EN

FORUMS

SEARCH FORUM

MS anti virus, (multiple trojan, maybe?)

Posted 9/3/2008 1:19 AM
#65579
User avatar

Baskanos Member

Date Joined Nov 2016
Total Posts: 5
been dealing with this for a few weeks, just found your site and you guys seem to be my only hope.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:26:05 PM, on 9/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\CyberLink\Shared Files\RichVideo.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Documents and Settings\All Users\Application Data\fsxadsbu\tgzudydo.exe
D:\WINDOWS\Mixer.exe
D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\WINDOWS\vobwpobw.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\utevadir.exe
D:\WINDOWS\system32\hetshuxa.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\PCHealthCenter\1.exe
D:\Program Files\PCHealthCenter\2.exe
D:\Program Files\PCHealthCenter\3.exe
D:\Program Files\PCHealthCenter\4.exe
D:\Program Files\MSA\MSA.exe
D:\Program Files\PCHealthCenter\7.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
D:\WINDOWS\vobwpobw.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Default\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [osCheck] "D:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "D:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [UpdatePPShortCut] "D:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" "D:\Program Files\CyberLink\PowerProducer" update "Software\CyberLink\PowerProducer\4.0"
O4 - HKLM\..\Run: [hlpchkutil] D:\WINDOWS\vobwpobw.exe
O4 - HKLM\..\Run: [~YÕA~] Ù‹exe
O4 - HKLM\..\Run: [Antivirus] D:\Program Files\MSA\MSA.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [~YÕA~] Ù‹exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [debugpop] D:\DOCUME~1\Default\APPLIC~1\EACHLO~1\drive deaf.exe
O4 - HKCU\..\Run: [SrvProcMon] D:\WINDOWS\system32\utevadir.exe
O4 - HKCU\..\Run: [mntutilapl] D:\WINDOWS\system32\ngxilahw.exe
O4 - HKCU\..\Run: [genactinfo] D:\WINDOWS\system32\tulkfmfw.exe
O4 - HKLM\..\Policies\Explorer\Run: [QcsL60w10k] D:\Documents and Settings\All Users\Application Data\fsxadsbu\tgzudydo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} - https://www.symantec.com/techsupp/activedata/nprdtinf.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - https://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} (SpinTop Games Launcher) - https://clubgames.pogo.com/online2/pogop/mahjong_escape_ancient_japan/SpinTopGamesLauncher.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: procchkact - {5A8DF54F-3C3A-F718-BF1B-008624137EAF} - D:\Program Files\brwireg\procchkact.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - D:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8356 bytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 09/02/2008 at 10:45 AM

Application Version : 4.20.1046

Core Rules Database Version : 3554
Trace Rules Database Version: 1542

Scan type : Complete Scan
Total Scan Time : 01:09:17

Memory items scanned : 510
Memory threats detected : 5
Registry items scanned : 6790
Registry threats detected : 14
File items scanned : 49692
File threats detected : 61

Adware.Vundo Variant
D:\WINDOWS\SYSTEM32\APPMGMT.DLL
D:\WINDOWS\SYSTEM32\APPMGMT.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A13649E2-A47E-4D21-8ABB-6DBFBE55483A}
HKCR\CLSID\{A13649E2-A47E-4D21-8ABB-6DBFBE55483A}
HKCR\CLSID\{A13649E2-A47E-4D21-8ABB-6DBFBE55483A}\InprocServer32
HKCR\CLSID\{A13649E2-A47E-4D21-8ABB-6DBFBE55483A}\InprocServer32#ThreadingModel

Rogue.Dropper/Gen
D:\WINDOWS\SYSTEM32\LPHCAQLJ0EC6P.EXE
D:\WINDOWS\SYSTEM32\LPHCAQLJ0EC6P.EXE
D:\WINDOWS\Prefetch\LPHCAQLJ0EC6P.EXE-26913B0F.pf

NotHarmful.Sysinternals Bluescreen Screen Saver
D:\WINDOWS\SYSTEM32\BLPHCAQLJ0EC6P.SCR
D:\WINDOWS\SYSTEM32\BLPHCAQLJ0EC6P.SCR

Rogue.MS AntiVirus
D:\PROGRAM FILES\MSA\MSA.EXE
D:\PROGRAM FILES\MSA\MSA.EXE
[Antivirus] D:\PROGRAM FILES\MSA\MSA.EXE
D:\DOCUMENTS AND SETTINGS\DEFAULT\DESKTOP\MS ANTIVIRUS.LNK
D:\WINDOWS\Prefetch\MSA.EXE-35AD0B56.pf

Rogue.MalwareProtector/Variant
D:\WINDOWS\SYSTEM32\PPHCAQLJ0EC6P.EXE
D:\WINDOWS\SYSTEM32\PPHCAQLJ0EC6P.EXE
D:\WINDOWS\Prefetch\PPHCAQLJ0EC6P.EXE-11E4AE47.pf

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{0656A137-B161-CADD-9777-E37A75727E78}
HKU\S-1-5-21-1606980848-1532298954-682003330-1003\Software\Classes\CLSID\{0656A137-B161-CADD-9777-E37A75727E78}
HKCR\CLSID\{0656A137-B161-CADD-9777-E37A75727E78}

Adware.Tracking Cookie
D:\Documents and Settings\Default\Cookies\default@st[17].txt
D:\Documents and Settings\Default\Cookies\default@st[26].txt
D:\Documents and Settings\Default\Cookies\default@dtr[1].txt
D:\Documents and Settings\Default\Cookies\default@st[45].txt
D:\Documents and Settings\Default\Cookies\default@st[27].txt
D:\Documents and Settings\Default\Cookies\default@st[2].txt
D:\Documents and Settings\Default\Cookies\default@st[5].txt
D:\Documents and Settings\Default\Cookies\default@cgi-bin[2].txt
D:\Documents and Settings\Default\Cookies\default@st[19].txt
D:\Documents and Settings\Default\Cookies\default@st[3].txt
D:\Documents and Settings\Default\Cookies\default@st[37].txt
D:\Documents and Settings\Default\Cookies\default@st[21].txt
D:\Documents and Settings\Default\Cookies\default@st[44].txt
D:\Documents and Settings\Default\Cookies\default@st[8].txt
D:\Documents and Settings\Default\Cookies\default@st[7].txt

Trojan.Unknown Origin
D:\WINDOWS\mslagent
D:\WINDOWS\SYSTEM32\1.ICO
D:\WINDOWS\SYSTEM32\2.ICO

Trojan.Media-Codec
D:\Program Files\PCHealthCenter\sc.html
D:\Program Files\PCHealthCenter\xe
D:\Program Files\PCHealthCenter\ًexe
D:\Program Files\PCHealthCenter

Trojan.DNSChanger-Codec
HKU\S-1-5-21-1606980848-1532298954-682003330-1003\Software\uninstall

Rogue.WindowsSecurityAdviser
D:\Program Files\Microsoft Security Adviser\msctrl.log
D:\Program Files\Microsoft Security Adviser\msctrl2.exe
D:\Program Files\Microsoft Security Adviser\msctrl2.log
D:\Program Files\Microsoft Security Adviser\mssadv.log
D:\Program Files\Microsoft Security Adviser\mssadv_sp.log
D:\Program Files\Microsoft Security Adviser
D:\WINDOWS\Prefetch\MSCTRL2.EXE-0804B4A3.pf

Rogue.PC-Cleaner
HKU\S-1-5-21-1606980848-1532298954-682003330-1003\Software\mwc

Rogue.AntiVirus 2008
HKU\S-1-5-21-1606980848-1532298954-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Run#Antivirus [ D:\Program Files\MSA\MSA.exe ]
D:\Documents and Settings\Default\Application Data\RHCEQLJ0EC6P
D:\WINDOWS\SYSTEM32\PHCAQLJ0EC6P.BMP
D:\Program Files\RHCEQLJ0EC6P

Rogue.AntiVirus XP 2008
D:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
D:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
D:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
D:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
D:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
D:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008
D:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
D:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk

Trojan.FakeAlert/Desktop
HKU\S-1-5-21-1606980848-1532298954-682003330-1003\CONTROL PANEL\DESKTOP#WALLPAPER
HKU\S-1-5-21-1606980848-1532298954-682003330-1003\CONTROL PANEL\DESKTOP#ORIGINALWALLPAPER
HKU\S-1-5-21-1606980848-1532298954-682003330-1003\CONTROL PANEL\DESKTOP#CONVERTEDWALLPAPER

Trojan.Downloader-SVCHost/Fake
C:\GOOGLE.COM\SVCHOST.EXE
D:\WINDOWS\Prefetch\SVCHOST.EXE-1396A748.pf

Trojan.Aff-YourThumbs
D:\DOCUMENTS AND SETTINGS\DEFAULT\MSSADV.DLL

Trojan.Unclassified/MSCTRL
D:\DOCUMENTS AND SETTINGS\DEFAULT\MSAVSC.DLL
D:\DOCUMENTS AND SETTINGS\DEFAULT\MSCTRL.DLL
D:\DOCUMENTS AND SETTINGS\DEFAULT\MSFW.DLL
D:\DOCUMENTS AND SETTINGS\DEFAULT\MSIEMON.DLL
D:\DOCUMENTS AND SETTINGS\DEFAULT\MSSCAN.DLL

Rogue.MS AntiVirus/A
D:\PROGRAM FILES\MSA\MSA.CPL
D:\WINDOWS\SYSTEM32\MSA.CPL

Adware.Multi-Dropper/Trace
D:\WINDOWS\CROCK+MOCK.CONFIG

Rootkit.Filter-Gen
D:\WINDOWS\SYSTEM32\DRIVERS\LZTQAJOG.DAT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ComboFix 08-09-01.03 - Default 2008-09-02 11:36:24.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.622 [GMT -4:00]
Running from: D:\Documents and Settings\Default\Desktop\ComboFix.exe

[color=red]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Program Files\altcmd
D:\Program Files\PCHealthCenter
D:\Program Files\PCHealthCenter\Ù‹exe
D:\Program Files\PCHealthCenter\0.exe
D:\Program Files\PCHealthCenter\0.gif
D:\Program Files\PCHealthCenter\1.exe
D:\Program Files\PCHealthCenter\1.gif
D:\Program Files\PCHealthCenter\1.ico
D:\Program Files\PCHealthCenter\2.exe
D:\Program Files\PCHealthCenter\2.gif
D:\Program Files\PCHealthCenter\2.ico
D:\Program Files\PCHealthCenter\3.exe
D:\Program Files\PCHealthCenter\3.gif
D:\Program Files\PCHealthCenter\4.exe
D:\Program Files\PCHealthCenter\5.exe
D:\Program Files\PCHealthCenter\7.exe
D:\Program Files\PCHealthCenter\xe
D:\WINDOWS\system32\blphcaqlj0ec6p.scr
D:\WINDOWS\system32\ijl11pro.dll
D:\WINDOWS\system32\lphcaqlj0ec6p.exe
D:\WINDOWS\system32\phcaqlj0ec6p.bmp
D:\WINDOWS\winlogon.exe
D:\Documents and Settings\Default\Application Data\~tmp.html . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-08-02 to 2008-09-02 )))))))))))))))))))))))))))))))
.

2008-09-02 11:43 . 2008-09-02 11:46 d-------- D:\Program Files\PCHealthCenter
2008-09-02 11:43 . 2008-09-02 11:43 118,784 --a------ D:\WINDOWS\system32\blphcaqlj0ec6p.scr
2008-09-02 11:43 . 2008-09-02 11:43 98,304 --a------ D:\WINDOWS\system32\ngxilahw.exe
2008-09-02 11:26 . 2008-09-02 11:26 98,304 --a------ D:\WINDOWS\system32\utevadir.exe
2008-09-02 08:59 . 2008-09-02 08:59 d-------- D:\Program Files\CCleaner
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Program Files\SUPERAntiSpyware
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Program Files\Common Files\Wise Installation Wizard
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Documents and Settings\Default\Application Data\SUPERAntiSpyware.com
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-02 08:41 . 2008-09-02 08:41 d-------- D:\Program Files\Malwarebytes' Anti-Malware
2008-09-02 08:41 . 2008-09-02 00:16 38,528 --a------ D:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-02 08:41 . 2008-09-02 00:16 17,200 --a------ D:\WINDOWS\system32\drivers\mbam.sys
2008-09-02 08:35 . 2008-09-02 11:42 d-------- D:\Program Files\MSA
2008-09-01 20:02 . 2008-09-01 20:02 203,776 --a------ D:\WINDOWS\system32\bwbyxszu.exe
2008-08-22 12:48 . 2008-08-22 12:48 d-------- D:\WINDOWS\system32\xlib254.dll
2008-08-22 12:48 . 2008-08-22 12:48 d-------- D:\WINDOWS\system32\append.dll
2008-08-22 12:19 . 2008-08-22 12:18 40,960 -r-hs---- D:\WINDOWS\system32\6to4svcl.exe
2008-08-22 12:19 . 2008-08-22 12:20 144 --ahs---- D:\WINDOWS\system32\1884727700.dat
2008-08-18 20:12 . 2008-08-18 20:12 d-------- D:\Program Files\Sun
2008-08-18 18:23 . 2008-08-18 20:26 d-------- D:\WINDOWS\system32\CatRoot_bak
2008-08-14 12:51 . 2008-08-14 12:51 53,248 --a------ D:\WINDOWS\vobwpobw.exe
2008-08-04 15:49 . 2008-08-04 15:49 d-------- D:\Documents and Settings\Default\Application Data\Malwarebytes
2008-08-04 15:49 . 2008-08-04 15:49 d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-04 14:37 . 2008-08-04 14:37 d-------- D:\Program Files\brwireg
2008-08-04 14:37 . 2008-08-04 14:37 d-------- D:\Documents and Settings\All Users\Application Data\fsxadsbu

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-27 18:54 --------- d-----w D:\Program Files\XoftSpySE
2008-08-23 17:45 --------- d-----w D:\Program Files\MySpace
2008-08-23 17:43 --------- d-----w D:\Program Files\Lavasoft
2008-08-22 16:51 --------- d-----w D:\Program Files\Common Files\Symantec Shared
2008-08-19 14:25 --------- d-----w D:\Program Files\Microsoft Silverlight
2008-08-19 00:11 --------- d-----w D:\Program Files\Java
2008-07-29 02:48 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-07-29 02:48 --------- d-----w D:\Program Files\Logitech
2008-07-29 02:48 --------- d-----w D:\Program Files\Common Files\Logitech
2008-07-22 17:57 --------- d-----w D:\Program Files\RegCure
2008-07-22 16:14 --------- d-----w D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-22 15:13 --------- d-----w D:\Program Files\Norton AntiVirus
2008-07-22 02:27 --------- d-----w D:\Program Files\Diablo II
2008-07-22 01:22 --------- d-----w D:\Program Files\PlayOnline
2008-07-21 23:05 --------- d-----w D:\Program Files\each logo type
2008-07-21 23:05 --------- d-----w D:\Documents and Settings\Default\Application Data\each logo type
2008-07-21 23:05 --------- d-----w D:\Documents and Settings\All Users\Application Data\bat glue time dash
2008-07-21 21:52 --------- d-----w D:\Program Files\LimeWire
2008-07-19 02:10 94,920 ----a-w D:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w D:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w D:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w D:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w D:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w D:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w D:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w D:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w D:\WINDOWS\system32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w D:\WINDOWS\system32\muweb.dll
2008-07-07 20:32 253,952 ----a-w D:\WINDOWS\system32\es.dll
2008-07-05 16:04 --------- d-----w D:\Documents and Settings\Default\Application Data\CyberLink
2008-07-05 16:03 --------- d-----w D:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-05 15:52 --------- d-----w D:\Program Files\CyberLink
2008-06-24 16:23 74,240 ----a-w D:\WINDOWS\system32\mscms.dll
2008-06-23 15:38 659,456 ----a-w D:\WINDOWS\system32\wininet.dll
2008-06-22 00:42 21,840 ----a-w D:\WINDOWS\system32\SIntfNT.dll
2008-06-22 00:42 17,212 ----a-w D:\WINDOWS\system32\SIntf32.dll
2008-06-22 00:42 12,067 ----a-w D:\WINDOWS\system32\SIntf16.dll
2008-06-20 17:41 245,248 ----a-w D:\WINDOWS\system32\mswsock.dll
.

------- Sigcheck -------

2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 D:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 D:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 06:44 360960 744e57c99232201ae98c49168b918f48 D:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d D:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e D:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 D:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 D:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 D:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"~YÕA~"="Ù‹exe" [X]
"@"="xe" [X]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2002-12-31 15360]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-19 1576176]
"debugpop"="D:\DOCUME~1\Default\APPLIC~1\EACHLO~1\drive deaf.exe" [2008-07-21 526336]
"SrvProcMon"="D:\WINDOWS\system32\utevadir.exe" [2008-09-02 98304]
"mntutilapl"="D:\WINDOWS\system32\ngxilahw.exe" [2008-09-02 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"~YÕA~"="Ù‹exe" [X]
"@"="xe" [X]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="D:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" [2008-05-27 413696]
"osCheck"="D:\Program Files\Norton AntiVirus\osCheck.exe" [2007-02-07 771704]
"ccApp"="D:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"RemoteControl"="D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="D:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"UpdatePPShortCut"="D:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2007-08-16 218408]
"hlpchkutil"="D:\WINDOWS\vobwpobw.exe" [2008-08-14 53248]
"Antivirus"="D:\Program Files\MSA\MSA.exe" [2008-08-30 412160]
"C-Media Mixer"="Mixer.exe" [2001-11-15 D:\WINDOWS\mixer.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"QcsL60w10k"="D:\Documents and Settings\All Users\Application Data\fsxadsbu\tgzudydo.exe" [2008-08-04 61440]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "D:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"procchkact"= {5A8DF54F-3C3A-F718-BF1B-008624137EAF} - D:\Program Files\brwireg\procchkact.dll [2008-08-04 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ComAplApp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphcaqlj0ec6p
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhceqlj0ec6p

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2002-12-31 08:00 15360 D:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
--a------ 2003-08-19 06:43 57344 D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-04-19 13:26 484904 D:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Time Dash Second Regs]
--a------ 2008-09-02 11:46 5051392 D:\Documents and Settings\All Users\Application Data\bat glue time dash\bags bend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 22:49 4662776 D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a------ 2003-12-01 11:38 892928 D:\Program Files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
--a------ 2006-02-21 21:05 344064 D:\WINDOWS\system32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"D:\\Program Files\\LimeWire\\LimeWire.exe"=
"D:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"D:\\Program Files\\Yahoo!\\UPnP\\yupnpsrv.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"D:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=
"D:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;D:\WINDOWS\system32\drivers\si3112r.sys [2003-05-09 89749]
R0 SiWinAcc;SiWinAcc;D:\WINDOWS\system32\drivers\SiWinAcc.sys [2003-02-12 9600]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};D:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51 13560]
S0 uckkagnh;uckkagnh;D:\WINDOWS\system32\drivers\lztqajog.dat [ ]
S3 LCcfltr;Logitech USB Filter Driver;D:\WINDOWS\system32\Drivers\LCcFltr.Sys [2003-11-07 14092]
S3 MBAMSwissArmy;MBAMSwissArmy;D:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-09-02 38528]
S3 XDva020;XDva020;D:\WINDOWS\system32\XDva020.sys [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"D:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-lphcaqlj0ec6p - D:\WINDOWS\system32\lphcaqlj0ec6p.exe
HKLM-Run-SMrhceqlj0ec6p - D:\Program Files\rhceqlj0ec6p\rhceqlj0ec6p.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - D:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\bravk493.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - D:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - D:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin2.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin3.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin4.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin5.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF -: plugin - D:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-09-02 11:43:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


D:\WINDOWS\system32\ngxilahw.exe 98304 bytes executable
D:\WINDOWS\system32\blphcaqlj0ec6p.scr 118784 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\uckkagnh]
"ImagePath"="system32\drivers\lztqajog.dat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\D:\Program Files\CyberLink\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\ati2evxx.exe
D:\WINDOWS\system32\ati2evxx.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\CyberLink\Shared Files\RichVideo.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Qoobox\Quarantine\D\WINDOWS\system32\lphcaqlj0ec6p.exe.vir
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\PCHealthCenter\0.exe
D:\Program Files\PCHealthCenter\1.exe
D:\Program Files\PCHealthCenter\2.exe
D:\Program Files\PCHealthCenter\3.exe
D:\Program Files\PCHealthCenter\4.exe
D:\Program Files\PCHealthCenter\7.exe
C:\winlo.exe
C:\winlo.exe
.
**************************************************************************
.
Completion time: 2008-09-02 11:56:00 - machine was rebooted [Default]
ComboFix-quarantined-files.txt 2008-09-02 15:55:53

Pre-Run: 122,769,555,456 bytes free
Post-Run: 122,721,222,656 bytes free

270 --- E O F --- 2008-08-19 14:25:12
any thing you suggest will be of great help
Posted 9/3/2008 3:23 AM
#65582
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Hello :smile:





Please download Malwarebytes' Anti-Malware:

[color=#0000ff>https://www.spywarefri.dk/downloads1/mbam-setup.exe[/url]



Or here:

[3] [/3]

[color=black face="Courier New" sab="311">[2]Click here: Before-posting-a-log[/2][/url]

<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />[/color]
Do not PM me with logfiles. They will be deleted.


Posted 9/4/2008 1:15 AM
#65618
User avatar

Baskanos Member

Date Joined Nov 2016
Total Posts: 5
Malwarebytes' Anti-Malware 1.26
Database version: 1110
Windows 5.1.2600 Service Pack 2

9/3/2008 4:46:33 AM
mbam-log-2008-09-03 (04-46-33).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 264322
Time elapsed: 4 hour(s), 26 minute(s), 39 second(s)

Memory Processes Infected: 17
Memory Modules Infected: 6
Registry Keys Infected: 13
Registry Values Infected: 43
Registry Data Items Infected: 4
Folders Infected: 17
Files Infected: 69

Memory Processes Infected:
D:\WINDOWS\runsql.exe (Trojan.Downloader) -> Unloaded process successfully.
D:\WINDOWS\sv.exe (Trojan.Downloader) -> Unloaded process successfully.
D:\WINDOWS\svzip.exe (Trojan.Downloader) -> Unloaded process successfully.
D:\WINDOWS\vlc.exe (Trojan.Downloader) -> Unloaded process successfully.
D:\WINDOWS\wdmon.exe (Trojan.Downloader) -> Unloaded process successfully.
D:\WINDOWS\svx.exe (Trojan.Downloader) -> Unloaded process successfully.
D:\WINDOWS\svw.exe (Trojan.Downloader) -> Unloaded process successfully.
D:\WINDOWS\svc.exe (Trojan.Downloader) -> Unloaded process successfully.
D:\Program Files\Microsoft Security Adviser\msctrl.exe (Trojan.Agent) -> Unloaded process successfully.
D:\Program Files\Microsoft Security Adviser\msavsc.exe (Trojan.Agent) -> Unloaded process successfully.
D:\Program Files\Microsoft Security Adviser\msscan.exe (Trojan.Agent) -> Unloaded process successfully.
D:\Program Files\Microsoft Security Adviser\msiemon.exe (Trojan.Agent) -> Unloaded process successfully.
D:\Program Files\Microsoft Security Adviser\msfw.exe (Trojan.Agent) -> Unloaded process successfully.
D:\Program Files\Microsoft Security Adviser\mssadv.exe (Trojan.Clicker) -> Unloaded process successfully.
D:\Program Files\rhceqlj0ec6p\rhceqlj0ec6p.exe (Rogue.Multiple) -> Unloaded process successfully.
D:\WINDOWS\svhoster.exe (Trojan.Agent) -> Unloaded process successfully.
D:\WINDOWS\system32\pphcaqlj0ec6p.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
D:\Documents and Settings\Default\Local Settings\Temp\wndutl32.dll (Trojan.FakeAlert) -> Delete on reboot.
D:\Program Files\rhceqlj0ec6p\MFC71.dll (Rogue.Multiple) -> Delete on reboot.
D:\Program Files\rhceqlj0ec6p\MFC71ENU.DLL (Rogue.Multiple) -> Delete on reboot.
D:\Program Files\rhceqlj0ec6p\msvcp71.dll (Rogue.Multiple) -> Delete on reboot.
D:\Program Files\rhceqlj0ec6p\msvcr71.dll (Rogue.Multiple) -> Delete on reboot.
D:\WINDOWS\system32\autodis.dll (Spyware.BZub) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{020487cc-fc04-4b1e-863f-d9801796230b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhceqlj0ec6p (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhceqlj0ec6p (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{389992b5-9fad-42a7-a7aa-8cfb256e7676} (Spyware.BZub) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{389992b5-9fad-42a7-a7aa-8cfb256e7676} (Spyware.BZub) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runsql (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netsv32 (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netzip (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vlc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdmon (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netx (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netw (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msctrl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msctrl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msavsc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msavsc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msscan.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msscan.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiemon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiemon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msfw.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msfw.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{020487cc-fc04-4b1e-863f-d9801796230b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\D:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhceqlj0ec6p (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net64 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateWin (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcaqlj0ec6p (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssadv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssadv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
D:\Program Files\Microsoft Security Adviser (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\append.dll (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\xlib254.dll (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Program Files\rhceqlj0ec6p (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Files Infected:
D:\WINDOWS\runsql.exe (Trojan.Downloader) -> Delete on reboot.
D:\WINDOWS\sv.exe (Trojan.Downloader) -> Delete on reboot.
D:\WINDOWS\svzip.exe (Trojan.Downloader) -> Delete on reboot.
D:\WINDOWS\vlc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\WINDOWS\wdmon.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\WINDOWS\svx.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\WINDOWS\svw.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\WINDOWS\svc.exe (Trojan.Downloader) -> Delete on reboot.
D:\Program Files\Microsoft Security Adviser\msctrl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Program Files\Microsoft Security Adviser\msavsc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Program Files\Microsoft Security Adviser\msscan.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Program Files\Microsoft Security Adviser\msiemon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Program Files\Microsoft Security Adviser\msfw.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Program Files\Microsoft Security Adviser\mssadv.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\wndutl32.dll (Trojan.FakeAlert) -> Delete on reboot.
D:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25caf.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25caa.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25cab.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25cac.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25cad.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25cae.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25cag.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25cah.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25cai.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25cap.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25caq.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25car.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\blphcaqlj0ec6p.scr.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\blphcaqlj0ec6p.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\0.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\0.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\1.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\1.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\1.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\2.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\2.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\3.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\4.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\5.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\7.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\e (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\rhceqlj0ec6p\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Program Files\rhceqlj0ec6p\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Program Files\rhceqlj0ec6p\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Program Files\rhceqlj0ec6p\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Program Files\rhceqlj0ec6p\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Program Files\rhceqlj0ec6p\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Program Files\rhceqlj0ec6p\rhceqlj0ec6p.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Program Files\rhceqlj0ec6p\rhceqlj0ec6p.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Program Files\rhceqlj0ec6p\Uninstall.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Program Files\MSA\msa0.dat (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
D:\Program Files\MSA\msa1.dat (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
D:\Program Files\MSA\MSA.ooo (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
D:\WINDOWS\svhoster.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\1054j.exe (Backdoor.Bot) -> Delete on reboot.
D:\WINDOWS\system32\autodis.dll (Spyware.BZub) -> Delete on reboot.
D:\WINDOWS\system32\pphcaqlj0ec6p.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\.tt3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\.tt9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\.ttF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\config.cfg (Malware.Trace) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\~tmp.html (Malware.Trace) -> Quarantined and deleted successfully.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ComboFix 08-09-01.03 - Default 2008-09-03 5:05:45.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.642 [GMT -4:00]
Running from: D:\Documents and Settings\Default\Desktop\ComboFix.exe

[color=red]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Program Files\PCHealthCenter
D:\WINDOWS\system32\ativvax.dll
.
---- Previous Run -------
.
D:\Program Files\PCHealthCenter
D:\Program Files\PCHealthCenter\Ù‹exe
D:\Program Files\PCHealthCenter\0.exe
D:\Program Files\PCHealthCenter\0.gif
D:\Program Files\PCHealthCenter\1.exe
D:\Program Files\PCHealthCenter\1.gif
D:\Program Files\PCHealthCenter\1.ico
D:\Program Files\PCHealthCenter\2.exe
D:\Program Files\PCHealthCenter\2.gif
D:\Program Files\PCHealthCenter\2.ico
D:\Program Files\PCHealthCenter\3.exe
D:\Program Files\PCHealthCenter\3.gif
D:\Program Files\PCHealthCenter\4.exe
D:\Program Files\PCHealthCenter\5.exe
D:\Program Files\PCHealthCenter\7.exe
D:\Program Files\PCHealthCenter\xe
D:\WINDOWS\system32\ati2dvag(3.dll
D:\WINDOWS\system32\blphcaqlj0ec6p.scr
D:\WINDOWS\system32\lphcaqlj0ec6p.exe
D:\WINDOWS\system32\phcaqlj0ec6p.bmp

.
((((((((((((((((((((((((( Files Created from 2008-08-03 to 2008-09-03 )))))))))))))))))))))))))))))))
.

2008-09-03 05:12 . 2008-09-03 05:12 d-------- D:\Program Files\PCHealthCenter
2008-09-03 05:12 . 2008-09-03 05:12 625,208 --a------ D:\WINDOWS\system32\phcaqlj0ec6p.bmp
2008-09-03 05:12 . 2008-09-03 05:12 203,776 --a------ D:\WINDOWS\system32\lphcaqlj0ec6p.exe
2008-09-03 05:12 . 2008-09-03 05:12 118,784 --a------ D:\WINDOWS\system32\blphcaqlj0ec6p.scr
2008-09-03 05:12 . 2008-09-03 05:12 81,920 --a------ D:\WINDOWS\system32\zovqtqly.exe
2008-09-03 05:02 . 2008-09-03 05:02 81,920 --a------ D:\WINDOWS\system32\wpwlafup.exe
2008-09-03 04:50 . 2008-09-03 04:50 81,920 --a------ D:\WINDOWS\system32\fejsxgpk.exe
2008-09-02 12:15 . 2008-09-02 12:15 203,776 --a------ D:\WINDOWS\system32\xcpmpubi.exe
2008-09-02 12:15 . 2008-09-02 12:15 98,304 --a------ D:\WINDOWS\system32\tulkfmfw.exe
2008-09-02 11:43 . 2008-09-02 11:43 98,304 --a------ D:\WINDOWS\system32\ngxilahw.exe
2008-09-02 11:26 . 2008-09-02 11:26 98,304 --a------ D:\WINDOWS\system32\utevadir.exe
2008-09-02 08:59 . 2008-09-02 08:59 d-------- D:\Program Files\CCleaner
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Program Files\SUPERAntiSpyware
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Program Files\Common Files\Wise Installation Wizard
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Documents and Settings\Default\Application Data\SUPERAntiSpyware.com
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-02 08:41 . 2008-09-02 23:13 d-------- D:\Program Files\Malwarebytes' Anti-Malware
2008-09-02 08:41 . 2008-09-02 00:16 38,528 --a------ D:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-02 08:41 . 2008-09-02 00:16 17,200 --a------ D:\WINDOWS\system32\drivers\mbam.sys
2008-09-02 08:35 . 2008-09-03 05:12 d-------- D:\Program Files\MSA
2008-09-01 20:02 . 2008-09-01 20:02 203,776 --a------ D:\WINDOWS\system32\bwbyxszu.exe
2008-08-22 12:19 . 2008-08-22 12:18 40,960 -r-hs---- D:\WINDOWS\system32\6to4svcl.exe
2008-08-22 12:19 . 2008-08-22 12:20 144 --ahs---- D:\WINDOWS\system32\1884727700.dat
2008-08-18 20:12 . 2008-08-18 20:12 d-------- D:\Program Files\Sun
2008-08-18 18:23 . 2008-08-18 20:26 d-------- D:\WINDOWS\system32\CatRoot_bak
2008-08-14 12:51 . 2008-08-14 12:51 53,248 --a------ D:\WINDOWS\vobwpobw.exe
2008-08-04 15:49 . 2008-08-04 15:49 d-------- D:\Documents and Settings\Default\Application Data\Malwarebytes
2008-08-04 15:49 . 2008-08-04 15:49 d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-04 14:37 . 2008-08-04 14:37 d-------- D:\Program Files\brwireg
2008-08-04 14:37 . 2008-08-04 14:37 d-------- D:\Documents and Settings\All Users\Application Data\fsxadsbu

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-27 18:54 --------- d-----w D:\Program Files\XoftSpySE
2008-08-23 17:45 --------- d-----w D:\Program Files\MySpace
2008-08-23 17:43 --------- d-----w D:\Program Files\Lavasoft
2008-08-22 16:51 --------- d-----w D:\Program Files\Common Files\Symantec Shared
2008-08-19 14:25 --------- d-----w D:\Program Files\Microsoft Silverlight
2008-08-19 00:11 --------- d-----w D:\Program Files\Java
2008-07-29 02:48 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-07-29 02:48 --------- d-----w D:\Program Files\Logitech
2008-07-29 02:48 --------- d-----w D:\Program Files\Common Files\Logitech
2008-07-22 17:57 --------- d-----w D:\Program Files\RegCure
2008-07-22 16:14 --------- d-----w D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-22 15:13 --------- d-----w D:\Program Files\Norton AntiVirus
2008-07-22 02:27 --------- d-----w D:\Program Files\Diablo II
2008-07-22 01:22 --------- d-----w D:\Program Files\PlayOnline
2008-07-21 23:05 --------- d-----w D:\Program Files\each logo type
2008-07-21 23:05 --------- d-----w D:\Documents and Settings\Default\Application Data\each logo type
2008-07-21 23:05 --------- d-----w D:\Documents and Settings\All Users\Application Data\bat glue time dash
2008-07-21 21:52 --------- d-----w D:\Program Files\LimeWire
2008-07-05 16:04 --------- d-----w D:\Documents and Settings\Default\Application Data\CyberLink
2008-07-05 16:03 --------- d-----w D:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-05 15:52 --------- d-----w D:\Program Files\CyberLink
.

------- Sigcheck -------

2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 D:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 D:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 06:44 360960 744e57c99232201ae98c49168b918f48 D:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d D:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e D:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 D:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 D:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 D:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-09-02_11.55.30.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2002-12-31 12:00:00 91,648 ----a-w D:\WINDOWS\system32\certcl.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94250E81-34BF-4A61-B913-8E8FDEBEF855}]
2002-12-31 08:00 91648 --a------ D:\WINDOWS\system32\certcl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"~YÕA~"="Ù‹exe" [X]
"@"="xe" [X]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2002-12-31 15360]
"MonSetAdm"="D:\WINDOWS\system32\fejsxgpk.exe" [2008-09-03 81920]
"smartchk"="D:\WINDOWS\system32\wpwlafup.exe" [2008-09-03 81920]
"hlpstr"="D:\WINDOWS\system32\zovqtqly.exe" [2008-09-03 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"~YÕA~"="Ù‹exe" [X]
"@"="xe" [X]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="D:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" [2008-05-27 413696]
"osCheck"="D:\Program Files\Norton AntiVirus\osCheck.exe" [2007-02-07 771704]
"ccApp"="D:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"RemoteControl"="D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="D:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"UpdatePPShortCut"="D:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2007-08-16 218408]
"hlpchkutil"="D:\WINDOWS\vobwpobw.exe" [2008-08-14 53248]
"lphcaqlj0ec6p"="D:\WINDOWS\system32\lphcaqlj0ec6p.exe" [2008-09-03 203776]
"C-Media Mixer"="Mixer.exe" [2001-11-15 D:\WINDOWS\mixer.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"QcsL60w10k"="D:\Documents and Settings\All Users\Application Data\fsxadsbu\tgzudydo.exe" [2008-08-04 61440]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "D:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"procchkact"= {5A8DF54F-3C3A-F718-BF1B-008624137EAF} - D:\Program Files\brwireg\procchkact.dll [2008-08-04 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ComAplApp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphcaqlj0ec6p
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhceqlj0ec6p

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2002-12-31 08:00 15360 D:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
--a------ 2003-08-19 06:43 57344 D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-04-19 13:26 484904 D:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Time Dash Second Regs]
--a------ 2008-09-02 23:01 5051904 D:\Documents and Settings\All Users\Application Data\bat glue time dash\bags bend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 22:49 4662776 D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a------ 2003-12-01 11:38 892928 D:\Program Files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
--a------ 2006-02-21 21:05 344064 D:\WINDOWS\system32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"D:\\Program Files\\LimeWire\\LimeWire.exe"=
"D:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"D:\\Program Files\\Yahoo!\\UPnP\\yupnpsrv.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"D:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=
"D:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;D:\WINDOWS\system32\drivers\si3112r.sys [2003-05-09 89749]
R0 SiWinAcc;SiWinAcc;D:\WINDOWS\system32\drivers\SiWinAcc.sys [2003-02-12 9600]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};D:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51 13560]
S0 uckkagnh;uckkagnh;D:\WINDOWS\system32\drivers\lztqajog.dat [ ]
S3 LCcfltr;Logitech USB Filter Driver;D:\WINDOWS\system32\Drivers\LCcFltr.Sys [2003-11-07 14092]
S3 XDva020;XDva020;D:\WINDOWS\system32\XDva020.sys [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"D:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-IPC Configuration Utility - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - D:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\bravk493.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - D:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - D:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin2.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin3.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin4.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin5.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF -: plugin - D:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-09-03 05:12:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


D:\WINDOWS\system32\blphcaqlj0ec6p.scr 118784 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\uckkagnh]
"ImagePath"="system32\drivers\lztqajog.dat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\D:\Program Files\CyberLink\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\ati2evxx.exe
D:\WINDOWS\system32\ati2evxx.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\CyberLink\Shared Files\RichVideo.exe
D:\Program Files\PCHealthCenter\0.exe
D:\Program Files\PCHealthCenter\1.exe
D:\Program Files\PCHealthCenter\2.exe
D:\Program Files\PCHealthCenter\3.exe
D:\Program Files\PCHealthCenter\4.exe
D:\Program Files\PCHealthCenter\7.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\system32\taskmgr.exe
D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
.
**************************************************************************
.
Completion time: 2008-09-03 5:22:10 - machine was rebooted [Default]
ComboFix-quarantined-files.txt 2008-09-03 09:22:04
ComboFix2.txt 2008-09-02 15:56:01

Pre-Run: 122,723,901,440 bytes free
Post-Run: 122,709,278,720 bytes free

265 --- E O F --- 2008-08-19 14:25:12
Posted 9/4/2008 3:21 AM
#65619
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Just curious - are your antivirus updated ?




Open notepad and copy/paste the text in the quotebox below into it:




Quote:




[table style="BORDER-RIGHT: medium none; BORDER-TOP: medium none; BORDER-LEFT: medium none; BORDER-BOTTOM: medium none; BORDER-COLLAPSE: collapse; mso-border-alt: solid windowtext .75pt; mso-padding-alt: 0cm 3.5pt 0cm 3.5pt" cellSpacing=0 cellPadding=0 border=1]
[tr ][td style="BORDER-RIGHT: windowtext 0.75pt solid; PADDING-RIGHT: 3.5pt; BORDER-TOP: windowtext 0.75pt solid; PADDING-LEFT: 3.5pt; PADDING-BOTTOM: 0cm; BORDER-LEFT: windowtext 0.75pt solid; WIDTH: 488.9pt; PADDING-TOP: 0cm; BORDER-BOTTOM: windowtext 0.75pt solid; BACKGROUND-COLOR: transparent" vAlign=top width=652]Killall::

[1]
"=-
"@"=-
"MonSetAdm"=-
"smartchk"=-
"hlpstr"=-


[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"QcsL60w10k"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"procchkact"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Time Dash Second Regs]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\uckkagnh]

[/1]
[/td][/tr][/table]



Save this as:
CFScript



https://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

Then post fresh combofix log.




[color=black face="Courier New" sab="311">[2]Click here: Before-posting-a-log[/2][/url]

<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />[/color]
Do not PM me with logfiles. They will be deleted.


Posted 9/4/2008 8:48 PM
#65635
User avatar

Baskanos Member

Date Joined Nov 2016
Total Posts: 5
no i had some issues with norton taking extra money and canceled last renewel cycle. can you suggest a good anti virus other than norton. cheaper the better. kinda on a budget.


ComboFix 08-09-03.06 - Default 2008-09-04 0:39:07.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.662 [GMT -4:00]
Running from: D:\Documents and Settings\Default\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\Default\Desktop\CFScript.txt
* Created a new restore point

[color=red]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\All Users\Application Data\bat glue time dash
D:\Documents and Settings\All Users\Application Data\bat glue time dash\bags bend.exe
D:\Documents and Settings\All Users\Application Data\fsxadsbu
D:\Documents and Settings\All Users\Application Data\fsxadsbu\tgzudydo.exe
D:\Program Files\brwireg
D:\Program Files\brwireg\procchkact.dll
D:\Program Files\MSA
D:\Program Files\MSA\MSA.cpl
D:\Program Files\MSA\MSA.exe
D:\Program Files\MSA\MSA.ooo
D:\Program Files\MSA\msa0.dat
D:\Program Files\MSA\msa1.dat
D:\Program Files\PCHealthCenter
D:\Program Files\PCHealthCenter\Ù‹exe
D:\Program Files\PCHealthCenter\0.exe
D:\Program Files\PCHealthCenter\0.gif
D:\Program Files\PCHealthCenter\1.exe
D:\Program Files\PCHealthCenter\1.gif
D:\Program Files\PCHealthCenter\1.ico
D:\Program Files\PCHealthCenter\2.exe
D:\Program Files\PCHealthCenter\2.gif
D:\Program Files\PCHealthCenter\2.ico
D:\Program Files\PCHealthCenter\3.exe
D:\Program Files\PCHealthCenter\3.gif
D:\Program Files\PCHealthCenter\4.exe
D:\Program Files\PCHealthCenter\5.exe
D:\Program Files\PCHealthCenter\7.exe
D:\Program Files\PCHealthCenter\xe
D:\WINDOWS\system32\1884727700.dat
D:\WINDOWS\system32\6to4svcl.exe
D:\WINDOWS\system32\blphcaqlj0ec6p.scr
D:\WINDOWS\system32\bwbyxszu.exe
D:\WINDOWS\system32\certcl.dll
D:\WINDOWS\system32\fejsxgpk.exe
D:\WINDOWS\system32\ngxilahw.exe
D:\WINDOWS\system32\tulkfmfw.exe
D:\WINDOWS\system32\utevadir.exe
D:\WINDOWS\system32\wpwlafup.exe
D:\WINDOWS\system32\xcpmpubi.exe
D:\WINDOWS\system32\zovqtqly.exe
D:\WINDOWS\vobwpobw.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UCKKAGNH
-------\Service_uckkagnh


((((((((((((((((((((((((( Files Created from 2008-08-04 to 2008-09-04 )))))))))))))))))))))))))))))))
.

2008-09-04 00:33 . 2008-09-04 00:33 90,112 --a------ D:\WINDOWS\system32\ozwncpkh.exe
2008-09-02 08:59 . 2008-09-02 08:59 d-------- D:\Program Files\CCleaner
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Program Files\SUPERAntiSpyware
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Program Files\Common Files\Wise Installation Wizard
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Documents and Settings\Default\Application Data\SUPERAntiSpyware.com
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-02 08:41 . 2008-09-02 23:13 d-------- D:\Program Files\Malwarebytes' Anti-Malware
2008-09-02 08:41 . 2008-09-02 00:16 38,528 --a------ D:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-02 08:41 . 2008-09-02 00:16 17,200 --a------ D:\WINDOWS\system32\drivers\mbam.sys
2008-08-18 20:12 . 2008-08-18 20:12 d-------- D:\Program Files\Sun
2008-08-18 18:23 . 2008-08-18 20:26 d-------- D:\WINDOWS\system32\CatRoot_bak
2008-08-04 15:49 . 2008-08-04 15:49 d-------- D:\Documents and Settings\Default\Application Data\Malwarebytes
2008-08-04 15:49 . 2008-08-04 15:49 d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-27 18:54 --------- d-----w D:\Program Files\XoftSpySE
2008-08-23 17:45 --------- d-----w D:\Program Files\MySpace
2008-08-23 17:43 --------- d-----w D:\Program Files\Lavasoft
2008-08-22 16:51 --------- d-----w D:\Program Files\Common Files\Symantec Shared
2008-08-19 14:25 --------- d-----w D:\Program Files\Microsoft Silverlight
2008-08-19 00:11 --------- d-----w D:\Program Files\Java
2008-07-29 02:48 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-07-29 02:48 --------- d-----w D:\Program Files\Logitech
2008-07-29 02:48 --------- d-----w D:\Program Files\Common Files\Logitech
2008-07-22 17:57 --------- d-----w D:\Program Files\RegCure
2008-07-22 16:14 --------- d-----w D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-22 15:13 --------- d-----w D:\Program Files\Norton AntiVirus
2008-07-22 02:27 --------- d-----w D:\Program Files\Diablo II
2008-07-22 01:22 --------- d-----w D:\Program Files\PlayOnline
2008-07-21 23:05 --------- d-----w D:\Program Files\each logo type
2008-07-21 23:05 --------- d-----w D:\Documents and Settings\Default\Application Data\each logo type
2008-07-21 21:52 --------- d-----w D:\Program Files\LimeWire
2008-07-05 16:04 --------- d-----w D:\Documents and Settings\Default\Application Data\CyberLink
2008-07-05 16:03 --------- d-----w D:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-05 15:52 --------- d-----w D:\Program Files\CyberLink
.

------- Sigcheck -------

2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 D:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 D:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 06:44 360960 744e57c99232201ae98c49168b918f48 D:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d D:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e D:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 D:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 D:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 D:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"~YÕA~"="Ù‹exe" [X]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2002-12-31 15360]
"EnAplCom"="D:\WINDOWS\system32\ozwncpkh.exe" [2008-09-04 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"~YÕA~"="Ù‹exe" [X]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="D:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" [2008-05-27 413696]
"osCheck"="D:\Program Files\Norton AntiVirus\osCheck.exe" [2007-02-07 771704]
"ccApp"="D:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"RemoteControl"="D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="D:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"UpdatePPShortCut"="D:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2007-08-16 218408]
"lphcaqlj0ec6p"="D:\WINDOWS\system32\lphcaqlj0ec6p.exe" [BU]
"C-Media Mixer"="Mixer.exe" [2001-11-15 D:\WINDOWS\mixer.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "D:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ComAplApp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphcaqlj0ec6p
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhceqlj0ec6p

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2002-12-31 08:00 15360 D:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
--a------ 2003-08-19 06:43 57344 D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-04-19 13:26 484904 D:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 22:49 4662776 D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a------ 2003-12-01 11:38 892928 D:\Program Files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
--a------ 2006-02-21 21:05 344064 D:\WINDOWS\system32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"D:\\Program Files\\LimeWire\\LimeWire.exe"=
"D:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"D:\\Program Files\\Yahoo!\\UPnP\\yupnpsrv.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"D:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=
"D:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;D:\WINDOWS\system32\drivers\si3112r.sys [2003-05-09 89749]
R0 SiWinAcc;SiWinAcc;D:\WINDOWS\system32\drivers\SiWinAcc.sys [2003-02-12 9600]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};D:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51 13560]
S3 LCcfltr;Logitech USB Filter Driver;D:\WINDOWS\system32\Drivers\LCcFltr.Sys [2003-11-07 14092]
S3 XDva020;XDva020;D:\WINDOWS\system32\XDva020.sys [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"D:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-hlpchkutil - D:\WINDOWS\vobwpobw.exe



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-09-04 00:45:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\D:\Program Files\CyberLink\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\ati2evxx.exe
D:\WINDOWS\system32\ati2evxx.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\CyberLink\Shared Files\RichVideo.exe
.
**************************************************************************
.
Completion time: 2008-09-04 0:54:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-04 04:54:19
ComboFix2.txt 2008-09-03 09:22:11
ComboFix3.txt 2008-09-02 15:56:01

Pre-Run: 122,690,015,232 bytes free
Post-Run: 122,681,810,944 bytes free

221 --- E O F --- 2008-08-19 14:25:12
Posted 9/6/2008 2:00 AM
#65669
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Open notepad and copy/paste the text in the quotebox below into it:




Quote:



[table style="BORDER-RIGHT: medium none; BORDER-TOP: medium none; BORDER-LEFT: medium none; BORDER-BOTTOM: medium none; BORDER-COLLAPSE: collapse; mso-border-alt: solid windowtext .75pt; mso-padding-alt: 0cm 3.5pt 0cm 3.5pt" cellSpacing=0 cellPadding=0 border=1]
[tr style="HEIGHT: 336.25pt"][td style="BORDER-RIGHT: windowtext 0.75pt solid; PADDING-RIGHT: 3.5pt; BORDER-TOP: windowtext 0.75pt solid; PADDING-LEFT: 3.5pt; PADDING-BOTTOM: 0cm; BORDER-LEFT: windowtext 0.75pt solid; WIDTH: 488.9pt; PADDING-TOP: 0cm; BORDER-BOTTOM: windowtext 0.75pt solid; HEIGHT: 336.25pt; BACKGROUND-COLOR: transparent" vAlign=top width=652]Killall::



Snapshot::





File::
D:\WINDOWS\system32\ozwncpkh.exe

D:\WINDOWS\system32\lphcaqlj0ec6p.exe

D:\WINDOWS\vobwpobw.exe



Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"~YÕA~ "=-
"EnAplCom"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"~YÕA~"=-
"lphcaqlj0ec6p"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ComAplApp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphcaqlj0ec6p]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhceqlj0ec6p]
[/td][/tr][/table]

Save this as:
CFScript



https://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe


Then post fresh combofix log, along with new hijackthis log

[color=black face="Courier New" sab="311">[2]Click here: Before-posting-a-log[/2][/url]

<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />[/color]
Do not PM me with logfiles. They will be deleted.


Posted 9/6/2008 12:08 PM
#65689
User avatar

Baskanos Member

Date Joined Nov 2016
Total Posts: 5
ComboFix 08-09-03.06 - Default 2008-09-05 13:40:10.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.627 [GMT -4:00]
Running from: D:\Documents and Settings\Default\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\Default\Desktop\CFScript.txt
* Created a new restore point

[color=red]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\WINDOWS\system32\ozwncpkh.exe

.
((((((((((((((((((((((((( Files Created from 2008-08-05 to 2008-09-05 )))))))))))))))))))))))))))))))
.

2008-09-02 08:59 . 2008-09-02 08:59 d-------- D:\Program Files\CCleaner
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Program Files\SUPERAntiSpyware
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Program Files\Common Files\Wise Installation Wizard
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Documents and Settings\Default\Application Data\SUPERAntiSpyware.com
2008-09-02 08:54 . 2008-09-02 08:54 d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-02 08:41 . 2008-09-02 23:13 d-------- D:\Program Files\Malwarebytes' Anti-Malware
2008-09-02 08:41 . 2008-09-02 00:16 38,528 --a------ D:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-02 08:41 . 2008-09-02 00:16 17,200 --a------ D:\WINDOWS\system32\drivers\mbam.sys
2008-08-18 20:12 . 2008-08-18 20:12 d-------- D:\Program Files\Sun
2008-08-18 18:23 . 2008-08-18 20:26 d-------- D:\WINDOWS\system32\CatRoot_bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-04 08:23 --------- d-----w D:\Program Files\XoftSpySE
2008-08-23 17:45 --------- d-----w D:\Program Files\MySpace
2008-08-23 17:43 --------- d-----w D:\Program Files\Lavasoft
2008-08-22 16:51 --------- d-----w D:\Program Files\Common Files\Symantec Shared
2008-08-19 14:25 --------- d-----w D:\Program Files\Microsoft Silverlight
2008-08-19 00:11 --------- d-----w D:\Program Files\Java
2008-08-04 19:49 --------- d-----w D:\Documents and Settings\Default\Application Data\Malwarebytes
2008-08-04 19:49 --------- d-----w D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-29 02:48 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-07-29 02:48 --------- d-----w D:\Program Files\Logitech
2008-07-29 02:48 --------- d-----w D:\Program Files\Common Files\Logitech
2008-07-22 17:57 --------- d-----w D:\Program Files\RegCure
2008-07-22 16:14 --------- d-----w D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-22 15:13 --------- d-----w D:\Program Files\Norton AntiVirus
2008-07-22 02:27 --------- d-----w D:\Program Files\Diablo II
2008-07-22 01:22 --------- d-----w D:\Program Files\PlayOnline
2008-07-21 23:05 --------- d-----w D:\Program Files\each logo type
2008-07-21 23:05 --------- d-----w D:\Documents and Settings\Default\Application Data\each logo type
2008-07-21 21:52 --------- d-----w D:\Program Files\LimeWire
2008-07-05 16:04 --------- d-----w D:\Documents and Settings\Default\Application Data\CyberLink
2008-07-05 16:03 --------- d-----w D:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-05 15:52 --------- d-----w D:\Program Files\CyberLink
.

------- Sigcheck -------

2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 D:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 D:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 06:44 360960 744e57c99232201ae98c49168b918f48 D:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d D:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e D:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 D:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 D:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 D:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2002-12-31 15360]
"Yahoo! Pager"="D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 4662776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="D:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" [2008-05-27 413696]
"osCheck"="D:\Program Files\Norton AntiVirus\osCheck.exe" [2007-02-07 771704]
"ccApp"="D:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"RemoteControl"="D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="D:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"UpdatePPShortCut"="D:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2007-08-16 218408]
"C-Media Mixer"="Mixer.exe" [2001-11-15 D:\WINDOWS\mixer.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2002-12-31 08:00 15360 D:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
--a------ 2003-08-19 06:43 57344 D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-04-19 13:26 484904 D:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 22:49 4662776 D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a------ 2003-12-01 11:38 892928 D:\Program Files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
--a------ 2006-02-21 21:05 344064 D:\WINDOWS\system32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"D:\\Program Files\\LimeWire\\LimeWire.exe"=
"D:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"D:\\Program Files\\Yahoo!\\UPnP\\yupnpsrv.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"D:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=
"D:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;D:\WINDOWS\system32\drivers\si3112r.sys [2003-05-09 89749]
R0 SiWinAcc;SiWinAcc;D:\WINDOWS\system32\drivers\SiWinAcc.sys [2003-02-12 9600]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};D:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51 13560]
S3 LCcfltr;Logitech USB Filter Driver;D:\WINDOWS\system32\Drivers\LCcFltr.Sys [2003-11-07 14092]
S3 XDva020;XDva020;D:\WINDOWS\system32\XDva020.sys [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"D:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-09-05 15:34:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\D:\Program Files\CyberLink\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\ati2evxx.exe
D:\WINDOWS\system32\ati2evxx.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\CyberLink\Shared Files\RichVideo.exe
D:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-09-05 15:43:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-05 19:43:51
ComboFix2.txt 2008-09-04 04:54:25
ComboFix3.txt 2008-09-03 09:22:11
ComboFix4.txt 2008-09-02 15:56:01

Pre-Run: 122,603,331,584 bytes free
Post-Run: 122,593,607,680 bytes free

170 --- E O F --- 2008-08-19 14:25:12

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:16:59 PM, on 9/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\CyberLink\Shared Files\RichVideo.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Mixer.exe
D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Default\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [osCheck] "D:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "D:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [UpdatePPShortCut] "D:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" "D:\Program Files\CyberLink\PowerProducer" update "Software\CyberLink\PowerProducer\4.0"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} - https://www.symantec.com/techsupp/activedata/nprdtinf.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - https://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} (SpinTop Games Launcher) - https://clubgames.pogo.com/online2/pogop/mahjong_escape_ancient_japan/SpinTopGamesLauncher.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - D:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 7111 bytes
Posted 9/6/2008 1:11 PM
#65692
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Looks clean :smile:




How are things running now ?

[color=black face="Courier New" sab="311">[2]Click here: Before-posting-a-log[/2][/url]

<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />[/color]
Do not PM me with logfiles. They will be deleted.


Posted 9/6/2008 1:20 PM
#65694
User avatar

Baskanos Member

Date Joined Nov 2016
Total Posts: 5
its running great, thank you all very much. what anti-virus would you suggest? have norton currently but not subscribed for about 2 months. thanks again.
Posted 9/6/2008 2:44 PM
#65697
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Sounds good :smile:




Download one of these: . [color=#000000>https://fileforum.betanews.com/detail/Norton_Removal_Tool_for_Windows_2000XPVista/1169144666/1[/url]

[/color]

Reboot, install the antivirus program you´ve choosed




You, ll need a (free) firewall as well:



  • ZoneAlarm
    NOTE: If choosing Zone Alarm be aware that the free version also installs ZoneAlarm Spy Blocker.


  • It is recommended however that you UNcheck this option.


  • Kerio


  • Outpost


  • Comodo

Then post new hijackthis log for a last check



[color=black face="Courier New" sab="311">[2]Click here: Before-posting-a-log[/2][/url]

<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />[/color]
Do not PM me with logfiles. They will be deleted.


Post a reply
  • Unread posts or replies
  • No unread posts or replies
  • Unread Posts (Read Only Forum)
  • No Unread Posts (Read Only Forum)

Forum Information

Currently it is Tuesday, January 18, 2022, 6:11 AM (GMT +1)
There are a total of 61,946 posts in 13,685 threads.
In the last 3 days there were 0 new threads and 0 reply posts.

Who's online

This forum has 38,662 registered members. Please welcome our newest member, Star1.
108 Guest(s), 0 Registered Member(s) are currently online.
×

Just a minute

Privacy has never been so important.

Nearly 50% of online users are now using a VPN to protect their privacy.

Find out why

…and if it grabs you bag yourself a VPN bargain.