Computer Security & Viruses/Questions


Question
QUESTION: Hi Brian. I ran both programs but can't seem to find either file you asked for. I'm now having a problem with my email. It says I'm running a script that's causing it to run super slow and my CPU may become unresponsive.

ANSWER: Hi Ian

You should not be running any programs until we have cleared the malware from your computer. Please download ComboFix and save it to your desktop:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

   * Note: It is important that it is saved directly to your desktop.
   * Close any open browsers.
   * Double-click on combofix.exe and follow the prompts.
   * When it's finished it will produce a log.
   * Post the contents of C:\ComboFix.txt into your next reply.
   * Note: Do not mouse-click ComboFix's window while it's running. That may cause the program to freeze/hang.

Send me that log and a new DSS main log.

Brian

---------- FOLLOW-UP ----------

QUESTION: Here is the new DSS main and the new log at the end.

Deckard's System Scanner v20071014.68
Run by Ian on 2008-04-27 16:37:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Ian.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:37:24 PM, on 4/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Ian\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ian.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [SpyShredder] C:\Program Files\SpyShredder\SpyShredder.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O20 - Winlogon Notify: fccYpmKD - fccYpmKD.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6952 bytes

-- Files created between 2008-03-27 and 2008-04-27 -----------------------------

2008-04-27 16:30:47     68096 --a------ C:\WINDOWS\zip.exe
2008-04-27 16:30:47     49152 --a------ C:\WINDOWS\VFind.exe
2008-04-27 16:30:47    212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-27 16:30:47    136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-27 16:30:47    161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-27 16:30:47     98816 --a------ C:\WINDOWS\sed.exe
2008-04-27 16:30:47     80412 --a------ C:\WINDOWS\grep.exe
2008-04-27 16:30:47     73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-27 12:17:33         0 d-------- C:\Documents and Settings\Ian\DoctorWeb
2008-04-27 12:05:16      3510 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-27 12:04:10     25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-27 12:04:10    289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-04-27 12:04:10     86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-27 12:04:10    288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-04-27 12:04:10     82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-27 12:04:10     51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-27 12:04:10     82944 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-27 10:01:55         0 d-------- C:\Program Files\Trend Micro
2008-04-27 09:50:59         0 d-------- C:\Program Files\The KMPlayer
2008-04-27 09:50:59         0 d-------- C:\Program Files\Spyware Doctor
2008-04-26 21:28:54   4186112 --a------ C:\Documents and Settings\Ian\ntuser.dat
2008-04-26 21:23:48         0 d--hs---- C:\Documents and Settings\Ian\!
2008-04-26 21:23:11         0 d-------- C:\WINDOWS\system32\pnVes05
2008-04-26 21:23:11         0 d-------- C:\Temp
2008-04-19 19:55:15         0 d-------- C:\Program Files\Incomplete
2008-04-19 19:49:08         0 d-------- C:\Program Files\Common Files\xing shared
2008-03-29 21:20:12         0 d-------- C:\Documents and Settings\Ian\Application Data\kantaris
2008-03-29 20:52:12         0 d-------- C:\Documents and Settings\Ian\Shared
2008-03-29 20:52:07         0 d-------- C:\Documents and Settings\Ian\Incomplete
2008-03-29 20:51:57         0 d-------- C:\Documents and Settings\Ian\Application Data\FrostWire
2008-03-29 20:19:51         0 d-------- C:\Documents and Settings\All Users\Application Data\Winamp Toolbar


-- Find3M Report ---------------------------------------------------------------

2008-04-27 14:40:03         0 d-------- C:\Documents and Settings\Ian\Application Data\LimeWire
2008-04-27 13:05:05         0 d-------- C:\Program Files\NoAdware5.0
2008-04-26 21:27:59         0 d-------- C:\Program Files\LimeWire
2008-04-19 19:57:19         0 d-------- C:\Documents and Settings\Ian\Application Data\Real
2008-04-19 19:49:08         0 d-------- C:\Program Files\Common Files
2008-04-19 19:49:04         0 d-------- C:\Program Files\Common Files\Real
2008-04-19 19:48:44         0 d-------- C:\Program Files\Real
2008-03-29 21:33:46         0 d-------- C:\Program Files\Java
2008-03-21 17:03:43         0 d-------- C:\Program Files\Google
2008-03-18 10:56:12         0 d-------- C:\Program Files\107.6_Juice_FM
2008-03-03 13:10:53         0 d-------- C:\Program Files\DivX
2008-03-03 13:06:21         0 d-------- C:\Documents and Settings\Ian\Application Data\DivX
2008-03-03 12:31:13         0 d-------- C:\Program Files\SigmaTel
2008-03-03 12:11:57         0 d-------- C:\Program Files\Driver-Soft
2008-03-03 11:56:03         0 d-------- C:\Program Files\SymplisIT
2008-03-03 11:08:18         0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-03 09:53:54         0 d-------- C:\Program Files\Lavasoft
2008-03-03 09:53:25         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-02 13:28:42         0 d-------- C:\Documents and Settings\Ian\Application Data\ESTSoft
2008-03-02 13:16:15        38 --a------ C:\WINDOWS\system32\w3url.dll
2008-03-02 13:14:17         0 d-------- C:\Documents and Settings\Ian\Application Data\J River
2008-02-28 11:50:42         0 d-------- C:\Documents and Settings\Ian\Application Data\Creative
2008-02-28 11:37:45         0 d-------- C:\Program Files\Creative
2008-02-28 11:36:42       183 --a------ C:\WINDOWS\setuplog
2008-02-28 11:36:35         0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-02 03:29:21         0 -rahs---- C:\MSDOS.SYS
2008-02-02 03:29:21         0 -rahs---- C:\IO.SYS
2008-02-02 03:29:21         0 --a------ C:\CONFIG.SYS
2008-02-02 03:29:21         0 --a------ C:\AUTOEXEC.BAT
2008-02-02 03:27:18     21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-02-01 22:23:54        62 --ahs---- C:\Documents and Settings\Ian\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [11/30/2006 09:50 AM]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [11/17/2006 02:39 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [03/19/2007 08:15 AM]
"nwiz"="nwiz.exe" [03/19/2007 08:15 AM C:\WINDOWS\system32\nwiz.exe]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [09/08/2005 06:20 AM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" []
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" []
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [03/19/2007 08:15 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"SigmatelSysTrayApp"="stsystra.exe" [03/20/2006 05:00 PM C:\WINDOWS\stsystra.exe]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04/19/2008 07:48 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [03/03/2008 09:27 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"WeatherEye"="C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [02/01/2008 05:17 PM]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [12/02/2004 07:23 PM]
"SpyShredder"="C:\Program Files\SpyShredder\SpyShredder.exe" []

C:\Documents and Settings\Ian\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [10/26/2006 9:24:54 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe [2/15/2008 11:09:19 AM]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [3/3/2008 9:27:19 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccYpmKD]
fccYpmKD.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-04-27 16:37:38 ------------



ComboFix 08-04-26.5 - Ian 2008-04-27 16:31:29.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1451 [GMT -4:00]
Running from: C:\Documents and Settings\Ian\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\dllcache\spoolsv.exe
C:\WINDOWS\system32\dlolnqcg.dll
C:\WINDOWS\system32\eudllnmj.dll
C:\WINDOWS\system32\fccbCtTL.dll
C:\WINDOWS\system32\fccYpmKD.dll
C:\WINDOWS\system32\gcqnlold.ini
C:\WINDOWS\system32\LTtCbccf.ini
C:\WINDOWS\system32\LTtCbccf.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qgwwlxxr.dll

.
(((((((((((((((((((((((((   Files Created from 2008-03-27 to 2008-04-27  )))))))))))))))))))))))))))))))
.

2008-04-27 16:31 . 2008-04-27 16:31   1,024   --ah-----   C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-04-27 14:40 . 2008-04-27 15:18   223,055,073   --a------   C:\Paola Rey - Little Miss Innocent.mpg
2008-04-27 14:40 . 2008-04-27 15:08   116,562,816   --a------   C:\Pornstars like it Big - Shyla Stylez & Nikki Benz.mpg
2008-04-27 14:37 . 2008-04-27 15:51   534,849,540   --a------   C:\Shyla Stylez - Pornstars Like It Big [4_5_07].mpeg
2008-04-27 14:37 . 2008-04-27 15:13   235,318,245   --a------   C:\Cum Swapping Sluts 7 - Teagan Presley, Eva Angelina.mpg
2008-04-27 12:17 . 2008-04-27 12:17   <DIR>   d--------   C:\Documents and Settings\Ian\DoctorWeb
2008-04-27 12:05 . 2008-04-27 12:05   3,510   --a------   C:\WINDOWS\system32\tmp.reg
2008-04-27 12:04 . 2007-09-06 00:22   289,144   --a------   C:\WINDOWS\system32\VCCLSID.exe
2008-04-27 12:04 . 2006-04-27 17:49   288,417   --a------   C:\WINDOWS\system32\SrchSTS.exe
2008-04-27 12:04 . 2008-04-24 08:10   86,528   --a------   C:\WINDOWS\system32\VACFix.exe
2008-04-27 12:04 . 2008-04-23 22:14   82,944   --a------   C:\WINDOWS\system32\IEDFix.exe
2008-04-27 12:04 . 2008-04-23 22:14   82,944   --a------   C:\WINDOWS\system32\404Fix.exe
2008-04-27 12:04 . 2004-07-31 18:50   51,200   --a------   C:\WINDOWS\system32\dumphive.exe
2008-04-27 12:04 . 2007-10-04 00:36   25,600   --a------   C:\WINDOWS\system32\WS2Fix.exe
2008-04-27 10:01 . 2008-04-27 10:01   <DIR>   d--------   C:\Program Files\Trend Micro
2008-04-27 09:59 . 2008-04-27 09:59   <DIR>   d--------   C:\Deckard
2008-04-27 09:50 . 2008-04-27 09:50   <DIR>   d--------   C:\Program Files\The KMPlayer
2008-04-27 09:50 . 2008-04-27 09:50   <DIR>   d--------   C:\Program Files\Spyware Doctor
2008-04-27 09:48 . 2008-04-27 15:22   109,786   --a------   C:\WINDOWS\BMe7f7ba84.xml
2008-04-26 21:23 . 2008-04-26 21:23   <DIR>   d--------   C:\WINDOWS\system32\pnVes05
2008-04-26 21:23 . 2008-04-26 21:23   <DIR>   d--------   C:\Temp\zvebs14
2008-04-26 21:23 . 2008-04-26 21:23   <DIR>   d--------   C:\Temp
2008-04-26 21:23 . 2008-04-27 13:34   <DIR>   d--hs----   C:\Documents and Settings\Ian\!
2008-04-19 19:55 . 2008-04-19 19:55   <DIR>   d--------   C:\Program Files\Incomplete
2008-04-19 19:49 . 2008-04-19 19:49   <DIR>   d--------   C:\Program Files\Common Files\xing shared
2008-04-16 14:38 . 2004-05-14 16:53   462,848   --a------   C:\WINDOWS\system32\ltkrn13n.dll
2008-04-16 14:38 . 2004-05-14 16:53   450,560   --a------   C:\WINDOWS\system32\ltimg13n.dll
2008-04-16 14:38 . 2004-05-14 16:53   401,408   --a------   C:\WINDOWS\system32\lfcmp13n.dll
2008-04-16 14:38 . 2004-05-14 16:53   299,008   --a------   C:\WINDOWS\system32\ltdis13n.dll
2008-04-16 14:38 . 2004-01-12 02:09   206,336   --a------   C:\WINDOWS\system32\ltefx13n.dll
2008-04-16 14:38 . 2004-05-14 16:53   163,840   --a------   C:\WINDOWS\system32\ltfil13n.dll
2008-04-16 14:38 . 2003-11-04 15:10   69,632   --a------   C:\WINDOWS\system32\lfgif13n.dll
2008-04-16 14:38 . 2004-05-14 16:53   57,344   --a------   C:\WINDOWS\system32\lfbmp13n.dll
2008-03-29 21:20 . 2008-03-29 21:20   <DIR>   d--------   C:\Documents and Settings\Ian\Application Data\kantaris
2008-03-29 20:52 . 2008-03-29 20:53   <DIR>   d--------   C:\Documents and Settings\Ian\Shared
2008-03-29 20:52 . 2008-04-19 19:09   <DIR>   d--------   C:\Documents and Settings\Ian\Incomplete
2008-03-29 20:51 . 2008-04-27 11:59   <DIR>   d--------   C:\Documents and Settings\Ian\Application Data\FrostWire
2008-03-29 20:19 . 2008-03-29 21:24   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Winamp Toolbar
2008-03-29 20:19 . 2007-03-07 19:51   129,784   --a------   C:\WINDOWS\system32\pxafs.dll
2008-03-29 20:19 . 2007-03-07 19:51   9,464   ---------   C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-03-29 20:19 . 2007-03-07 19:51   9,336   ---------   C:\WINDOWS\system32\drivers\cdr4_xp.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 18:40   ---------   d-----w   C:\Documents and Settings\Ian\Application Data\LimeWire
2008-04-27 17:05   ---------   d-----w   C:\Program Files\NoAdware5.0
2008-04-27 01:27   ---------   d-----w   C:\Program Files\LimeWire
2008-04-26 21:51   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-19 23:49   ---------   d-----w   C:\Program Files\Common Files\Real
2008-04-19 23:48   ---------   d-----w   C:\Program Files\Real
2008-03-30 01:33   ---------   d-----w   C:\Program Files\Java
2008-03-21 21:03   ---------   d-----w   C:\Program Files\Google
2008-03-18 14:56   ---------   d-----w   C:\Program Files\107.6_Juice_FM
2008-03-03 17:10   ---------   d-----w   C:\Program Files\DivX
2008-03-03 17:06   ---------   d-----w   C:\Documents and Settings\Ian\Application Data\DivX
2008-03-03 16:31   ---------   d-----w   C:\Program Files\SigmaTel
2008-03-03 16:11   ---------   d-----w   C:\Program Files\Driver-Soft
2008-03-03 15:56   ---------   d-----w   C:\Program Files\SymplisIT
2008-03-03 15:08   ---------   d-----w   C:\Program Files\Common Files\InstallShield
2008-03-03 13:54   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-03 13:53   ---------   d-----w   C:\Program Files\Lavasoft
2008-03-03 13:53   ---------   d-----w   C:\Program Files\Common Files\Wise Installation Wizard
2008-03-03 13:43   ---------   d---a-w   C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-02 17:28   ---------   d-----w   C:\Documents and Settings\Ian\Application Data\ESTSoft
2008-03-02 17:28   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\ESTsoft
2008-03-02 17:14   ---------   d-----w   C:\Documents and Settings\Ian\Application Data\J River
2008-02-28 15:50   ---------   d-----w   C:\Documents and Settings\Ian\Application Data\Creative
2008-02-28 15:37   ---------   d-----w   C:\Program Files\Creative
2008-02-28 15:36   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-03 09:27 68856]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"WeatherEye"="C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2008-02-01 17:17 4487064]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 19:23 102400]
"SpyShredder"="C:\Program Files\SpyShredder\SpyShredder.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 09:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 14:39 136768]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-03-19 08:15 7634944]
"nwiz"="nwiz.exe" [2007-03-19 08:15 1622016 C:\WINDOWS\system32\nwiz.exe]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 06:20 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-03-19 08:15 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 17:00 282624 C:\WINDOWS\stsystra.exe]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-19 19:48 185896]

C:\Documents and Settings\Ian\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe [2008-02-15 11:09:19 249856]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-03-03 09:27:19 125624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccYpmKD]
fccYpmKD.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=


.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 16:33:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
.
**************************************************************************
.
Completion time: 2008-04-27 16:35:01 - machine was rebooted
ComboFix-quarantined-files.txt  2008-04-27 20:34:57

Pre-Run: 234,388,086,784 bytes free
Post-Run: 234,513,002,496 bytes free

166   --- E O F ---   2008-04-11 07:02:05


ANSWER: Hi Ian

Now we're getting somewhere, finally! Alright, I will need you to run SmitfraudFix once again.

   * Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually).
   * Double-click SmitfraudFix.exe.
   * Select 2 and hit Enter to delete infected files.
   * You will be prompted: "Do you want to clean the registry ?" Answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
   * The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): "Replace infected file ?" Answer Y (yes) and hit Enter to restore a clean file.
   * A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt.
   * Send me that log along with a new DSS main log.

Brian


---------- FOLLOW-UP ----------

QUESTION: OK. I sent those 2 files as attachments to the email address you sent me earlier.

ANSWER: Hi Ian

I received the files fine. You still have SpyShredder on your system. This is a rogue malware program. Download SuperAntiSpyware free from here:

http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

Install it and double-click the icon on your desktop to run it.

   * It will ask if you want to update the program definitions; click Yes.
   * Under Configuration and Preferences, click the Preferences button.
   * Click the Scanning Control tab.
   * Under Scanner Options make sure the following are checked:
        * Close browsers before scanning
        * Scan for tracking cookies
        * Terminate memory threats before quarantining
     Please leave the others unchecked.
   * Click the Close button to leave the control center screen.
   * On the main screen, under Scan for Harmful Software, click Scan your computer.
   * On the left check C:\Fixed Drive.
   * On the right, under Complete Scan, choose Perform Complete Scan.
   * Click Next to start the scan. Please be patient while it scans your computer.
   * After the scan is complete a summary box will appear. Click OK.
   * Make sure everything in the white box has a check next to it, then click Next.
   * It will quarantine what it found and, if it asks if you want to reboot, click Yes.

To retrieve the removal information for me please do the following:

   * After reboot, double-click the SUPERAntiSpyware icon on your desktop.
   * Click Preferences. Click the Statistics/Logs tab.
   * Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
   * It will open in your default text editor (such as Notepad/Wordpad).
   * Please highlight everything in the notepad, then right-click and choose copy.
   * Click close and close again to exit the program.
   * Please post or email me that log here with a new DSS log.

Brian
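Brian's diagnosis rests on reading the HijackThis log by eye: the O4 Run entry for SpyShredder, and the O20 Winlogon Notify entry whose DLL ComboFix had already deleted. The Python script below is an added example, not code from this thread or from HijackThis, DSS or ComboFix; it parses a constructed subset of the log lines above, cross-checks them against the ComboFix "Other Deletions" list, and flags those two findings. The ROGUE_WATCHLIST holding only SpyShredder is an assumption built from this thread, not a real rogue-software list.

```python
"""Triage of HijackThis O4/O20/O23 lines against ComboFix deletions (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis lines posted in the log above.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpyShredder] C:\Program Files\SpyShredder\SpyShredder.exe
O20 - Winlogon Notify: fccYpmKD - fccYpmKD.dll (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
"""

# Constructed sample: three paths from the ComboFix "Other Deletions" section above.
COMBOFIX_DELETIONS = r"""
C:\WINDOWS\system32\fccbCtTL.dll
C:\WINDOWS\system32\fccYpmKD.dll
C:\WINDOWS\system32\LTtCbccf.ini
"""

# Assumption: a watch list of rogue-program names; here only the one named in the thread.
ROGUE_WATCHLIST = {"spyshredder"}

@dataclass
class Entry:
    section: str                # HijackThis section: O4, O20 or O23
    name: str                   # Run value name, Winlogon Notify subkey, or service name
    path: str                   # file the entry points at
    file_missing: bool = False  # HijackThis printed "(file missing)" after the path

@dataclass
class Finding:
    section: str
    name: str
    reason: str

# Only the registry Run variants of O4 are handled (not the Startup-folder .lnk lines).
HJT_O4_RUN = re.compile(r'^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
HJT_O20 = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>\S+)(?P<missing> \(file missing\))?$')
HJT_O23 = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$')

def command_path(cmd: str) -> str:
    """Return the executable named by an O4 command string, dropping its arguments."""
    if cmd.startswith('"'):                      # quoted path, possibly followed by switches
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r'(.+?\.(?:exe|dll|bat|cmd))', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]  # unquoted path may contain spaces

def basename(path: str) -> str:
    """Case-folded file name of a Windows path (HijackThis and ComboFix both print paths)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_hjt(text: str) -> list:
    """Parse the O4 (Run), O20 (Winlogon Notify) and O23 (Service) lines of a HijackThis log."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := HJT_O4_RUN.match(line):
            entries.append(Entry("O4", m["name"], command_path(m["cmd"])))
        elif m := HJT_O20.match(line):
            entries.append(Entry("O20", m["name"], m["dll"], bool(m["missing"])))
        elif m := HJT_O23.match(line):
            entries.append(Entry("O23", m["name"], m["path"]))
    return entries

def parse_combofix_deletions(text: str) -> set:
    """Set of file names listed under ComboFix's 'Other Deletions'."""
    return {basename(l) for l in text.splitlines() if l.strip()}

def triage(entries: list, deleted: set) -> list:
    """Flag orphaned Winlogon Notify keys, known rogue autostarts, and autostarts
    whose target ComboFix already deleted (a leftover registry reference)."""
    findings = []
    for e in entries:
        base = basename(e.path)
        stem = base.rsplit(".", 1)[0]
        if e.section == "O20" and e.file_missing:
            why = "orphaned Winlogon Notify key"
            if base in deleted:
                why += " (DLL already removed by ComboFix; registry reference remains)"
            findings.append(Finding(e.section, e.name, why))
        elif stem in ROGUE_WATCHLIST or e.name.lower() in ROGUE_WATCHLIST:
            findings.append(Finding(e.section, e.name, "autostart for known rogue program"))
        elif base in deleted:
            findings.append(Finding(e.section, e.name, "autostart points at a file ComboFix deleted"))
    return findings

def main() -> None:
    for f in triage(parse_hjt(HJT_SAMPLE), parse_combofix_deletions(COMBOFIX_DELETIONS)):
        print(f"{f.section:4} {f.name:12} {f.reason}")

if __name__ == "__main__":
    main()
```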

Brian Benosky


Expertise

I will help you in eradicating malware and all forms of virus/trojans/adware. I can answer all PC-related hardware issues. I can also troubleshoot Windows OS errors (all versions) and other software problems. HijackThis logs are a MUST for virus related help. If you do not know how to do this, I have posted easy-to-follow instructions on the Ask a Question page. Every computer infection is different, so I will give you personal instructions on how to remove the malware, not a 'pat' answer. You can be assured of a prompt, polite, and knowledgeable response in all regards.

Experience

I have over 25 years experience in using, building, and repairing computers. I have helped over two thousand people here on AllExperts, with consistent Top Feedback Scores. Please look at my answers here: http://en.allexperts.com/q/Computer-Security-Viruses-1737/indexExp_84308.htm I am also a Top Contributor of General Computing answers in Yahoo! Questions.

Education/Credentials
College educated; self-taught computer skills.

©2012 About.com, a part of The New York Times Company. All rights reserved.