
D@mn this virus. D@mn it to h3ll. (Trojan.gaslide b)

Discussion in 'Windows - Virus and spyware problems' started by DeliverMe, Aug 6, 2008.

  1. cw322

    cw322 Member

    Joined:
    Aug 20, 2008
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    11
    I did what you said. Here is the log file.


    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2008-08-22 00:33:11
    Windows 5.1.2600 Service Pack 2


    ---- Devices - GMER 1.0.14 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs AVHook.sys (PC Tools Filter Driver for Windows 2000/XP/PC Tools Research Pty Ltd.)
    AttachedDevice \FileSystem\Ntfs \Ntfs AVRec.sys (PC Tools Recognizer Driver for Windows 2000/XP/PC Tools Research Pty Ltd )

    Device \FileSystem\Udfs \UdfsCdRom tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Udfs \UdfsDisk tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

    AttachedDevice \Driver\Tcpip \Device\Ip pctfw2.sys (PC Tools TDI Driver/PC Tools)
    AttachedDevice \Driver\Tcpip \Device\Tcp pctfw2.sys (PC Tools TDI Driver/PC Tools)

    ---- Disk sectors - GMER 1.0.14 ----

    Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR
    Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior; copy of MBR
    Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

    ---- EOF - GMER 1.0.14 ----
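As an added example (not part of this thread, and not code from GMER), the following Python script parses the two sections of the GMER log quoted above, the device list and the disk-sector list, and reports what a reader of such a log checks first: the sectors GMER itself tagged "rootkit-like behavior", every sector holding a copy of the MBR, and the driver files stacked as filters on the NTFS file system and the TCP/IP stack together with the vendor text GMER prints for them, so each can be matched against software actually installed (here the PC Tools products named in the descriptions). It assumes the line layout seen in this GMER 1.0.14 output; the input is a shortened, constructed copy of that log, not the full one.

```python
import re
from dataclasses import dataclass

# Constructed sample (not the full log from this thread): a shortened copy of the
# GMER 1.0.14 text layout, keeping the same "Devices" and "Disk sectors" line formats.
SAMPLE_GMER_LOG = r"""
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-22 00:33:11
Windows 5.1.2600 Service Pack 2

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVHook.sys (PC Tools Filter Driver for Windows 2000/XP/PC Tools Research Pty Ltd.)
Device \FileSystem\Udfs \UdfsCdRom tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
AttachedDevice \Driver\Tcpip \Device\Tcp pctfw2.sys (PC Tools TDI Driver/PC Tools)

---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.14 ----
"""

# "AttachedDevice <target> <device> <driver file> (<description>)" or "Device ..."
DEVICE_RE = re.compile(r"^(AttachedDevice|Device)\s+(\S+)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
# "Disk <disk object> sector NN: note; note"
SECTOR_RE = re.compile(r"^Disk\s+(\S+)\s+sector\s+(\d+):\s*(.*?)\s*$")


@dataclass(frozen=True)
class DeviceEntry:
    kind: str          # "AttachedDevice" = a filter stacked on another driver's device; "Device" = its own
    target: str        # driver or device object the entry belongs to or is attached to
    device: str
    driver_file: str   # e.g. AVHook.sys
    description: str   # the text GMER prints in parentheses (product and vendor)


@dataclass(frozen=True)
class SectorEntry:
    disk: str
    sector: int
    notes: tuple       # e.g. ("rootkit-like behavior", "copy of MBR")


def parse_gmer(text):
    """Split a GMER text log into device entries and disk-sector entries."""
    devices, sectors = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = DEVICE_RE.match(line)
        if m:
            devices.append(DeviceEntry(*m.groups()))
            continue
        m = SECTOR_RE.match(line)
        if m:
            disk, number, notes = m.groups()
            sectors.append(SectorEntry(disk, int(number),
                                       tuple(n.strip() for n in notes.split(";") if n.strip())))
    return devices, sectors


def triage(text):
    """Sectors GMER flagged, sectors holding an MBR copy, and the filter drivers
    attached to the file system and network stack (each should match an installed product)."""
    devices, sectors = parse_gmer(text)
    flagged = [s.sector for s in sectors if any("rootkit" in n.lower() for n in s.notes)]
    mbr_copies = [s.sector for s in sectors if "copy of MBR" in s.notes]
    filters = sorted({(d.driver_file, d.description) for d in devices if d.kind == "AttachedDevice"})
    return {"flagged_sectors": flagged, "mbr_copy_sectors": mbr_copies, "attached_filters": filters}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_GMER_LOG).items():
        print(f"{key}: {value}")
```

Run against the full log above, the same script lists sectors 10, 57 and 63 as flagged, all of sectors 1 to 63 as MBR copies, and AVHook.sys, AVRec.sys and pctfw2.sys as the attached filters.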
     
  2. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    40
    Trophy Points:
    78
    @ cw322,

    I am so sorry, cw322, but I will have to disqualify myself on this one….

    As I said, I have been working on the same Trojan for 2 days now and have not been able to remove it.

    There were several Trojans that MBAM removed the first time you ran it. With the second run it found others. Actually, some of these were removed the first time but then returned.

    There is evidence in the Gmer Log of a Rootkit. This Rootkit is hiding a program that re-installs the Trojans each time they are removed.

    This would lead me to believe that this is a backdoor Trojan and a possible Keylogger.

    This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

    I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.


    Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

    How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

    When Should I Format, How Should I Reinstall

    However, if you do not have the resources to reinstall your computer and would like to attempt to clean it, I will suggest you visit http://www.malwareremoval.com/ and post a log on their forum. These Guys and Gals are very skilled at removing nasties like this.


    My apologies for not being knowledgeable enough to assist you with your problem.

    Regards,
    2oldGeek
     
    Last edited: Aug 22, 2008
  3. cw322

    cw322 Member

    Joined:
    Aug 20, 2008
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    11
    Thanks anyway. I figured I'd do a reformat just to be safe in the long run. I just use this computer for personal stuff, like pictures and web browsing. I do go online to do online banking, but ever since I got the virus I haven't done it on that computer. Even now I'm using the computer at work.
    Since I haven't done anything on the computer except try to get the virus off, and I have no saved passwords on it for anything, should I be OK?
     
  4. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    40
    Trophy Points:
    78
    Hey cw322,

    You know, I have spent about 36 hours straight trying to get a fix for this Trojan and have searched the web with a fine-tooth comb…….with no success :(

    Found only 3 occurrences of it and 2 of them are right here on afterdawn..

    Just a thought; If you are intending to re-format/re-install anyway – I would greatly appreciate trying to remove that sucker from your computer before you do, just so I could hold my head up straight. I hate giving up, and it’s eating at my innards to have some stupid Trojan defeat me. :(

    I am looking over your logs and attempting to come up with a solution right now.. If you decide to get involved in an experiment, I promise not to hurt you and would be so appreciative.


    Let me know what you decide and we can have some Trojan soup (hopefully) lol


    Regards,
    2OG
     
  5. SgtJer

    SgtJer Member

    Joined:
    Aug 22, 2008
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    11
    2OG, you are a godsend!

    I have very limited technical experience and I found myself attacked by this virus. I was lucky enough to recognize the startup entry for this as suspicious and was able to find this thread by entering it into Google.

    This thing was extremely tricky for me to navigate around as it was giving me error codes in my browser (Firefox) whenever I tried to log on to any commonly known Anti-Virus site.

    I'll post the logs of the two Malwarebytes anti-malware scans that I ran. Perhaps you could tell me if I need to take further steps?

    Log 1:



    Malwarebytes' Anti-Malware 1.25
    Database version: 1062
    Windows 5.1.2600 Service Pack 2

    3:12:05 AM 8/22/2008
    mbam-log-08-22-2008 (03-12-05).txt

    Scan type: Full Scan (C:\|E:\|)
    Objects scanned: 126640
    Time elapsed: 43 minute(s), 35 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 1
    Registry Keys Infected: 3
    Registry Values Infected: 5
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 14

    Memory Processes Infected:
    C:\WINDOWS\system32\lphcr5mj0e71n.exe (Trojan.FakeAlert) -> Unloaded process successfully.

    Memory Modules Infected:
    C:\WINDOWS\system32\blphcr5mj0e71n.scr (Trojan.FakeAlert) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\blphcr5mj0e71n.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lphcr5mj0e71n.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\phcr5mj0e71n.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Papa\Local Settings\Temp\CmdLineExt.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Papa\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Papa\Local Settings\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Papa\Local Settings\Temp\.ttD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.






    Log 2:


    Malwarebytes' Anti-Malware 1.25
    Database version: 1062
    Windows 5.1.2600 Service Pack 2

    5:12:23 AM 8/22/2008
    mbam-log-08-22-2008 (05-12-23).txt

    Scan type: Full Scan (C:\|E:\|)
    Objects scanned: 124443
    Time elapsed: 1 hour(s), 18 minute(s), 22 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)






    After running these two scans I also ran an AVG Free 8.0 scan, which removed a couple more suspicious items, and I ran a Spybot S&D scan, which also removed a few cookies.

    Thanks for all your help!

    Regards.
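As an added example (not from this thread and not code from Malwarebytes), here is a small Python triage script for logs in the Malwarebytes' Anti-Malware 1.25 format posted above. It pulls out what a helper looks for before answering "do I need to take further steps": the threat families found, items marked "Delete on reboot" (which are not gone until the machine has actually restarted), items that were running in memory, and, across two scans, any path detected in both, which is the "removed, then returned" pattern 2oldGeek described earlier in the thread. It assumes the section and item line layout seen in these logs; the three inputs are shortened, constructed logs modelled on the ones posted (the paths and family names are taken from them, and the third log, with one driver returning, is invented to exercise the comparison).

```python
import re
from collections import Counter

# Constructed samples modelled on the Malwarebytes' Anti-Malware 1.25 log layout quoted in
# this thread (shortened; item paths and families are taken from those logs).
FIRST_SCAN = r"""
Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 126640
Time elapsed: 43 minute(s), 35 second(s)

Memory Processes Infected: 1
Registry Data Items Infected: 1
Files Infected: 3

Memory Processes Infected:
C:\WINDOWS\system32\lphcr5mj0e71n.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\lphcr5mj0e71n.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

CLEAN_RESCAN = r"""
Malwarebytes' Anti-Malware 1.25
Database version: 1062

Memory Processes Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
"""

# Constructed (invented) rescan in which one driver that was "Delete on reboot" is back.
RESCAN_WITH_RETURN = r"""
Malwarebytes' Anti-Malware 1.25
Database version: 1062

Files Infected: 1

Files Infected:
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
"""

# "<path> (<family>) -> <action>"; registry data items have "Bad: (1) Good: (0) -> <action>"
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
HEADER_RE = re.compile(r"^(Database version|Scan type|Objects scanned|Time elapsed): (.+)$")


def parse_mbam(text):
    """Return (header fields, detected items); each item keeps its section, path, family and final action."""
    header, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group(1)] = m.group(2)
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = ITEM_RE.match(line)
        if m and section:
            # The action is the last "->" segment (data items carry "Bad/Good" values before it).
            action = m.group("rest").split(" -> ")[-1].rstrip(".")
            items.append({"section": section, "path": m.group("path"),
                          "family": m.group("family"), "action": action})
    return header, items


def triage(text):
    """Summarise one scan: threat families, items only removable at reboot, items that were running."""
    header, items = parse_mbam(text)
    return {
        "database": header.get("Database version"),
        "families": dict(Counter(i["family"] for i in items)),
        "pending_reboot": sorted(i["path"] for i in items if i["action"].startswith("Delete on reboot")),
        "active_in_memory": sorted(i["path"] for i in items if i["section"].startswith("Memory")),
    }


def returned_after_cleanup(first_log, second_log):
    """Paths detected in both scans: removed once and back again, the persistence pattern 2oldGeek describes."""
    _, first = parse_mbam(first_log)
    _, second = parse_mbam(second_log)
    return sorted({i["path"] for i in first} & {i["path"] for i in second})


if __name__ == "__main__":
    print(triage(FIRST_SCAN))
    print("returned after cleanup:", returned_after_cleanup(FIRST_SCAN, RESCAN_WITH_RETURN))
```

On the two logs posted above the comparison comes back empty, which is what SgtJer's clean second scan shows; a non-empty result, as with the constructed third log, is the signal that something is restoring the removed files and a plain rescan is not enough.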
     
  6. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    40
    Trophy Points:
    78
    Last edited: Aug 22, 2008
  7. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    40
    Trophy Points:
    78
    Hi cw322,

    What we are about to do seems to have removed this infection in the other computer that I have been helping with, so let’s do it!


    First:

    Download and install: Comodo BOClean

    After installation, re-boot and then you will not need to do anything else. This little jewel just sits there in the tray and does its thing, quietly, until something moves. Uses very little resources. And, it’s FREE!

    Comodo BOClean protects your computer against trojans, malware and other threats. It constantly scans your system in the background and intercepts any recognized trojan activity. The program can ask the user what to do, or run in unattended mode and automatically shut down and remove any suspected trojan application. Comodo BOClean currently supports more than 59000 malware items and offers automatic daily updates. Other features include updating via network share, tamper protection and stealth mode.


    Open Notepad - it must be Notepad, not Wordpad.
    Copy the text below in the quote box by highlighting all the text with your mouse and pressing Ctrl+C





    Go to the Notepad window and click Edit > Paste
    Then click File > Save
    Name the file "CFScript.txt" (including the quotes)
    Save the file to your Desktop


    [picture showing CFScript.txt being dragged onto ComboFix.exe; image not preserved]


    Referring to the picture above, drag CFScript into ComboFix.exe

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.



    2OG
     
  8. gyqrr

    gyqrr Member

    Joined:
    Jul 5, 2006
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    11
    2OG,
    I'm having the same problems too. And thank God I found this forum and your post. I did what you said, but I'm still not sure if I have completely removed the virus. Because, after I did the scan, every time I try to log in, after a few seconds I will still get a blue screen. Please help. Your advice will greatly be appreciated. Thank you so much!

    Gyqrr

    FIRST SCAN
    ==========
    Malwarebytes' Anti-Malware 1.25
    Database version: 1076
    Windows 5.1.2600 Service Pack 2

    11:47:29 AM 8/23/2008
    mbam-log-08-23-2008 (11-47-29).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 108062
    Time elapsed: 25 minute(s), 58 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 4
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 17

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\blphc7gmj0epbj.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lphc7gmj0epbj.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\phc7gmj0epbj.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\sysrest32.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Girlie\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Girlie\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Girlie\Local Settings\Temp\.tt3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Girlie\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Girlie\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Girlie\Local Settings\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Girlie\Local Settings\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Girlie\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Girlie\Local Settings\Temp\.tt9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Girlie\Local Settings\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Girlie\Local Settings\Temp\.ttB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Girlie\Local Settings\Temp\.ttE.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Girlie\Local Settings\Temp\.ttF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    ====================================================================

    After restarting Windows, after a few seconds, I got the blue screen again.
     
  9. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    40
    Trophy Points:
    78
    Try to complete the ComboFix instructions.

    If you have trouble with it, run it in Safe Mode..
     
  10. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    40
    Trophy Points:
    78
    p.s. I think the Blue Screen is just a joke screensaver....

    ComboFix should take care of that.
     
  11. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    40
    Trophy Points:
    78
  12. gyqrr

    gyqrr Member

    Joined:
    Jul 5, 2006
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    11
    2OG,
    WOW! Thank you so much for the fast reply! I'll give it a try.
    Thanks a million again.

    gyqrr
     
  13. gyqrr

    gyqrr Member

    Joined:
    Jul 5, 2006
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    11
    2OG
    After reading the extra note for ComboFix, I'm kinda having second thoughts if I should do it (this may sound stupid, but I don't know how to disable the script blocking.. hehehe). I'm scared that I might mess up my laptop (more).

    confused,
    gyqrr
     
  14. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    40
    Trophy Points:
    78
    @gyqrr.

    It's not all that bad.. There are warnings on cigarette lighters also, but who reads them. The program sets a restore point before running, just in case.

    No fear! It just means don't try to use it on your own without help.

    p.s. post a HJT Log also..
     
    Last edited: Aug 23, 2008
  15. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    40
    Trophy Points:
    78
    If you will just send a hijackthis log, I will tell you if there is anything that needs disabling...
     
  16. cw322

    cw322 Member

    Joined:
    Aug 20, 2008
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    11
    2OG,

    Sure. Let's try to remove it. In the long run I'll reformat but for now we can try to remove it. Let me know how you want to proceed.

    cw322
     
  17. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    40
    Trophy Points:
    78
  18. cw322

    cw322 Member

    Joined:
    Aug 20, 2008
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    11
    Here is the ComboFix log:

    ComboFix 08-08-21.01 - Craig Whitham 2008-08-23 18:08:27.5 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.714 [GMT -4:00]
    Running from: C:\Documents and Settings\Craig Whitham\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Craig Whitham\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\Documents and Settings\All Users\Application Data\edubqncj
    C:\Documents and Settings\All Users\Application Data\rmlsdkby
    C:\Program Files\gnfgay
    C:\WINDOWS\system32\614E2D13C8.sys
    C:\WINDOWS\system32\atgdgrkz.exe
    C:\WINDOWS\system32\atonaxmt.exe
    C:\WINDOWS\system32\cjaxwlqr.exe
    C:\WINDOWS\system32\evmnupqh.exe
    C:\WINDOWS\system32\futmhclu.exe
    C:\WINDOWS\system32\gpwzmreb.exe
    C:\WINDOWS\system32\hcpghwvc.exe
    C:\WINDOWS\system32\mjsfgrwn.exe
    C:\WINDOWS\system32\puvyzafy.exe
    C:\WINDOWS\system32\qxkdsfql.exe
    C:\WINDOWS\system32\vipipcty.exe
    C:\WINDOWS\system32\zolkdwnu.exe
    C:\WINDOWS\system32\zotuxcnu.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\614E2D13C8.sys
    C:\WINDOWS\system32\blphcg90j0ej7t.scr
    C:\WINDOWS\system32\lphcg90j0ej7t.exe
    C:\WINDOWS\system32\phcg90j0ej7t.bmp

    .
    ((((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 )))))))))))))))))))))))))))))))
    .

    2008-08-23 17:38 . 2008-08-23 17:38 <DIR> d-------- C:\Program Files\Comodo
    2008-08-23 17:38 . 2008-08-23 17:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BOC427
    2008-08-23 17:38 . 2008-07-14 05:09 212,728 --a------ C:\WINDOWS\CMDLIC.DLL
    2008-08-23 17:38 . 2008-07-14 05:09 205,560 --a------ C:\WINDOWS\UNBOC.EXE
    2008-08-23 17:38 . 2004-08-04 07:00 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
    2008-08-23 17:38 . 2008-08-23 18:14 11,703 --a------ C:\WINDOWS\BOC427.INI
    2008-08-23 16:55 . 2008-08-23 16:55 195,584 --a------ C:\WINDOWS\system32\qxqzkbed.exe
    2008-08-23 16:55 . 2008-08-23 16:55 106,496 --a------ C:\WINDOWS\system32\gpwhstmr.exe
    2008-08-22 01:54 . 2008-08-22 01:54 81,920 --a------ C:\WINDOWS\system32\sdezadit.exe
    2008-08-22 01:46 . 2008-08-22 01:46 81,920 --a------ C:\WINDOWS\system32\mxmxytkj.exe
    2008-08-22 01:02 . 2008-08-22 01:02 <DIR> d--h----- C:\WINDOWS\PIF
    2008-08-22 00:07 . 2008-08-22 00:44 250 --a------ C:\WINDOWS\gmer.ini
    2008-08-20 23:48 . 2008-08-20 23:48 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-20 22:25 . 2008-08-20 22:27 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-08-20 22:25 . 2008-08-20 23:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-08-19 20:09 . 2008-08-19 20:09 <DIR> d--hs---- C:\Documents and Settings\Craig Whitham\UserData
    2008-08-19 19:15 . 2008-08-19 19:14 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-08-19 19:14 . 2008-08-19 19:33 <DIR> d-------- C:\Documents and Settings\Craig Whitham\.housecall6.6
    2008-08-19 01:06 . 2008-08-19 01:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
    2008-08-19 00:56 . 2008-08-19 00:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-08-19 00:55 . 2008-08-19 02:11 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-08-19 00:55 . 2008-08-19 02:12 <DIR> d-------- C:\Documents and Settings\Craig Whitham\Application Data\SUPERAntiSpyware.com
    2008-08-18 22:35 . 2008-08-18 22:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    2008-08-18 20:48 . 2008-08-18 20:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-18 20:48 . 2008-08-18 20:48 <DIR> d-------- C:\Documents and Settings\Craig Whitham\Application Data\Malwarebytes
    2008-08-18 20:48 . 2008-08-18 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-18 20:48 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-18 20:48 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-18 18:48 . 2006-01-25 23:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
    2008-08-18 18:48 . 2006-01-25 23:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
    2008-08-18 18:48 . 2006-01-25 23:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
    2008-08-18 18:48 . 2008-08-20 23:23 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-08-16 14:40 . 2008-08-16 14:40 <DIR> d-------- C:\Program Files\gnfgay
    2008-08-16 14:40 . 2008-08-16 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\rmlsdkby
    2008-08-16 14:40 . 2008-08-16 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\edubqncj
    2008-08-13 19:28 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
    2008-07-25 13:39 . 2008-07-25 13:40 <DIR> d-------- C:\Documents and Settings\Craig Whitham\Application Data\U3

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-23 22:14 --------- d-----w C:\Program Files\PC Tools AntiVirus
    2008-08-22 02:58 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-08-22 02:58 --------- d-----w C:\Program Files\Spyware Doctor
    2008-08-22 02:25 --------- d-----w C:\Program Files\Privacy Guardian
    2008-08-21 02:46 --------- d-----w C:\Program Files\RegSweep
    2008-08-05 06:03 160,792 ----a-w C:\WINDOWS\system32\drivers\pctfw2.sys
    2008-07-23 00:34 --------- d-----w C:\Program Files\Java
    2008-05-31 03:31 28,264 ----a-w C:\Documents and Settings\Craig Whitham\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((( snapshot@2008-08-21_20.25.41.03 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-08-22 04:07:37 884,736 ----a-w C:\WINDOWS\gmer.dll
    + 2008-08-22 04:06:26 811,008 ----a-w C:\WINDOWS\gmer.exe
    + 2004-08-04 11:00:00 15,360 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
    + 2008-08-22 04:07:37 85,969 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 18:41 1832272]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 18:33 155648]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 16:59 385024]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 23:05 344064]
    "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 22:15 290816]
    "PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2007-03-08 19:19 1074736]
    "BOC-427"="C:\PROGRA~1\Comodo\CBOClean\BOC427.exe" [2008-07-14 05:09 351480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "PrivacyGuardianIndex"="C:\Program Files\Privacy Guardian\PgIndex.exe" [2006-10-30 13:57 38488]

    C:\Documents and Settings\Craig Whitham\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-01-25 23:04:19 24576]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    2004-09-07 18:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.SEDG"= mcs_vfw.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Craig Whitham^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=C:\Documents and Settings\Craig Whitham\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-04 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    --a------ 2004-12-06 03:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
    -----c--- 2005-02-23 18:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    --a------ 2005-06-10 12:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    --a------ 2005-06-10 12:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-06-02 11:13 267048 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
    --a------ 2005-07-19 17:32 221184 C:\WINDOWS\system32\LVCOMSX.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    --a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Privacy Guardian]
    --a------ 2007-06-12 10:20 2401832 C:\Program Files\Privacy Guardian\pg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2008-05-15 20:33 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Raven\\Star Trek Voyager Elite Force\\stvoyHM.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-08-05 02:03]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\LaunchU3.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-23 18:14:02
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Comodo\CBOClean\BOCore.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Program Files\Apoint\ApntEx.exe
    .
    **************************************************************************
    .
    Completion time: 2008-08-23 18:19:37 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-08-23 22:19:27
    ComboFix2.txt 2008-08-22 05:59:30
    ComboFix3.txt 2008-08-22 03:38:52
    ComboFix4.txt 2008-08-22 02:30:36
    ComboFix5.txt 2008-08-23 22:07:51

    Pre-Run: 44,533,317,632 bytes free
    Post-Run: 44,519,350,272 bytes free

    206 --- E O F --- 2008-08-15 01:03:04
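The ComboFix dump above is read by eye in this thread. As an added example (editor's code, not part of the thread, of ComboFix, or of any tool the posters used), the script below applies three quick triage rules to registry-dump lines of that shape: Security Center monitoring switched off for a product, firewall exceptions for binaries outside Windows/Program Files, and removable-drive AutoRun commands under mountpoints2. The sample input is assembled from lines in the log above; one extra firewall block is constructed and labelled so the rule has something to catch. The rules and severities are the editor's own triage aid, not verdicts.

```python
"""Triage rules for ComboFix registry-dump lines.

Added example by the editor; not part of the thread, of ComboFix, or of any
tool the posters used.  The sample is assembled from lines in the log posted
above; one block is constructed (and labelled) to exercise the firewall rule.
"""
import re
from dataclasses import dataclass

# Fragments copied from the ComboFix log posted above (subset assembled by the editor).
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Raven\\Star Trek Voyager Elite Force\\stvoyHM.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe
"""

# CONSTRUCTED control block, NOT from the thread: a firewall exception for a
# binary in a user's Temp folder, the pattern the AuthorizedApplications rule flags.
CONSTRUCTED_BAD_FIREWALL = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Documents and Settings\\User\\Local Settings\\Temp\\update.exe"=
"""

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")
KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")


@dataclass(frozen=True)
class Finding:
    key: str
    severity: str   # "info" or "review"; a verdict still needs a human
    reason: str
    line: str


def normalize_path(raw: str) -> str:
    """Unquote a reg-export style value name, collapse doubled backslashes, expand %windir%."""
    p = raw.strip().rstrip("=").strip().strip('"').replace("\\\\", "\\").lower()
    return p.replace("%windir%", "c:\\windows")


def in_trusted_dir(path: str) -> bool:
    return normalize_path(path).startswith(TRUSTED_DIRS)


def triage(dump: str) -> list:
    findings, key = [], ""
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:                       # a [key] line opens a new block; values follow it
            key = m["key"].lower()
            continue
        if "security center\\monitoring" in key and line.lower() == '"disablemonitoring"=dword:00000001':
            product = key.rsplit("\\", 1)[-1]
            findings.append(Finding(key, "review",
                f"Security Center alerting suppressed for {product}; confirm it is installed and running", line))
        elif key.endswith("authorizedapplications\\list") and not in_trusted_dir(line):
            findings.append(Finding(key, "review",
                "firewall exception for a binary outside Windows/Program Files", line))
        elif "mountpoints2" in key and "\\shell\\autorun\\command" in line.lower():
            findings.append(Finding(key, "info",
                "removable-drive AutoRun command: " + line.split(" - ", 1)[-1], line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_COMBOFIX) + triage(CONSTRUCTED_BAD_FIREWALL):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

On the log above this yields two "review" entries for the McAfee monitoring keys (PC Tools, not McAfee, is the installed AV, so those keys are leftovers worth checking) and one "info" entry for the U3 launcher on E:, while the three firewall exceptions pass because they sit under Windows or Program Files.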
     
  19. cw322

    cw322 Member

    HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:24:47 PM, on 8/23/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Comodo\CBOClean\BOCORE.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\PC Tools AntiVirus\PCTAV.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
    O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
    O4 - HKLM\..\RunOnce: [PrivacyGuardianIndex] C:\Program Files\Privacy Guardian\PgIndex.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NICCONFIGSVC - Unknown owner - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe (file missing)
    O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 8282 bytes
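HijackThis lines are sorted by section (R0, O2, O4, O10, O16, O23) and experienced helpers scan them for a few recurring patterns. As an added example (editor's code, not part of the thread, of HijackThis or of Trend Micro), the script below applies those patterns to the log posted above: orphaned BHOs, autoruns launched from outside Windows/Program Files, Winsock LSP entries, ActiveX controls fetched over plain HTTP, and services with no vendor string or a missing binary. The sample input is assembled from lines in the log above; one extra O4 line is constructed and labelled to show what the autorun rule catches. The severities are a sorting aid, not verdicts: the Spyware Doctor LSP it flags is a legitimate vendor file.

```python
"""Triage rules for HijackThis (HJT) v2 log lines.

Added example by the editor; not part of the thread, of HijackThis or of Trend
Micro.  The sample is assembled from lines in the log posted above; one line is
constructed (and labelled) to exercise the O4 rule.
"""
import re
from dataclasses import dataclass

# Lines copied from the HijackThis log posted above (subset assembled by the editor).
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O23 - Service: NICCONFIGSVC - Unknown owner - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe (file missing)
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
"""

# CONSTRUCTED control line, NOT from the thread: an autorun named after an OS
# binary but launched from a user's Temp folder.
CONSTRUCTED_BAD_O4 = r"O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\User\Local Settings\Temp\svchost.exe"

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")
OS_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
               "services.exe", "smss.exe", "explorer.exe"}
SEVERITY_RANK = {"clean": 0, "info": 1, "review": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str
    reason: str
    line: str


def normalize_path(raw: str) -> str:
    """Lower-case and expand the 8.3 short name HJT prints for Program Files."""
    return raw.strip().strip('"').lower().replace("c:\\progra~1\\", "c:\\program files\\")


def in_trusted_dir(path: str) -> bool:
    return normalize_path(path).startswith(TRUSTED_DIRS)


def triage(log: str) -> list:
    findings, seen = [], set()
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m or line in seen:   # skip non-entries and exact repeats (HJT lists an LSP DLL once per Winsock catalog entry)
            continue
        seen.add(line)
        sec, body = m["sec"], m["body"]
        if sec == "O2" and ("(no file)" in body or "(file missing)" in body):
            findings.append(Finding(sec, "info", "orphaned BHO: CLSID registered, DLL absent", line))
        elif sec == "O4":
            cmd = body.split("] ", 1)[-1]                 # text after "[name] " is the command line
            exe = normalize_path(cmd).split("\\")[-1].split(" ")[0]
            if exe in OS_BINARIES and not in_trusted_dir(cmd):
                findings.append(Finding(sec, "high", f"{exe} launched from outside Windows/Program Files", line))
            elif not in_trusted_dir(cmd):
                findings.append(Finding(sec, "review", "autorun from a non-standard directory", line))
        elif sec == "O10":
            findings.append(Finding(sec, "review", "Winsock LSP present: identify the vendor; removing it blindly breaks networking", line))
        elif sec == "O16" and "http://" in body:
            findings.append(Finding(sec, "info", "ActiveX control fetched over plain HTTP", line))
        elif sec == "O23" and ("Unknown owner" in body or "(file missing)" in body):
            findings.append(Finding(sec, "review", "service with no vendor string or missing binary", line))
    return findings


def worst_severity(findings) -> str:
    return max((f.severity for f in findings), key=SEVERITY_RANK.__getitem__, default="clean")


if __name__ == "__main__":
    fs = triage(SAMPLE_HJT) + triage(CONSTRUCTED_BAD_O4)
    for f in fs:
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
    print("worst:", worst_severity(fs))
```

Run against the posted log this produces five findings and a worst severity of "review": the two dead BHO entries (PC Tools and the unnamed CLSID), the Spyware Doctor LSP (reported once despite four identical O10 lines), the Facebook ActiveX download, and the missing Dell NICCONFIGSVC binary. The normal autoruns (BOClean via its PROGRA~1 short name, ctfmon under system32) pass; only the constructed Temp-folder svchost.exe reaches "high".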
     
  20. 2oldGeek

    2oldGeek Active member

    @cw322,

    First, did you install BOClean before running ComboFix?

    I don't see a rootkit; maybe we got lucky.

    It is going to take me a while to go through these Logs. I'll try to get them before long.
     
