1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

2 issues: tt1.tmp.vbs missing / "Spyware detected" desktop

Discussion in 'Windows - Virus and spyware problems' started by whiteshoe, Aug 12, 2008.

  1. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    39
    Trophy Points:
    78
    @Oukeef,


    All Right!

    I missed one Trojan and the root kit in the first ComboFix Log.
    BOClean got enough of it that I could see it in the last Log.

    Let’s evict that sucker!
    Turn BOClean off. Right click the tray icon and click Shut down BOClean. Then:


    Open Notepad - it must be Notepad, not Wordpad.
    Copy the text below in the quote box by highlighting all the text with your mouse and pressing Ctrl+C

    Go to the Notepad window and click Edit > Paste
    Then click File > Save
    Name the file "CFScript.txt" (including the quotes)
    Save the file to your Desktop


    [​IMG]


    Referring to the picture above, drag CFScript into ComboFix.exe

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    2OG
     
  2. Oukeef

    Oukeef Member

    Joined:
    Aug 19, 2008
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    11
    ComboFix 08-08-21.01 - Sean 2008-08-21 20:15:49.5 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.409 [GMT -4:00]
    Running from: C:\Documents and Settings\Sean\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Sean\Desktop\CFScript.txt
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\Documents and Settings\All Users\Application Data\buvqvsjo
    .

    ((((((((((((((((((((((((( Files Created from 2008-07-22 to 2008-08-22 )))))))))))))))))))))))))))))))
    .

    2008-08-21 17:38 . 2008-08-21 17:38 <DIR> d-------- C:\Program Files\Comodo
    2008-08-21 17:38 . 2008-08-21 17:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BOC427
    2008-08-21 17:38 . 2008-07-14 05:09 212,728 --a------ C:\WINDOWS\CMDLIC.DLL
    2008-08-21 17:38 . 2008-07-14 05:09 205,560 --a------ C:\WINDOWS\UNBOC.EXE
    2008-08-21 17:38 . 2004-08-04 03:56 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
    2008-08-21 17:38 . 2008-08-21 20:20 9,857 --a------ C:\WINDOWS\BOC427.INI
    2008-08-21 16:04 . 2008-08-21 20:24 1,388,576 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-08-21 16:04 . 2008-08-21 20:19 17,276 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2008-08-21 16:01 . 2008-08-21 16:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
    2008-08-21 16:01 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
    2008-08-21 16:01 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
    2008-08-21 16:01 . 2008-08-21 16:02 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
    2008-08-21 16:00 . 2008-08-21 16:00 <DIR> d-------- C:\Program Files\Zone Labs
    2008-08-21 15:59 . 2008-08-21 20:07 <DIR> d-------- C:\WINDOWS\Internet Logs
    2008-08-20 19:00 . 2008-08-20 19:00 <DIR> d--hs---- C:\Documents and Settings\Sean\UserData
    2008-08-19 19:35 . 2008-08-19 19:35 0 --a------ C:\WINDOWS\LCDMedia.INI
    2008-08-19 17:37 . 2008-08-19 17:37 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-19 16:23 . 2008-08-19 16:23 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-19 16:23 . 2008-08-19 16:23 <DIR> d-------- C:\Documents and Settings\Sean\Application Data\Malwarebytes
    2008-08-19 16:23 . 2008-08-19 16:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-19 16:23 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-19 16:23 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-19 16:13 . 2008-08-19 16:50 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-08-18 19:10 . 2008-08-18 19:11 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2008-08-18 18:56 . 2008-08-18 18:56 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-08-18 17:45 . 2008-08-18 17:45 <DIR> d-------- C:\Program Files\ESET
    2008-08-18 17:45 . 2008-08-18 17:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
    2008-08-18 16:36 . 2008-08-18 16:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\buvqvsjo
    2008-08-14 16:01 . 2008-05-01 10:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
    2008-08-13 11:43 . 2008-08-13 11:44 <DIR> d-------- C:\Program Files\Launchpad Enhanced
    2008-08-09 14:13 . 2008-08-09 14:13 <DIR> d-------- C:\Program Files\Safari
    2008-08-09 12:32 . 2008-08-09 12:37 8 --a------ C:\WINDOWS\system32\nvModes.dat
    2008-08-07 16:55 . 2008-08-07 16:55 <DIR> d-------- C:\Program Files\StarWarsGalaxiesEmumusic

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-22 00:20 --------- d-----w C:\Program Files\Steam
    2008-08-21 21:46 --------- d-----w C:\Program Files\mIRC
    2008-08-18 21:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
    2008-08-18 21:31 --------- d-----w C:\Documents and Settings\Sean\Application Data\AVG7
    2008-08-13 17:42 --------- d-----w C:\Program Files\StarWarsGalaxiesEmu
    2008-08-10 19:33 --------- d-----w C:\Program Files\Apple Software Update
    2008-08-09 18:16 --------- d-----w C:\Program Files\iTunes
    2008-08-09 18:16 --------- d-----w C:\Program Files\iPod
    2008-08-08 20:18 --------- d-----w C:\Program Files\Jasc Software Inc
    2008-08-08 20:15 --------- d-----w C:\Program Files\Viewpoint
    2008-08-08 20:15 --------- d-----w C:\Documents and Settings\Sean\Application Data\Viewpoint
    2008-08-08 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-08-05 23:08 --------- d-----w C:\Program Files\Full Tilt Poker
    2008-08-02 14:22 --------- d-----w C:\Program Files\AIMTunes
    2008-07-30 14:37 137,840 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
    2008-07-30 14:37 111,928 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
    2008-07-30 14:16 --------- d-----w C:\Documents and Settings\Sean\Application Data\Apple Computer
    2008-07-25 22:43 --------- d-----w C:\Program Files\QuickTime
    2008-07-20 16:16 --------- d-----w C:\Documents and Settings\Sean\Application Data\AdobeUM
    2008-07-19 02:24 --------- d-----w C:\Program Files\Semagic
    2008-07-10 13:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
    2008-07-09 13:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-02-12 22:59 27 ----a-w C:\Program Files\user.cfg
    .

    ((((((((((((((((((((((((((((( snapshot@2008-08-21_17.45.02.29 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-08-22 00:23:51 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_47c.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ResChanger 2005"="C:\Program Files\ResChanger 2005\ResChanger2005.exe" [2005-05-26 19:30 885248]
    "Steam"="c:\program files\steam\steam.exe" [2008-03-27 20:02 1271032]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 12:15 50528]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]
    "Launch LGDCore"="C:\Program Files\Logitech\G-series Software\LGDCore.exe" [2006-03-06 11:31 1122304]
    "Launch LCDMon"="C:\Program Files\Logitech\G-series Software\LCDMon.exe" [2006-03-06 11:14 497152]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22 86016]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 22:34 49152]
    "Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-03-28 01:07 593920]
    "AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
    "egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 18:52 1447168]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
    "BOC-427"="C:\PROGRA~1\Comodo\CBOClean\BOC427.exe" [2008-07-14 05:09 351480]
    "SoundMan"="SOUNDMAN.EXE" [2005-07-22 03:00 81920 C:\WINDOWS\SOUNDMAN.EXE]
    "nwiz"="nwiz.exe" [2006-10-22 13:22 1622016 C:\WINDOWS\system32\nwiz.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-01 20:03:29 113664]
    CoreCenter.lnk - C:\Program Files\MSI\Core Center\CoreCenter.exe [2006-10-22 21:11:35 928256]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 22:26:24 210520]
    Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-05-18 00:13:58 91440]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\AIM6\\aim6.exe"=
    "C:\\Program Files\\AIM\\aim.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
    "C:\\Program Files\\BitComet\\BitComet.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\Steam\\steamapps\\thrasher529\\half-life\\hl.exe"=
    "C:\\Program Files\\Steam\\steamapps\\thrasher11@thrasher1.com\\half-life\\hl.exe"=
    "C:\\Program Files\\Steam\\steamapps\\thrasher11@thrasher1.com\\day of defeat source\\hl2.exe"=
    "C:\\Program Files\\Steam\\steamapps\\thrasher11@thrasher1.com\\counter-strike source\\hl2.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
    "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "C:\\Program Files\\mIRC\\mirc.exe"=
    "C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
    "C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\WINDOWS\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Steam\\steam.exe"=
    "C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
    "C:\\Program Files\\PopCap Games\\Zuma Deluxe\\Zuma.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "13052:TCP"= 13052:TCP:*:Disabled:BitComet 13052 TCP
    "13052:UDP"= 13052:UDP:*:Disabled:BitComet 13052 UDP

    R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-06-10 18:56]
    R2 IOPort;IOPort;C:\WINDOWS\system32\IOPORT.SYS [1998-11-27 19:57]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]
    R3 PCAlertDriver;PCAlertDriver;C:\Program Files\MSI\Core Center\NTGLM7X.sys [2006-05-25 11:07]
    R3 RushTopDevice;RushTopDevice;C:\Program Files\MSI\Core Center\RushTop.sys [2006-05-23 15:05]
    S3 se59bus;Sony Ericsson Device 089 driver (WDM);C:\WINDOWS\system32\DRIVERS\se59bus.sys [2006-09-05 20:07]
    S3 se59mdfl;Sony Ericsson Device 089 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se59mdfl.sys [2006-09-05 20:07]
    S3 se59mdm;Sony Ericsson Device 089 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se59mdm.sys [2006-09-05 20:07]
    S3 se59mgmt;Sony Ericsson Device 089 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se59mgmt.sys [2006-09-05 20:08]
    S3 se59nd5;Sony Ericsson Device 089 USB Ethernet Emulation SEMC59 (NDIS);C:\WINDOWS\system32\DRIVERS\se59nd5.sys [2006-09-05 20:06]
    S3 se59obex;Sony Ericsson Device 089 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se59obex.sys [2006-09-05 20:09]
    S3 se59unic;Sony Ericsson Device 089 USB Ethernet Emulation SEMC59 (WDM);C:\WINDOWS\system32\DRIVERS\se59unic.sys [2006-09-05 20:06]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    *Newly Created Service* - PCALERTDRIVER
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-21 20:20:58
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Comodo\CBOClean\BOCore.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
    C:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
    C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
    C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    .
    **************************************************************************
    .
    Completion time: 2008-08-21 20:27:43 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-08-22 00:27:31
    ComboFix2.txt 2008-08-21 21:45:31

    Pre-Run: 148,097,703,936 bytes free
    Post-Run: 148,077,924,352 bytes free

    215 --- E O F --- 2008-08-14 21:31:11


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:29:17 PM, on 8/21/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Comodo\CBOClean\BOCORE.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\Program Files\Logitech\G-series Software\LGDCore.exe
    C:\Program Files\Logitech\G-series Software\LCDMon.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
    C:\Program Files\ResChanger 2005\ResChanger2005.exe
    C:\program files\steam\steam.exe
    C:\Program Files\AIM6\aim6.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\MSI\Core Center\CoreCenter.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
    C:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
    C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
    C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\rundll32.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
    O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
    O4 - HKCU\..\Run: [ResChanger 2005] C:\Program Files\ResChanger 2005\ResChanger2005.exe
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
    O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1161566314718
    O16 - DPF: {6697AFA6-1CD3-462E-AC0A-363EF8BCD102} (SyScan2 Control) - http://www.evga.com/Support/SyScan/SyScan.cab
    O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
    O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://drm1.reelsurvey.com/ePlayer/V3_2_0_0/ACNePlayer.cab
    O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 10142 bytes
     
  3. Oukeef

    Oukeef Member

    Joined:
    Aug 19, 2008
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    11
    also, some of quite a bit of the stuff that opens and has an icon by the clock in the bottom right corner arent there, and the clock didnt get put back to 12 hour mode again
     
  4. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    39
    Trophy Points:
    78
    @Oukeef,

    Please run this again, the last one didn’t take. I flubbed up ;(

    The clock will get straightened out later…

    Open Notepad - it must be Notepad, not Wordpad.
    Copy the text below in the quote box by highlighting all the text with your mouse and pressing Ctrl+C

    Go to the Notepad window and click Edit > Paste
    Then click File > Save
    Name the file "CFScript.txt" (including the quotes)
    Save the file to your Desktop


    [​IMG]


    Referring to the picture above, drag CFScript into ComboFix.exe

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    2OG
     
  5. Oukeef

    Oukeef Member

    Joined:
    Aug 19, 2008
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    11
    clock still isnt back, some of the stuff still isnt loading.
    and i got a fatal error or reboot "fatal error: failed to load platform modules"




    ComboFix 08-08-21.01 - Sean 2008-08-21 21:04:07.6 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.415 [GMT -4:00]
    Running from: C:\Documents and Settings\Sean\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Sean\Desktop\CFScript.txt
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\Documents and Settings\All Users\Application Data\buvqvsjo
    .

    ((((((((((((((((((((((((( Files Created from 2008-07-22 to 2008-08-22 )))))))))))))))))))))))))))))))
    .

    2008-08-21 17:38 . 2008-08-21 17:38 <DIR> d-------- C:\Program Files\Comodo
    2008-08-21 17:38 . 2008-08-21 17:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BOC427
    2008-08-21 17:38 . 2008-07-14 05:09 212,728 --a------ C:\WINDOWS\CMDLIC.DLL
    2008-08-21 17:38 . 2008-07-14 05:09 205,560 --a------ C:\WINDOWS\UNBOC.EXE
    2008-08-21 17:38 . 2004-08-04 03:56 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
    2008-08-21 17:38 . 2008-08-21 21:08 9,892 --a------ C:\WINDOWS\BOC427.INI
    2008-08-21 16:04 . 2008-08-21 21:12 1,488,928 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-08-21 16:04 . 2008-08-21 21:07 18,428 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2008-08-21 16:01 . 2008-08-21 16:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
    2008-08-21 16:01 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
    2008-08-21 16:01 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
    2008-08-21 16:01 . 2008-08-21 16:02 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
    2008-08-21 16:00 . 2008-08-21 16:00 <DIR> d-------- C:\Program Files\Zone Labs
    2008-08-21 15:59 . 2008-08-21 20:55 <DIR> d-------- C:\WINDOWS\Internet Logs
    2008-08-20 19:00 . 2008-08-20 19:00 <DIR> d--hs---- C:\Documents and Settings\Sean\UserData
    2008-08-19 19:35 . 2008-08-19 19:35 0 --a------ C:\WINDOWS\LCDMedia.INI
    2008-08-19 17:37 . 2008-08-19 17:37 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-19 16:23 . 2008-08-19 16:23 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-19 16:23 . 2008-08-19 16:23 <DIR> d-------- C:\Documents and Settings\Sean\Application Data\Malwarebytes
    2008-08-19 16:23 . 2008-08-19 16:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-19 16:23 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-19 16:23 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-19 16:13 . 2008-08-19 16:50 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-08-18 19:10 . 2008-08-18 19:11 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2008-08-18 18:56 . 2008-08-18 18:56 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-08-18 17:45 . 2008-08-18 17:45 <DIR> d-------- C:\Program Files\ESET
    2008-08-18 17:45 . 2008-08-18 17:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
    2008-08-18 16:36 . 2008-08-18 16:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\buvqvsjo
    2008-08-14 16:01 . 2008-05-01 10:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
    2008-08-13 11:43 . 2008-08-13 11:44 <DIR> d-------- C:\Program Files\Launchpad Enhanced
    2008-08-09 14:13 . 2008-08-09 14:13 <DIR> d-------- C:\Program Files\Safari
    2008-08-09 12:32 . 2008-08-09 12:37 8 --a------ C:\WINDOWS\system32\nvModes.dat
    2008-08-07 16:55 . 2008-08-07 16:55 <DIR> d-------- C:\Program Files\StarWarsGalaxiesEmumusic

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-22 01:10 --------- d-----w C:\Program Files\Steam
    2008-08-21 21:46 --------- d-----w C:\Program Files\mIRC
    2008-08-18 21:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
    2008-08-18 21:31 --------- d-----w C:\Documents and Settings\Sean\Application Data\AVG7
    2008-08-13 17:42 --------- d-----w C:\Program Files\StarWarsGalaxiesEmu
    2008-08-10 19:33 --------- d-----w C:\Program Files\Apple Software Update
    2008-08-09 18:16 --------- d-----w C:\Program Files\iTunes
    2008-08-09 18:16 --------- d-----w C:\Program Files\iPod
    2008-08-08 20:18 --------- d-----w C:\Program Files\Jasc Software Inc
    2008-08-08 20:15 --------- d-----w C:\Program Files\Viewpoint
    2008-08-08 20:15 --------- d-----w C:\Documents and Settings\Sean\Application Data\Viewpoint
    2008-08-08 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-08-05 23:08 --------- d-----w C:\Program Files\Full Tilt Poker
    2008-08-02 14:22 --------- d-----w C:\Program Files\AIMTunes
    2008-07-30 14:37 137,840 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
    2008-07-30 14:37 111,928 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
    2008-07-30 14:16 --------- d-----w C:\Documents and Settings\Sean\Application Data\Apple Computer
    2008-07-25 22:43 --------- d-----w C:\Program Files\QuickTime
    2008-07-20 16:16 --------- d-----w C:\Documents and Settings\Sean\Application Data\AdobeUM
    2008-07-19 02:24 --------- d-----w C:\Program Files\Semagic
    2008-07-10 13:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
    2008-07-09 13:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-02-12 22:59 27 ----a-w C:\Program Files\user.cfg
    .

    ((((((((((((((((((((((((((((( snapshot@2008-08-21_17.45.02.29 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-08-22 01:11:58 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_c28.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ResChanger 2005"="C:\Program Files\ResChanger 2005\ResChanger2005.exe" [2005-05-26 19:30 885248]
    "Steam"="c:\program files\steam\steam.exe" [2008-03-27 20:02 1271032]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 12:15 50528]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]
    "Launch LGDCore"="C:\Program Files\Logitech\G-series Software\LGDCore.exe" [2006-03-06 11:31 1122304]
    "Launch LCDMon"="C:\Program Files\Logitech\G-series Software\LCDMon.exe" [2006-03-06 11:14 497152]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22 86016]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 22:34 49152]
    "Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-03-28 01:07 593920]
    "AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
    "egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 18:52 1447168]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
    "BOC-427"="C:\PROGRA~1\Comodo\CBOClean\BOC427.exe" [2008-07-14 05:09 351480]
    "SoundMan"="SOUNDMAN.EXE" [2005-07-22 03:00 81920 C:\WINDOWS\SOUNDMAN.EXE]
    "nwiz"="nwiz.exe" [2006-10-22 13:22 1622016 C:\WINDOWS\system32\nwiz.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-01 20:03:29 113664]
    CoreCenter.lnk - C:\Program Files\MSI\Core Center\CoreCenter.exe [2006-10-22 21:11:35 928256]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 22:26:24 210520]
    Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-05-18 00:13:58 91440]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\AIM6\\aim6.exe"=
    "C:\\Program Files\\AIM\\aim.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
    "C:\\Program Files\\BitComet\\BitComet.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\Steam\\steamapps\\thrasher529\\half-life\\hl.exe"=
    "C:\\Program Files\\Steam\\steamapps\\thrasher11@thrasher1.com\\half-life\\hl.exe"=
    "C:\\Program Files\\Steam\\steamapps\\thrasher11@thrasher1.com\\day of defeat source\\hl2.exe"=
    "C:\\Program Files\\Steam\\steamapps\\thrasher11@thrasher1.com\\counter-strike source\\hl2.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
    "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "C:\\Program Files\\mIRC\\mirc.exe"=
    "C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
    "C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\WINDOWS\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Steam\\steam.exe"=
    "C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
    "C:\\Program Files\\PopCap Games\\Zuma Deluxe\\Zuma.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "13052:TCP"= 13052:TCP:*:Disabled:BitComet 13052 TCP
    "13052:UDP"= 13052:UDP:*:Disabled:BitComet 13052 UDP

    R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-06-10 18:56]
    R2 IOPort;IOPort;C:\WINDOWS\system32\IOPORT.SYS [1998-11-27 19:57]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]
    R3 PCAlertDriver;PCAlertDriver;C:\Program Files\MSI\Core Center\NTGLM7X.sys [2006-05-25 11:07]
    R3 RushTopDevice;RushTopDevice;C:\Program Files\MSI\Core Center\RushTop.sys [2006-05-23 15:05]
    S3 se59bus;Sony Ericsson Device 089 driver (WDM);C:\WINDOWS\system32\DRIVERS\se59bus.sys [2006-09-05 20:07]
    S3 se59mdfl;Sony Ericsson Device 089 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se59mdfl.sys [2006-09-05 20:07]
    S3 se59mdm;Sony Ericsson Device 089 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se59mdm.sys [2006-09-05 20:07]
    S3 se59mgmt;Sony Ericsson Device 089 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se59mgmt.sys [2006-09-05 20:08]
    S3 se59nd5;Sony Ericsson Device 089 USB Ethernet Emulation SEMC59 (NDIS);C:\WINDOWS\system32\DRIVERS\se59nd5.sys [2006-09-05 20:06]
    S3 se59obex;Sony Ericsson Device 089 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se59obex.sys [2006-09-05 20:09]
    S3 se59unic;Sony Ericsson Device 089 USB Ethernet Emulation SEMC59 (WDM);C:\WINDOWS\system32\DRIVERS\se59unic.sys [2006-09-05 20:06]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    *Newly Created Service* - PCALERTDRIVER
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-21 21:09:07
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Comodo\CBOClean\BOCore.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
    C:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
    C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
    C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    .
    **************************************************************************
    .
    Completion time: 2008-08-21 21:15:39 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-08-22 01:15:29
    ComboFix2.txt 2008-08-22 00:27:44
    ComboFix3.txt 2008-08-21 21:45:31

    Pre-Run: 148,057,530,368 bytes free
    Post-Run: 148,036,882,432 bytes free

    215 --- E O F --- 2008-08-14 21:31:11



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:17:44 PM, on 8/21/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Comodo\CBOClean\BOCORE.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Logitech\G-series Software\LGDCore.exe
    C:\Program Files\Logitech\G-series Software\LCDMon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
    C:\Program Files\ResChanger 2005\ResChanger2005.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\MSI\Core Center\CoreCenter.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
    C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
    C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
    O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
    O4 - HKCU\..\Run: [ResChanger 2005] C:\Program Files\ResChanger 2005\ResChanger2005.exe
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
    O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1161566314718
    O16 - DPF: {6697AFA6-1CD3-462E-AC0A-363EF8BCD102} (SyScan2 Control) - http://www.evga.com/Support/SyScan/SyScan.cab
    O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
    O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://drm1.reelsurvey.com/ePlayer/V3_2_0_0/ACNePlayer.cab
    O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 10074 bytes
     
  6. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    39
    Trophy Points:
    78
    @Oukeef,

    I haven't forgotten you..

    I have been doing some research trying to figure out how to defeat this bugger of a rootkit you have.

    I hope it hasn't gotten to the system files. If it did, do you have a restore disc or a XP disk that we can get some files from.

    or better yet, goto c:\windows and see if you have the Folder C:\windows\I386 and let me know..
     
  7. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    39
    Trophy Points:
    78
    I am so sorry, Oukeef, but after spending most of the night researching this issue, I must disqualify myself on this one….

    I have never seen a Trojan like this one before and my research turned up nothing. Evidently it’s a new one that has not been classified.

    It has a rootkit hiding the Trojan and it keeps re-installing each time it is deleted, as you saw when you would re-run MBAM and each time there would be the same 2 Trojans removed.

    That action caused me to suspect a Rootkit even though none had shown up in the combofix log. That’s when I asked you to install BOClean. In the next combofix after installing BOClean the Rootkit was revealed. I made 2 attempts at deleting it with no luck at all. It is affecting some of your System Files and may cause more damage as it goes on.

    Later last night I was contacted by another member of afterdawn that has the exact same Trojan/rootkit that is infecting you. His HJT Log has the same symptoms as does his MBAM Logs and each time he runs MBAM they return.
    I had him run Gmer, rootkit revealer and it shows to be in the Master Boot Records.

    Needless to say, I didn’t get involved with a second “bear” like this.

    Oh, while I’m thinking of it, you can restore your clock and desktop (that is if the Trojan hasn’t affected it) by un-installing ComboFix. To do this goto > Start >Run and in the box type combofix /u click OK and that should reset everything.



    This Rootkit is hiding the Trojan with so much tenacity that it leads me to believe that this is a backdoor Trojan and a possible Keylogger.

    This allows hackers to remotely control your computer, steal critical system information and download and execute files

    This is the advice I submitted to the second victim last night and will also submit it to you.

    I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.


    Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

    How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

    When Should I Format, How Should I Reinstall

    However, if you do not have the resources to reinstall your computer and would like to attempt to clean it, I will suggest you visit http://www.malwareremoval.com/ and post a log on their forum. These Guys and Gals at MRU are very skilled at removing nasties like this.


    My apologies for not being knowledgeable enough to assist you with this problem.
    Had I known what this was, I would have given you the Backdoor speech before we started but I had no idea at that time and still cannot find any info on it….

    Regards,
    2oldGeek
     
  8. Oukeef

    Oukeef Member

    Joined:
    Aug 19, 2008
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    11
    which part of the logs show the rootkit or whatever?
    and im going to post another malwarebytes log... is it possible it is actually gone and there was a mistake made by me or something?
     
  9. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    39
    Trophy Points:
    78
    @Oukeef,

    Like they say, anything is possible…

    Run a MBAM scan and I will almost guarantee that it finds the same Trojans we have been deleting.

    Then run Gmer to check for a Rootkit.

    These Trojans keep showing up in your Logs after they have been deleted and that is a sign of a Rootkit…


    Download and Run Gmer
    Download Gmer to your Desktop and unzip it to your Desktop.
    HERE

    Disconnect from internet and close running programs.
    There is a small chance this application may crash your computer so save any work you have open.
    Double click gmer.exe.
    Let the gmer.sys driver load if asked.
    If it gives you a warning at program start about rootkit activity and asks if you want to run scan...say Ok.
    If no warning....
    Click the rootkit tab
    To the right of the program you will see a bunch of boxes that have been checked... leave everything checked. Then click the Scan button. Wait for the scan to finish.
    Once done click the Copy button.
    Open Notepad and hit ctrl+v to paste the log. Save the log to your desktop please.


    Please post that Gmer Log and MBAM Log in your reply

    2OG
     
  10. Oukeef

    Oukeef Member

    Joined:
    Aug 19, 2008
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    11
    i ran mbam and it came up finding nothing. the log is below im about to run gmer but i have to disconnect from the internet. will post log when back on


    Malwarebytes' Anti-Malware 1.25
    Database version: 1072
    Windows 5.1.2600 Service Pack 2

    4:57:01 PM 8/22/2008
    mbam-log-08-22-2008 (16-57-01).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 117932
    Time elapsed: 42 minute(s), 33 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

     
  11. Oukeef

    Oukeef Member

    Joined:
    Aug 19, 2008
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    11
    the GMER log...


    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2008-08-22 17:33:24
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.14 ----

    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwConnectPort [0xF43B5040]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xF43B1930]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateKey [0xF43BCA80]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreatePort [0xF43B5510]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcess [0xF43BB870]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcessEx [0xF43BBAA0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateSection [0xF43BEFD0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateWaitablePort [0xF43B5600]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xF43B1F20]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteKey [0xF43BD6E0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteValueKey [0xF43BD440]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDuplicateObject [0xF43BB580]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xF43BD8B0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xF43B1D70]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenProcess [0xF43BB350]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenThread [0xF43BB150]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRenameKey [0xF43BE250]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xF43BDCB0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRequestWaitReplyPort [0xF43B4C00]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRestoreKey [0xF43BE080]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSecureConnectPort [0xF43B5220]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xF43B2120]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetValueKey [0xF43BD140]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwTerminateProcess [0xF43BBCD0]

    ---- Kernel code sections - GMER 1.0.14 ----

    .text ntkrnlpa.exe!ZwCallbackReturn + 23E4 805012B4 12 Bytes [ 10, 55, 3B, F4, 70, B8, 3B, ... ]
    ? srescan.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.14 ----

    .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[2060] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 4 Bytes [ C2, 04, 00, 00 ]

    ---- Kernel IAT/EAT - GMER 1.0.14 ----

    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F43B9CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F43BA1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F43BA320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F43B9E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F43B9E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F43B9CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F43BA1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F43BA320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F43B9CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F43BA320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F43BA1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F43B9E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F43BA320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F43BA1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F43B9CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F43B9E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F43B9CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F43BA1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F43BA320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F43B9CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F43B9E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F43BA320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F43BA1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

    ---- User IAT/EAT - GMER 1.0.14 ----

    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\WININET.dll [ADVAPI32.dll!RegQueryValueExA] [00FFC166] c:\program files\aim6\services\imApp\ver6_5_9_1\imAppService.dll (imAppService EE Application Service/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[360] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\secur32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[2376] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3000] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [017773CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3000] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [01777376] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3000] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [01777376] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3000] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [017773CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3000] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [01777376] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3000] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [017773CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3000] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [017773CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3000] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [01777376] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3000] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [01777376] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3000] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [017773CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3000] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [017773CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3000] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [01777376] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3000] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [017773CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3000] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [01777376] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3000] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [017773CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3000] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [01777376] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3000] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [01777376] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3000] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [017773CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3000] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [017773CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3000] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA] [01777376] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3000] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [017773CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3000] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [01777376] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3000] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [01777376] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3000] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [017773CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3000] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [017773CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3000] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [01777376] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3000] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [017773CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3000] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [01777376] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3000] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [01777376] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3000] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [017773CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[3000] @ C:\WINDOWS\system32\SAMLIB.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [017773CC] C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)

    ---- Devices - GMER 1.0.14 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

    Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

    AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys

    Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

    ---- EOF - GMER 1.0.14 ----
     
  12. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    39
    Trophy Points:
    78


    What isn't loading?

    The fatal error comes from a bug in the “Steam” update, it’s not really fatal and I don’t know if they have it fixed yet but maybe soon..

    I think I told you, your clock will reset when you run the final instructions.

    OTMoveIt2 will un-install ComboFix and that will take care of it..

    After your last run of MBAM and Gmer it looks like the Rootkit and Trojan are gone…

    I really would like to see another ComboFix Log just to verify, though.

    Please run ComboFix and post a log so we can say for sure that you are clean and then you can wrap it up by performing the Final instructions > HERE


    2OG
     
    Last edited: Aug 23, 2008
  13. Oukeef

    Oukeef Member

    Joined:
    Aug 19, 2008
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    11
    ComboFix 08-08-21.02 - Sean 2008-08-23 12:10:45.7 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.267 [GMT -4:00]
    Running from: C:\Documents and Settings\Sean\Desktop\ComboFix.exe
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 )))))))))))))))))))))))))))))))
    .

    2008-08-22 16:59 . 2008-08-22 16:59 250 --a------ C:\WINDOWS\gmer.ini
    2008-08-21 17:38 . 2008-08-21 17:38 <DIR> d-------- C:\Program Files\Comodo
    2008-08-21 17:38 . 2008-08-21 17:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BOC427
    2008-08-21 17:38 . 2008-07-14 05:09 212,728 --a------ C:\WINDOWS\CMDLIC.DLL
    2008-08-21 17:38 . 2008-07-14 05:09 205,560 --a------ C:\WINDOWS\UNBOC.EXE
    2008-08-21 17:38 . 2004-08-04 03:56 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
    2008-08-21 17:38 . 2008-08-23 12:08 9,948 --a------ C:\WINDOWS\BOC427.INI
    2008-08-21 16:04 . 2008-08-23 12:14 2,107,424 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-08-21 16:04 . 2008-08-22 22:16 23,564 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2008-08-21 16:01 . 2008-08-21 16:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
    2008-08-21 16:01 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
    2008-08-21 16:01 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
    2008-08-21 16:01 . 2008-08-21 16:02 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
    2008-08-21 16:00 . 2008-08-21 16:00 <DIR> d-------- C:\Program Files\Zone Labs
    2008-08-21 15:59 . 2008-08-23 12:02 <DIR> d-------- C:\WINDOWS\Internet Logs
    2008-08-20 19:00 . 2008-08-20 19:00 <DIR> d--hs---- C:\Documents and Settings\Sean\UserData
    2008-08-19 19:35 . 2008-08-19 19:35 0 --a------ C:\WINDOWS\LCDMedia.INI
    2008-08-19 17:37 . 2008-08-19 17:37 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-19 16:23 . 2008-08-19 16:23 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-19 16:23 . 2008-08-19 16:23 <DIR> d-------- C:\Documents and Settings\Sean\Application Data\Malwarebytes
    2008-08-19 16:23 . 2008-08-19 16:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-19 16:23 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-19 16:23 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-19 16:13 . 2008-08-19 16:50 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-08-18 19:10 . 2008-08-18 19:11 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2008-08-18 18:56 . 2008-08-18 18:56 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-08-18 17:45 . 2008-08-18 17:45 <DIR> d-------- C:\Program Files\ESET
    2008-08-18 17:45 . 2008-08-18 17:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
    2008-08-18 16:36 . 2008-08-18 16:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\buvqvsjo
    2008-08-14 16:01 . 2008-05-01 10:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
    2008-08-13 11:43 . 2008-08-13 11:44 <DIR> d-------- C:\Program Files\Launchpad Enhanced
    2008-08-09 14:13 . 2008-08-09 14:13 <DIR> d-------- C:\Program Files\Safari
    2008-08-09 12:32 . 2008-08-09 12:37 8 --a------ C:\WINDOWS\system32\nvModes.dat
    2008-08-07 16:55 . 2008-08-07 16:55 <DIR> d-------- C:\Program Files\StarWarsGalaxiesEmumusic

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-23 15:12 --------- d-----w C:\Program Files\Steam
    2008-08-22 20:09 --------- d-----w C:\Program Files\mIRC
    2008-08-18 21:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
    2008-08-18 21:31 --------- d-----w C:\Documents and Settings\Sean\Application Data\AVG7
    2008-08-13 17:42 --------- d-----w C:\Program Files\StarWarsGalaxiesEmu
    2008-08-10 19:33 --------- d-----w C:\Program Files\Apple Software Update
    2008-08-09 18:16 --------- d-----w C:\Program Files\iTunes
    2008-08-09 18:16 --------- d-----w C:\Program Files\iPod
    2008-08-08 20:18 --------- d-----w C:\Program Files\Jasc Software Inc
    2008-08-08 20:15 --------- d-----w C:\Program Files\Viewpoint
    2008-08-08 20:15 --------- d-----w C:\Documents and Settings\Sean\Application Data\Viewpoint
    2008-08-08 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-08-05 23:08 --------- d-----w C:\Program Files\Full Tilt Poker
    2008-08-02 14:22 --------- d-----w C:\Program Files\AIMTunes
    2008-07-30 14:37 137,840 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
    2008-07-30 14:37 111,928 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
    2008-07-30 14:16 --------- d-----w C:\Documents and Settings\Sean\Application Data\Apple Computer
    2008-07-25 22:43 --------- d-----w C:\Program Files\QuickTime
    2008-07-20 16:16 --------- d-----w C:\Documents and Settings\Sean\Application Data\AdobeUM
    2008-07-19 02:24 --------- d-----w C:\Program Files\Semagic
    2008-07-10 13:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
    2008-07-09 13:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-02-12 22:59 27 ----a-w C:\Program Files\user.cfg
    .

    ((((((((((((((((((((((((((((( snapshot@2008-08-21_17.45.02.29 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-08-22 20:59:46 884,736 ----a-w C:\WINDOWS\gmer.dll
    + 2008-04-18 01:13:02 811,008 ----a-w C:\WINDOWS\gmer.exe
    + 2008-08-22 20:59:46 85,969 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ResChanger 2005"="C:\Program Files\ResChanger 2005\ResChanger2005.exe" [2005-05-26 19:30 885248]
    "Steam"="c:\program files\steam\steam.exe" [2008-03-27 20:02 1271032]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 12:15 50528]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]
    "Launch LGDCore"="C:\Program Files\Logitech\G-series Software\LGDCore.exe" [2006-03-06 11:31 1122304]
    "Launch LCDMon"="C:\Program Files\Logitech\G-series Software\LCDMon.exe" [2006-03-06 11:14 497152]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22 86016]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 22:34 49152]
    "Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-03-28 01:07 593920]
    "AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
    "egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 18:52 1447168]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
    "BOC-427"="C:\PROGRA~1\Comodo\CBOClean\BOC427.exe" [2008-07-14 05:09 351480]
    "SoundMan"="SOUNDMAN.EXE" [2005-07-22 03:00 81920 C:\WINDOWS\SOUNDMAN.EXE]
    "nwiz"="nwiz.exe" [2006-10-22 13:22 1622016 C:\WINDOWS\system32\nwiz.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-01 20:03:29 113664]
    CoreCenter.lnk - C:\Program Files\MSI\Core Center\CoreCenter.exe [2006-10-22 21:11:35 928256]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 22:26:24 210520]
    Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-05-18 00:13:58 91440]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\AIM6\\aim6.exe"=
    "C:\\Program Files\\AIM\\aim.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
    "C:\\Program Files\\BitComet\\BitComet.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\Steam\\steamapps\\thrasher529\\half-life\\hl.exe"=
    "C:\\Program Files\\Steam\\steamapps\\thrasher11@thrasher1.com\\half-life\\hl.exe"=
    "C:\\Program Files\\Steam\\steamapps\\thrasher11@thrasher1.com\\day of defeat source\\hl2.exe"=
    "C:\\Program Files\\Steam\\steamapps\\thrasher11@thrasher1.com\\counter-strike source\\hl2.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
    "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "C:\\Program Files\\mIRC\\mirc.exe"=
    "C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
    "C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\WINDOWS\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Steam\\steam.exe"=
    "C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
    "C:\\Program Files\\PopCap Games\\Zuma Deluxe\\Zuma.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "13052:TCP"= 13052:TCP:*:Disabled:BitComet 13052 TCP
    "13052:UDP"= 13052:UDP:*:Disabled:BitComet 13052 UDP

    R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-06-10 18:56]
    R2 IOPort;IOPort;C:\WINDOWS\system32\IOPORT.SYS [1998-11-27 19:57]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]
    R3 RushTopDevice;RushTopDevice;C:\Program Files\MSI\Core Center\RushTop.sys [2006-05-23 15:05]
    S3 se59bus;Sony Ericsson Device 089 driver (WDM);C:\WINDOWS\system32\DRIVERS\se59bus.sys [2006-09-05 20:07]
    S3 se59mdfl;Sony Ericsson Device 089 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se59mdfl.sys [2006-09-05 20:07]
    S3 se59mdm;Sony Ericsson Device 089 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se59mdm.sys [2006-09-05 20:07]
    S3 se59mgmt;Sony Ericsson Device 089 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se59mgmt.sys [2006-09-05 20:08]
    S3 se59nd5;Sony Ericsson Device 089 USB Ethernet Emulation SEMC59 (NDIS);C:\WINDOWS\system32\DRIVERS\se59nd5.sys [2006-09-05 20:06]
    S3 se59obex;Sony Ericsson Device 089 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se59obex.sys [2006-09-05 20:09]
    S3 se59unic;Sony Ericsson Device 089 USB Ethernet Emulation SEMC59 (WDM);C:\WINDOWS\system32\DRIVERS\se59unic.sys [2006-09-05 20:06]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\z6wgkj7g.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.msn.com/
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-23 12:13:48
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-08-23 12:15:16
    ComboFix-quarantined-files.txt 2008-08-23 16:14:57
    ComboFix2.txt 2008-08-22 01:15:40
    ComboFix3.txt 2008-08-22 00:27:44
    ComboFix4.txt 2008-08-21 21:45:31

    Pre-Run: 147,836,215,296 bytes free
    Post-Run: 147,844,632,576 bytes free

    193 --- E O F --- 2008-08-14 21:31:11
     
  14. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    39
    Trophy Points:
    78
  15. Oukeef

    Oukeef Member

    Joined:
    Aug 19, 2008
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    11
    thank you again so much, i really appreciate all your help.
     
  16. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    39
    Trophy Points:
    78
    Hey, I'm just glad I could help. That sucker had me confused for a while there.

    Take care [​IMG]

    2OG
     
  17. Zoneblitz

    Zoneblitz Member

    Joined:
    Aug 13, 2008
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    11
    Hey OG,Can you give me a little help too?I also got the bluescreenjoke.Everything is doing good except my screen saver and desktop options have disappeared.I still have a desktop thats blue that Reads "Warning spyware detected on your computer"

    Does this mean I still have it?I use to have random shut downs but havent had any in about a week.Everything seems back to normal excpet I still have the problem with the desktop.At startup I get a small black box that pops up for about 2 seconds.

    Thanks in advance!
     
    Last edited: Aug 23, 2008
  18. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    39
    Trophy Points:
    78
    Hi Zoneblitz, [​IMG]

    Just follow these instructions at the start of this thread and post the Logs back here:
    http://forums.afterdawn.com/thread_view.cfm/691887#4208313


    I’ll look them over. Remember, these instructions may not clean you completely so be sure to follow through with posting your logs.


    2OG [​IMG]
     
  19. Zoneblitz

    Zoneblitz Member

    Joined:
    Aug 13, 2008
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    11
    First I would like to thank you for your time.Ill go ahead and post the hijack.The other one is taking a little more time.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:18:34 PM, on 8/23/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
    O4 - HKLM\..\Run: [octblido] %systemroot%\octblido.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

    --
    End of file - 3113 bytes


     
  20. Zoneblitz

    Zoneblitz Member

    Joined:
    Aug 13, 2008
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    11
    Malwarebytes' Anti-Malware 1.25
    Database version: 1078
    Windows 5.1.2600 Service Pack 2

    4:05:59 PM 8/23/2008
    mbam-log-08-23-2008 (16-05-59).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 107901
    Time elapsed: 47 minute(s), 45 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 4
    Registry Data Items Infected: 2
    Folders Infected: 12
    Files Infected: 14

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\rhcttqj0e56g (Rogue.Multiple) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\Program Files\rhcttqj0e56g (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Harrison Family\Application Data\rhcttqj0e56g (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Harrison Family\Application Data\rhcttqj0e56g\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Harrison Family\Application Data\rhcttqj0e56g\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Harrison Family\Application Data\rhcttqj0e56g\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Harrison Family\Application Data\rhcttqj0e56g\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Harrison Family\Application Data\rhcttqj0e56g\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Harrison Family\Application Data\rhcttqj0e56g\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Harrison Family\Application Data\rhcttqj0e56g\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Harrison Family\Application Data\rhcttqj0e56g\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Harrison Family\Application Data\rhcttqj0e56g\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Harrison Family\Application Data\rhcttqj0e56g\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Program Files\rhcttqj0e56g\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Program Files\rhcttqj0e56g\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Program Files\rhcttqj0e56g\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Program Files\rhcttqj0e56g\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Program Files\rhcttqj0e56g\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Program Files\rhcttqj0e56g\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Program Files\rhcttqj0e56g\rhcttqj0e56g.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Harrison Family\Local Settings\Temp\.tt15.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Harrison Family\Local Settings\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Harrison Family\Local Settings\Temp\.ttB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Harrison Family\Local Settings\Temp\.ttC.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Harrison Family\Local Settings\Temp\.ttD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Harrison Family\Local Settings\Temp\.ttE.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Harrison Family\Local Settings\Temp\.ttF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
     

Share This Page