MS Antivirus (multiple trojans, maybe?)

Posted 9/3/2008 1:19 AM
#65579

Baskanos Member

Date Joined Nov 2016
Total Posts: 5
I've been dealing with this for a few weeks. I just found your site, and you guys seem to be my only hope.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:26:05 PM, on 9/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\CyberLink\Shared Files\RichVideo.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Documents and Settings\All Users\Application Data\fsxadsbu\tgzudydo.exe
D:\WINDOWS\Mixer.exe
D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\WINDOWS\vobwpobw.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\utevadir.exe
D:\WINDOWS\system32\hetshuxa.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\PCHealthCenter\1.exe
D:\Program Files\PCHealthCenter\2.exe
D:\Program Files\PCHealthCenter\3.exe
D:\Program Files\PCHealthCenter\4.exe
D:\Program Files\MSA\MSA.exe
D:\Program Files\PCHealthCenter\7.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
D:\WINDOWS\vobwpobw.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Default\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [osCheck] "D:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "D:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [UpdatePPShortCut] "D:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" "D:\Program Files\CyberLink\PowerProducer" update "Software\CyberLink\PowerProducer\4.0"
O4 - HKLM\..\Run: [hlpchkutil] D:\WINDOWS\vobwpobw.exe
O4 - HKLM\..\Run: [~YÕA~] Ù‹exe
O4 - HKLM\..\Run: [Antivirus] D:\Program Files\MSA\MSA.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [~YÕA~] Ù‹exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [debugpop] D:\DOCUME~1\Default\APPLIC~1\EACHLO~1\drive deaf.exe
O4 - HKCU\..\Run: [SrvProcMon] D:\WINDOWS\system32\utevadir.exe
O4 - HKCU\..\Run: [mntutilapl] D:\WINDOWS\system32\ngxilahw.exe
O4 - HKCU\..\Run: [genactinfo] D:\WINDOWS\system32\tulkfmfw.exe
O4 - HKLM\..\Policies\Explorer\Run: [QcsL60w10k] D:\Documents and Settings\All Users\Application Data\fsxadsbu\tgzudydo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} - https://www.symantec.com/techsupp/activedata/nprdtinf.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - https://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} (SpinTop Games Launcher) - https://clubgames.pogo.com/online2/pogop/mahjong_escape_ancient_japan/SpinTopGamesLauncher.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: procchkact - {5A8DF54F-3C3A-F718-BF1B-008624137EAF} - D:\Program Files\brwireg\procchkact.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - D:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8356 bytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 09/02/2008 at 10:45 AM

Application Version : 4.20.1046

Core Rules Database Version : 3554
Trace Rules Database Version: 1542

Scan type : Complete Scan
Total Scan Time : 01:09:17

Memory items scanned : 510
Memory threats detected : 5
Registry items scanned : 6790
Registry threats detected : 14
File items scanned : 49692
File threats detected : 61

Adware.Vundo Variant
D:\WINDOWS\SYSTEM32\APPMGMT.DLL
D:\WINDOWS\SYSTEM32\APPMGMT.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A13649E2-A47E-4D21-8ABB-6DBFBE55483A}
HKCR\CLSID\{A13649E2-A47E-4D21-8ABB-6DBFBE55483A}
HKCR\CLSID\{A13649E2-A47E-4D21-8ABB-6DBFBE55483A}\InprocServer32
HKCR\CLSID\{A13649E2-A47E-4D21-8ABB-6DBFBE55483A}\InprocServer32#ThreadingModel

Rogue.Dropper/Gen
D:\WINDOWS\SYSTEM32\LPHCAQLJ0EC6P.EXE
D:\WINDOWS\SYSTEM32\LPHCAQLJ0EC6P.EXE
D:\WINDOWS\Prefetch\LPHCAQLJ0EC6P.EXE-26913B0F.pf

NotHarmful.Sysinternals Bluescreen Screen Saver
D:\WINDOWS\SYSTEM32\BLPHCAQLJ0EC6P.SCR
D:\WINDOWS\SYSTEM32\BLPHCAQLJ0EC6P.SCR

Rogue.MS AntiVirus
D:\PROGRAM FILES\MSA\MSA.EXE
D:\PROGRAM FILES\MSA\MSA.EXE
[Antivirus] D:\PROGRAM FILES\MSA\MSA.EXE
D:\DOCUMENTS AND SETTINGS\DEFAULT\DESKTOP\MS ANTIVIRUS.LNK
D:\WINDOWS\Prefetch\MSA.EXE-35AD0B56.pf

Rogue.MalwareProtector/Variant
D:\WINDOWS\SYSTEM32\PPHCAQLJ0EC6P.EXE
D:\WINDOWS\SYSTEM32\PPHCAQLJ0EC6P.EXE
D:\WINDOWS\Prefetch\PPHCAQLJ0EC6P.EXE-11E4AE47.pf

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{0656A137-B161-CADD-9777-E37A75727E78}
HKU\S-1-5-21-1606980848-1532298954-682003330-1003\Software\Classes\CLSID\{0656A137-B161-CADD-9777-E37A75727E78}
HKCR\CLSID\{0656A137-B161-CADD-9777-E37A75727E78}

Adware.Tracking Cookie
D:\Documents and Settings\Default\Cookies\default@st[17].txt
D:\Documents and Settings\Default\Cookies\default@st[26].txt
D:\Documents and Settings\Default\Cookies\default@dtr[1].txt
D:\Documents and Settings\Default\Cookies\default@st[45].txt
D:\Documents and Settings\Default\Cookies\default@st[27].txt
D:\Documents and Settings\Default\Cookies\default@st[2].txt
D:\Documents and Settings\Default\Cookies\default@st[5].txt
D:\Documents and Settings\Default\Cookies\default@cgi-bin[2].txt
D:\Documents and Settings\Default\Cookies\default@st[19].txt
D:\Documents and Settings\Default\Cookies\default@st[3].txt
D:\Documents and Settings\Default\Cookies\default@st[37].txt
D:\Documents and Settings\Default\Cookies\default@st[21].txt
D:\Documents and Settings\Default\Cookies\default@st[44].txt
D:\Documents and Settings\Default\Cookies\default@st[8].txt
D:\Documents and Settings\Default\Cookies\default@st[7].txt

Trojan.Unknown Origin
D:\WINDOWS\mslagent
D:\WINDOWS\SYSTEM32\1.ICO
D:\WINDOWS\SYSTEM32\2.ICO

Trojan.Media-Codec
D:\Program Files\PCHealthCenter\sc.html
D:\Program Files\PCHealthCenter\xe
D:\Program Files\PCHealthCenter\ًexe
D:\Program Files\PCHealthCenter

Trojan.DNSChanger-Codec
HKU\S-1-5-21-1606980848-1532298954-682003330-1003\Software\uninstall

Rogue.WindowsSecurityAdviser
D:\Program Files\Microsoft Security Adviser\msctrl.log
D:\Program Files\Microsoft Security Adviser\msctrl2.exe
D:\Program Files\Microsoft Security Adviser\msctrl2.log
D:\Program Files\Microsoft Security Adviser\mssadv.log
D:\Program Files\Microsoft Security Adviser\mssadv_sp.log
D:\Program Files\Microsoft Security Adviser
D:\WINDOWS\Prefetch\MSCTRL2.EXE-0804B4A3.pf

Rogue.PC-Cleaner
HKU\S-1-5-21-1606980848-1532298954-682003330-1003\Software\mwc

Rogue.AntiVirus 2008
HKU\S-1-5-21-1606980848-1532298954-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Run#Antivirus [ D:\Program Files\MSA\MSA.exe ]
D:\Documents and Settings\Default\Application Data\RHCEQLJ0EC6P
D:\WINDOWS\SYSTEM32\PHCAQLJ0EC6P.BMP
D:\Program Files\RHCEQLJ0EC6P

Rogue.AntiVirus XP 2008
D:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
D:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
D:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
D:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
D:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
D:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008
D:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
D:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk

Trojan.FakeAlert/Desktop
HKU\S-1-5-21-1606980848-1532298954-682003330-1003\CONTROL PANEL\DESKTOP#WALLPAPER
HKU\S-1-5-21-1606980848-1532298954-682003330-1003\CONTROL PANEL\DESKTOP#ORIGINALWALLPAPER
HKU\S-1-5-21-1606980848-1532298954-682003330-1003\CONTROL PANEL\DESKTOP#CONVERTEDWALLPAPER

Trojan.Downloader-SVCHost/Fake
C:\GOOGLE.COM\SVCHOST.EXE
D:\WINDOWS\Prefetch\SVCHOST.EXE-1396A748.pf

Trojan.Aff-YourThumbs
D:\DOCUMENTS AND SETTINGS\DEFAULT\MSSADV.DLL

Trojan.Unclassified/MSCTRL
D:\DOCUMENTS AND SETTINGS\DEFAULT\MSAVSC.DLL
D:\DOCUMENTS AND SETTINGS\DEFAULT\MSCTRL.DLL
D:\DOCUMENTS AND SETTINGS\DEFAULT\MSFW.DLL
D:\DOCUMENTS AND SETTINGS\DEFAULT\MSIEMON.DLL
D:\DOCUMENTS AND SETTINGS\DEFAULT\MSSCAN.DLL

Rogue.MS AntiVirus/A
D:\PROGRAM FILES\MSA\MSA.CPL
D:\WINDOWS\SYSTEM32\MSA.CPL

Adware.Multi-Dropper/Trace
D:\WINDOWS\CROCK+MOCK.CONFIG

Rootkit.Filter-Gen
D:\WINDOWS\SYSTEM32\DRIVERS\LZTQAJOG.DAT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ComboFix 08-09-01.03 - Default 2008-09-02 11:36:24.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.622 [GMT -4:00]
Running from: D:\Documents and Settings\Default\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Program Files\altcmd
D:\Program Files\PCHealthCenter
D:\Program Files\PCHealthCenter\Ù‹exe
D:\Program Files\PCHealthCenter\0.exe
D:\Program Files\PCHealthCenter\0.gif
D:\Program Files\PCHealthCenter\1.exe
D:\Program Files\PCHealthCenter\1.gif
D:\Program Files\PCHealthCenter\1.ico
D:\Program Files\PCHealthCenter\2.exe
D:\Program Files\PCHealthCenter\2.gif
D:\Program Files\PCHealthCenter\2.ico
D:\Program Files\PCHealthCenter\3.exe
D:\Program Files\PCHealthCenter\3.gif
D:\Program Files\PCHealthCenter\4.exe
D:\Program Files\PCHealthCenter\5.exe
D:\Program Files\PCHealthCenter\7.exe
D:\Program Files\PCHealthCenter\xe
D:\WINDOWS\system32\blphcaqlj0ec6p.scr
D:\WINDOWS\system32\ijl11pro.dll
D:\WINDOWS\system32\lphcaqlj0ec6p.exe
D:\WINDOWS\system32\phcaqlj0ec6p.bmp
D:\WINDOWS\winlogon.exe
D:\Documents and Settings\Default\Application Data\~tmp.html . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-08-02 to 2008-09-02 )))))))))))))))))))))))))))))))
.

2008-09-02 11:43 . 2008-09-02 11:46 d-------- D:\Program Files\PCHealthCenter
2008-09-02 11:43 . 2008-09-02 11:43 118,784 --a------ D:\WINDOWS\system32\blphcaqlj0ec6p.scr
2008-09-02 11:43 . 2008-09-02 11:43 98,304 --a------ D:\WINDOWS\system32\ngxilahw.exe
2008-09-02 11:26 . 2008-09-02 11:26 98,304 --a------ D:\WINDOWS\system32\utevadir.exe
2008-09-02 08:59 . 2008-09-02 08:59 d-------- D:\Program Files\CCleaner
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Program Files\SUPERAntiSpyware
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Program Files\Common Files\Wise Installation Wizard
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Documents and Settings\Default\Application Data\SUPERAntiSpyware.com
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-02 08:41 . 2008-09-02 08:41 d-------- D:\Program Files\Malwarebytes' Anti-Malware
2008-09-02 08:41 . 2008-09-02 00:16 38,528 --a------ D:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-02 08:41 . 2008-09-02 00:16 17,200 --a------ D:\WINDOWS\system32\drivers\mbam.sys
2008-09-02 08:35 . 2008-09-02 11:42 d-------- D:\Program Files\MSA
2008-09-01 20:02 . 2008-09-01 20:02 203,776 --a------ D:\WINDOWS\system32\bwbyxszu.exe
2008-08-22 12:48 . 2008-08-22 12:48 d-------- D:\WINDOWS\system32\xlib254.dll
2008-08-22 12:48 . 2008-08-22 12:48 d-------- D:\WINDOWS\system32\append.dll
2008-08-22 12:19 . 2008-08-22 12:18 40,960 -r-hs---- D:\WINDOWS\system32\6to4svcl.exe
2008-08-22 12:19 . 2008-08-22 12:20 144 --ahs---- D:\WINDOWS\system32\1884727700.dat
2008-08-18 20:12 . 2008-08-18 20:12 d-------- D:\Program Files\Sun
2008-08-18 18:23 . 2008-08-18 20:26 d-------- D:\WINDOWS\system32\CatRoot_bak
2008-08-14 12:51 . 2008-08-14 12:51 53,248 --a------ D:\WINDOWS\vobwpobw.exe
2008-08-04 15:49 . 2008-08-04 15:49 d-------- D:\Documents and Settings\Default\Application Data\Malwarebytes
2008-08-04 15:49 . 2008-08-04 15:49 d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-04 14:37 . 2008-08-04 14:37 d-------- D:\Program Files\brwireg
2008-08-04 14:37 . 2008-08-04 14:37 d-------- D:\Documents and Settings\All Users\Application Data\fsxadsbu

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-27 18:54 --------- d-----w D:\Program Files\XoftSpySE
2008-08-23 17:45 --------- d-----w D:\Program Files\MySpace
2008-08-23 17:43 --------- d-----w D:\Program Files\Lavasoft
2008-08-22 16:51 --------- d-----w D:\Program Files\Common Files\Symantec Shared
2008-08-19 14:25 --------- d-----w D:\Program Files\Microsoft Silverlight
2008-08-19 00:11 --------- d-----w D:\Program Files\Java
2008-07-29 02:48 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-07-29 02:48 --------- d-----w D:\Program Files\Logitech
2008-07-29 02:48 --------- d-----w D:\Program Files\Common Files\Logitech
2008-07-22 17:57 --------- d-----w D:\Program Files\RegCure
2008-07-22 16:14 --------- d-----w D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-22 15:13 --------- d-----w D:\Program Files\Norton AntiVirus
2008-07-22 02:27 --------- d-----w D:\Program Files\Diablo II
2008-07-22 01:22 --------- d-----w D:\Program Files\PlayOnline
2008-07-21 23:05 --------- d-----w D:\Program Files\each logo type
2008-07-21 23:05 --------- d-----w D:\Documents and Settings\Default\Application Data\each logo type
2008-07-21 23:05 --------- d-----w D:\Documents and Settings\All Users\Application Data\bat glue time dash
2008-07-21 21:52 --------- d-----w D:\Program Files\LimeWire
2008-07-19 02:10 94,920 ----a-w D:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w D:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w D:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w D:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w D:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w D:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w D:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w D:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w D:\WINDOWS\system32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w D:\WINDOWS\system32\muweb.dll
2008-07-07 20:32 253,952 ----a-w D:\WINDOWS\system32\es.dll
2008-07-05 16:04 --------- d-----w D:\Documents and Settings\Default\Application Data\CyberLink
2008-07-05 16:03 --------- d-----w D:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-05 15:52 --------- d-----w D:\Program Files\CyberLink
2008-06-24 16:23 74,240 ----a-w D:\WINDOWS\system32\mscms.dll
2008-06-23 15:38 659,456 ----a-w D:\WINDOWS\system32\wininet.dll
2008-06-22 00:42 21,840 ----a-w D:\WINDOWS\system32\SIntfNT.dll
2008-06-22 00:42 17,212 ----a-w D:\WINDOWS\system32\SIntf32.dll
2008-06-22 00:42 12,067 ----a-w D:\WINDOWS\system32\SIntf16.dll
2008-06-20 17:41 245,248 ----a-w D:\WINDOWS\system32\mswsock.dll
.

------- Sigcheck -------

2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 D:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 D:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 06:44 360960 744e57c99232201ae98c49168b918f48 D:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d D:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e D:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 D:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 D:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 D:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"~YÕA~"="Ù‹exe" [X]
"@"="xe" [X]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2002-12-31 15360]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-19 1576176]
"debugpop"="D:\DOCUME~1\Default\APPLIC~1\EACHLO~1\drive deaf.exe" [2008-07-21 526336]
"SrvProcMon"="D:\WINDOWS\system32\utevadir.exe" [2008-09-02 98304]
"mntutilapl"="D:\WINDOWS\system32\ngxilahw.exe" [2008-09-02 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"~YÕA~"="Ù‹exe" [X]
"@"="xe" [X]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="D:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" [2008-05-27 413696]
"osCheck"="D:\Program Files\Norton AntiVirus\osCheck.exe" [2007-02-07 771704]
"ccApp"="D:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"RemoteControl"="D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="D:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"UpdatePPShortCut"="D:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2007-08-16 218408]
"hlpchkutil"="D:\WINDOWS\vobwpobw.exe" [2008-08-14 53248]
"Antivirus"="D:\Program Files\MSA\MSA.exe" [2008-08-30 412160]
"C-Media Mixer"="Mixer.exe" [2001-11-15 D:\WINDOWS\mixer.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"QcsL60w10k"="D:\Documents and Settings\All Users\Application Data\fsxadsbu\tgzudydo.exe" [2008-08-04 61440]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "D:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"procchkact"= {5A8DF54F-3C3A-F718-BF1B-008624137EAF} - D:\Program Files\brwireg\procchkact.dll [2008-08-04 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ComAplApp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphcaqlj0ec6p
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhceqlj0ec6p

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2002-12-31 08:00 15360 D:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
--a------ 2003-08-19 06:43 57344 D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-04-19 13:26 484904 D:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Time Dash Second Regs]
--a------ 2008-09-02 11:46 5051392 D:\Documents and Settings\All Users\Application Data\bat glue time dash\bags bend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 22:49 4662776 D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a------ 2003-12-01 11:38 892928 D:\Program Files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
--a------ 2006-02-21 21:05 344064 D:\WINDOWS\system32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"D:\\Program Files\\LimeWire\\LimeWire.exe"=
"D:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"D:\\Program Files\\Yahoo!\\UPnP\\yupnpsrv.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"D:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=
"D:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;D:\WINDOWS\system32\drivers\si3112r.sys [2003-05-09 89749]
R0 SiWinAcc;SiWinAcc;D:\WINDOWS\system32\drivers\SiWinAcc.sys [2003-02-12 9600]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};D:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51 13560]
S0 uckkagnh;uckkagnh;D:\WINDOWS\system32\drivers\lztqajog.dat [ ]
S3 LCcfltr;Logitech USB Filter Driver;D:\WINDOWS\system32\Drivers\LCcFltr.Sys [2003-11-07 14092]
S3 MBAMSwissArmy;MBAMSwissArmy;D:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-09-02 38528]
S3 XDva020;XDva020;D:\WINDOWS\system32\XDva020.sys [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"D:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-lphcaqlj0ec6p - D:\WINDOWS\system32\lphcaqlj0ec6p.exe
HKLM-Run-SMrhceqlj0ec6p - D:\Program Files\rhceqlj0ec6p\rhceqlj0ec6p.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - D:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\bravk493.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - D:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - D:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin2.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin3.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin4.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin5.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF -: plugin - D:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-09-02 11:43:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


D:\WINDOWS\system32\ngxilahw.exe 98304 bytes executable
D:\WINDOWS\system32\blphcaqlj0ec6p.scr 118784 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\uckkagnh]
"ImagePath"="system32\drivers\lztqajog.dat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\D:\Program Files\CyberLink\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\ati2evxx.exe
D:\WINDOWS\system32\ati2evxx.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\CyberLink\Shared Files\RichVideo.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Qoobox\Quarantine\D\WINDOWS\system32\lphcaqlj0ec6p.exe.vir
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\PCHealthCenter\0.exe
D:\Program Files\PCHealthCenter\1.exe
D:\Program Files\PCHealthCenter\2.exe
D:\Program Files\PCHealthCenter\3.exe
D:\Program Files\PCHealthCenter\4.exe
D:\Program Files\PCHealthCenter\7.exe
C:\winlo.exe
C:\winlo.exe
.
**************************************************************************
.
Completion time: 2008-09-02 11:56:00 - machine was rebooted [Default]
ComboFix-quarantined-files.txt 2008-09-02 15:55:53

Pre-Run: 122,769,555,456 bytes free
Post-Run: 122,721,222,656 bytes free

270 --- E O F --- 2008-08-19 14:25:12
Anything you suggest will be of great help.
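Most of the triage in a log like the one above is reading the O4 (autorun) lines for the tells that separate random-named droppers from legitimate startup items. The following is an added example, not code from this thread or from HijackThis: a small Python triager that applies structural heuristics to O4 lines (an eight-letter random name sitting directly under the Windows directory, an autorun pointing into an Application Data folder, the Policies\Explorer\Run loading point, and bare or garbled target values). The sample input is constructed from O4 lines copied out of the log above. The KNOWN_STEMS allowlist and the eight-letter rule are assumptions to tune for your own baseline, and the heuristics deliberately do not catch entries such as Program Files\MSA\MSA.exe, which only a scanner's name-based detection identifies.

```python
"""Triage HijackThis O4 (autorun) lines with structural heuristics."""
from __future__ import annotations

import os
import re
from dataclasses import dataclass, field

# Constructed sample: O4 lines copied from the HijackThis log in the post above.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [hlpchkutil] D:\WINDOWS\vobwpobw.exe
O4 - HKLM\..\Run: [~YÕA~] Ù‹exe
O4 - HKLM\..\Run: [Antivirus] D:\Program Files\MSA\MSA.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [debugpop] D:\DOCUME~1\Default\APPLIC~1\EACHLO~1\drive deaf.exe
O4 - HKCU\..\Run: [SrvProcMon] D:\WINDOWS\system32\utevadir.exe
O4 - HKCU\..\Run: [mntutilapl] D:\WINDOWS\system32\ngxilahw.exe
O4 - HKLM\..\Policies\Explorer\Run: [QcsL60w10k] D:\Documents and Settings\All Users\Application Data\fsxadsbu\tgzudydo.exe
"""

# O4 - <hive>\..\<key>: [<value name>] <target>
O4_RE = re.compile(
    r"^O4 - (?P<hive>[A-Z]+)\\\.\.\\(?P<key>[^:\[]+): \[(?P<name>[^\]]*)\] (?P<target>.*)$"
)
RANDOM_STEM = re.compile(r"^[a-z]{8}$")               # e.g. vobwpobw, utevadir
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\(system32\\)?[^\\]+$", re.IGNORECASE)
APPDATA_DIR = re.compile(r"\\(application data|applic~1)\\", re.IGNORECASE)
# Assumption: legitimate 8-letter Windows binaries that would otherwise trip
# the random-name rule. Extend for your own baseline.
KNOWN_STEMS = {"explorer", "userinit"}


@dataclass
class AutorunEntry:
    hive: str
    key: str
    name: str
    path: str
    reasons: list[str] = field(default_factory=list)


def _extract_path(target: str) -> str:
    """Pull the executable path out of a Run value, dropping any arguments."""
    target = target.strip()
    if target.startswith('"'):
        end = target.find('"', 1)
        return target[1:end] if end > 0 else target[1:]
    # Unquoted value: cut at the first " /" or " -" switch.
    m = re.search(r" [/-]", target)
    return target[: m.start()] if m else target


def classify(entry: AutorunEntry) -> list[str]:
    """Return the structural reasons an autorun entry deserves a closer look."""
    reasons: list[str] = []
    path = entry.path
    if "\\" not in path:
        if path.lower().endswith(".exe"):
            reasons.append("bare filename, resolved through the search path")
        else:
            reasons.append("garbled or empty target")
    else:
        # Windows paths on a non-Windows host: normalise before basename().
        stem = os.path.splitext(os.path.basename(path.replace("\\", "/")))[0]
        if WINDOWS_DIR.match(path) and RANDOM_STEM.match(stem) and stem not in KNOWN_STEMS:
            reasons.append("random 8-letter name directly under the Windows directory")
        if APPDATA_DIR.search(path):
            reasons.append("autorun from a user or All Users Application Data folder")
    if entry.key.lower() == r"policies\explorer\run":
        reasons.append("Policies\\Explorer\\Run loading point, rarely used legitimately")
    return reasons


def parse_o4(text: str) -> list[AutorunEntry]:
    """Parse every O4 line in a HijackThis log into classified entries."""
    entries: list[AutorunEntry] = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        entry = AutorunEntry(m["hive"], m["key"], m["name"], _extract_path(m["target"]))
        entry.reasons = classify(entry)
        entries.append(entry)
    return entries


def suspicious(text: str) -> list[AutorunEntry]:
    """Only the entries that tripped at least one heuristic."""
    return [e for e in parse_o4(text) if e.reasons]


if __name__ == "__main__":
    for e in suspicious(SAMPLE_O4_LINES):
        print(f"{e.hive}\\{e.key} [{e.name}] -> {e.path}")
        for r in e.reasons:
            print(f"    - {r}")
```

Run against the sample, it flags seven of the eleven entries: the four random-named executables, the garbled `~YÕA~` value, the `drive deaf.exe` autorun from Application Data, and the `Policies\Explorer\Run` entry (which trips two rules). The bare `Mixer.exe` hit is a low-confidence one: the C-Media mixer is legitimate, but an unqualified name in a Run value resolves through the search path and is worth a glance. Everything else in the log (O21 SSODL, O23 services, the `nwprovau` LSA package) still needs the analyst.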
Posted 9/3/2008 3:23 AM
#65582

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Hello :smile:

Please download Malwarebytes' Anti-Malware:

https://www.spywarefri.dk/downloads1/mbam-setup.exe

Click here: Before-posting-a-log

Do not PM me with logfiles. They will be deleted.


Posted 9/4/2008 1:15 AM
#65618

Baskanos Member

Date Joined Nov 2016
Total Posts: 5
Malwarebytes' Anti-Malware 1.26
Database version: 1110
Windows 5.1.2600 Service Pack 2

9/3/2008 4:46:33 AM
mbam-log-2008-09-03 (04-46-33).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 264322
Time elapsed: 4 hour(s), 26 minute(s), 39 second(s)

Memory Processes Infected: 17
Memory Modules Infected: 6
Registry Keys Infected: 13
Registry Values Infected: 43
Registry Data Items Infected: 4
Folders Infected: 17
Files Infected: 69

Memory Processes Infected:
D:\WINDOWS\runsql.exe (Trojan.Downloader) -> Unloaded process successfully.
D:\WINDOWS\sv.exe (Trojan.Downloader) -> Unloaded process successfully.
D:\WINDOWS\svzip.exe (Trojan.Downloader) -> Unloaded process successfully.
D:\WINDOWS\vlc.exe (Trojan.Downloader) -> Unloaded process successfully.
D:\WINDOWS\wdmon.exe (Trojan.Downloader) -> Unloaded process successfully.
D:\WINDOWS\svx.exe (Trojan.Downloader) -> Unloaded process successfully.
D:\WINDOWS\svw.exe (Trojan.Downloader) -> Unloaded process successfully.
D:\WINDOWS\svc.exe (Trojan.Downloader) -> Unloaded process successfully.
D:\Program Files\Microsoft Security Adviser\msctrl.exe (Trojan.Agent) -> Unloaded process successfully.
D:\Program Files\Microsoft Security Adviser\msavsc.exe (Trojan.Agent) -> Unloaded process successfully.
D:\Program Files\Microsoft Security Adviser\msscan.exe (Trojan.Agent) -> Unloaded process successfully.
D:\Program Files\Microsoft Security Adviser\msiemon.exe (Trojan.Agent) -> Unloaded process successfully.
D:\Program Files\Microsoft Security Adviser\msfw.exe (Trojan.Agent) -> Unloaded process successfully.
D:\Program Files\Microsoft Security Adviser\mssadv.exe (Trojan.Clicker) -> Unloaded process successfully.
D:\Program Files\rhceqlj0ec6p\rhceqlj0ec6p.exe (Rogue.Multiple) -> Unloaded process successfully.
D:\WINDOWS\svhoster.exe (Trojan.Agent) -> Unloaded process successfully.
D:\WINDOWS\system32\pphcaqlj0ec6p.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
D:\Documents and Settings\Default\Local Settings\Temp\wndutl32.dll (Trojan.FakeAlert) -> Delete on reboot.
D:\Program Files\rhceqlj0ec6p\MFC71.dll (Rogue.Multiple) -> Delete on reboot.
D:\Program Files\rhceqlj0ec6p\MFC71ENU.DLL (Rogue.Multiple) -> Delete on reboot.
D:\Program Files\rhceqlj0ec6p\msvcp71.dll (Rogue.Multiple) -> Delete on reboot.
D:\Program Files\rhceqlj0ec6p\msvcr71.dll (Rogue.Multiple) -> Delete on reboot.
D:\WINDOWS\system32\autodis.dll (Spyware.BZub) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{020487cc-fc04-4b1e-863f-d9801796230b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhceqlj0ec6p (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhceqlj0ec6p (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{389992b5-9fad-42a7-a7aa-8cfb256e7676} (Spyware.BZub) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{389992b5-9fad-42a7-a7aa-8cfb256e7676} (Spyware.BZub) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runsql (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netsv32 (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netzip (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vlc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdmon (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netx (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netw (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msctrl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msctrl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msavsc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msavsc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msscan.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msscan.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiemon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiemon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msfw.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msfw.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{020487cc-fc04-4b1e-863f-d9801796230b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\D:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhceqlj0ec6p (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net64 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateWin (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcaqlj0ec6p (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssadv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssadv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
D:\Program Files\Microsoft Security Adviser (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\append.dll (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\xlib254.dll (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Program Files\rhceqlj0ec6p (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Files Infected:
D:\WINDOWS\runsql.exe (Trojan.Downloader) -> Delete on reboot.
D:\WINDOWS\sv.exe (Trojan.Downloader) -> Delete on reboot.
D:\WINDOWS\svzip.exe (Trojan.Downloader) -> Delete on reboot.
D:\WINDOWS\vlc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\WINDOWS\wdmon.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\WINDOWS\svx.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\WINDOWS\svw.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\WINDOWS\svc.exe (Trojan.Downloader) -> Delete on reboot.
D:\Program Files\Microsoft Security Adviser\msctrl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Program Files\Microsoft Security Adviser\msavsc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Program Files\Microsoft Security Adviser\msscan.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Program Files\Microsoft Security Adviser\msiemon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Program Files\Microsoft Security Adviser\msfw.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Program Files\Microsoft Security Adviser\mssadv.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\wndutl32.dll (Trojan.FakeAlert) -> Delete on reboot.
D:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25caf.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25caa.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25cab.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25cac.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25cad.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25cae.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25cag.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25cah.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25cai.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25cap.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25caq.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25car.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\blphcaqlj0ec6p.scr.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\blphcaqlj0ec6p.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\0.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\0.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\1.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\1.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\1.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\2.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\2.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\3.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\4.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\5.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\7.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\e (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\rhceqlj0ec6p\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Program Files\rhceqlj0ec6p\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Program Files\rhceqlj0ec6p\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Program Files\rhceqlj0ec6p\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Program Files\rhceqlj0ec6p\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Program Files\rhceqlj0ec6p\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Program Files\rhceqlj0ec6p\rhceqlj0ec6p.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Program Files\rhceqlj0ec6p\rhceqlj0ec6p.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Program Files\rhceqlj0ec6p\Uninstall.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Program Files\MSA\msa0.dat (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
D:\Program Files\MSA\msa1.dat (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
D:\Program Files\MSA\MSA.ooo (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
D:\WINDOWS\svhoster.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\1054j.exe (Backdoor.Bot) -> Delete on reboot.
D:\WINDOWS\system32\autodis.dll (Spyware.BZub) -> Delete on reboot.
D:\WINDOWS\system32\pphcaqlj0ec6p.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\.tt3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\.tt9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\.ttF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\config.cfg (Malware.Trace) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\~tmp.html (Malware.Trace) -> Quarantined and deleted successfully.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ComboFix 08-09-01.03 - Default 2008-09-03 5:05:45.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.642 [GMT -4:00]
Running from: D:\Documents and Settings\Default\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Program Files\PCHealthCenter
D:\WINDOWS\system32\ativvax.dll
.
---- Previous Run -------
.
D:\Program Files\PCHealthCenter
D:\Program Files\PCHealthCenter\Ù‹exe
D:\Program Files\PCHealthCenter\0.exe
D:\Program Files\PCHealthCenter\0.gif
D:\Program Files\PCHealthCenter\1.exe
D:\Program Files\PCHealthCenter\1.gif
D:\Program Files\PCHealthCenter\1.ico
D:\Program Files\PCHealthCenter\2.exe
D:\Program Files\PCHealthCenter\2.gif
D:\Program Files\PCHealthCenter\2.ico
D:\Program Files\PCHealthCenter\3.exe
D:\Program Files\PCHealthCenter\3.gif
D:\Program Files\PCHealthCenter\4.exe
D:\Program Files\PCHealthCenter\5.exe
D:\Program Files\PCHealthCenter\7.exe
D:\Program Files\PCHealthCenter\xe
D:\WINDOWS\system32\ati2dvag(3.dll
D:\WINDOWS\system32\blphcaqlj0ec6p.scr
D:\WINDOWS\system32\lphcaqlj0ec6p.exe
D:\WINDOWS\system32\phcaqlj0ec6p.bmp

.
((((((((((((((((((((((((( Files Created from 2008-08-03 to 2008-09-03 )))))))))))))))))))))))))))))))
.

2008-09-03 05:12 . 2008-09-03 05:12 d-------- D:\Program Files\PCHealthCenter
2008-09-03 05:12 . 2008-09-03 05:12 625,208 --a------ D:\WINDOWS\system32\phcaqlj0ec6p.bmp
2008-09-03 05:12 . 2008-09-03 05:12 203,776 --a------ D:\WINDOWS\system32\lphcaqlj0ec6p.exe
2008-09-03 05:12 . 2008-09-03 05:12 118,784 --a------ D:\WINDOWS\system32\blphcaqlj0ec6p.scr
2008-09-03 05:12 . 2008-09-03 05:12 81,920 --a------ D:\WINDOWS\system32\zovqtqly.exe
2008-09-03 05:02 . 2008-09-03 05:02 81,920 --a------ D:\WINDOWS\system32\wpwlafup.exe
2008-09-03 04:50 . 2008-09-03 04:50 81,920 --a------ D:\WINDOWS\system32\fejsxgpk.exe
2008-09-02 12:15 . 2008-09-02 12:15 203,776 --a------ D:\WINDOWS\system32\xcpmpubi.exe
2008-09-02 12:15 . 2008-09-02 12:15 98,304 --a------ D:\WINDOWS\system32\tulkfmfw.exe
2008-09-02 11:43 . 2008-09-02 11:43 98,304 --a------ D:\WINDOWS\system32\ngxilahw.exe
2008-09-02 11:26 . 2008-09-02 11:26 98,304 --a------ D:\WINDOWS\system32\utevadir.exe
2008-09-02 08:59 . 2008-09-02 08:59 d-------- D:\Program Files\CCleaner
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Program Files\SUPERAntiSpyware
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Program Files\Common Files\Wise Installation Wizard
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Documents and Settings\Default\Application Data\SUPERAntiSpyware.com
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-02 08:41 . 2008-09-02 23:13 d-------- D:\Program Files\Malwarebytes' Anti-Malware
2008-09-02 08:41 . 2008-09-02 00:16 38,528 --a------ D:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-02 08:41 . 2008-09-02 00:16 17,200 --a------ D:\WINDOWS\system32\drivers\mbam.sys
2008-09-02 08:35 . 2008-09-03 05:12 d-------- D:\Program Files\MSA
2008-09-01 20:02 . 2008-09-01 20:02 203,776 --a------ D:\WINDOWS\system32\bwbyxszu.exe
2008-08-22 12:19 . 2008-08-22 12:18 40,960 -r-hs---- D:\WINDOWS\system32\6to4svcl.exe
2008-08-22 12:19 . 2008-08-22 12:20 144 --ahs---- D:\WINDOWS\system32\1884727700.dat
2008-08-18 20:12 . 2008-08-18 20:12 d-------- D:\Program Files\Sun
2008-08-18 18:23 . 2008-08-18 20:26 d-------- D:\WINDOWS\system32\CatRoot_bak
2008-08-14 12:51 . 2008-08-14 12:51 53,248 --a------ D:\WINDOWS\vobwpobw.exe
2008-08-04 15:49 . 2008-08-04 15:49 d-------- D:\Documents and Settings\Default\Application Data\Malwarebytes
2008-08-04 15:49 . 2008-08-04 15:49 d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-04 14:37 . 2008-08-04 14:37 d-------- D:\Program Files\brwireg
2008-08-04 14:37 . 2008-08-04 14:37 d-------- D:\Documents and Settings\All Users\Application Data\fsxadsbu

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-27 18:54 --------- d-----w D:\Program Files\XoftSpySE
2008-08-23 17:45 --------- d-----w D:\Program Files\MySpace
2008-08-23 17:43 --------- d-----w D:\Program Files\Lavasoft
2008-08-22 16:51 --------- d-----w D:\Program Files\Common Files\Symantec Shared
2008-08-19 14:25 --------- d-----w D:\Program Files\Microsoft Silverlight
2008-08-19 00:11 --------- d-----w D:\Program Files\Java
2008-07-29 02:48 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-07-29 02:48 --------- d-----w D:\Program Files\Logitech
2008-07-29 02:48 --------- d-----w D:\Program Files\Common Files\Logitech
2008-07-22 17:57 --------- d-----w D:\Program Files\RegCure
2008-07-22 16:14 --------- d-----w D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-22 15:13 --------- d-----w D:\Program Files\Norton AntiVirus
2008-07-22 02:27 --------- d-----w D:\Program Files\Diablo II
2008-07-22 01:22 --------- d-----w D:\Program Files\PlayOnline
2008-07-21 23:05 --------- d-----w D:\Program Files\each logo type
2008-07-21 23:05 --------- d-----w D:\Documents and Settings\Default\Application Data\each logo type
2008-07-21 23:05 --------- d-----w D:\Documents and Settings\All Users\Application Data\bat glue time dash
2008-07-21 21:52 --------- d-----w D:\Program Files\LimeWire
2008-07-05 16:04 --------- d-----w D:\Documents and Settings\Default\Application Data\CyberLink
2008-07-05 16:03 --------- d-----w D:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-05 15:52 --------- d-----w D:\Program Files\CyberLink
.

------- Sigcheck -------

2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 D:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 D:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 06:44 360960 744e57c99232201ae98c49168b918f48 D:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d D:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e D:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 D:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 D:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 D:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-09-02_11.55.30.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2002-12-31 12:00:00 91,648 ----a-w D:\WINDOWS\system32\certcl.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94250E81-34BF-4A61-B913-8E8FDEBEF855}]
2002-12-31 08:00 91648 --a------ D:\WINDOWS\system32\certcl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"~YÕA~"="Ù‹exe" [X]
"@"="xe" [X]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2002-12-31 15360]
"MonSetAdm"="D:\WINDOWS\system32\fejsxgpk.exe" [2008-09-03 81920]
"smartchk"="D:\WINDOWS\system32\wpwlafup.exe" [2008-09-03 81920]
"hlpstr"="D:\WINDOWS\system32\zovqtqly.exe" [2008-09-03 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"~YÕA~"="Ù‹exe" [X]
"@"="xe" [X]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="D:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" [2008-05-27 413696]
"osCheck"="D:\Program Files\Norton AntiVirus\osCheck.exe" [2007-02-07 771704]
"ccApp"="D:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"RemoteControl"="D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="D:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"UpdatePPShortCut"="D:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2007-08-16 218408]
"hlpchkutil"="D:\WINDOWS\vobwpobw.exe" [2008-08-14 53248]
"lphcaqlj0ec6p"="D:\WINDOWS\system32\lphcaqlj0ec6p.exe" [2008-09-03 203776]
"C-Media Mixer"="Mixer.exe" [2001-11-15 D:\WINDOWS\mixer.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"QcsL60w10k"="D:\Documents and Settings\All Users\Application Data\fsxadsbu\tgzudydo.exe" [2008-08-04 61440]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "D:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"procchkact"= {5A8DF54F-3C3A-F718-BF1B-008624137EAF} - D:\Program Files\brwireg\procchkact.dll [2008-08-04 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ComAplApp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphcaqlj0ec6p
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhceqlj0ec6p

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2002-12-31 08:00 15360 D:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
--a------ 2003-08-19 06:43 57344 D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-04-19 13:26 484904 D:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Time Dash Second Regs]
--a------ 2008-09-02 23:01 5051904 D:\Documents and Settings\All Users\Application Data\bat glue time dash\bags bend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 22:49 4662776 D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a------ 2003-12-01 11:38 892928 D:\Program Files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
--a------ 2006-02-21 21:05 344064 D:\WINDOWS\system32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"D:\\Program Files\\LimeWire\\LimeWire.exe"=
"D:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"D:\\Program Files\\Yahoo!\\UPnP\\yupnpsrv.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"D:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=
"D:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;D:\WINDOWS\system32\drivers\si3112r.sys [2003-05-09 89749]
R0 SiWinAcc;SiWinAcc;D:\WINDOWS\system32\drivers\SiWinAcc.sys [2003-02-12 9600]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};D:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51 13560]
S0 uckkagnh;uckkagnh;D:\WINDOWS\system32\drivers\lztqajog.dat [ ]
S3 LCcfltr;Logitech USB Filter Driver;D:\WINDOWS\system32\Drivers\LCcFltr.Sys [2003-11-07 14092]
S3 XDva020;XDva020;D:\WINDOWS\system32\XDva020.sys [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"D:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-IPC Configuration Utility - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - D:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\bravk493.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - D:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - D:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin2.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin3.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin4.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin5.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF -: plugin - D:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-09-03 05:12:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


D:\WINDOWS\system32\blphcaqlj0ec6p.scr 118784 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\uckkagnh]
"ImagePath"="system32\drivers\lztqajog.dat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\D:\Program Files\CyberLink\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\ati2evxx.exe
D:\WINDOWS\system32\ati2evxx.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\CyberLink\Shared Files\RichVideo.exe
D:\Program Files\PCHealthCenter\0.exe
D:\Program Files\PCHealthCenter\1.exe
D:\Program Files\PCHealthCenter\2.exe
D:\Program Files\PCHealthCenter\3.exe
D:\Program Files\PCHealthCenter\4.exe
D:\Program Files\PCHealthCenter\7.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\system32\taskmgr.exe
D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
.
**************************************************************************
.
Completion time: 2008-09-03 5:22:10 - machine was rebooted [Default]
ComboFix-quarantined-files.txt 2008-09-03 09:22:04
ComboFix2.txt 2008-09-02 15:56:01

Pre-Run: 122,723,901,440 bytes free
Post-Run: 122,709,278,720 bytes free

265 --- E O F --- 2008-08-19 14:25:12
Posted 9/4/2008 3:21 AM
#65619
Touch Advanced member
Date Joined Nov 2016
Total Posts: 12974
Just curious: is your antivirus updated?

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

Killall::

[1]
"=-
"@"=-
"MonSetAdm"=-
"smartchk"=-
"hlpstr"=-



[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"QcsL60w10k"=-


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"procchkact"=-


[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Time Dash Second Regs]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\uckkagnh]

[/1]
Save this as:
CFScript

https://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

Then post fresh combofix log.

Click here: Before-posting-a-log



Posted 9/4/2008 8:48 PM
#65635
Baskanos Member
Date Joined Nov 2016
Total Posts: 5
No, I had some issues with Norton taking extra money and canceled last renewal cycle. Can you suggest a good antivirus other than Norton? Cheaper the better, kinda on a budget.


ComboFix 08-09-03.06 - Default 2008-09-04 0:39:07.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.662 [GMT -4:00]
Running from: D:\Documents and Settings\Default\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\Default\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\All Users\Application Data\bat glue time dash
D:\Documents and Settings\All Users\Application Data\bat glue time dash\bags bend.exe
D:\Documents and Settings\All Users\Application Data\fsxadsbu
D:\Documents and Settings\All Users\Application Data\fsxadsbu\tgzudydo.exe
D:\Program Files\brwireg
D:\Program Files\brwireg\procchkact.dll
D:\Program Files\MSA
D:\Program Files\MSA\MSA.cpl
D:\Program Files\MSA\MSA.exe
D:\Program Files\MSA\MSA.ooo
D:\Program Files\MSA\msa0.dat
D:\Program Files\MSA\msa1.dat
D:\Program Files\PCHealthCenter
D:\Program Files\PCHealthCenter\Ù‹exe
D:\Program Files\PCHealthCenter\0.exe
D:\Program Files\PCHealthCenter\0.gif
D:\Program Files\PCHealthCenter\1.exe
D:\Program Files\PCHealthCenter\1.gif
D:\Program Files\PCHealthCenter\1.ico
D:\Program Files\PCHealthCenter\2.exe
D:\Program Files\PCHealthCenter\2.gif
D:\Program Files\PCHealthCenter\2.ico
D:\Program Files\PCHealthCenter\3.exe
D:\Program Files\PCHealthCenter\3.gif
D:\Program Files\PCHealthCenter\4.exe
D:\Program Files\PCHealthCenter\5.exe
D:\Program Files\PCHealthCenter\7.exe
D:\Program Files\PCHealthCenter\xe
D:\WINDOWS\system32\1884727700.dat
D:\WINDOWS\system32\6to4svcl.exe
D:\WINDOWS\system32\blphcaqlj0ec6p.scr
D:\WINDOWS\system32\bwbyxszu.exe
D:\WINDOWS\system32\certcl.dll
D:\WINDOWS\system32\fejsxgpk.exe
D:\WINDOWS\system32\ngxilahw.exe
D:\WINDOWS\system32\tulkfmfw.exe
D:\WINDOWS\system32\utevadir.exe
D:\WINDOWS\system32\wpwlafup.exe
D:\WINDOWS\system32\xcpmpubi.exe
D:\WINDOWS\system32\zovqtqly.exe
D:\WINDOWS\vobwpobw.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UCKKAGNH
-------\Service_uckkagnh


((((((((((((((((((((((((( Files Created from 2008-08-04 to 2008-09-04 )))))))))))))))))))))))))))))))
.

2008-09-04 00:33 . 2008-09-04 00:33 90,112 --a------ D:\WINDOWS\system32\ozwncpkh.exe
2008-09-02 08:59 . 2008-09-02 08:59 d-------- D:\Program Files\CCleaner
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Program Files\SUPERAntiSpyware
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Program Files\Common Files\Wise Installation Wizard
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Documents and Settings\Default\Application Data\SUPERAntiSpyware.com
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-02 08:41 . 2008-09-02 23:13 d-------- D:\Program Files\Malwarebytes' Anti-Malware
2008-09-02 08:41 . 2008-09-02 00:16 38,528 --a------ D:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-02 08:41 . 2008-09-02 00:16 17,200 --a------ D:\WINDOWS\system32\drivers\mbam.sys
2008-08-18 20:12 . 2008-08-18 20:12 d-------- D:\Program Files\Sun
2008-08-18 18:23 . 2008-08-18 20:26 d-------- D:\WINDOWS\system32\CatRoot_bak
2008-08-04 15:49 . 2008-08-04 15:49 d-------- D:\Documents and Settings\Default\Application Data\Malwarebytes
2008-08-04 15:49 . 2008-08-04 15:49 d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-27 18:54 --------- d-----w D:\Program Files\XoftSpySE
2008-08-23 17:45 --------- d-----w D:\Program Files\MySpace
2008-08-23 17:43 --------- d-----w D:\Program Files\Lavasoft
2008-08-22 16:51 --------- d-----w D:\Program Files\Common Files\Symantec Shared
2008-08-19 14:25 --------- d-----w D:\Program Files\Microsoft Silverlight
2008-08-19 00:11 --------- d-----w D:\Program Files\Java
2008-07-29 02:48 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-07-29 02:48 --------- d-----w D:\Program Files\Logitech
2008-07-29 02:48 --------- d-----w D:\Program Files\Common Files\Logitech
2008-07-22 17:57 --------- d-----w D:\Program Files\RegCure
2008-07-22 16:14 --------- d-----w D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-22 15:13 --------- d-----w D:\Program Files\Norton AntiVirus
2008-07-22 02:27 --------- d-----w D:\Program Files\Diablo II
2008-07-22 01:22 --------- d-----w D:\Program Files\PlayOnline
2008-07-21 23:05 --------- d-----w D:\Program Files\each logo type
2008-07-21 23:05 --------- d-----w D:\Documents and Settings\Default\Application Data\each logo type
2008-07-21 21:52 --------- d-----w D:\Program Files\LimeWire
2008-07-05 16:04 --------- d-----w D:\Documents and Settings\Default\Application Data\CyberLink
2008-07-05 16:03 --------- d-----w D:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-05 15:52 --------- d-----w D:\Program Files\CyberLink
.

------- Sigcheck -------

2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 D:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 D:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 06:44 360960 744e57c99232201ae98c49168b918f48 D:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d D:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e D:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 D:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 D:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 D:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"~YÕA~"="Ù‹exe" [X]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2002-12-31 15360]
"EnAplCom"="D:\WINDOWS\system32\ozwncpkh.exe" [2008-09-04 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"~YÕA~"="Ù‹exe" [X]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="D:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" [2008-05-27 413696]
"osCheck"="D:\Program Files\Norton AntiVirus\osCheck.exe" [2007-02-07 771704]
"ccApp"="D:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"RemoteControl"="D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="D:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"UpdatePPShortCut"="D:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2007-08-16 218408]
"lphcaqlj0ec6p"="D:\WINDOWS\system32\lphcaqlj0ec6p.exe" [BU]
"C-Media Mixer"="Mixer.exe" [2001-11-15 D:\WINDOWS\mixer.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "D:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ComAplApp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphcaqlj0ec6p
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhceqlj0ec6p

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2002-12-31 08:00 15360 D:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
--a------ 2003-08-19 06:43 57344 D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-04-19 13:26 484904 D:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 22:49 4662776 D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a------ 2003-12-01 11:38 892928 D:\Program Files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
--a------ 2006-02-21 21:05 344064 D:\WINDOWS\system32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"D:\\Program Files\\LimeWire\\LimeWire.exe"=
"D:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"D:\\Program Files\\Yahoo!\\UPnP\\yupnpsrv.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"D:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=
"D:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;D:\WINDOWS\system32\drivers\si3112r.sys [2003-05-09 89749]
R0 SiWinAcc;SiWinAcc;D:\WINDOWS\system32\drivers\SiWinAcc.sys [2003-02-12 9600]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};D:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51 13560]
S3 LCcfltr;Logitech USB Filter Driver;D:\WINDOWS\system32\Drivers\LCcFltr.Sys [2003-11-07 14092]
S3 XDva020;XDva020;D:\WINDOWS\system32\XDva020.sys [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"D:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-hlpchkutil - D:\WINDOWS\vobwpobw.exe



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-09-04 00:45:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\D:\Program Files\CyberLink\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\ati2evxx.exe
D:\WINDOWS\system32\ati2evxx.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\CyberLink\Shared Files\RichVideo.exe
.
**************************************************************************
.
Completion time: 2008-09-04 0:54:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-04 04:54:19
ComboFix2.txt 2008-09-03 09:22:11
ComboFix3.txt 2008-09-02 15:56:01

Pre-Run: 122,690,015,232 bytes free
Post-Run: 122,681,810,944 bytes free

221 --- E O F --- 2008-08-19 14:25:12
Posted 9/6/2008 2:00 AM
#65669
Touch Advanced member
Date Joined Nov 2016
Total Posts: 12974
Open notepad and copy/paste the text in the quotebox below into it:

Quote:

Killall::

Snapshot::

File::
D:\WINDOWS\system32\ozwncpkh.exe
D:\WINDOWS\system32\lphcaqlj0ec6p.exe
D:\WINDOWS\vobwpobw.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"~YÕA~ "=-
"EnAplCom"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"~YÕA~"=-
"lphcaqlj0ec6p"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ComAplApp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphcaqlj0ec6p]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhceqlj0ec6p]

Save this as:
CFScript

https://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

Then post fresh combofix log, along with new hijackthis log

Click here: Before-posting-a-log



Posted 9/6/2008 12:08 PM
#65689
Baskanos Member
Date Joined Nov 2016
Total Posts: 5
ComboFix 08-09-03.06 - Default 2008-09-05 13:40:10.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.627 [GMT -4:00]
Running from: D:\Documents and Settings\Default\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\Default\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\WINDOWS\system32\ozwncpkh.exe

.
((((((((((((((((((((((((( Files Created from 2008-08-05 to 2008-09-05 )))))))))))))))))))))))))))))))
.

2008-09-02 08:59 . 2008-09-02 08:59 d-------- D:\Program Files\CCleaner
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Program Files\SUPERAntiSpyware
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Program Files\Common Files\Wise Installation Wizard
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Documents and Settings\Default\Application Data\SUPERAntiSpyware.com
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-02 08:41 . 2008-09-02 23:13 d-------- D:\Program Files\Malwarebytes' Anti-Malware
2008-09-02 08:41 . 2008-09-02 00:16 38,528 --a------ D:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-02 08:41 . 2008-09-02 00:16 17,200 --a------ D:\WINDOWS\system32\drivers\mbam.sys
2008-08-18 20:12 . 2008-08-18 20:12 d-------- D:\Program Files\Sun
2008-08-18 18:23 . 2008-08-18 20:26 d-------- D:\WINDOWS\system32\CatRoot_bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-04 08:23 --------- d-----w D:\Program Files\XoftSpySE
2008-08-23 17:45 --------- d-----w D:\Program Files\MySpace
2008-08-23 17:43 --------- d-----w D:\Program Files\Lavasoft
2008-08-22 16:51 --------- d-----w D:\Program Files\Common Files\Symantec Shared
2008-08-19 14:25 --------- d-----w D:\Program Files\Microsoft Silverlight
2008-08-19 00:11 --------- d-----w D:\Program Files\Java
2008-08-04 19:49 --------- d-----w D:\Documents and Settings\Default\Application Data\Malwarebytes
2008-08-04 19:49 --------- d-----w D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-29 02:48 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-07-29 02:48 --------- d-----w D:\Program Files\Logitech
2008-07-29 02:48 --------- d-----w D:\Program Files\Common Files\Logitech
2008-07-22 17:57 --------- d-----w D:\Program Files\RegCure
2008-07-22 16:14 --------- d-----w D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-22 15:13 --------- d-----w D:\Program Files\Norton AntiVirus
2008-07-22 02:27 --------- d-----w D:\Program Files\Diablo II
2008-07-22 01:22 --------- d-----w D:\Program Files\PlayOnline
2008-07-21 23:05 --------- d-----w D:\Program Files\each logo type
2008-07-21 23:05 --------- d-----w D:\Documents and Settings\Default\Application Data\each logo type
2008-07-21 21:52 --------- d-----w D:\Program Files\LimeWire
2008-07-05 16:04 --------- d-----w D:\Documents and Settings\Default\Application Data\CyberLink
2008-07-05 16:03 --------- d-----w D:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-05 15:52 --------- d-----w D:\Program Files\CyberLink
.

------- Sigcheck -------

2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 D:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 D:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 06:44 360960 744e57c99232201ae98c49168b918f48 D:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d D:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e D:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 D:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 D:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 D:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2002-12-31 15360]
"Yahoo! Pager"="D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 4662776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="D:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" [2008-05-27 413696]
"osCheck"="D:\Program Files\Norton AntiVirus\osCheck.exe" [2007-02-07 771704]
"ccApp"="D:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"RemoteControl"="D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="D:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"UpdatePPShortCut"="D:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2007-08-16 218408]
"C-Media Mixer"="Mixer.exe" [2001-11-15 D:\WINDOWS\mixer.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2002-12-31 08:00 15360 D:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
--a------ 2003-08-19 06:43 57344 D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-04-19 13:26 484904 D:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 22:49 4662776 D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a------ 2003-12-01 11:38 892928 D:\Program Files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
--a------ 2006-02-21 21:05 344064 D:\WINDOWS\system32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"D:\\Program Files\\LimeWire\\LimeWire.exe"=
"D:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"D:\\Program Files\\Yahoo!\\UPnP\\yupnpsrv.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"D:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=
"D:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;D:\WINDOWS\system32\drivers\si3112r.sys [2003-05-09 89749]
R0 SiWinAcc;SiWinAcc;D:\WINDOWS\system32\drivers\SiWinAcc.sys [2003-02-12 9600]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};D:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51 13560]
S3 LCcfltr;Logitech USB Filter Driver;D:\WINDOWS\system32\Drivers\LCcFltr.Sys [2003-11-07 14092]
S3 XDva020;XDva020;D:\WINDOWS\system32\XDva020.sys [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"D:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-09-05 15:34:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\D:\Program Files\CyberLink\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\ati2evxx.exe
D:\WINDOWS\system32\ati2evxx.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\CyberLink\Shared Files\RichVideo.exe
D:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-09-05 15:43:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-05 19:43:51
ComboFix2.txt 2008-09-04 04:54:25
ComboFix3.txt 2008-09-03 09:22:11
ComboFix4.txt 2008-09-02 15:56:01

Pre-Run: 122,603,331,584 bytes free
Post-Run: 122,593,607,680 bytes free

170 --- E O F --- 2008-08-19 14:25:12

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:16:59 PM, on 9/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\CyberLink\Shared Files\RichVideo.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Mixer.exe
D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Default\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [osCheck] "D:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "D:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [UpdatePPShortCut] "D:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" "D:\Program Files\CyberLink\PowerProducer" update "Software\CyberLink\PowerProducer\4.0"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} - https://www.symantec.com/techsupp/activedata/nprdtinf.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - https://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} (SpinTop Games Launcher) - https://clubgames.pogo.com/online2/pogop/mahjong_escape_ancient_japan/SpinTopGamesLauncher.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - D:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 7111 bytes
Posted 9/6/2008 1:11 PM
#65692
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Looks clean :smile:




How are things running now ?

Click here: Before-posting-a-log
Do not PM me with logfiles. They will be deleted.
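The "Looks clean" verdict above comes from reading the HijackThis lines by hand. As an added example (not part of this thread, and not code from HijackThis or ComboFix), the Python script below does the mechanical first pass a helper makes on such a log: it parses the O4 (Run keys), O10 (Winsock LSP), O16 (ActiveX DPF) and O23 (service) line formats plus the "(no file)" orphan marker, and flags the entries that deserve a closer look. The directory heuristics, the severity labels and the sample lines are all constructed for this example; the two eight-letter executable names in the sample are made up stand-ins for a dropper.

```python
"""First-pass triage of HijackThis-style log lines.

Added example, not code from the forum thread or from HijackThis/ComboFix.
Recognises the O4, O10, O16 and O23 line formats and the "(no file)"
orphan marker. Directory heuristics and severities are assumptions made
for this example; every sample line in SAMPLE_LOG is constructed.
"""
import re
from typing import Dict, List, Tuple

# Assumption: installed software does not normally execute from a user
# profile, an Application Data tree, a Temp directory, or the bare WINDOWS
# root (as opposed to system32). Lower-cased substrings of such paths.
SUSPICIOUS_DIRS = (
    "\\documents and settings\\",
    "\\application data\\",
    "\\local settings\\",
    "\\temp\\",
)
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)

# A quoted path, or an unquoted drive-letter path up to its extension.
_PATH_RE = re.compile(
    r'"([^"]+)"|([A-Za-z]:\\.+?\.(?:exe|dll|sys|scr|cpl))(?=\s|$)', re.IGNORECASE
)
_O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
_O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
_O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

Finding = Tuple[str, str, str]  # (severity, reason, original line)


def first_path(cmd: str) -> str:
    """Return the executable path in a Run command line, or '' for a bare name."""
    m = _PATH_RE.search(cmd)
    return (m.group(1) or m.group(2)) if m else ""


def suspicious_location(path: str) -> str:
    """Explain why a path is unusual for installed software, or return ''."""
    low = path.lower()
    if any(d in low for d in SUSPICIOUS_DIRS):
        return "runs from a user profile or Application Data directory"
    if WINDOWS_ROOT_EXE.match(path):
        return "executable placed directly in the WINDOWS root"
    return ""


def triage(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.endswith("(no file)"):
            # Orphaned registry entry: the referenced file is already gone.
            findings.append(("low", "orphan entry, file missing", line))
            continue
        m = _O23_RE.match(line)
        if m:
            if m.group("owner").lower() == "unknown owner":
                findings.append(("medium", "service binary carries no publisher", line))
            why = suspicious_location(m.group("path"))
            if why:
                findings.append(("high", why, line))
            continue
        m = _O4_RE.match(line)
        if m:
            path = first_path(m.group("cmd"))
            if not path:
                # A bare filename is resolved through the search path, so a
                # same-named file earlier on that path can hijack the entry.
                findings.append(("medium", "Run entry uses a bare filename", line))
            else:
                why = suspicious_location(path)
                if why:
                    findings.append(("high", why, line))
            continue
        if line.startswith("O10 - Unknown file in Winsock LSP"):
            findings.append(("medium", "Winsock LSP not recognised by HijackThis", line))
            continue
        m = _O16_RE.match(line)
        if m and not m.group("name"):
            findings.append(("low", "ActiveX control without a friendly name", line))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for sev, _, _ in findings:
        counts[sev] += 1
    return counts


# Constructed sample in the formats seen in the log above; qwzxkvbn.exe and
# zxqvwpbn.exe are made-up names standing in for a dropper.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [svchost] D:\Documents and Settings\All Users\Application Data\qwzxkvbn\qwzxkvbn.exe
O4 - HKLM\..\Run: [Updater] "D:\WINDOWS\zxqvwpbn.exe"
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} - https://www.symantec.com/techsupp/activedata/nprdtinf.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - https://lads.myspace.com/upload/MySpaceUploader1006.cab
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
"""

if __name__ == "__main__":
    for sev, why, line in triage(SAMPLE_LOG.splitlines()):
        print(f"[{sev:6}] {why}: {line}")
```

Against a saved log, `triage(open(path, errors="replace").read().splitlines())` gives the same list. The flags are leads, not verdicts: the bare `Mixer.exe /startup` entry in this very log is legitimate C-Media software, and the "Unknown owner" ATI service is a driver helper, which is why a helper follows the script with a vendor and signature check of each flagged file rather than deleting on sight.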


Posted 9/6/2008 1:20 PM
#65694
User avatar

Baskanos Member

Date Joined Nov 2016
Total Posts: 5
It's running great, thank you all very much. What anti-virus would you suggest? I have Norton currently, but it has not been subscribed for about 2 months. Thanks again.
Posted 9/6/2008 2:44 PM
#65697
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Sounds good :smile:




Download one of these: https://fileforum.betanews.com/detail/Norton_Removal_Tool_for_Windows_2000XPVista/1169144666/1

Reboot, then install the antivirus program you've chosen.




You'll need a (free) firewall as well:

  • ZoneAlarm
    NOTE: If choosing ZoneAlarm, be aware that the free version also installs ZoneAlarm Spy Blocker. It is recommended however that you UNcheck this option.
  • Kerio
  • Outpost
  • Comodo

Then post a new HijackThis log for a last check.




