Author Topic: C:\ ComboFix.txt

Capricho
C:\ ComboFix.txt
« on: April 28, 2008, 04:21:57 PM »
This is the report after having problems with Win32:Virtumonde-IS (Adw).


Microsoft Windows XP Home Edition  5.1.2600.2.1252.34.1033.18.63 [GMT 2:00]
Running from: C:\Program Files\Combo-Fix.exe
 * Created a new restore point

C:\Program Files\180solutions
C:\Program Files\Common Files\SLMSS
C:\Program Files\ISTsvc
C:\Program Files\screensavers.com
C:\Program Files\screensavers.com\Installer\temp\dm767.tmp
C:\Program Files\screensavers.com\Wallpaper\Blue Bottles.jpg
C:\Program Files\screensavers.com\Wallpaper\Flower Cubes.jpg
C:\Program Files\screensavers.com\Wallpaper\Goldfish.jpg
C:\Program Files\screensavers.com\Wallpaper\swpstart.exe
C:\Program Files\screensavers.com\Wallpaper\Thumbs.db
C:\WINDOWS\system32\csloa.dll
C:\WINDOWS\system32\kdsya.exe

.
(((((((((((((((((((((((((   Files Created from 2008-03-28 to 2008-04-28  )))))))))))))))))))))))))))))))
.

2008-04-28 15:46 . 2008-04-28 15:46   1,778,287   --a------   C:\Program Files\Combo-Fix.exe
2008-04-11 17:35 . 2004-07-13 21:12   69,632   ---------   C:\WINDOWS\erase_SR.exe
2008-04-11 17:08 . 2008-04-11 17:08   <DIR>   d--------   C:\Program Files\XoftSpySE

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-03 13:34   100,208   ----a-w   C:\Documents and Settings\Ana  Hernandez\Application Data\GDIPFONTCACHEV1.DAT
2008-02-28 05:07   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-02-28 05:06   ---------   d-----w   C:\Program Files\Common Files\AVSMedia
2008-02-28 05:05   ---------   d-----w   C:\Program Files\AVS4YOU
2006-03-15 09:32   7,531,962   ----a-w   C:\Program Files\Accesoremoto a Hogskolan.exe
2004-04-18 14:48   1,649,697   ----a-w   C:\Program Files\AWA005XDGI.EXE
2004-04-18 14:33   9,491,469   ----a-w   C:\Program Files\TMQ0003BKM.EXE
2004-04-18 12:28   3,056,430   ----a-w   C:\Program Files\MI-Z32280803CS04US.EXE
2004-04-12 18:36   9,294,960   ----a-w   C:\Program Files\Media Player XP.exe
2005-11-04 16:14   80   --sh--r   C:\WINDOWS\system32\09669F2157.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1}]
         C:\PROGRA~1\BARGAI~1\bin2\apuc.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [ ]
"Cpusave32"="c:\windows\system32\cpusave32.exe" [ ]
"Sndcompat"="c:\windows\system32\sndcompat.exe" [ ]
"Pwr32ctr"="c:\windows\system32\pwr32ctr.exe" [ ]
"Monitormgt"="c:\windows\system32\monitormgt.exe" [ ]
"Pixelsvr"="c:\windows\system32\pixelsvr.exe" [ ]
"Info32x"="c:\windows\system32\info32x.exe" [ ]
"Pixel32"="c:\windows\system32\pixel32.exe" [ ]
"Sndbass"="c:\windows\system32\sndbass.exe" [ ]
"Imagemgt32"="c:\windows\system32\imagemgt32.exe" [ ]
"Cabchk32"="c:\windows\system32\cabchk32.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56 15360]
"Octoshape Streaming Services"="C:\Program Files\Octoshape Streaming Services\Ana  Hernandez\OctoshapeClient.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-23 06:58 68856]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-06 12:43 23165736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2001-08-03 19:21 1409024]
"Adulteras en directo"="C:\Adulteras en directo\Adulteras en directo.exe" [ ]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-08-27 12:58 684032]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-11-13 15:43 98304]
"Sndcompat"="c:\windows\system32\sndcompat.exe" [ ]
"LWBMOUSE"="C:\PROGRA~1\WHEELM~1\WHEELM~1\3.11\LWB3DAPP.EXE" [ ]
"Pixelsvr"="c:\windows\system32\pixelsvr.exe" [ ]
"Vidcompat"="c:\windows\system32\vidcompat.exe" [ ]
"Sndbass"="c:\windows\system32\sndbass.exe" [ ]
"Dvdcompat"="c:\windows\system32\dvdcompat.exe" [ ]
"Dx8compat"="c:\windows\system32\dx8compat.exe" [ ]
"jqiuax"="ujtcclh.exe" []
"Cabchk32"="c:\windows\system32\cabchk32.exe" [ ]
"Monitormgt"="c:\windows\system32\monitormgt.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-05-06 13:14 98304]
"STOPzilla"="C:\Program Files\STOPzilla!\Stopzilla.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-10-09 19:24 180269]
"OpwareSE2"="D:\OmnipageSE\OpwareSE2.exe" [2003-05-08 12:00 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VAIO Action Setup (Server).lnk - C:\Program Files\Sony\VAIO Action Setup\VAServ.exe [2001-09-08 12:51:48 40960]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Software Kodak EasyShare.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 02:22:40 757760]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 16423]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll 2004-07-13 22:14 24673 C:\WINDOWS\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= sonymjpg.dll
"VIDC.CTRX"= ctrxvid.drv
"MSVideo"= lvfwwdmt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\WINDOWS\\System32\\dpvsetup.exe"=
"C:\\WINDOWS\\System32\\rundll32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Marratech\\Marratech6.1\\bin\\Marratech.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R1 SonyFanC;FAN Control Device Service;C:\WINDOWS\system32\Drivers\SonyFanC.sys [2001-09-06 16:21]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R2 V7;V7;C:\WINDOWS\system32\drivers\V7.sys [2000-03-09 11:24]
S2 STOPzilla NT Service;STOPzilla NT Service;C:\Program Files\STOPzilla!\szntsvc.exe []
S3 adiusbae;USB ADSL LAN Adapter;C:\WINDOWS\system32\DRIVERS\adiusbae.sys [2002-08-15 11:25]
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys [2001-08-17 12:11]
S3 Boonty Games;Boonty Games;"C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe" [2005-11-06 20:40]
S3 WrKPoET2000;WrKPoET2000;C:\Program Files\WinPoET Broadband Connection\WrKPoET2000.sys []

.
Contents of the 'Scheduled Tasks' folder
"2002-01-08 17:30:38 C:\WINDOWS\Tasks\Registration reminder 1.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2002-01-08 17:30:40 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 16:03:10
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"LVCOMS"="C:\\Program Files\\Common Files\\Logitech\\QCDriver\\LVCOMS.EXE"
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASWUPDSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\SYSTEM32\NVSVC32.EXE
C:\PROGRAM FILES\CHECKPOINT\SECUREMOTE\BIN\SR_WATCHDOG.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-04-28 16:11:29 - machine was rebooted
ComboFix-quarantined-files.txt  2008-04-28 14:11:12

Pre-Run: 2,204,708,864 bytes free
Post-Run: 3,525,083,136 bytes free

159   --- E O F ---   2008-03-12 08:27:33

DavidR
Re: C:\ ComboFix.txt
« Reply #1 on: April 28, 2008, 04:26:08 PM »
This really should have gone together with your original topic, http://forum.avast.com/index.php?topic=34721.0 to keep everything together.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Capricho
Re: C:\ ComboFix.txt
« Reply #2 on: April 28, 2008, 04:36:44 PM »
Sorry...
« Last Edit: April 28, 2008, 05:31:37 PM by Capricho »

Capricho
Re: C:\ ComboFix.txt
« Reply #3 on: April 28, 2008, 04:57:54 PM »
By the way, after scanning with ComboFix, I still have the problems that I used to have. That is, whenever I search something on Yahoo.com or other servers I am relaunched to other pages by, for example, http://partners.mamma.com (although I have included this site in the restricted zone of Internet Options).

Is that the normal problem when having this type of rootkit?

Thanks
« Last Edit: April 28, 2008, 05:33:42 PM by Capricho »

DavidR
Re: C:\ ComboFix.txt
« Reply #4 on: April 28, 2008, 06:21:00 PM »
A rootkit doesn't actually have a specific thing it does; its task is to remain hidden, and it usually launches other malware (frequently malware that it also hides).

The redirects are either browser hijack or a modified HOSTS file.

HOSTS file redirect (127.0.0.1): check your HOSTS file using Notepad or a text editor of your choice. It is at C:\WINDOWS\system32\drivers\etc\hosts, or do a search for HOSTS to find it if it is not there. http://en.wikipedia.org/wiki/Hosts_file
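The HOSTS check DavidR describes can be scripted, which matters when the file is long or when the same check has to be repeated after every reboot. The block below is an added example for this thread, not code from the post or from any of the tools named in it. It parses a HOSTS file the way the Windows resolver reads it (address, then one or more names, `#` starts a comment) and reports two hijack patterns: a public name pinned to a remote address (the kind of entry behind search-page redirects) and a non-local name mapped to loopback or 0.0.0.0 (the pattern used to cut a machine off from antivirus and update sites). `SAMPLE_HOSTS` is constructed for the example (198.51.100.23 is a documentation address, not a real redirect target); `DEFAULT_PATH` is the location quoted above.

```python
"""Audit a Windows HOSTS file for hijack entries (added example, not from the thread)."""
import ipaddress
import os

# Usual location of the file on Windows; overridable via audit_hosts_file(path).
DEFAULT_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"),
                            "system32", "drivers", "etc", "hosts")

# Names that legitimately point at the local machine.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample: line 2 is normal, line 3 is a redirect, line 4 is a block.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
198.51.100.23   www.yahoo.com search.yahoo.com   # constructed: search redirect
127.0.0.1       www.avast.com                    # constructed: vendor block
"""


def parse_hosts(text):
    """Yield (lineno, ip_or_None, hostname) for every mapping in the file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            yield lineno, None, fields[0]        # malformed: surface it, do not drop it
            continue
        for host in fields[1:]:                  # one address may carry several names
            yield lineno, ip, host.lower()


def audit_hosts(text):
    """Return [(lineno, "ip host", kind)] with kind in {"redirect", "block", "malformed"}."""
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if ip is None:
            findings.append((lineno, host, "malformed"))
        elif ip.is_loopback or ip.is_unspecified:
            # 127.x / ::1 / 0.0.0.0: only local names belong here
            if host not in LOCAL_NAMES:
                findings.append((lineno, f"{ip} {host}", "block"))
        else:
            # any remote address in HOSTS overrides DNS for that name
            findings.append((lineno, f"{ip} {host}", "redirect"))
    return findings


def audit_hosts_file(path=DEFAULT_PATH):
    """Audit the real file; Windows writes it as ANSI, so decode leniently."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    for lineno, entry, kind in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {kind:8s} {entry}")
```

A "block" finding is not automatically malicious: ad-blocking HOSTS lists map thousands of ad domains to 127.0.0.1 on purpose, so review those against what you installed. A "redirect" finding for a search engine or portal is the one that explains the symptom in this thread, and later in the thread the Fixwareout log reports the HOSTS file was reset anyway.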

oldman
Re: C:\ ComboFix.txt
« Reply #5 on: April 28, 2008, 06:29:41 PM »
Since there isn't anything relevant in your other thread, please stay in this one.

Check the Hosts as DavidR suggests, then post a hijackthis log.

Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Capricho
Re: C:\ ComboFix.txt
« Reply #6 on: April 30, 2008, 10:25:33 AM »
Hi!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:06, on 2008-04-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\program files\support.com\client\bin\tgcmd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\OmnipageSE\OpwareSE2.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lexin.nada.kth.se/sve-spa.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lexin.nada.kth.se/sve-spa.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: UrlCatcher Class - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin2\apuc.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [Adulteras en directo] C:\Adulteras en directo\Adulteras en directo.exe /nostart
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Sndcompat] c:\windows\system32\sndcompat.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\PROGRA~1\WHEELM~1\WHEELM~1\3.11\LWB3DAPP.EXE
O4 - HKLM\..\Run: [Pixelsvr] c:\windows\system32\pixelsvr.exe
O4 - HKLM\..\Run: [Vidcompat] c:\windows\system32\vidcompat.exe
O4 - HKLM\..\Run: [Sndbass] c:\windows\system32\sndbass.exe
O4 - HKLM\..\Run: [Dvdcompat] c:\windows\system32\dvdcompat.exe
O4 - HKLM\..\Run: [Dx8compat] c:\windows\system32\dx8compat.exe
O4 - HKLM\..\Run: [jqiuax] ujtcclh.exe autorun
O4 - HKLM\..\Run: [Cabchk32] c:\windows\system32\cabchk32.exe
O4 - HKLM\..\Run: [Monitormgt] c:\windows\system32\monitormgt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [OpwareSE2] "D:\OmnipageSE\OpwareSE2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Cpusave32] c:\windows\system32\cpusave32.exe
O4 - HKCU\..\Run: [Sndcompat] c:\windows\system32\sndcompat.exe
O4 - HKCU\..\Run: [Pwr32ctr] c:\windows\system32\pwr32ctr.exe
O4 - HKCU\..\Run: [Monitormgt] c:\windows\system32\monitormgt.exe
O4 - HKCU\..\Run: [Pixelsvr] c:\windows\system32\pixelsvr.exe
O4 - HKCU\..\Run: [Info32x] c:\windows\system32\info32x.exe
O4 - HKCU\..\Run: [Pixel32] c:\windows\system32\pixel32.exe
O4 - HKCU\..\Run: [Sndbass] c:\windows\system32\sndbass.exe
O4 - HKCU\..\Run: [Imagemgt32] c:\windows\system32\imagemgt32.exe
O4 - HKCU\..\Run: [Cabchk32] c:\windows\system32\cabchk32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\Ana  Hernandez\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {4BEDE7F3-2238-4D7D-9F31-38BDDDA2573B} - (no file)
O9 - Extra button: Microsoft® JavaScript® Console - {4C9FC05C-5889-42E1-B533-A65D02A80101} - C:\WINDOWS\System32\COMDLG32.OCX
O9 - Extra 'Tools' menuitem: JavaScript Console - {4C9FC05C-5889-42E1-B533-A65D02A80101} - C:\WINDOWS\System32\COMDLG32.OCX
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - C:\WINDOWS\System32\c_10230.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Microsoft® JavaScript® Console - {DEF0C3FE-F2E5-4FA1-8703-CA94873FA8DB} - C:\WINDOWS\System32\COMDLG32.OCX
O9 - Extra 'Tools' menuitem: JavaScript Console - {DEF0C3FE-F2E5-4FA1-8703-CA94873FA8DB} - C:\WINDOWS\System32\COMDLG32.OCX
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

Capricho
Re: C:\ ComboFix.txt
« Reply #7 on: April 30, 2008, 10:26:32 AM »
I could not send it in one message, so here is the rest of it

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft® JavaScript® Console - {DEF0C3FE-F2E5-4FA1-8703-CA94873FA8DB} - C:\WINDOWS\System32\COMDLG32.OCX (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {DEF0C3FE-F2E5-4FA1-8703-CA94873FA8DB} - C:\WINDOWS\System32\COMDLG32.OCX (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.www.bibproxy.du.se/lib/dalarna/support/plugins/ebraryRdr.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {73F0FD85-BD47-4A95-86D1-DE38860462C1} (PremiumHTML Class) - http://213.201.69.103/data/dialercab/IberoDialerHTML.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.gamehouse.com/realarcade-webgames/bejeweled2/popcaploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C994046-C3C6-40BF-BE41-D29D92CFAF54}: NameServer = 85.255.114.27,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D16AAF7-3771-4812-9D43-B7ACC4DE414E}: NameServer = 85.255.114.27,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{C76096FF-AFB1-4048-87D7-DE326BB13A93}: NameServer = 85.255.114.27,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{DDCA8A52-9680-44B4-A8E3-47BFD5487E8A}: NameServer = 85.255.114.27,85.255.112.87
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.27 85.255.112.87
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.27 85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.27 85.255.112.87
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Unknown owner - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe (file missing)
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: STOPzilla NT Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
O24 - Desktop Component 0: (no name) - http://www.diariodecadiz.es/carnaval/img/agr4.JPG
O24 - Desktop Component 1: (no name) - http://www.free-languages.com/images/t.gif
O24 - Desktop Component 2: (no name) - http://clavecorp.grupo-sm.com/imagen/dicclave.gif
O24 - Desktop Component 3: (no name) - http://us.i1.yimg.com/us.yimg.com/i/fifa/gen/back2.gif
O24 - Desktop Component 4: (no name) - http://www.sedl.org/loteced/images/LOTECED_top_bar.jpg

--
End of file - 13055 bytes

oldman
Re: C:\ ComboFix.txt
« Reply #8 on: May 01, 2008, 11:57:05 AM »
Open HJT, do a system scan only, and checkmark the following lines, if present:

O2 - BHO: UrlCatcher Class - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin2\apuc.dll (file missing)
O4 - HKLM\..\Run: [Adulteras en directo] C:\Adulteras en directo\Adulteras en directo.exe /nostart
O4 - HKLM\..\Run: [Sndcompat] c:\windows\system32\sndcompat.exe
O4 - HKLM\..\Run: [Pixelsvr] c:\windows\system32\pixelsvr.exe
O4 - HKLM\..\Run: [Vidcompat] c:\windows\system32\vidcompat.exe
O4 - HKLM\..\Run: [Sndbass] c:\windows\system32\sndbass.exe
O4 - HKLM\..\Run: [Dvdcompat] c:\windows\system32\dvdcompat.exe
O4 - HKLM\..\Run: [Dx8compat] c:\windows\system32\dx8compat.exe
O4 - HKLM\..\Run: [jqiuax] ujtcclh.exe autorun
O4 - HKLM\..\Run: [Cabchk32] c:\windows\system32\cabchk32.exe
O4 - HKLM\..\Run: [Monitormgt] c:\windows\system32\monitormgt.exe
O4 - HKCU\..\Run: [Cpusave32] c:\windows\system32\cpusave32.exe
O4 - HKCU\..\Run: [Sndcompat] c:\windows\system32\sndcompat.exe
O4 - HKCU\..\Run: [Pwr32ctr] c:\windows\system32\pwr32ctr.exe
O4 - HKCU\..\Run: [Monitormgt] c:\windows\system32\monitormgt.exe
O4 - HKCU\..\Run: [Pixelsvr] c:\windows\system32\pixelsvr.exe
O4 - HKCU\..\Run: [Info32x] c:\windows\system32\info32x.exe
O4 - HKCU\..\Run: [Pixel32] c:\windows\system32\pixel32.exe
O4 - HKCU\..\Run: [Sndbass] c:\windows\system32\sndbass.exe
O4 - HKCU\..\Run: [Imagemgt32] c:\windows\system32\imagemgt32.exe
O4 - HKCU\..\Run: [Cabchk32] c:\windows\system32\cabchk32.exe
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - C:\WINDOWS\System32\c_10230.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C994046-C3C6-40BF-BE41-D29D92CFAF54}: NameServer = 85.255.114.27,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D16AAF7-3771-4812-9D43-B7ACC4DE414E}: NameServer = 85.255.114.27,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{C76096FF-AFB1-4048-87D7-DE326BB13A93}: NameServer = 85.255.114.27,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{DDCA8A52-9680-44B4-A8E3-47BFD5487E8A}: NameServer = 85.255.114.27,85.255.112.87
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.27 85.255.112.87
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.27 85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.27 85.255.112.87

Close all other browser windows, click Fix. Close HJT.

What do you know about these? They are desktop components.

O24 - Desktop Component 0: (no name) - http://www.diariodecadiz.es/carnaval/img/agr4.JPG
O24 - Desktop Component 1: (no name) - http://www.free-languages.com/images/t.gif
O24 - Desktop Component 2: (no name) - http://clavecorp.grupo-sm.com/imagen/dicclave.gif
O24 - Desktop Component 3: (no name) - http://us.i1.yimg.com/us.yimg.com/i/fifa/gen/back2.gif
O24 - Desktop Component 4: (no name) - http://www.sedl.org/loteced/images/LOTECED_top_bar.jpg

Please download FixWareout from http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is NORMAL.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please post the fixwareout results, malwarebytes result and a new HJT log.

Thanks
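The fix list above was assembled by eye from four patterns in the HJT log: an entry whose file is missing (the BARGAI~1 BHO), a Run value given as a bare file name that Windows resolves through PATH at logon (`ujtcclh.exe autorun`), the same system32 Run values registered under both HKLM and HKCU, and O17 NameServer values pointing at 85.255.114.27 and 85.255.112.87. The block below is an added example that scripts those four checks; it is not code from the thread, from HijackThis or from Fixwareout. `SAMPLE_LOG` copies a few lines from the HJT log posted above. `KNOWN_RESOLVERS` being empty is an assumption (the machine is expected to get DNS from DHCP, so any hard-coded NameServer is reported), and the both-hives check is a heuristic, not a rule.

```python
"""Triage a HijackThis log for the hijack patterns seen in this thread (added example)."""
import re

KNOWN_RESOLVERS = frozenset()     # assumption: DHCP only; add your ISP's resolvers here

# "O4 - HKLM\..\Run: [Name] command" and "O17 - <key>: NameServer = <addresses>"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<value>.+)$")

# Lines copied from the HJT log posted above.
SAMPLE_LOG = r"""
O2 - BHO: UrlCatcher Class - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin2\apuc.dll (file missing)
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Sndcompat] c:\windows\system32\sndcompat.exe
O4 - HKLM\..\Run: [jqiuax] ujtcclh.exe autorun
O4 - HKCU\..\Run: [Sndcompat] c:\windows\system32\sndcompat.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C994046-C3C6-40BF-BE41-D29D92CFAF54}: NameServer = 85.255.114.27,85.255.112.87
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.27 85.255.112.87
"""


def first_token(cmd):
    """The executable part of a Run value: a quoted path, or the first bare word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(None, 1)[0] if cmd else ""


def triage_hjt(text, known_resolvers=KNOWN_RESOLVERS):
    """Return a list of (kind, detail) findings in log order."""
    findings = []
    run_entries = {}                      # (name, target) -> set of hives it appears in

    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "(file missing)" in line:      # HJT could not find the file the entry loads
            findings.append(("orphan", line))
        m = O4_RE.match(line)
        if m:
            target = first_token(m["cmd"])
            if "\\" not in target and ":" not in target:
                # no directory: resolved through PATH, so any writable PATH dir wins
                findings.append(("path-relative autorun", f"[{m['name']}] {m['cmd']}"))
            key = (m["name"].lower(), target.lower())
            run_entries.setdefault(key, set()).add(m["hive"])
            continue
        m = O17_RE.match(line)
        if m:
            # per-interface values are comma-separated, Parameters values
            # space-separated in HJT output; accept both
            servers = [s for s in re.split(r"[,\s]+", m["value"]) if s]
            rogue = [s for s in servers if s not in known_resolvers]
            if rogue:
                findings.append(("rogue nameserver", f"{m['key']} -> {', '.join(rogue)}"))

    for (name, target), hives in run_entries.items():
        if {"HKLM", "HKCU"} <= hives:     # heuristic: legit software rarely does this
            findings.append(("duplicated in both hives", f"[{name}] {target}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage_hjt(SAMPLE_LOG):
        print(f"{kind:26s} {detail}")
```

The output is a review list, not a fix list, in the spirit of the "DO NOT have Hijack This fix anything yet" advice earlier in the thread: a bare `RUNDLL32.EXE NvQTwk,...` entry will also show up as path-relative, and the point is that someone looks at it. The O17 check is the one with the clearest verdict, since a NameServer value that the owner never configured, repeated on every interface and in the CS1/CS2 control sets, has no benign explanation; the Fixwareout log later in the thread shows the same two addresses being cleared from the DhcpNameServer values.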

Capricho
Re: C:\ ComboFix.txt
« Reply #9 on: May 02, 2008, 11:34:22 AM »
Here goes the Fixwareout log

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{0A89AF12-67AB-45B0-856D-C166FC75D94D}
"DhcpNameServer"="85.255.114.27,85.255.112.87" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{9D16AAF7-3771-4812-9D43-B7ACC4DE414E}
"DhcpNameServer"="85.255.114.27,85.255.112.87" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{DDCA8A52-9680-44B4-A8E3-47BFD5487E8A}
"DhcpNameServer"="85.255.114.27,85.255.112.87" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.
 
~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"ZTgServerSwitch"="c:\\program files\\support.com\\client\\bin\\tgcmd.exe /server"
"AdaptecDirectCD"="C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe"
"LVCOMS"="C:\\Program Files\\Common Files\\Logitech\\QCDriver\\LVCOMS.EXE"
"LWBMOUSE"="C:\\PROGRA~1\\WHEELM~1\\WHEELM~1\\3.11\\LWB3DAPP.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"STOPzilla"="\"C:\\Program Files\\STOPzilla!\\Stopzilla.exe\" /autorun"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
"OpwareSE2"="\"D:\\OmnipageSE\\OpwareSE2.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe\""
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Octoshape Streaming Services"="\"C:\\Program Files\\Octoshape Streaming Services\\Ana  Hernandez\\OctoshapeClient.exe\" -inv:bootrun"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

Capricho

  • Guest
Re: C:\ ComboFix.txt
« Reply #10 on: May 02, 2008, 12:02:32 PM »
Malwarebytes' Anti-Malware 1.11
Database version: 707

Scan type: Quick Scan
Objects scanned: 36739
Time elapsed: 18 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 15
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\apuc.urlcatcher (Adware.Bargain.Buddy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\apuc.urlcatcher.1 (Adware.Bargain.Buddy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c6906a23-4717-4e1f-b6fd-f06ebed14177} (Adware.Bargain.Buddy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{4eb7bbe8-2e15-424b-9ddb-2cdb9516a2a3} (Adware.Bargain.Buddy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{aa4939c3-deca-4a48-a454-97cd587c0ef5} (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{eee4a2e5-9f56-432f-a6ed-f6f625b551e0} (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WSEM Update (Adware.NetOptimizer) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

Capricho

  • Guest
Re: C:\ ComboFix.txt
« Reply #11 on: May 02, 2008, 12:08:19 PM »
The Desktop items are OK, but I do not know  
O24 - Desktop Component 3: (no name) - http://us.i1.yimg.com/us.yimg.com/i/fifa/gen/back2.gif


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:46, on 2008-05-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\OmnipageSE\OpwareSE2.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lexin.nada.kth.se/sve-spa.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lexin.nada.kth.se/sve-spa.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LWBMOUSE] C:\PROGRA~1\WHEELM~1\WHEELM~1\3.11\LWB3DAPP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [OpwareSE2] "D:\OmnipageSE\OpwareSE2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\Ana  Hernandez\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {4BEDE7F3-2238-4D7D-9F31-38BDDDA2573B} - (no file)
O9 - Extra button: Microsoft® JavaScript® Console - {4C9FC05C-5889-42E1-B533-A65D02A80101} - C:\WINDOWS\System32\COMDLG32.OCX
O9 - Extra 'Tools' menuitem: JavaScript Console - {4C9FC05C-5889-42E1-B533-A65D02A80101} - C:\WINDOWS\System32\COMDLG32.OCX
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Microsoft® JavaScript® Console - {DEF0C3FE-F2E5-4FA1-8703-CA94873FA8DB} - C:\WINDOWS\System32\COMDLG32.OCX
O9 - Extra 'Tools' menuitem: JavaScript Console - {DEF0C3FE-F2E5-4FA1-8703-CA94873FA8DB} - C:\WINDOWS\System32\COMDLG32.OCX
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft® JavaScript® Console - {DEF0C3FE-F2E5-4FA1-8703-CA94873FA8DB} - C:\WINDOWS\System32\COMDLG32.OCX (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {DEF0C3FE-F2E5-4FA1-8703-CA94873FA8DB} - C:\WINDOWS\System32\COMDLG32.OCX (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.www.bibproxy.du.se/lib/dalarna/support/plugins/ebraryRdr.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {73F0FD85-BD47-4A95-86D1-DE38860462C1} (PremiumHTML Class) - http://213.201.69.103/data/dialercab/IberoDialerHTML.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab

Capricho

  • Guest
Re: C:\ ComboFix.txt
« Reply #12 on: May 02, 2008, 12:08:59 PM »
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Unknown owner - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe (file missing)
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: STOPzilla NT Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
O24 - Desktop Component 0: (no name) - http://www.diariodecadiz.es/carnaval/img/agr4.JPG
O24 - Desktop Component 1: (no name) - http://www.free-languages.com/images/t.gif
O24 - Desktop Component 2: (no name) - http://clavecorp.grupo-sm.com/imagen/dicclave.gif
O24 - Desktop Component 3: (no name) - http://us.i1.yimg.com/us.yimg.com/i/fifa/gen/back2.gif
O24 - Desktop Component 4: (no name) - http://www.sedl.org/loteced/images/LOTECED_top_bar.jpg

--
End of file - 10656 bytes

polonus

  • Avast Überevangelist
  • Probably Bot
  • malware fighter
Re: C:\ ComboFix.txt
« Reply #13 on: May 02, 2008, 12:48:27 PM »
Hi Capricho,

Here is the analysis of your HJT logfile for three consecutive days, to be found here:
http://www.hijackthis.de/logfiles/7fceff8825345bd0c3f31a397c0a7a42.html

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

oldman

  • Avast Evangelist
  • Massive Poster
  • Some days..... MOS...this bug's for you
Re: C:\ ComboFix.txt
« Reply #14 on: May 02, 2008, 01:13:02 PM »
Ok, good. We can take care of the O24 line.

This one should go. BOONTY. Reason:

http://www.castlecops.com/o23list-1744.html

Your choice though. Let me know and I'll give you a hand.

In Windows Explorer, navigate to this folder, if present:

C:\Program Files\Bargain Buddy

and delete the entire Bargain Buddy folder.


You may want to uninstall/reinstall these programs as they have missing files.

STOPzilla!
SecuRemote



Open HJT, run a system scan only, check mark these lines if present

O24 - Desktop Component 3: (no name) - http://us.i1.yimg.com/us.yimg.com/i/fifa/gen/back2.gif
 


Close all other browsers/windows, click fix, close HJT.


How are things at your end?