# Solved: spyware or virus adtrgt.com



## cjr71244 (Jan 30, 2008)

I use Firefox, but IE will pop up randomly and it's not even running. I have run Spybot and AVG (latest version) repeatedly and it will not clean this.

The pop-up in IE is
http://url.adtrgt.com/cpv.jsp?p=112...selectedKeyword=ron&selectedListingId=7013811

but sometimes it goes to a couple of other websites.

Another site that pops up is http://www.searchfeed.com/rd/Clk.js...H&p=66617&sid=275596&ex=1201664815016&snid=69

Again, these only pop up in IE, and I think it's only when I'm in Firefox.

Here is my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:41:58 PM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Mozilla Firefox 3 Beta 2\firefox.exe
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\croberts\My Documents\Software\HiJackThis_v2.exe
C:\WINDOWS\system32\cmd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)

--
End of file - 1694 bytes


----------



## cybertech (Apr 16, 2002)

Hi, Welcome to TSG!!

Please visit *this webpage* for instructions for downloading and running ComboFix.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.


----------



## cjr71244 (Jan 30, 2008)

ComboFix 08-01-31.1 - croberts 2008-02-01 15:00:08.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.68 [GMT -5:00]
Running from: C:\Documents and Settings\croberts\Desktop\ComboFix.exe

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-02-01 22:24 . 2008-02-01 22:24 d--------	C:\TEMP\tn3
2008-01-31 22:06 . 2008-01-31 22:06 d--------	C:\Program Files\Free iPod Video Converter
2008-01-31 22:06 . 2005-02-27 21:48	356,352	--a------	C:\WINDOWS\system32\RealMediaSplitter.ax
2008-01-31 10:25 . 2008-01-31 20:44	167,545	--a------	C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-30 22:20 . 2008-01-31 22:17 d--------	C:\Program Files\Enigma Software Group
2008-01-30 20:39 . 2008-01-30 20:39 d--------	C:\Program Files\Handbrake
2008-01-30 20:23 . 2008-01-30 20:54	1,302	--a------	C:\WINDOWS\system32\tmp.reg
2008-01-30 19:32 . 2008-01-31 13:16	91,700	--a------	C:\WINDOWS\system32\drivers\klin.dat
2008-01-30 19:32 . 2008-01-30 19:32	85,860	--a------	C:\WINDOWS\system32\drivers\klick.dat
2008-01-30 19:31 . 2008-01-30 19:31 d--------	C:\Program Files\Kaspersky Lab
2008-01-30 19:31 . 2008-02-01 22:27	1,315,360	--ahs----	C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-30 19:31 . 2008-02-01 22:21	19,232	--ahs----	C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-30 19:31 . 2008-02-01 15:06	18,524	--ahs----	C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-30 19:31 . 2008-02-01 15:06	2,804	--ahs----	C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-30 18:55 . 2008-01-30 18:55 d--------	C:\kav
2008-01-29 22:25 . 2008-01-29 22:25 d--------	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-29 22:22 . 2008-01-31 10:34 d--------	C:\Program Files\SUPERAntiSpyware
2008-01-29 22:22 . 2008-01-29 22:22 d--------	C:\Documents and Settings\croberts\Application Data\SUPERAntiSpyware.com
2008-01-29 18:11 . 2008-01-29 18:11 d--------	C:\Program Files\Windows Defender
2008-01-29 18:08 . 2008-01-29 18:08 d--------	C:\VundoFix Backups
2008-01-28 22:55 . 2008-01-28 22:55	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2008-01-28 22:55 . 2008-01-28 22:55	1,409	--a------	C:\WINDOWS\QTFont.for
2008-01-26 15:59 . 2008-01-26 15:59 d--------	C:\Program Files\Microsoft Silverlight
2008-01-26 15:56 . 2008-01-26 15:56 d--------	C:\Program Files\MSBuild
2008-01-26 15:44 . 2008-01-26 15:44 d--------	C:\WINDOWS\system32\XPSViewer
2008-01-26 15:42 . 2008-01-26 15:42 d--------	C:\Program Files\Reference Assemblies
2008-01-26 15:39 . 2008-01-26 15:39 d--------	C:\Program Files\MSXML 6.0
2008-01-26 15:39 . 2008-01-26 15:39 d--------	C:\f74c52db9530c19314a92cb7000b08a3
2008-01-26 15:39 . 2006-06-29 13:07	14,048	---------	C:\WINDOWS\system32\spmsg2.dll
2008-01-26 15:36 . 2008-01-26 15:37 d--------	C:\Program Files\Windows Media Connect 2
2008-01-26 15:30 . 2008-01-26 15:33 d--------	C:\WINDOWS\system32\drivers\UMDF
2008-01-26 12:45 . 2008-01-26 12:49 d--------	C:\WINDOWS\system32\URTTemp
2008-01-26 12:38 . 2006-11-13 01:02	288,768	---------	C:\WINDOWS\system32\rhttpaa.dll
2008-01-26 12:38 . 2006-11-13 01:02	116,736	---------	C:\WINDOWS\system32\aaclient.dll
2008-01-26 12:38 . 2006-11-13 01:02	36,352	---------	C:\WINDOWS\system32\tsgqec.dll
2008-01-26 08:05 . 2008-01-27 13:46	292	--a------	C:\WINDOWS\wininit.ini
2008-01-26 00:05 . 2008-01-26 00:05 d--------	C:\Documents and Settings\croberts\Application Data\vlc
2008-01-26 00:04 . 2008-01-26 00:04 d--------	C:\Program Files\VideoLAN
2008-01-25 23:21 . 2008-01-25 23:21 d--------	C:\Documents and Settings\croberts\Application Data\McAfee
2008-01-25 22:32 . 2008-01-25 22:32 d--------	C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-25 22:22 . 2008-01-25 22:41 d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-25 22:15 . 2008-01-25 22:15 d--------	C:\WINDOWS\system32\Kaspersky Lab
2008-01-25 22:15 . 2008-02-01 22:27 d--------	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-25 20:18 . 2008-01-25 20:20 d--------	C:\Documents and Settings\croberts\Application Data\DivX
2008-01-25 09:10 . 2008-01-28 16:46	4,195,211	--a------	C:\WINDOWS\pfirewall.log.old
2008-01-24 21:58 . 2008-01-30 16:17 d--------	C:\Documents and Settings\croberts\Application Data\AVG7
2008-01-24 21:57 . 2008-01-24 21:57 d--------	C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-24 21:56 . 2008-01-30 19:02 d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-24 20:13 . 2008-01-25 02:21 d--------	C:\Program Files\Dot1XCfg
2008-01-24 20:03 . 2008-01-24 20:03	86,016	--a------	C:\WINDOWS\system32\drivers\rmcastt.sys
2008-01-24 20:02 . 2008-01-24 21:35 d--------	C:\WINDOWS\system32\wnzs6
2008-01-24 20:02 . 2008-01-24 21:35 d--------	C:\WINDOWS\system32\ni4
2008-01-24 20:02 . 2008-01-24 20:02 d--------	C:\WINDOWS\system32\etz1
2008-01-24 20:02 . 2008-01-24 20:15 d--------	C:\WINDOWS\system32\comg7
2008-01-24 20:01 . 2008-01-25 02:21 d--------	C:\WINDOWS\system32\nGpxx01
2008-01-24 19:45 . 2008-01-24 22:08 d--------	C:\Documents and Settings\croberts\Application Data\uTorrent
2008-01-24 19:24 . 2008-01-24 19:26 d--------	C:\Program Files\DivX
2008-01-21 19:27 . 2008-01-24 22:37 d--------	C:\Program Files\Google Video
2008-01-20 01:00 . 2008-01-20 01:38 d--------	C:\Program Files\Common Files\Mediafour
2008-01-20 01:00 . 2008-01-20 01:00 d--------	C:\Documents and Settings\All Users\Application Data\Mediafour
2008-01-19 19:48 . 2008-01-19 19:48 d--------	C:\Program Files\iPod
2008-01-16 15:00 . 2008-01-16 15:00 d--------	C:\Program Files\MySpace
2008-01-16 15:00 . 2008-01-16 15:00 d--------	C:\Documents and Settings\croberts\Application Data\MySpace
2008-01-15 23:12 . 2008-01-28 22:20	664	--a------	C:\WINDOWS\system32\d3d9caps.dat
2008-01-14 08:25 . 2008-01-14 08:25 d--------	C:\Program Files\Common Files\xing shared
2008-01-14 08:23 . 2008-01-14 08:25 d--------	C:\Program Files\Real
2008-01-14 08:22 . 2008-01-14 08:24 d--------	C:\Program Files\Common Files\Real
2008-01-13 18:25 . 2008-01-30 19:20 d--------	C:\Program Files\Mozilla Firefox 3 Beta 2
2008-01-13 09:25 . 2008-01-13 09:25 d--------	C:\Documents and Settings\All Users\Application Data\Last.fm
2008-01-13 09:20 . 2008-01-13 09:21 d--------	C:\Program Files\Last.fm
2008-01-12 21:20 . 2008-01-12 21:20 d--------	C:\Program Files\Lavasoft
2008-01-12 21:20 . 2008-01-25 20:28 d--------	C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-12 21:17 . 2008-01-29 22:18 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2008-01-12 09:55 . 2008-01-20 01:20 d--------	C:\Program Files\Mediafour
2008-01-12 08:42 . 2008-01-12 08:42 d--------	C:\Program Files\TagRename
2008-01-12 08:42 . 2008-01-12 11:21 d--------	C:\Documents and Settings\croberts\Application Data\Flickr
2008-01-12 08:41 . 2008-01-12 10:46 d--------	C:\Program Files\Flickr Uploadr
2008-01-11 20:10 . 2008-01-30 19:24 d--------	C:\Program Files\Soulseek
2008-01-11 19:10 . 2008-01-11 19:10	1,158	--a------	C:\WINDOWS\mozver.dat
2008-01-11 08:33 . 2008-01-11 08:33 d--------	C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-01-11 08:28 . 2008-01-11 08:31 d--------	C:\Program Files\Yahoo!
2008-01-10 23:50 . 2008-01-10 23:50 d--------	C:\Documents and Settings\croberts\Application Data\Talkback
2008-01-10 23:49 . 2008-01-10 23:49	0	--a------	C:\WINDOWS\nsreg.dat
2008-01-10 23:46 . 2008-01-10 23:46 d--------	C:\cabs
2008-01-10 23:35 . 2008-01-19 19:49 d--------	C:\Program Files\iTunes
2008-01-10 23:33 . 2008-01-19 19:39 d--------	C:\Program Files\QuickTime
2008-01-10 23:30 . 2007-10-31 14:09	30,464	--a------	C:\WINDOWS\system32\drivers\usbaapl.sys
2008-01-10 18:10 . 2008-01-21 10:04 d--------	C:\Documents and Settings\croberts\Application Data\Apple Computer
2008-01-10 15:27 . 2008-01-10 15:27	90,112	--a------	C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27	57,344	--a------	C:\WINDOWS\system32\QuickTime.qts
2008-01-07 20:16 . 2008-01-07 20:16	630,784	--a------	C:\WINDOWS\system32\divxdec.ax
2008-01-04 16:59 . 2008-01-04 16:59	524,288	--a------	C:\WINDOWS\system32\DivXsm.exe
2008-01-04 16:59 . 2008-01-04 16:59	4,816	--a------	C:\WINDOWS\system32\divxsm.tlb
2008-01-04 16:58 . 2008-01-04 16:58	3,596,288	--a------	C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 16:58 . 2008-01-04 16:58	1,044,480	--a------	C:\WINDOWS\system32\libdivx.dll
2008-01-04 16:58 . 2008-01-04 16:58	200,704	--a------	C:\WINDOWS\system32\ssldivx.dll
2008-01-04 16:56 . 2008-01-04 16:56	156,992	--a------	C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-01-04 16:56 . 2008-01-04 16:56	12,288	--a------	C:\WINDOWS\system32\DivXWMPExtType.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 14:33	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-01-11 04:31	---------	d-----w	C:\Program Files\Apple Software Update
2008-01-09 23:33	---------	d-----w	C:\Program Files\Trend Micro
2008-01-04 21:58	9,464	------w	C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-01-04 21:58	9,336	------w	C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-01-04 21:58	43,528	------w	C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-12-18 05:43	23,396	----a-w	C:\WINDOWS\system32\drivers\klopp.dat
2007-12-13 18:28	24,592	----a-w	C:\WINDOWS\system32\drivers\klim5.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{A08FB30D-51C4-4E54-AA5E-FF18739802EA}]
@=Mediafour Mac Volume Icons

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 02:56 158208]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-12-18 00:43 227856]
"combofix"="C:\ComboFix\kmd.exe" [2004-08-04 07:00 388608]

C:\Documents and Settings\croberts\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2008-01-13 09:20:42 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3907091294-3805975333-3756005976-1113\Scripts\Logon\0\0]
"Script"=change local admin password.vbe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3907091294-3805975333-3756005976-1113\Scripts\Logon\0\1]
"Script"=time sync.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3907091294-3805975333-3756005976-1113\Scripts\Logon\0\2]
"Script"=users.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3907091294-3805975333-3756005976-1113\Scripts\Logon\1\0]
"Script"=omni.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3907091294-3805975333-3756005976-1691\Scripts\Logon\0\0]
"Script"=time sync.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3907091294-3805975333-3756005976-1691\Scripts\Logon\0\1]
"Script"=users.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3907091294-3805975333-3756005976-1691\Scripts\Logon\0\2]
"Script"=duty roster.vbs

[HKLM\~\startupfolder\C:^Documents and Settings^croberts^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\croberts\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
--a------ 2007-12-18 00:43 227856 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dot1XCfg]
C:\Program Files\Dot1XCfg\Dot1XCfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Phem]
C:\WINDOWS\system32\?dobe\?explore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2007-06-21 14:06 1318912 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.6\webbuying.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 18:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

R0 MDPMGRNT;MDPMGRNT;C:\WINDOWS\system32\drivers\MDPMGRNT.sys [2005-07-20 16:35]
R1 MDFSYSNT;MDFSYSNT;C:\WINDOWS\system32\drivers\MDFSYSNT.sys [2006-09-13 13:53]
R1 rmcastt;rmcastt;C:\WINDOWS\system32\drivers\rmcastt.sys [2008-01-24 20:03]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 maestro;ESS Maestro 3 Audio Driver (WDM);C:\WINDOWS\system32\drivers\es198x.sys [2001-08-17 07:19]
S3 IPN2220;Wireless-G Notebook Adapter ver.4.0 Driver;C:\WINDOWS\system32\DRIVERS\i2220ntx.sys [2004-01-05 10:25]
S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;C:\WINDOWS\system32\DRIVERS\m4301A.sys [2004-05-13 18:31]
S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []
S3 S3GSavageMX;S3GSavageMX;C:\WINDOWS\system32\DRIVERS\s3gsavm.sys [2002-03-12 00:20]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-28 22:42:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-01 20:09:54 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 22:27:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-02-01 22:39:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-02 03:37:27
ComboFix2.txt 2008-01-31 04:13:38
ComboFix3.txt 2008-01-30 01:44:33
.
2008-02-01 05:13:15	--- E O F ---


----------



## cjr71244 (Jan 30, 2008)

New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:51:52 PM, on 2/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\ComboFix\kmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\regedit.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Documents and Settings\croberts\My Documents\Software\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O15 - Trusted Zone: http://www.filehippo.com
O15 - Trusted Zone: http://*.windowsupdate.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)

--
End of file - 1916 bytes


----------



## cybertech (Apr 16, 2002)

Open Notepad and copy and paste the text in the quote box below into it:

```
File::
C:\WINDOWS\wininit.ini
C:\WINDOWS\system32\drivers\rmcastt.sys
C:\WINDOWS\system32\drivers\core.cache.dsk

Folder::
C:\Program Files\Dot1XCfg
C:\WINDOWS\system32\wnzs6
C:\WINDOWS\system32\ni4
C:\WINDOWS\system32\etz1
C:\WINDOWS\system32\comg7
C:\WINDOWS\system32\nGpxx01
C:\Program Files\Web Buying

Driver::
rmcastt
MSControlService

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dot1XCfg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Phem]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
```
Save the file to your desktop and name it CFScript.txt.

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.
This will start ComboFix again. It may ask to reboot. Post the contents of ComboFix.txt in your next reply.

*Please update your version of HJT.*
*Click here* to download *HJTInstall.exe*

Save *HJTInstall.exe* to your desktop.
Doubleclick on the *HJTInstall.exe* icon on your desktop.
By default it will install to *C:\Program Files\Trend Micro\HijackThis*.
Click on *Install*.
It will create a HijackThis icon on the desktop.
Once installed, it will launch *Hijackthis*.
Post a new HJT log.
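A triage helper, added here as an illustration and not part of this thread, of ComboFix or of HijackThis: it parses a CFScript in the format posted above, flags the indicators visible in the posted logs (a service whose binary is missing and has no vendor, a path that ComboFix rendered with `?` look-alike characters, freshly created system32 folders with random-looking names) and checks that every CFScript target is backed by a log line before anything is deleted. The sample lines are copied from the logs in this thread; the heuristics and function names are my own assumptions.

```python
"""Cross-check a ComboFix CFScript against HijackThis / ComboFix log output.

Constructed example for this thread, not a tool from the helper or from
ComboFix/HijackThis. The regexes and the 'random-looking folder' heuristic
are assumptions made for illustration.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis and ComboFix
# output posted earlier in the thread (spacing normalised to plain spaces).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Phem]
C:\WINDOWS\system32\?dobe\?explore.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.6\webbuying.exe
R1 rmcastt;rmcastt;C:\WINDOWS\system32\drivers\rmcastt.sys [2008-01-24 20:03]
2008-01-24 20:02 . 2008-01-24 21:35 d--------    C:\WINDOWS\system32\wnzs6
"""

# Constructed sample: a shortened copy of the CFScript posted above.
SAMPLE_CFSCRIPT = r"""
File::
C:\WINDOWS\system32\drivers\rmcastt.sys

Folder::
C:\WINDOWS\system32\wnzs6
C:\Program Files\Web Buying

Driver::
rmcastt
MSControlService

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Phem]
"""

O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")
NEW_SYS32_DIR_RE = re.compile(r"d--------\s+C:\\WINDOWS\\system32\\(?P<dir>[^\\\s]+)$")


def parse_cfscript(text):
    """Return {section: [entries]} for the File::/Folder::/Driver::/Registry:: blocks."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):          # section header such as 'Folder::'
            current = line[:-2]
        elif current is not None:
            sections[current].append(line)
    return dict(sections)


def triage_log(text):
    """Flag suspicious log lines; returns a list of (reason, line)."""
    findings = []
    for line in text.splitlines():
        m = O23_RE.match(line)
        if m:
            if "(file missing)" in m.group("path"):
                findings.append(("service binary missing", line))
            if m.group("owner") == "Unknown owner":
                findings.append(("service has no vendor", line))
        # ComboFix prints non-ASCII path characters as '?', so a path such as
        # ?dobe\?explore.exe is a look-alike name, not a real Adobe/iexplore file.
        if line.startswith("C:\\") and "?" in line:
            findings.append(("non-ASCII look-alike path", line))
        m = NEW_SYS32_DIR_RE.search(line)
        # Heuristic (assumption): letters followed by digits, e.g. wnzs6, nGpxx01.
        if m and re.fullmatch(r"[A-Za-z]+\d+", m.group("dir")):
            findings.append(("new system32 folder with random-looking name", line))
    return findings


def check_cfscript_against_log(cfscript, log):
    """Return CFScript entries that no log line supports (case-insensitive substring)."""
    unsupported, low = [], log.lower()
    for section, entries in cfscript.items():
        for entry in entries:
            key = entry
            if section == "Registry":      # [-HKEY...\Phem] -> HKEY...\Phem
                key = entry.strip("[]").lstrip("-")
            if key.lower() not in low:
                unsupported.append((section, entry))
    return unsupported


if __name__ == "__main__":
    for reason, line in triage_log(SAMPLE_LOG):
        print(f"{reason}: {line}")
    script = parse_cfscript(SAMPLE_CFSCRIPT)
    print("unsupported CFScript entries:", check_cfscript_against_log(script, SAMPLE_LOG))
```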


----------



## cjr71244 (Jan 30, 2008)

ComboFix 08-01-31.1 - croberts 2008-02-02 16:45:50.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.83 [GMT -5:00]
Running from: C:\Documents and Settings\croberts\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\croberts\Desktop\cfscript.txt
* Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*

FILE
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\rmcastt.sys
C:\WINDOWS\wininit.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\rmcastt.sys
C:\Program Files\Dot1XCfg
C:\temp\tn3
C:\WINDOWS\system32\comg7
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\rmcastt.sys
C:\WINDOWS\system32\etz1
C:\WINDOWS\system32\etz1\lovstadcom2.exe
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\ni4
C:\WINDOWS\system32\wnzs6
C:\WINDOWS\wininit.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_MSCONTROLSERVICE
-------\LEGACY_RMCASTT
-------\MSControlService
-------\rmcastt

((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-02-02 12:24 . 2008-02-02 16:23	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2008-02-02 12:24 . 2008-02-02 12:24	1,409	--a------	C:\WINDOWS\QTFont.for
2008-01-31 22:06 . 2008-01-31 22:06 d--------	C:\Program Files\Free iPod Video Converter
2008-01-31 22:06 . 2005-02-27 21:48	356,352	--a------	C:\WINDOWS\system32\RealMediaSplitter.ax
2008-01-30 22:20 . 2008-01-31 22:17 d--------	C:\Program Files\Enigma Software Group
2008-01-30 20:39 . 2008-01-30 20:39 d--------	C:\Program Files\Handbrake
2008-01-30 20:23 . 2008-01-30 20:54	1,302	--a------	C:\WINDOWS\system32\tmp.reg
2008-01-30 19:32 . 2008-01-31 13:16	91,700	--a------	C:\WINDOWS\system32\drivers\klin.dat
2008-01-30 19:32 . 2008-01-30 19:32	85,860	--a------	C:\WINDOWS\system32\drivers\klick.dat
2008-01-30 19:31 . 2008-01-30 19:31 d--------	C:\Program Files\Kaspersky Lab
2008-01-30 19:31 . 2008-02-02 16:53	1,415,712	--ahs----	C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-30 19:31 . 2008-02-02 16:53	23,840	--ahs----	C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-30 19:31 . 2008-02-02 16:53	19,292	--ahs----	C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-30 19:31 . 2008-02-02 16:53	3,092	--ahs----	C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-30 18:55 . 2008-01-30 18:55 d--------	C:\kav
2008-01-29 22:25 . 2008-01-29 22:25 d--------	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-29 22:22 . 2008-01-31 10:34 d--------	C:\Program Files\SUPERAntiSpyware
2008-01-29 22:22 . 2008-01-29 22:22 d--------	C:\Documents and Settings\croberts\Application Data\SUPERAntiSpyware.com
2008-01-29 18:11 . 2008-01-29 18:11 d--------	C:\Program Files\Windows Defender
2008-01-29 18:08 . 2008-01-29 18:08 d--------	C:\VundoFix Backups
2008-01-26 15:59 . 2008-01-26 15:59 d--------	C:\Program Files\Microsoft Silverlight
2008-01-26 15:56 . 2008-01-26 15:56 d--------	C:\Program Files\MSBuild
2008-01-26 15:44 . 2008-01-26 15:44 d--------	C:\WINDOWS\system32\XPSViewer
2008-01-26 15:42 . 2008-01-26 15:42 d--------	C:\Program Files\Reference Assemblies
2008-01-26 15:39 . 2008-01-26 15:39 d--------	C:\Program Files\MSXML 6.0
2008-01-26 15:39 . 2008-01-26 15:39 d--------	C:\f74c52db9530c19314a92cb7000b08a3
2008-01-26 15:39 . 2006-06-29 13:07	14,048	---------	C:\WINDOWS\system32\spmsg2.dll
2008-01-26 15:36 . 2008-01-26 15:37 d--------	C:\Program Files\Windows Media Connect 2
2008-01-26 15:30 . 2008-01-26 15:33 d--------	C:\WINDOWS\system32\drivers\UMDF
2008-01-26 12:45 . 2008-01-26 12:49 d--------	C:\WINDOWS\system32\URTTemp
2008-01-26 12:38 . 2006-11-13 01:02	288,768	---------	C:\WINDOWS\system32\rhttpaa.dll
2008-01-26 12:38 . 2006-11-13 01:02	116,736	---------	C:\WINDOWS\system32\aaclient.dll
2008-01-26 12:38 . 2006-11-13 01:02	36,352	---------	C:\WINDOWS\system32\tsgqec.dll
2008-01-26 00:05 . 2008-01-26 00:05 d--------	C:\Documents and Settings\croberts\Application Data\vlc
2008-01-26 00:04 . 2008-01-26 00:04 d--------	C:\Program Files\VideoLAN
2008-01-25 23:21 . 2008-01-25 23:21 d--------	C:\Documents and Settings\croberts\Application Data\McAfee
2008-01-25 22:32 . 2008-01-25 22:32 d--------	C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-25 22:22 . 2008-01-25 22:41 d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-25 22:15 . 2008-01-25 22:15 d--------	C:\WINDOWS\system32\Kaspersky Lab
2008-01-25 22:15 . 2008-02-02 17:55 d--------	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-25 20:18 . 2008-01-25 20:20 d--------	C:\Documents and Settings\croberts\Application Data\DivX
2008-01-25 09:10 . 2008-02-01 23:59	4,195,632	--a------	C:\WINDOWS\pfirewall.log.old
2008-01-24 21:58 . 2008-01-30 16:17 d--------	C:\Documents and Settings\croberts\Application Data\AVG7
2008-01-24 21:57 . 2008-01-24 21:57 d--------	C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-24 21:56 . 2008-01-30 19:02 d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-24 19:45 . 2008-01-24 22:08 d--------	C:\Documents and Settings\croberts\Application Data\uTorrent
2008-01-24 19:24 . 2008-01-24 19:26 d--------	C:\Program Files\DivX
2008-01-21 19:27 . 2008-01-24 22:37 d--------	C:\Program Files\Google Video
2008-01-20 01:00 . 2008-01-20 01:38 d--------	C:\Program Files\Common Files\Mediafour
2008-01-20 01:00 . 2008-01-20 01:00 d--------	C:\Documents and Settings\All Users\Application Data\Mediafour
2008-01-19 19:48 . 2008-01-19 19:48 d--------	C:\Program Files\iPod
2008-01-16 15:00 . 2008-01-16 15:00 d--------	C:\Program Files\MySpace
2008-01-16 15:00 . 2008-01-16 15:00 d--------	C:\Documents and Settings\croberts\Application Data\MySpace
2008-01-15 23:12 . 2008-01-28 22:20	664	--a------	C:\WINDOWS\system32\d3d9caps.dat
2008-01-14 08:25 . 2008-01-14 08:25 d--------	C:\Program Files\Common Files\xing shared
2008-01-14 08:23 . 2008-01-14 08:25 d--------	C:\Program Files\Real
2008-01-14 08:22 . 2008-01-14 08:24 d--------	C:\Program Files\Common Files\Real
2008-01-13 18:25 . 2008-01-30 19:20 d--------	C:\Program Files\Mozilla Firefox 3 Beta 2
2008-01-13 09:25 . 2008-01-13 09:25 d--------	C:\Documents and Settings\All Users\Application Data\Last.fm
2008-01-13 09:20 . 2008-01-13 09:21 d--------	C:\Program Files\Last.fm
2008-01-12 21:20 . 2008-01-12 21:20 d--------	C:\Program Files\Lavasoft
2008-01-12 21:20 . 2008-01-25 20:28 d--------	C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-12 21:17 . 2008-01-29 22:18 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2008-01-12 09:55 . 2008-01-20 01:20 d--------	C:\Program Files\Mediafour
2008-01-12 08:42 . 2008-01-12 08:42 d--------	C:\Program Files\TagRename
2008-01-12 08:42 . 2008-01-12 11:21 d--------	C:\Documents and Settings\croberts\Application Data\Flickr
2008-01-12 08:41 . 2008-01-12 10:46 d--------	C:\Program Files\Flickr Uploadr
2008-01-11 20:10 . 2008-01-30 19:24 d--------	C:\Program Files\Soulseek
2008-01-11 19:10 . 2008-01-11 19:10	1,158	--a------	C:\WINDOWS\mozver.dat
2008-01-11 08:33 . 2008-01-11 08:33 d--------	C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-01-11 08:28 . 2008-01-11 08:31 d--------	C:\Program Files\Yahoo!
2008-01-10 23:50 . 2008-01-10 23:50 d--------	C:\Documents and Settings\croberts\Application Data\Talkback
2008-01-10 23:49 . 2008-01-10 23:49	0	--a------	C:\WINDOWS\nsreg.dat
2008-01-10 23:46 . 2008-01-10 23:46 d--------	C:\cabs
2008-01-10 23:35 . 2008-01-19 19:49 d--------	C:\Program Files\iTunes
2008-01-10 23:33 . 2008-01-19 19:39 d--------	C:\Program Files\QuickTime
2008-01-10 23:30 . 2007-10-31 14:09	30,464	--a------	C:\WINDOWS\system32\drivers\usbaapl.sys
2008-01-10 18:10 . 2008-01-21 10:04 d--------	C:\Documents and Settings\croberts\Application Data\Apple Computer
2008-01-10 15:27 . 2008-01-10 15:27	90,112	--a------	C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27	57,344	--a------	C:\WINDOWS\system32\QuickTime.qts
2008-01-07 20:16 . 2008-01-07 20:16	630,784	--a------	C:\WINDOWS\system32\divxdec.ax
2008-01-04 16:59 . 2008-01-04 16:59	524,288	--a------	C:\WINDOWS\system32\DivXsm.exe
2008-01-04 16:59 . 2008-01-04 16:59	4,816	--a------	C:\WINDOWS\system32\divxsm.tlb
2008-01-04 16:58 . 2008-01-04 16:58	3,596,288	--a------	C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 16:58 . 2008-01-04 16:58	1,044,480	--a------	C:\WINDOWS\system32\libdivx.dll
2008-01-04 16:58 . 2008-01-04 16:58	200,704	--a------	C:\WINDOWS\system32\ssldivx.dll
2008-01-04 16:56 . 2008-01-04 16:56	156,992	--a------	C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-01-04 16:56 . 2008-01-04 16:56	12,288	--a------	C:\WINDOWS\system32\DivXWMPExtType.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 14:33	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-01-11 04:31	---------	d-----w	C:\Program Files\Apple Software Update
2008-01-09 23:33	---------	d-----w	C:\Program Files\Trend Micro
2008-01-04 21:58	9,464	------w	C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-01-04 21:58	9,336	------w	C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-01-04 21:58	43,528	------w	C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-12-18 05:43	23,396	----a-w	C:\WINDOWS\system32\drivers\klopp.dat
2007-12-13 18:28	24,592	----a-w	C:\WINDOWS\system32\drivers\klim5.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{A08FB30D-51C4-4E54-AA5E-FF18739802EA}]
@=Mediafour Mac Volume Icons

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-12-18 00:43 227856]
"combofix"="C:\ComboFix\kmd.exe" [2004-08-04 07:00 388608]

C:\Documents and Settings\croberts\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2008-01-13 09:20:42 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3907091294-3805975333-3756005976-1113\Scripts\Logon\0\0]
"Script"=change local admin password.vbe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3907091294-3805975333-3756005976-1113\Scripts\Logon\0\1]
"Script"=time sync.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3907091294-3805975333-3756005976-1113\Scripts\Logon\0\2]
"Script"=users.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3907091294-3805975333-3756005976-1113\Scripts\Logon\1\0]
"Script"=omni.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3907091294-3805975333-3756005976-1691\Scripts\Logon\0\0]
"Script"=time sync.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3907091294-3805975333-3756005976-1691\Scripts\Logon\0\1]
"Script"=users.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3907091294-3805975333-3756005976-1691\Scripts\Logon\0\2]
"Script"=duty roster.vbs

[HKLM\~\startupfolder\C:^Documents and Settings^croberts^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\croberts\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
--a------ 2007-12-18 00:43 227856 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dot1XCfg]
C:\Program Files\Dot1XCfg\Dot1XCfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Phem]
C:\WINDOWS\system32\?dobe\?explore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2007-06-21 14:06 1318912 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.6\webbuying.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 18:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

R0 MDPMGRNT;MDPMGRNT;C:\WINDOWS\system32\drivers\MDPMGRNT.sys [2005-07-20 16:35]
R1 MDFSYSNT;MDFSYSNT;C:\WINDOWS\system32\drivers\MDFSYSNT.sys [2006-09-13 13:53]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 maestro;ESS Maestro 3 Audio Driver (WDM);C:\WINDOWS\system32\drivers\es198x.sys [2001-08-17 07:19]
S3 IPN2220;Wireless-G Notebook Adapter ver.4.0 Driver;C:\WINDOWS\system32\DRIVERS\i2220ntx.sys [2004-01-05 10:25]
S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;C:\WINDOWS\system32\DRIVERS\m4301A.sys [2004-05-13 18:31]
S3 S3GSavageMX;S3GSavageMX;C:\WINDOWS\system32\DRIVERS\s3gsavm.sys [2002-03-12 00:20]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-28 22:42:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-02 21:57:46 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 17:55:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Last.fm\LastFMHelper.exe
.
**************************************************************************
.
Completion time: 2008-02-02 18:03:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-02 23:03:28
ComboFix2.txt 2008-02-02 03:39:52
ComboFix3.txt 2008-01-31 04:13:38
ComboFix4.txt 2008-01-30 01:44:33
.
2008-02-01 05:13:15	--- E O F ---


----------



## cjr71244 (Jan 30, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:18:21 PM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O15 - Trusted Zone: http://www.filehippo.com
O15 - Trusted Zone: http://*.windowsupdate.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 1782 bytes


----------



## cybertech (Apr 16, 2002)

How is it running now? Any problems?


----------



## cjr71244 (Jan 30, 2008)

Nope, you seem to have solved it, thanks 1 million! How did you figure out what files to delete?


----------



## cybertech (Apr 16, 2002)

It's a constant battle to stay on top of this junk.

Happy to hear all is well. :up:

You can and *should* remove all of the tools I requested you to download and/or folders associated with them now. It is pointless to keep these tools around as they are updated so frequently that the tools can be outdated within a few days, sometimes within just hours.

*OTMoveIt2 by OldTimer* has a *CleanUp!* option you can use to remove most of the fixes and associated files and folders.

1. Make sure you have an Internet connection.
2. Double-click *OTMoveIt2.exe* to run it.
3. Click on the *CleanUp!* button.
4. A list of tool components used in the cleanup of malware will be downloaded.
5. If your firewall or real-time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
6. Click Yes to begin the cleanup process and remove these components, including this application.
7. You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine, choose *Yes.*

It's a good idea to flush your System Restore after removing malware:
Turn off System Restore and then turn it back on: http://support.microsoft.com/kb/310405

Now you should clean up your PC.

Here are some additional links for you to check out to help you with your computer security.

How did I get infected in the first place.

Secunia software inspector & update checker

Good free tools and advice on how to tighten your security settings.

Security Help Tools

You're welcome!


----------

