Jump to content


Photo

Intermittant popups, but all adware/ spyware programs say removed?


  • This topic is locked This topic is locked
8 replies to this topic

#1 mrsuicide

mrsuicide

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 06 June 2007 - 06:47 PM

I got some nasty infection by spyware trojans.

Using sophos antivirus, spybot search and destroy, superantivirus, windows defender, and ad aware they found vundo, clickspring, troj/ countof-e

Using those programs as well as verdugofix they all do not show any adware or trojans left. however I still get intermittant popups in internet explorer even though i am using firefox.


heres the vunfofix log

Attempting to delete C:\WINDOWS\system32\ntslrxlt.ini
C:\WINDOWS\system32\ntslrxlt.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\qtvwa.bak1
C:\WINDOWS\system32\qtvwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\qtvwa.ini
C:\WINDOWS\system32\qtvwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\tlxrlstn.dll
C:\WINDOWS\system32\tlxrlstn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tplhbarb.dll
C:\WINDOWS\system32\tplhbarb.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awvtq.dll
C:\WINDOWS\system32\awvtq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebawtt.dll
C:\WINDOWS\system32\gebawtt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iiffcde.dll
C:\WINDOWS\system32\iiffcde.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.4.2

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 1:37:47 PM 6/6/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.4.2

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 16:29:41 2007-06-06

Listing files found while scanning....




heres is the latest hijackthis log file:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16:41, on 2007-06-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Alan\Desktop\HiJackThis_v2.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\TK8\TK8 EasyNote 1.1\EasyNote.exe
C:\Program Files\TK8\TK8 EasyNote 1.1\Note.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.moccforum...alan/links.html
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: TK8 EasyNote 1.1.lnk = C:\Program Files\TK8\TK8 EasyNote 1.1\EasyNote.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5371 bytes


any help would be greatly appreciated.

I just ran combofix with these results

"Alan" - 2007-06-06 16:55:50 Service Pack 2 NTFS
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\Alan\Desktop\"


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



-- Purity Folders:
C:\DOCUME~1\Alan\APPLIC~1.\macromedia\Flash Player\#SharedObjects\W77DUNTK\www.broadcaster.com
C:\DOCUME~1\Alan\APPLIC~1.\macromedia\Flash Player\#SharedObjects\W77DUNTK\www.broadcaster.com\played_list.sol
C:\DOCUME~1\Alan\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Alan\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\DOCUME~1\Alan\APPLIC~1\SSTEM3~1
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\pog
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T4


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\core


((((((((((((((((((((((((( Files Created from 2007-05-06 to 2007-06-06 )))))))))))))))))))))))))))))))


2007-06-06 16:24 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-06 16:16 <DIR> d-------- C:\DOCUME~1\Alan\APPLIC~1\TrojanHunter
2007-06-06 16:11 <DIR> d-------- C:\Program Files\TrojanHunter 4.6
2007-06-06 16:09 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-06 13:19 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-06-06 13:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-06 13:19 <DIR> d-------- C:\DOCUME~1\Alan\APPLIC~1\SUPERAntiSpyware.com
2007-06-06 13:07 <DIR> d-------- C:\VundoFix Backups
2007-06-06 07:56 <DIR> d-------- C:\DOCUME~1\Alan\.housecall6.6
2007-06-06 07:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-05 17:31 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-05 17:31 <DIR> d-------- C:\DOCUME~1\Alan\APPLIC~1\Lavasoft
2007-06-05 17:24 2,580 --a------ C:\WINDOWS\system32\xqdfqpnb.exe
2007-06-05 17:15 14,868 --a------ C:\WINDOWS\system32\vcebvxhr.exe
2007-06-05 17:15 10,752 --a------ C:\WINDOWS\system32\j7281339.dll
2007-06-05 17:08 <DIR> d-------- C:\WINDOWS\system32\TQ0
2007-06-05 17:08 <DIR> d-------- C:\WINDOWS\system32\T6
2007-06-05 17:08 <DIR> d-------- C:\WINDOWS\system32\T5
2007-06-05 17:08 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ
2007-05-25 13:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-06 21:35:49 -------- d-----w C:\Program Files\DAEMON Tools
2007-06-06 21:32:14 -------- d-----w C:\Program Files\Photo Recovery2
2007-06-06 20:18:59 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-06-06 02:18:03 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-06-05 06:13:53 -------- d-----w C:\DOCUME~1\Alan\APPLIC~1\OpenOffice.org2
2007-04-29 17:47:51 1,265,152 ----a-w C:\Program Files\photorec.exe
2007-04-29 17:24:39 249,856 ------w C:\WINDOWS\Setup1.exe
2007-04-29 17:24:37 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2006-07-19 20:35:16 56 --sh--r C:\WINDOWS\system32\998AF0E1BB.sys
2006-05-31 19:50:13 88 --sh--r C:\WINDOWS\system32\B9D58E64C5.sys
2006-05-31 19:52:11 56 --sh--r C:\WINDOWS\system32\C5648ED5B9.sys
2006-07-20 15:04:29 5,798 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 19:35 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-04-06 12:58]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 16:56]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 12:43]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 18:29]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 07:57]
"DeadAIM"="C:\PROGRA~1\AIM\\DeadAIM.ocm" [2004-02-28 12:12]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-08-10 08:37]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 03:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-23 10:12]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SAVService]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe


Contents of the 'Scheduled Tasks' folder
2007-06-05 23:21:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2006-05-31 19:40:42 C:\WINDOWS\tasks\ISP signup reminder 1.job
2007-05-26 01:30:00 C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (hauserlaptop-Alan).job
2007-06-06 23:41:37 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-06 17:02:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-06 17:03:28 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-06 17:03

--- E O F ---


Edited by mrsuicide, 06 June 2007 - 07:06 PM.


#2 mrsuicide

mrsuicide

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 06 June 2007 - 07:21 PM

It think i might have fixed it myself with that last run of the combofix. No popups so far after running it.

here is the latest hijackthis logfile

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:20:06 PM, on 6/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\TK8\TK8 EasyNote 1.1\EasyNote.exe
C:\Program Files\TK8\TK8 EasyNote 1.1\Note.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Alan\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.moccforum...alan/links.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: TK8 EasyNote 1.1.lnk = C:\Program Files\TK8\TK8 EasyNote 1.1\EasyNote.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5058 bytes



#3 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • PipPipPipPipPip
  • 23,523 posts

Posted 09 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#4 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • PipPipPipPipPip
  • 20,026 posts

Posted 09 June 2007 - 03:10 PM

Hello,

If you still need help; please rerun Combofix again and post the log in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#5 mrsuicide

mrsuicide

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 10 June 2007 - 01:13 PM

heres the latest combo fix log

"Alan" - 2007-06-10 11:00:53 Service Pack 2 NTFS
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\Alan\Desktop\spyware stuff\"


((((((((((((((((((((((((( Files Created from 2007-05-10 to 2007-06-10 )))))))))))))))))))))))))))))))


2007-06-06 17:03 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-06 16:24 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-06 16:16 <DIR> d-------- C:\DOCUME~1\Alan\APPLIC~1\TrojanHunter
2007-06-06 16:11 <DIR> d-------- C:\Program Files\TrojanHunter 4.6
2007-06-06 16:09 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-06 13:19 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-06-06 13:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-06 13:19 <DIR> d-------- C:\DOCUME~1\Alan\APPLIC~1\SUPERAntiSpyware.com
2007-06-06 13:07 <DIR> d-------- C:\VundoFix Backups
2007-06-06 07:56 <DIR> d-------- C:\DOCUME~1\Alan\.housecall6.6
2007-06-06 07:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-05 17:31 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-05 17:31 <DIR> d-------- C:\DOCUME~1\Alan\APPLIC~1\Lavasoft
2007-06-05 17:24 2,580 --a------ C:\WINDOWS\system32\xqdfqpnb.exe
2007-06-05 17:15 14,868 --a------ C:\WINDOWS\system32\vcebvxhr.exe
2007-06-05 17:15 10,752 --a------ C:\WINDOWS\system32\j7281339.dll
2007-06-05 17:08 <DIR> d-------- C:\WINDOWS\system32\TQ0
2007-06-05 17:08 <DIR> d-------- C:\WINDOWS\system32\T6
2007-06-05 17:08 <DIR> d-------- C:\WINDOWS\system32\T5
2007-06-05 17:08 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ
2007-05-25 13:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-10 16:57:19 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-06-08 04:18:53 -------- d-----w C:\DOCUME~1\Alan\APPLIC~1\OpenOffice.org2
2007-06-07 01:17:27 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-06 21:35:49 -------- d-----w C:\Program Files\DAEMON Tools
2007-06-06 21:32:14 -------- d-----w C:\Program Files\Photo Recovery2
2007-06-06 20:18:59 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-04-29 17:47:51 1,265,152 ----a-w C:\Program Files\photorec.exe
2007-04-29 17:24:39 249,856 ------w C:\WINDOWS\Setup1.exe
2007-04-29 17:24:37 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2006-07-19 20:35:16 56 --sh--r C:\WINDOWS\system32\998AF0E1BB.sys
2006-05-31 19:50:13 88 --sh--r C:\WINDOWS\system32\B9D58E64C5.sys
2006-05-31 19:52:11 56 --sh--r C:\WINDOWS\system32\C5648ED5B9.sys
2006-07-20 15:04:29 5,798 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 19:35 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-04-06 12:58]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 16:56]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 12:43]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 18:29]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 07:57]
"DeadAIM"="C:\PROGRA~1\AIM\\DeadAIM.ocm" [2004-02-28 12:12]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-08-10 08:37]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 03:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-23 10:12]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SAVService]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe


Contents of the 'Scheduled Tasks' folder
2007-06-05 23:21:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2006-05-31 19:40:42 C:\WINDOWS\tasks\ISP signup reminder 1.job
2007-06-09 01:30:00 C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (hauserlaptop-Alan).job
2007-06-10 16:59:26 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-10 11:04:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-10 11:05:21
C:\ComboFix-quarantined-files.txt ... 2007-06-10 11:05
C:\ComboFix2.txt ... 2007-06-06 17:10
C:\ComboFix3.txt ... 2007-06-06 17:03

--- E O F ---


since doing that i manually deleted these files, as well as the scheduled tasks:

2007-06-05 17:24 2,580 --a------ C:\WINDOWS\system32\xqdfqpnb.exe
2007-06-05 17:15 14,868 --a------ C:\WINDOWS\system32\vcebvxhr.exe
2007-06-05 17:15 10,752 --a------ C:\WINDOWS\system32\j7281339.dll

Edited by mrsuicide, 10 June 2007 - 01:22 PM.


#6 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • PipPipPipPipPip
  • 20,026 posts

Posted 10 June 2007 - 01:22 PM

since doing that i manually deleted these files:

2007-06-05 17:24 2,580 --a------ C:\WINDOWS\system32\xqdfqpnb.exe
2007-06-05 17:15 14,868 --a------ C:\WINDOWS\system32\vcebvxhr.exe
2007-06-05 17:15 10,752 --a------ C:\WINDOWS\system32\j7281339.dll

Good. Also delete next folders:

C:\WINDOWS\system32\TQ0
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\T5
C:\WINDOWS\system32\T1QaSQ

Also, delete the C:\VundoFix Backups - folder and C:\Qoobox folder since we don't need the backups of infected files in there anyway.

How are things now?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#7 mrsuicide

mrsuicide

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 10 June 2007 - 02:14 PM

Deleted all the named files/ folders.

Everything has been running well. I am taking the time to run all the spyware/ adware scans again today and it is looking good.

Thanks for all the help, I've learned a lot from these forums. Hopefully I can help out some others. :thumbsup:

#8 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • PipPipPipPipPip
  • 20,026 posts

Posted 10 June 2007 - 02:15 PM

Good to hear.

You can always join our Bootcamp here if you want. Then you'll learn a lot more about malware and malware removal.
To join Bootcamp, reply in the thread here:
http://forums.spywar...hp?showtopic=34

Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#9 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • PipPipPipPipPip
  • 20,026 posts

Posted 11 June 2007 - 03:44 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please tell the moderating team by replying here
This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button