Autorun Problem

#1
13th Feb 2008, 23:35
New Member Group

Hey,
I'm having the same problem as dgethin. I'll be posting the combofix and HJT logs in the morning.
#2
14th Feb 2008, 09:53
Moderator Group

Please use the Malware Removal thread and don't run anything other than that unless requested.
http://www.computer-juice.com/forums...-posting-7476/

#3
16th Feb 2008, 19:14
New Member Group

I have tried all of the software on the thread, and have had no results. When I start XP, Sygate pops up saying:

C:\Documents and Settings\Alex\Local Settings\Temp\ir_ext_temp_19\autorun.exe is trying to connect to update.ath.cx [85.88.12.29] using remote port 80 [HTTP - World Wide Web]. Do you want to allow this program to access the network?
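
A quick way to triage a prompt like the one above, as an added example that is not part of this thread: parse the firewall message, then check the two things a responder looks at first, whether the executable is running from a temp directory and whether the destination is a free dynamic-DNS hostname. The temp-directory markers and the dynamic-DNS suffix list are this example's own assumptions, and the second, benign prompt is constructed for contrast.

```python
"""Triage an outbound-connection prompt of the form Sygate shows:
"<path> is trying to connect to <host> [<ip>] using remote port <n> [...]".

Added example for this thread, not a tool from the original post. The
temp-directory markers and the dynamic-DNS suffix list are this example's
own heuristics (assumptions), not anything the thread establishes."""
import re
from dataclasses import dataclass, field
from typing import List

# Shape of the prompt as quoted in post #3 (regex written for this example).
PROMPT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?\.exe) is trying to connect to "
    r"(?P<host>[\w.-]+) \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"using remote port (?P<port>\d+)",
    re.IGNORECASE,
)

# Directories an installed, legitimately updating program does not run from.
TEMP_MARKERS = ("\\local settings\\temp\\", "\\temp\\", "\\appdata\\local\\temp\\")
# Assumed watchlist of free dynamic-DNS suffixes favoured by throwaway C2 hosts.
DYNDNS_SUFFIXES = ("ath.cx", "dyndns.org", "homeip.net", "no-ip.org", "no-ip.biz")


@dataclass
class Triage:
    path: str
    host: str
    ip: str
    port: int
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def triage_alert(prompt: str) -> Triage:
    """Parse one prompt and attach the reasons it deserves a 'deny'."""
    m = PROMPT_RE.search(prompt.strip())
    if not m:
        raise ValueError("unrecognised prompt format")
    t = Triage(m["path"], m["host"].lower(), m["ip"], int(m["port"]))
    if any(marker in t.path.lower() for marker in TEMP_MARKERS):
        t.findings.append("executable is running from a temp directory")
    if any(t.host == s or t.host.endswith("." + s) for s in DYNDNS_SUFFIXES):
        t.findings.append("destination is a dynamic-DNS hostname")
    return t


# The prompt quoted in post #3, verbatim.
ALERT = (
    r"C:\Documents and Settings\Alex\Local Settings\Temp\ir_ext_temp_19\autorun.exe "
    r"is trying to connect to update.ath.cx [85.88.12.29] using remote port 80 "
    r"[HTTP - World Wide Web]. Do you want to allow this program to access the network?"
)
# Constructed benign prompt for contrast (TEST-NET address, not a real host).
BENIGN = (
    r"C:\Program Files\Mozilla Firefox\firefox.exe is trying to connect to "
    r"www.example.org [203.0.113.5] using remote port 443 [HTTPS]. "
    r"Do you want to allow this program to access the network?"
)

if __name__ == "__main__":
    for prompt in (ALERT, BENIGN):
        t = triage_alert(prompt)
        verdict = "DENY" if t.suspicious else "allow"
        print(f"{verdict}: {t.path} -> {t.host}:{t.port}  {'; '.join(t.findings)}")
```

Port 80 on its own is not a signal (legitimate updaters use it too); the combination of a generic file name in a per-run temp folder and a dynamic-DNS destination is what should make the answer to the prompt "no".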
#4
16th Feb 2008, 19:37
New Member Group

Disregard my previous post for the time being, please.
It seems to have stopped after I ran SmitfraudFix.exe.
#5
17th Feb 2008, 09:33
Moderator Group

Without logs I can't see what is going on. Please post a Hijackthis log.

#6
17th Feb 2008, 10:40
New Member Group

Never mind, SmitfraudFix.exe didn't work, but after running SDFix, it seems to have stopped.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:38:28 PM, on 2/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\NOD32\nod32kui.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\NOD32\nod32krn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\sniper.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [\\PARENTS\EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P36 "\\PARENTS\EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [Auto EPSON Stylus CX4800 Series on PARENTS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P42 "Auto EPSON Stylus CX4800 Series on PARENTS" /O17 "\\PARENTS\Printer" /M "Stylus CX4800"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Auto EPSON Stylus CX4800 Series on PARENTS (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P51 "Auto EPSON Stylus CX4800 Series on PARENTS (Copy 1)" /O15 "\\PARENTS\epson" /M "Stylus CX4800"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\NOD32\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\NOD32\nod32krn.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 6838 bytes
#7
17th Feb 2008, 11:52
Moderator Group

Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

----------

Please download Combofix by sUBs from one of the below links.
(Try all three if necessary.) Important! Combofix.exe MUST be saved to and run from the Desktop.
  • Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
  • Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
    • Click this link to see a list of security programs that should be disabled and how to disable them.
    • If yours is not listed and you don't know how to disable it, please ask.
  • Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
  • Double click combofix.exe & follow the prompts.
    • From the keyboard select 1 and press Enter
  • When finished, it will produce a log for you.
  • Post that log in your next reply.
Warning: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  • If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
  • Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.
----------

Please go to C:\SDFix and post the Report.txt back here along with the Combofix log.
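
What the "(no file)" in that O2 line means, and why fixing it is safe: HijackThis found a BHO CLSID still registered for Internet Explorer, but the DLL the registration points at no longer exists, so "Fix checked" only deletes a leftover key. The following is an added example, not part of the thread and not HijackThis code, that applies that test across a whole HJT log and also flags O4 autostart entries whose executable sits in a temp directory. The sample lines are copied from the log in post #6 except the last, which is constructed to mirror the path quoted in post #3; the temp-directory markers are this example's own heuristic.

```python
"""Review a HijackThis log for entries that warrant attention.

Added example for this thread (not HijackThis code and not from the original
post). Two checks: registrations whose backing file is gone ("(no file)") and
O4 autostart entries whose executable lives in a temp directory. The
temp-directory markers are this example's own heuristic."""
import re
from typing import List, NamedTuple

# Lines copied from the HJT log in post #6; the final O4 line is constructed
# to mirror the path quoted in post #3 and is not from the thread's log.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Alex\Local Settings\Temp\ir_ext_temp_19\autorun.exe
"""


class Finding(NamedTuple):
    code: str     # HJT section, e.g. "O2" or "O4"
    entry: str    # the log line that triggered the finding
    reason: str


ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path ending in .exe, with or without surrounding quotes.
EXE_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)
TEMP_MARKERS = ("\\local settings\\temp\\", "\\temp\\", "\\appdata\\local\\temp\\")


def review_hjt_log(log: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        code, rest = m.groups()
        if rest.endswith("- (no file)"):
            findings.append(Finding(code, line, "registration points at a file that no longer exists"))
            continue
        if code == "O4":
            exe = EXE_RE.search(rest)
            if exe and any(mk in exe.group(1).lower() for mk in TEMP_MARKERS):
                findings.append(Finding(code, line, "autostart target lives in a temp directory"))
    return findings


if __name__ == "__main__":
    for f in review_hjt_log(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.entry}")
```

A "(no file)" entry is harmless by itself; it matters because it is the trace an uninstalled or removed component leaves behind, which is why a helper asks for it to be fixed rather than investigated.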

#8
17th Feb 2008, 13:38
New Member Group

ComboFix 08-02-17.2 - Alex 2008-02-17 15:33:29.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.984 [GMT -5:00]
Running from: C:\Documents and Settings\Alex\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-01-17 to 2008-02-17 )))))))))))))))))))))))))))))))
.

2008-02-16 22:53 . 2008-02-16 22:53 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-16 21:19 . 2008-02-16 21:25 4,706 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-14 21:38 . 2008-02-14 21:38 <DIR> d-------- C:\Program Files\Shareaza
2008-02-14 21:38 . 2008-02-14 21:38 <DIR> d-------- C:\Documents and Settings\Alex\Application Data\Shareaza
2008-02-14 18:39 . 2008-02-14 18:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-14 18:39 . 2008-02-14 18:39 <DIR> d-------- C:\Documents and Settings\Alex\Application Data\Grisoft
2008-02-14 18:39 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-14 18:38 . 2008-02-14 18:39 <DIR> d-------- C:\Documents and Settings\Alex\.SunDownloadManager
2008-02-14 18:00 . 2008-02-14 18:00 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-14 18:00 . 2008-02-14 18:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-14 17:08 . 2008-02-14 17:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-14 17:00 . 2008-02-14 17:00 <DIR> d-------- C:\Program Files\VS Revo Group
2008-02-14 16:26 . 2008-02-14 16:26 <DIR> d-------- C:\Program Files\CCleaner
2008-02-14 01:27 . 2008-02-14 01:27 <DIR> d-------- C:\Documents and Settings\Alex\DoctorWeb
2008-02-12 01:17 . 2007-11-05 16:34 15,760 --a------ C:\WINDOWS\system32\iviaspi.sys
2008-02-12 00:58 . 2008-02-14 16:23 <DIR> d-------- C:\Program Files\Any Video Converter
2008-02-12 00:58 . 2008-02-14 16:23 <DIR> d-------- C:\Documents and Settings\Alex\Application Data\Any Video Converter
2008-02-12 00:44 . 2008-02-14 16:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\River Past G5
2008-02-12 00:44 . 2008-02-14 16:24 <DIR> d-------- C:\Documents and Settings\Alex\Application Data\River Past G5
2008-02-12 00:34 . 2008-02-12 00:34 <DIR> d-------- C:\Documents and Settings\Alex\Application Data\ArcSoft
2008-02-12 00:16 . 2008-02-14 16:24 <DIR> d-------- C:\Program Files\NCH Software
2008-02-12 00:16 . 2008-02-12 00:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2008-02-11 23:21 . 2008-02-11 23:21 <DIR> d-------- C:\Program Files\iPod
2008-02-11 23:21 . 2008-02-17 15:18 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-11 23:21 . 2008-02-11 23:21 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-11 23:20 . 2008-02-11 23:21 <DIR> d-------- C:\Program Files\iTunes
2008-02-11 23:18 . 2008-02-11 23:19 <DIR> d-------- C:\Program Files\QuickTime
2008-02-08 19:38 . 2008-02-08 19:38 <DIR> d-------- C:\Program Files\Mp3tag
2008-02-08 19:38 . 2008-02-08 19:48 <DIR> d-------- C:\Documents and Settings\Alex\Application Data\Mp3tag
2008-02-05 07:30 . 2008-02-05 23:28 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-02-05 07:30 . 2008-02-05 23:28 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-02-05 00:40 . 2008-02-05 23:34 <DIR> d-------- C:\bin
2008-02-04 18:48 . 2008-02-04 18:48 870,128 --a------ C:\WINDOWS\system32\mcs.rma
2008-02-04 18:48 . 2008-02-04 18:48 4 --a------ C:\WINDOWS\system32\C3F1F0
2008-02-04 18:46 . 2008-02-04 18:46 <DIR> d-------- C:\Program Files\Common Files\Real
2008-02-04 18:46 . 2008-02-04 18:46 8,413 --a------ C:\WINDOWS\system32\drivers\mcstrm.sys
2008-02-04 18:45 . 2008-02-04 18:45 <DIR> d-------- C:\Program Files\Real
2008-02-04 18:11 . 2008-02-12 01:16 <DIR> d-------- C:\Program Files\SanDisk
2008-02-04 17:47 . 2004-08-03 18:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-04 17:39 . 2008-02-05 23:32 <DIR> d-------- C:\WINDOWS\system32\drivers\umdf
2008-02-01 14:42 . 2008-02-01 14:40 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-01 14:42 . 2008-02-01 14:42 3,440 --a------ C:\WINDOWS\unins000.dat
2008-01-31 23:13 . 2008-01-31 23:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-31 23:13 . 2008-01-31 23:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-26 20:11 . 2008-02-16 16:49 <DIR> d-------- C:\Program Files\Steam
2008-01-25 17:25 . 2008-01-28 20:17 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 17:46 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-02-17 04:53 --------- d-----w C:\Documents and Settings\Alex\Application Data\.purple
2008-02-15 03:05 --------- d-----w C:\Documents and Settings\Alex\Application Data\LimeWire
2008-02-14 22:59 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-12 06:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-12 04:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-11 12:37 --------- d-----w C:\Documents and Settings\Alex\Application Data\OpenOffice.org2
2008-02-09 00:12 --------- d-----w C:\Program Files\NOD32
2008-02-06 04:17 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-02-04 22:55 --------- d-----w C:\Program Files\Last.fm
2008-02-01 19:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-01 19:43 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-01 01:29 --------- d-----w C:\Documents and Settings\Alex\Application Data\gtk-2.0
2008-01-19 02:24 --------- d-----w C:\Program Files\DivX
2008-01-07 00:47 --------- d-----w C:\Program Files\NCSoft
2008-01-07 00:45 --------- d-----w C:\Documents and Settings\Alex\Application Data\InstallShield
2007-12-26 19:43 --------- d-----w C:\Program Files\Guitar Pro 5
2007-12-26 19:02 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-12-25 04:58 --------- d-----w C:\Documents and Settings\Alex\Application Data\Apple Computer
2007-12-25 04:56 --------- d-----w C:\Program Files\Common Files\Apple
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-21 20:10 335872]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 15:46 192512]
"CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [2004-05-20 09:21 135168]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 18:40 2577632]
"\\PARENTS\EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 14:00 98304]
"Auto EPSON Stylus CX4800 Series on PARENTS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 14:00 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"Auto EPSON Stylus CX4800 Series on PARENTS (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 14:00 98304]
"nod32kui"="C:\Program Files\NOD32\nod32kui.exe" [2007-09-22 19:28 949376]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 16:48 479232]
"SansaDispatch"="C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe" [2007-10-22 12:52 75584]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 14:18 267048]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

C:\Documents and Settings\Alex\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-11-23 20:41:24 106496]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2007-05-17 19:28:25 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-04 14:18 267048 C:\Program Files\iTunes\iTunesHelper.exe

R1 ECioctl;ECioctl;C:\WINDOWS\system32\Drivers\ECioctl.sys [2004-05-06 12:40]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-12 04:12:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 15:36:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\\\PARENTS\\EPSON Stylus CX4800 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIADA.EXE /P36 \"\\\\PARENTS\\EPSON Stylus CX4800 Series\" /O6 \"USB001\" /M \"Stylus CX4800\""
.
Completion time: 2008-02-17 15:37:28
ComboFix-quarantined-files.txt 2008-02-17 20:37:03
ComboFix2.txt 2008-02-01 18:40:13
.
2008-02-12 22:03:35 --- E O F ---





SDFix: Version 1.143

Run by Alex on Sat 02/16/2008 at 10:55 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Alex\Desktop\SDFix

Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Checking Files:

No Trojan Files Found






Removing Temp Files...

ADS Check:



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-16 23:03:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\0400ea440ad8]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\1000aa440ad8]
"0016cff28996"=hex:08,4a,ab,4e,cb,87,db,38,85,b9,06,40,ec,97,25,75
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\1020e84408d8]
"001963092cc5"=hex:f3,31,90,9f,77,92,3a,67,c8,c7,14,dc,15,5d,94,f8
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:71,01,87,6a,a3,bf,ad,ca,49,9b,dc,e8,d8,47,a7,01,fa,07,8f,86,2d,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0400ea440ad8]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\1000aa440ad8]
"0016cff28996"=hex:08,4a,ab,4e,cb,87,db,38,85,b9,06,40,ec,97,25,75
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\1020e84408d8]
"001963092cc5"=hex:f3,31,90,9f,77,92,3a,67,c8,c7,14,dc,15,5d,94,f8
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:6f80447f
"s2"=dword:a6a05479
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:91,b0,10,47,0b,98,1b,ef,71,b1,dc,9f,73,d5,38,e7,d8,b4,7b,ce,cc,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\0400ea440ad8]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\1000aa440ad8]
"0016cff28996"=hex:08,4a,ab,4e,cb,87,db,38,85,b9,06,40,ec,97,25,75
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\1020e84408d8]
"001963092cc5"=hex:f3,31,90,9f,77,92,3a,67,c8,c7,14,dc,15,5d,94,f8
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:91,b0,10,47,0b,98,1b,ef,71,b1,dc,9f,73,d5,38,e7,d8,b4,7b,ce,cc,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\%\xe3\xce\21\xbf\xc1\b]
"DisplayName"=""
"DeviceDesc"=""
"ProviderName"=""
"MFG"="\x435c\x6e6f\x7274\x6c6f\x435c\x616c\x7373\x745c\2"
"ReinstallString"="C:\WINDOWS\System32\ReinstallBackups\\xe325\x11ce\xc1bf\b\DriverFiles\\x49c8\23\x5a00\x7c91\x48b4\23\x4a54\23\1.INF"
"DeviceInstanceIds"=str(7):"\temp\wzse0.tmp\smbus\smbusati.inf"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"ScheduledInstallDate"="2008-02-15 22:00:00"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:



Files with Hidden Attributes:

Thu 6 Sep 2007 4 A.SHR --- "C:\WINOS.SYS"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Tue 5 Feb 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 1 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT1B.tmp"
Wed 23 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT23.tmp"

Finished!
#9
17th Feb 2008, 14:05
Moderator Group

SDFix didn't remove anything, but it did restore the Windows Default Hosts File, so that could have been the source of the problem.

I don't see any malware in the logs.

You will want to open Spybot and update it and run the Immunization.


Time to do some cleanup and secure the work you have done to this point.
  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.

The above procedure will:
  • Delete:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.
Download OTMoveIt2.exe by OldTimer and place it on your desktop (unless you already have it).

1. Double click OTMoveIt2.exe to launch it.
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
  • When finished exit out of OTMoveIt2
Check out Keeping Yourself safe On The Web for tips and free tools to keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
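
Why a restored hosts file would explain the symptom, as an added example that is not from this thread or from SDFix: a tampered hosts file pins security-vendor and update hostnames to loopback or to an attacker-chosen address, so the scanners on the box quietly stop updating while everything else looks normal. The check below parses hosts-file text and reports both patterns. The vendor/update suffix list and the sample hosts content are constructed for the example; a stock Windows XP hosts file carries only the `127.0.0.1 localhost` line.

```python
"""Audit a Windows hosts file for the tampering SDFix reverses when it
"restores the Windows default hosts file".

Added example for this thread, not SDFix code and not from the original
post. Two patterns are reported: names sinkholed to loopback/null, and
update or security-vendor names pinned to some other fixed address. The
watchlist and the sample file are constructed for the example."""
import ipaddress
from typing import List, NamedTuple

# Names that legitimately map to loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Assumed watchlist of hostnames the defences on this machine need to reach.
WATCHED_SUFFIXES = (
    "windowsupdate.com", "update.microsoft.com", "symantec.com", "eset.com",
    "grisoft.com", "safer-networking.org", "lavasoft.com",
)


class HostsFinding(NamedTuple):
    line_no: int
    address: str
    name: str
    reason: str


def _is_loopback_or_null(addr: str) -> bool:
    if addr == "0.0.0.0":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:       # not an IP literal at all; treat as not loopback
        return False


def audit_hosts(text: str) -> List[HostsFinding]:
    findings: List[HostsFinding] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            lname = name.lower()
            if lname in LOCAL_NAMES:
                continue
            if _is_loopback_or_null(addr):
                findings.append(HostsFinding(n, addr, name, "sinkholed to loopback/null"))
            elif any(lname == s or lname.endswith("." + s) for s in WATCHED_SUFFIXES):
                findings.append(HostsFinding(n, addr, name, "update/vendor name pinned to a fixed address"))
    return findings


# Constructed sample: the stock XP line plus tampering of the kind described.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com liveupdate.symantec.com
127.0.0.1       update.eset.com
203.0.113.10    update.microsoft.com
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.address} {f.name}  ({f.reason})")
```

On the machine in this thread the file lives at C:\WINDOWS\system32\drivers\etc\hosts; any line beyond the localhost entry that the user did not add themselves deserves the same scrutiny as an unknown autostart entry.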

#10
17th Feb 2008, 14:26
New Member Group

Alright, done. Thanks for all the help!
Copyright ©2006 - 2009 Computer Juice.
