe"="C:\WINDOWS\system32\wltray.exe" [2005-03-01 15:44 733292]
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [2006-12-07 06:59 935936]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19 129536]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-06-26 13:48 509224]
"btbb_McciTrayApp"="C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe" [2007-08-22 13:34 936960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09 63712]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-27 22:16 185896]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 05:59 115816]
"osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [2007-01-14 07:11 771704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-12 13:18 15360]

C:\Documents and Settings\Administrator.SPENCER-2A3E2D2\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-08 21:32:57 147456]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
BT Broadband Desktop Help.lnk - C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe [2008-01-23 15:50:12 217088]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-11-29 15:58:05 124400]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-18 04:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=


*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-14 21:46:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-20 11:38:08 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-20 11:45:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-03-20 11:52:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-20 11:52:37
.
2008-03-12 12:36:07 --- E O F ---


sbroadley
new user


Reg'd: Sat
Posts: 20
Re: possible malware and SpyShredder infection [Re: sbroadley]
      #388915 - Thu Mar 20 2008 12:04 PM

HJT log follows

(I forgot to mention that Explorer keeps "not responding" regularly as well, but I assume that is part of the same problem.)



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:05, on 20/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\CF9824.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\SpyShredder\SpyShredder.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mail.yahoo.com/?.redir=ymmapi11&.clntymver=2005.1.1.12&.cldefstat=Def0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {17BEBAF2-267A-425B-AE21-A75109B4B148} - C:\WINDOWS\system32\capico.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A4F7702F-C45B-4B10-9925-6FC28702E68F} - C:\WINDOWS\system32\capico.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: cpmsky.biz browser optimizer - {BCA95E31-1FBF-4F84-8F23-1BA653007A1E} - C:\WINDOWS\system32\cpmsky.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: MySidesearch Search Assistant - {C17E102B-BD29-4e92-B699-1A21D2CB8E6C} - C:\WINDOWS\system32\mysidesearch_sidebar.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [PostSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\cpmsky.dll" DllStart
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O4 - HKCU\..\Run: [SpyShredder] C:\Program Files\SpyShredder\SpyShredder.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\windows\system32\YPCSER~1.EXE

--
End of file - 11619 bytes


bricatModerator
HijackThis Helper


Reg'd: Wed
Posts: 29029
Loc: belfast
Re: possible malware and SpyShredder infection [Re: sbroadley]
      #388926 - Thu Mar 20 2008 01:33 PM

Quote:

Can I ask why you failed to respond to the helper HERE

I don't want to be wasting my time if you aren't going to respond.

--------------------
MY HELP IS FREE,BUT PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST SPYWARE.

You don't stop laughing when you get old, you get old when you stop laughing!


sbroadley
new user


Reg'd: Sat
Posts: 20
Re: possible malware and SpyShredder infection [Re: bricat]
      #388931 - Thu Mar 20 2008 02:01 PM

I just never saw the message of the next thing to do - I should have checked back to see - I will send apologies now - should I do as advised in the answer still, or just continue with your advice?

It is all my fault for not replying - and I assure you I will on this thread.

I was new to asking advice here and didn't realise I should keep checking back then.

Spencer


bricatModerator
HijackThis Helper


Reg'd: Wed
Posts: 29029
Loc: belfast
Re: possible malware and SpyShredder infection [Re: sbroadley]
      #388951 - Thu Mar 20 2008 06:08 PM

The helpers here give up a lot of free time to help people like yourself, the least they can expect is for you to answer.

Carry on with this thread as it is the latest one.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Double-click smitfraudfix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm



sbroadley
new user


Reg'd: Sat
Posts: 20
Re: possible malware and SpyShredder infection [Re: bricat]
      #388957 - Thu Mar 20 2008 06:47 PM

The rapport notepad log is below

SmitFraudFix v2.305

Scan done at 18:43:19.47, 20/03/2008
Run from C:\Documents and Settings\Spencer\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wltray.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\SpyShredder\SpyShredder.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Spencer


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Spencer\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Spencer\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: BT Voyager 1065 Laptop Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7F5F227A-C187-4F7E-AE6A-F600311EB3E0}: DhcpNameServer=192.168.1.254


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


bricatModerator
HijackThis Helper


Reg'd: Wed
Posts: 29029
Loc: belfast
Re: possible malware and SpyShredder infection [Re: sbroadley]
      #388961 - Thu Mar 20 2008 07:28 PM

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Open *notepad* and copy/paste the text in the quotebox below into it:

Quote:

Killall::

Folder::
C:\Program Files\SpyShredder
C:\Program Files\Adzgalore Games Collection

File::
C:\windows\system32\capico.dll
C:\windows\system32\cpmsky-uninst.exe
C:\windows\system32\mysidesearch_sidebar.dll
C:\windows\system32\cpmsky.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\BrowserHelperObjects\{17BEBAF2-267A-425B-AE21-A75109B4B148}]
[-HKEY_LOCAL_MACHINE\~\BrowserHelperObjects\{BCA95E31-1FBF-4F84-8F23-1BA653007A1E}]
[-HKEY_LOCAL_MACHINE\~\BrowserHelperObjects\{C17E102B-BD29-4e92-B699-1A21D2CB8E6C}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyShredder"=-

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Restart your computer.

When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply and let me know how it is running.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

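As an added example, not code from this thread, ComboFix or HijackThis: a small Python cross-check a helper could run before posting a CFScript, to see which O2/O4 lines of the HijackThis log the script's Folder::/File::/Registry:: entries cover and which it leaves for the next log. The sample log lines and script are constructed from entries in this thread; the expansion of HijackThis's HKCU/HKLM ..\Run shorthand and the reading of [-KEY] and "Value"=- as key and value deletions are assumptions about the syntax shown here.

```python
"""Cross-check a HijackThis log against a ComboFix CFScript (added example): which O2/O4
log lines the script's Folder::/File::/Registry:: sections touch, and which it leaves."""
import re
from dataclasses import dataclass, field

# HijackThis v2 line shapes for the two sections the script targets.
BHO_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RUN_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")

# Assumption: HijackThis's HKCU/HKLM "..\Run" shorthand stands for these keys.
RUN_KEYS = {
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}

# Constructed sample: O2/O4 lines in the HijackThis format seen in this thread.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {17BEBAF2-267A-425B-AE21-A75109B4B148} - C:\WINDOWS\system32\capico.dll
O2 - BHO: cpmsky.biz browser optimizer - {BCA95E31-1FBF-4F84-8F23-1BA653007A1E} - C:\WINDOWS\system32\cpmsky.dll
O2 - BHO: (no name) - {A4F7702F-C45B-4B10-9925-6FC28702E68F} - C:\WINDOWS\system32\capico.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PostSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\cpmsky.dll" DllStart
O4 - HKCU\..\Run: [SpyShredder] C:\Program Files\SpyShredder\SpyShredder.exe
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
"""

# Constructed sample CFScript in the syntax used in this thread.
CFSCRIPT_SAMPLE = r"""
Killall::
Folder::
C:\Program Files\SpyShredder
File::
C:\windows\system32\capico.dll
C:\windows\system32\cpmsky.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\BrowserHelperObjects\{17BEBAF2-267A-425B-AE21-A75109B4B148}]
[-HKEY_LOCAL_MACHINE\~\BrowserHelperObjects\{BCA95E31-1FBF-4F84-8F23-1BA653007A1E}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyShredder"=-
"""

@dataclass
class CFScript:
    files: set = field(default_factory=set)           # casefolded full paths
    folders: set = field(default_factory=set)         # casefolded, trailing backslash
    deleted_keys: set = field(default_factory=set)    # casefolded keys from [-KEY] lines
    deleted_values: set = field(default_factory=set)  # (casefolded key, casefolded value)

def parse_cfscript(text):
    """Collect what a CFScript would delete; directive lines end with '::'."""
    script, section, current_key = CFScript(), None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith("::"):
            section, current_key = line[:-2].lower(), None
        elif section == "file":
            script.files.add(line.casefold())
        elif section == "folder":
            script.folders.add(line.casefold().rstrip("\\") + "\\")
        elif section == "registry":
            if line.startswith("[-") and line.endswith("]"):    # [-KEY] deletes the key
                script.deleted_keys.add(line[2:-1].casefold())
            elif line.startswith("[") and line.endswith("]"):   # [KEY] selects a key
                current_key = line[1:-1].casefold()
            elif line.endswith("=-") and current_key:           # "Value"=- deletes a value
                script.deleted_values.add((current_key, line[:-2].strip('"').casefold()))
    return script

def check_hjt(hjt_text, script):
    """Map each O2/O4 log line to the reasons the script touches it ([] = untouched)."""
    report = {}
    for line in map(str.strip, hjt_text.splitlines()):
        if m := BHO_LINE.match(line):
            clsid, path, reasons = m["clsid"].casefold(), m["path"].casefold(), []
            if any(key.endswith(clsid) for key in script.deleted_keys):
                reasons.append("BHO key deleted")
            if path in script.files:
                reasons.append("DLL deleted")
            report[line] = reasons
        elif m := RUN_LINE.match(line):
            key, cmd, reasons = RUN_KEYS.get(m["hive"], "").casefold(), m["cmd"].casefold(), []
            if (key, m["value"].casefold()) in script.deleted_values:
                reasons.append("Run value deleted")
            if any(f in cmd for f in script.files) or any(d in cmd for d in script.folders):
                reasons.append("target file/folder deleted")
            report[line] = reasons
    return report

def leftovers(report):
    """Lines the script does not touch: legitimate entries, or items still to deal with."""
    return [line for line, reasons in report.items() if not reasons]

def partially_covered(report):
    """Lines where only one side goes (file but not its registry reference, or vice versa)."""
    return [line for line, reasons in report.items() if len(reasons) == 1]

if __name__ == "__main__":
    for line, reasons in check_hjt(HJT_SAMPLE, parse_cfscript(CFSCRIPT_SAMPLE)).items():
        print(", ".join(reasons) or "UNTOUCHED", "|", line)
```

On the sample, the third capico BHO and the Rundll32 PostSetupCheck entry come out as partially covered (the DLL goes, the registry reference stays), which is exactly the kind of leftover to look for in the fresh HijackThis log.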


sbroadley
new user


Reg'd: Sat
Posts: 20
Re: possible malware and SpyShredder infection [Re: bricat]
      #388967 - Thu Mar 20 2008 08:07 PM

OK - I hope I have done this correctly - the ComboFix log is below - HJT will follow in a couple of minutes

ComboFix 08-03-18.1 - Spencer 2008-03-20 20:01:56.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.222 [GMT 0:00]
Running from: C:\Documents and Settings\Spencer\Local Settings\Temporary Internet Files\Content.IE5\8IU5P9MV\ComboFix[1].exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-20 to 2008-03-20 )))))))))))))))))))))))))))))))
.

2008-03-20 18:43 . 2008-03-20 18:43 3,740 --a------ C:\windows\system32\tmp.reg
2008-03-20 18:41 . 2007-09-05 23:22 289,144 --a------ C:\windows\system32\VCCLSID.exe
2008-03-20 18:41 . 2006-04-27 16:49 288,417 --a------ C:\windows\system32\SrchSTS.exe
2008-03-20 18:41 . 2008-03-14 09:09 86,528 --a------ C:\windows\system32\VACFix.exe
2008-03-20 18:41 . 2008-03-15 17:16 82,432 --a------ C:\windows\system32\IEDFix.exe
2008-03-20 18:41 . 2003-06-05 20:13 53,248 --a------ C:\windows\system32\Process.exe
2008-03-20 18:41 . 2004-07-31 17:50 51,200 --a------ C:\windows\system32\dumphive.exe
2008-03-20 18:41 . 2007-10-03 23:36 25,600 --a------ C:\windows\system32\WS2Fix.exe
2008-03-19 17:55 . 2008-03-19 17:57 <DIR> d-------- C:\Documents and Settings\GOD\Application Data\Yahoo!
2008-03-19 17:54 . 2008-03-19 17:54 <DIR> d-------- C:\Documents and Settings\GOD\Contacts
2008-03-19 14:32 . 2008-03-19 14:37 115,000 --a------ C:\windows\system32\drivers\SYMEVENT.SYS
2008-03-19 14:32 . 2008-03-19 14:37 48,776 --a------ C:\windows\system32\S32EVNT1.DLL
2008-03-19 14:32 . 2008-03-19 14:37 8,014 --a------ C:\windows\system32\drivers\SYMEVENT.CAT
2008-03-19 14:32 . 2008-03-19 14:37 806 --a------ C:\windows\system32\drivers\SYMEVENT.INF
2008-03-19 10:02 . 2008-03-19 13:37 <DIR> d-------- C:\Program Files\SpyShredder
2008-03-18 23:46 . 2008-03-18 23:46 <DIR> d-------- C:\Program Files\Adzgalore Games Collection
2008-03-18 23:46 . 2007-09-12 18:27 88,064 --a------ C:\windows\system32\capico.dll
2008-03-18 23:46 . 2008-03-18 23:46 84,761 --a------ C:\windows\system32\mysidesearch_sidebar_uninstall.exe
2008-03-18 23:46 . 2008-03-18 23:46 80,121 --a------ C:\windows\system32\adzgalore-remove.exe
2008-03-18 23:46 . 2008-03-18 23:46 40,713 --a------ C:\windows\system32\cpmsky-uninst.exe
2008-03-18 12:19 . 2008-03-18 12:19 153,600 --a------ C:\windows\system32\mysidesearch_sidebar.dll
2008-03-15 00:19 . 2008-03-19 11:15 <DIR> d-------- C:\Documents and Settings\Spencer\Application Data\LimeWire
2008-03-07 13:58 . 2008-03-07 13:58 60,416 --a------ C:\windows\system32\cpmsky.dll
2008-03-02 23:49 . 2008-03-18 22:34 <DIR> d-------- C:\Documents and Settings\Spencer\Application Data\Apple Computer
2008-03-02 23:49 . 2008-03-20 19:56 54,156 --ah----- C:\windows\QTFont.qfn
2008-03-02 23:49 . 2008-03-02 23:49 1,409 --a------ C:\windows\QTFont.for
2008-03-02 23:48 . 2008-03-02 23:48 <DIR> d-------- C:\Program Files\iPod
2008-03-02 23:47 . 2008-03-02 23:48 <DIR> d-------- C:\Program Files\iTunes
2008-03-02 23:47 . 2008-03-02 23:47 <DIR> d-------- C:\Program Files\Bonjour
2008-03-02 23:45 . 2008-03-02 23:47 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-03-02 23:39 . 2008-03-02 23:39 <DIR> d-------- C:\Program Files\Apple Software Update
2008-03-02 23:38 . 2008-03-02 23:38 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-03-02 23:38 . 2008-03-02 23:38 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2008-03-01 16:51 . 2008-03-01 16:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-01 11:05 . 2008-03-01 11:05 <DIR> d-------- C:\MWASPI
2008-03-01 11:05 . 1997-06-11 19:01 30,208 --------- C:\windows\system32\WNASPI32.DLL
2008-03-01 11:05 . 2000-03-29 17:11 8,096 --------- C:\windows\system32\drivers\MASPINT.SYS
2008-03-01 11:05 . 1999-10-22 17:58 4,030 --------- C:\windows\system\WINASPI.DLL
2008-03-01 11:05 . 1997-02-28 03:00 2,486 --------- C:\windows\system\AS16POST.BIN
2008-03-01 11:05 . 2008-03-01 11:05 291 --a------ C:\windows\msfsetup.ini
2008-03-01 10:56 . 2008-03-01 10:56 <DIR> d-------- C:\Program Files\PIXELA
2008-03-01 10:53 . 2003-09-03 07:45 274,432 --a------ C:\windows\system32\FFTIFF16.dll
2008-03-01 10:53 . 2003-09-06 07:57 159,744 --a------ C:\windows\system32\FFRAFLIB.DLL
2008-03-01 10:53 . 2001-11-25 11:11 81,924 --------- C:\windows\system32\drivers\VC4CB104.SYS
2008-03-01 10:52 . 2002-02-05 16:33 69,632 --------- C:\windows\system32\FREGSHEX.DLL
2008-03-01 10:52 . 2002-02-27 11:27 65,536 --------- C:\windows\system32\FINFCHECK.dll
2008-03-01 10:52 . 2002-06-25 10:06 45,056 --------- C:\windows\system32\FINFCOPY.dll
2008-03-01 10:52 . 2002-02-13 10:00 45,056 --------- C:\windows\system32\FCLKBTN.DLL
2008-02-27 22:16 . 2008-02-27 22:16 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-02-26 13:29 . 2008-02-26 13:29 <DIR> d-------- C:\Documents and Settings\Gina.HOME-C65E1D5633\Contacts
2008-02-23 03:53 . 2008-02-23 03:53 <DIR> d-------- C:\Program Files\FBrowsingAdvisor
2008-02-23 03:53 . 2008-02-23 03:53 <DIR> d-------- C:\Program Files\FBrowserAdvisor
2008-02-23 03:53 . 2006-04-14 23:05 9,952 --a------ C:\regxpcom.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-20 15:30 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Google Updater
2008-03-19 18:05 --------- d-----w C:\Program Files\Java
2008-03-19 14:40 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-19 14:38 --------- d-----w C:\Program Files\Symantec
2008-03-19 14:38 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec
2008-03-19 14:30 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\yahoo!
2008-03-19 11:29 --------- d-----w C:\Program Files\LimeWire
2008-03-11 10:23 --------- d-----w C:\Documents and Settings\Gina.HOME-C65E1D5633\Application Data\Yahoo!
2008-03-02 23:46 --------- d-----w C:\Program Files\QuickTime
2008-03-01 10:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-01 10:53 --------- d-----w C:\Program Files\FinePixViewer
2008-03-01 10:52 --------- d-----w C:\Program Files\REGSHAVE
2008-02-27 22:16 348,160 ------w C:\WINDOWS\system32\msvcr71.dll
2008-02-27 22:16 --------- d-----w C:\Program Files\Real
2008-02-27 22:16 --------- d-----w C:\Program Files\Common Files\Real
2008-02-27 16:11 --------- d-----w C:\Program Files\Windows Live
2008-02-26 16:55 --------- d-----w C:\Program Files\MSN Messenger
2008-02-26 16:53 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\WLInstaller
2008-02-26 16:29 --------- d-----w C:\Documents and Settings\Spencer\Application Data\Yahoo!
2008-02-19 03:11 --------- d-----w C:\Documents and Settings\Spencer\Application Data\Leadertech
2008-02-09 18:30 --------- d-----w C:\Documents and Settings\Spencer\Application Data\MSNInstaller
2008-02-06 10:14 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-05 21:57 --------- d-----w C:\Program Files\Windows Live Favorites
2008-02-05 21:56 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-02-01 11:11 586,240 ----a-w C:\WINDOWS\WLXPGSS.SCR
2008-01-28 00:55 --------- d-----w C:\Documents and Settings\Administrator.HOME-C65E1D5633\Application Data\InterVideo
2008-01-25 20:19 --------- d-----w C:\Program Files\MSXML 6.0
2008-01-23 22:22 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Motive
2008-01-23 22:15 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-01-23 22:14 --------- d-----w C:\Program Files\MSBuild
2008-01-23 22:09 --------- d-----w C:\Program Files\Reference Assemblies
2008-01-23 16:00 --------- d-----w C:\Documents and Settings\Administrator.HOME-C65E1D5633\Application Data\Yahoo!
2008-01-23 15:53 --------- d-----w C:\Documents and Settings\Administrator.HOME-C65E1D5633\Application Data\Motive
2008-01-23 15:51 --------- d-----w C:\Program Files\BT Broadband Desktop Help
2008-01-23 15:50 --------- d-----w C:\Program Files\Motive
2008-01-23 15:49 --------- d-----w C:\Program Files\Common Files\Motive
2008-01-22 14:52 --------- d-----w C:\Program Files\Google
2008-01-22 13:41 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2008-01-22 13:37 --------- d-----w C:\Program Files\BT Broadband Talk Softphone
2008-01-22 13:34 --------- d-----w C:\Program Files\btbb_wcm
2008-01-22 13:33 155,995 ----a-w C:\WINDOWS\Java\Packages\MYSMGT3B.ZIP
2008-01-22 13:21 17,801 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-01-22 13:11 --------- d-----w C:\Program Files\Snapshot Viewer
2008-01-22 13:11 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\SBT
2008-01-22 13:10 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-22 13:03 --------- d-----w C:\Documents and Settings\Administrator.HOME-C65E1D5633\Application Data\Microsoft Web Folders
2008-01-22 10:53 --------- d-----w C:\Program Files\BrowsingAdvisor
2008-01-21 22:45 --------- d-----w C:\Program Files\Enigma Software Group
2008-01-21 21:50 --------- d-----w C:\Program Files\Dcads Games Collection
2008-01-21 15:07 --------- d-----w C:\Documents and Settings\Administrator.SPENCER-2A3E2D2\Application Data\LimeWire
2008-01-20 13:13 --------- d-----w C:\Program Files\Dell
2008-01-20 12:51 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-01-20 12:40 --------- d-----w C:\Program Files\SigmaTel
2007-08-22 07:15 5,108,880 ----a-w C:\Program Files\bb_help_installer.exe
2007-05-28 13:23 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-03-24 13:50 7,718,504 ----a-w C:\Program Files\winzip110.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17BEBAF2-267A-425B-AE21-A75109B4B148}]
2007-09-12 18:27 88064 --a------ C:\WINDOWS\system32\capico.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B0A4117-5002-4327-A362-0185DF8CCD3A}]
2007-09-12 18:27 88064 --a------ C:\WINDOWS\system32\capico.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A4F7702F-C45B-4B10-9925-6FC28702E68F}]
2007-09-12 18:27 88064 --a------ C:\WINDOWS\system32\capico.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCA95E31-1FBF-4F84-8F23-1BA653007A1E}]
2008-03-07 13:58 60416 --a------ C:\WINDOWS\system32\cpmsky.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C17E102B-BD29-4e92-B699-1A21D2CB8E6C}]
2008-03-18 12:19 153600 --a------ C:\WINDOWS\system32\mysidesearch_sidebar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 13:18 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"MSI Configuration"="msiconf.exe" []
"SpyShredder"="C:\Program Files\SpyShredder\SpyShredder.exe" [2008-03-19 10:02 408576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wltray.exe"="C:\WINDOWS\system32\wltray.exe" [2005-03-01 15:44 733292]
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [2006-12-07 06:59 935936]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19 129536]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-06-26 13:48 509224]
"btbb_McciTrayApp"="C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe" [2007-08-22 13:34 936960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09 63712]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-27 22:16 185896]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 05:59 115816]
"osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [2007-01-14 07:11 771704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-12 13:18 15360]

C:\Documents and Settings\Administrator.SPENCER-2A3E2D2\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-08 21:32:57 147456]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
BT Broadband Desktop Help.lnk - C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe [2008-01-23 15:50:12 217088]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-11-29 15:58:05 124400]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-18 04:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=


*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-14 21:46:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-20 19:38:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-20 20:05:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-20 20:06:07
ComboFix-quarantined-files.txt 2008-03-20 20:05:51
ComboFix2.txt 2008-03-20 11:52:44
.
2008-03-12 12:36:07 --- E O F ---


sbroadley
new user


Reg'd: Sat
Posts: 20
Re: possible malware and SpyShredder infection [Re: sbroadley]
      #388968 - Thu Mar 20 2008 08:08 PM

HJT log -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:09:25, on 20/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\SpyShredder\SpyShredder.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mail.yahoo.com/?.redir=ymmapi11&.clntymver=2005.1.1.12&.cldefstat=Def0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {17BEBAF2-267A-425B-AE21-A75109B4B148} - C:\WINDOWS\system32\capico.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Prog