
Hosed with Internet Speed Monitor, Outerinfo, & Brave Sentry [Reso


  • This topic is locked

#1 amywendlt (Member, 45 posts)
Hello GTG,

Ironically, I used Internet Explorer the other day (I almost always use Firefox) to update my machine with security patches, and I realized soon after that I was infected with Internet Speed Monitor, Outerinfo, & Brave Sentry. I've seen posts here that explain how to remove each individually, but I'm stumped on how to remove them all and I'm not sure where to begin. Your help is greatly appreciated.

Thanks.


#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello amywendlt

Welcome to G2Go. :)
=================
* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double-click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\Hijack This.
  • Click on I agree.
  • Then click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

Also I will need you to create an uninstall list using HijackThis.
To do this:
  • Open HijackThis
  • Click Config
  • Click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save

Copy and paste the results in your next post as well as a HijackThis log.

#3 amywendlt (Topic Starter, Member, 45 posts)
Thanks for replying kahdah.

I tried numerous times to run HJT in normal mode, but it would continually hang up and not save a log file. I was able to run it and save a log, however, in safe mode. I don't know if that helps. (note: I have an older version of HJT, 1.99.0.1, that will run and save a log in normal mode, but much like the newer version, it closes when Uninstall Manager tries to save a list).

Also, HJT won't save the uninstall_list.txt file. Every time I tried to save it, the application would quickly close. I searched to see if the file was saved in some mysterious directory, but it didn't come up in my search.


-------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:02 PM, on 11/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: run=C:\WINNT\mmall.exe
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\system32\WinNB58.dll
O4 - HKLM\..\Run: [mexekisol] C:\Program Files\microsoft frontpage\mexekisol77798.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINNT\system32\ctfmona.exe
O4 - HKLM\..\Run: [BABABAC2BEC2C0C6C] 5454545C585C5A6.exe
O4 - HKLM\..\Run: [sdaferel] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\sdaferel.dll"
O4 - HKLM\..\Run: [SystemSv12] C:\WINNT\system32\newmaxxsv234.exe
O4 - HKLM\..\Run: [taskmon] C:\WINNT\taskmon.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINNT\system32\spoolsvv.exe
O4 - HKLM\..\Run: [mstaskmgr.exe] C:\WINNT\system32\mstaskmgr.exe
O4 - HKLM\..\Run: [Microsoft all] C:\WINNT\mmall.exe
O4 - HKLM\..\Run: [NvMainApp] "C:\Documents and Settings\All Users\Application Data\nvapp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Otue] "C:\WINNT\SMBOLS~1\winword.exe" -vt yazb
O4 - HKCU\..\Run: [Thjzob] "C:\Program Files\?racle\wuauboot.exe"
O4 - HKCU\..\Run: [Service Pack 1] C:\WINNT\system32\vedxg6ame4.exe
O4 - HKCU\..\Run: [noskrnl] C:\WINNT\noskrnl.exe
O4 - HKCU\..\Run: [Microsoft all] C:\WINNT\mmall.exe
O4 - HKUS\S-1-5-20\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk.disabled
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.myspace.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: Yahoo! Cribbage - http://download.game...nts/y/it1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1194724659312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1195003667719
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{498C630D-9BAD-44DA-BBE0-034289F6E3CB}: NameServer = 68.87.76.178,68.87.78.130
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B19DE9E-6C88-4A13-A94C-73523E156B51}: NameServer = 68.87.76.178,
O17 - HKLM\System\CS1\Services\Tcpip\..\{498C630D-9BAD-44DA-BBE0-034289F6E3CB}: NameServer = 68.87.76.178,68.87.78.130
O17 - HKLM\System\CS2\Services\Tcpip\..\{498C630D-9BAD-44DA-BBE0-034289F6E3CB}: NameServer = 68.87.76.178,68.87.78.130
O20 - AppInit_DLLs: winmine.dll
O21 - SSODL: YwgDrsLQFE - {48C2CA17-E268-60BD-2DD7-F4DE6DF767DD} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe

--
End of file - 6922 bytes

#4 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
You are welcome. :)

You have some infections that target HijackThis.
I will need you to rename HijackThis:
To do this:
  • Go to Start
  • Right click and choose Explore
  • Navigate to this location C:\Program Files\TrendMicro\Hijackthis
  • Open the Hijackthis folder
  • Right click on the Hijackthis icon and click rename
  • Rename it to fixthis
After doing this, if you can, in your next reply please try to post another uninstall list.
==================================================
I don't see any antivirus running in your log.

The first thing I will need you to do is to Download this anti-virus program and install it.
This is free.
During the installation when it asks you to schedule a boot time scan choose yes.
Whenever you are prompted then choose the number that moves it to the chest.
(If this will not install then try it later)
Avast
====================================================
Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
==================
After that Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
===========================
Please post back with these logs:
  • SDFix log
  • VundoFix log
  • New HijackThis log

#5 amywendlt (Topic Starter, Member, 45 posts)
kahdah,

Everything ran as expected, except for VundoFix, which didn't find any infected files. Regardless, its text file is posted below.


=================================================


SDFix: Version 1.115

Run by Meat Lips on Wed 11/21/2007 at 12:42 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\ADMINI~1\Desktop\SDFix

Safe Mode:
Checking Services:

Name:
Driver
Network Monitor
noskrnl.sys
usbpda

Path:
\??\C:\WINNT\system32\kernelw.sys
C:\Program Files\Network Monitor\netmon.exe service
\??\C:\WINNT\system32\noskrnl.sys
%SystemRoot%\System32\svchost.exe -k netsvcs

Driver - Deleted
Network Monitor - Deleted
noskrnl.sys - Deleted
usbpda - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing Security Center Service

Rebooting...

Service asc3550p - Deleted after Reboot

Normal Mode:
Checking Files:

Trojan Files Found:

C:\24.TMP - Deleted
C:\25.TMP - Deleted
C:\27.TMP - Deleted
C:\2F.TMP - Deleted
C:\30.TMP - Deleted
C:\33.TMP - Deleted
C:\34.TMP - Deleted
C:\35.TMP - Deleted
C:\3CA.TMP - Deleted
C:\3CB.TMP - Deleted
C:\3D4.TMP - Deleted
C:\3D5.TMP - Deleted
C:\PROGRA~1\WINDOW~1\QUCANOW - Deleted
C:\PROGRA~1\MICROS~1\MEXEKI~1.EXE - Deleted
C:\WINNT\system32\away.exe.exe - Deleted
C:\WINNT\mrofinu72.exe.tmp - Deleted
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Temp\abW9\tPho.log - Deleted
C:\WINNT\b103.exe - Deleted
C:\WINNT\b111.exe - Deleted
C:\WINNT\mrofinu1000106.exe - Deleted
C:\WINNT\mrofinu27.exe - Deleted
C:\WINNT\mrofinu72.exe - Deleted
C:\WINNT\noskrnl.config - Deleted
C:\WINNT\noskrnl.exe - Deleted
C:\WINNT\system32\dllh8jkd1q1.exe - Deleted
C:\WINNT\system32\dllh8jkd1q2.exe - Deleted
C:\WINNT\system32\dllh8jkd1q5.exe - Deleted
C:\WINNT\system32\dllh8jkd1q6.exe - Deleted
C:\WINNT\system32\dllh8jkd1q7.exe - Deleted
C:\WINNT\system32\drivers\core.cache.dsk - Deleted
C:\WINNT\system32\drivers\core.sys - Deleted
C:\WINNT\system32\kernelwind32.exe - Deleted
C:\WINNT\system32\kr_done1 - Deleted
C:\WINNT\system32\n.ini - Deleted
C:\WINNT\system32\noskrnl.sys - Deleted
C:\WINNT\system32\pac.txt - Deleted
C:\WINNT\system32\spoolsvv.exe - Deleted
C:\WINNT\system32\usbpda.dll - Deleted
C:\WINNT\system32\vedxg4am1et2.exe - Deleted
C:\WINNT\system32\vedxga1me4t1.exe - Deleted
C:\WINNT\system32\vedxga3me2.exe - Deleted
C:\WINNT\system32\vedxga4m1et4.exe - Deleted
C:\WINNT\system32\vedxga5me3.exe - Deleted
C:\WINNT\system32\vx.tll - Deleted
C:\WINNT\TTC-4444.exe - Deleted
C:\WINNT\system32\drivers\asc3550p.sys - Deleted



Folder C:\Documents and Settings\All Users\Documents\Settings - Removed
Folder C:\Program Files\InetGet2 - Removed
Folder C:\Program Files\Network Monitor - Removed
Folder C:\Temp\abW9 - Removed
Folder C:\Temp\1cb - Removed

Removing Temp Files...

ADS Check:

C:\WINNT
No streams found.

C:\WINNT\system32
No streams found.

C:\WINNT\system32\svchost.exe
No streams found.

C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-21 13:05:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mis46]
"Type"=dword:00000001
"Tag"=dword:00000001
"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0SmartCardGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0"
"ErrorControl"=dword:00000001
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Mis46]
"Type"=dword:00000001
"Tag"=dword:00000001
"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0SmartCardGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0"
"ErrorControl"=dword:00000001
"Start"=dword:00000000

scanning hidden registry entries ...

scanning hidden files ...

C:\WINNT\system32\drivers\scsiport.sys 96256 bytes executable
C:\WINNT\system32\drivers\sdbus.sys 67584 bytes executable
C:\WINNT\system32\drivers\secdrv.sys 27440 bytes executable
C:\WINNT\system32\drivers\serenum.sys 15488 bytes executable
C:\WINNT\system32\drivers\serial.sys 64896 bytes executable
C:\WINNT\system32\drivers\sffdisk.sys 11136 bytes executable
C:\WINNT\system32\drivers\sffp_sd.sys 10240 bytes executable
C:\WINNT\system32\drivers\sfloppy.sys 11392 bytes executable
C:\WINNT\system32\drivers\siint5.dll 3901 bytes executable
C:\WINNT\system32\drivers\sisagp.sys 41088 bytes executable
C:\WINNT\system32\drivers\slip.sys 11136 bytes executable
C:\WINNT\system32\drivers\slnt7554.sys 129535 bytes executable
C:\WINNT\system32\drivers\slntamr.sys 404990 bytes executable
C:\WINNT\system32\drivers\slnthal.sys 95424 bytes executable
C:\WINNT\system32\drivers\slwdmsup.sys 13240 bytes executable
C:\WINNT\system32\drivers\smbali.sys 6016 bytes executable
C:\WINNT\system32\drivers\smclib.sys 14592 bytes executable
C:\WINNT\system32\drivers\smss.exe 38128 bytes executable
C:\WINNT\system32\drivers\sonydcam.sys 25472 bytes executable
C:\WINNT\system32\drivers\SONYPVU1.SYS 7552 bytes executable
C:\WINNT\system32\drivers\splitter.sys 6400 bytes executable
C:\WINNT\system32\drivers\sr.sys 73472 bytes executable
C:\WINNT\system32\drivers\srv.sys 336256 bytes executable
C:\WINNT\system32\drivers\stream.sys 48640 bytes executable
C:\WINNT\system32\drivers\streamip.sys 15360 bytes executable
C:\WINNT\system32\drivers\streams.sys 105840 bytes executable
C:\WINNT\system32\drivers\swenum.sys 4352 bytes executable
C:\WINNT\system32\drivers\swmidi.sys 54272 bytes executable
C:\WINNT\system32\drivers\symavc32.sys 179200 bytes executable
C:\WINNT\system32\drivers\SCI1PL.SYS 21510 bytes executable
C:\WINNT\system32\drivers\Mis46.sys 179200 bytes executable
C:\WINNT\system32\drivers\s3gnbm.sys 166912 bytes executable
C:\WINNT\system32\drivers\sbp2port.sys 43136 bytes executable
C:\WINNT\system32\drivers\SCI0PL.SYS 8615 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 34


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINNT\\system32\\vedxga3me2.exe"="C:\\WINNT\\system32\\vedxga3me2.exe:*:Enabled:microsoft"
"C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\91.tmp.taras"="C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\91.tmp.taras:*:Enabled:mstaskmgr.exe"
"C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\92.tmp.taras"="C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\92.tmp.taras:*:Enabled:mstaskmgr.exe"
"C:\\WINNT\\system32\\mstaskmgr.exe"="C:\\WINNT\\system32\\mstaskmgr.exe:*:Enabled:mstaskmgr.exe"
"C:\\WINNT\\taskmon.exe"="C:\\WINNT\\taskmon.exe:*:Enabled:enable"
"C:\\WINNT\\system32\\spoolsvv.exe"="C:\\WINNT\\system32\\spoolsvv.exe:*:Enabled:enable"
"C:\\WINNT\\noskrnl.exe"="C:\\WINNT\\noskrnl.exe:*:Enabled:enable"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\DOCUME~1\ADMINI~1\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 21 Sep 2005 22,528 A..H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL0435.tmp"
Wed 21 Sep 2005 22,016 A..H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL0885.tmp"
Wed 21 Sep 2005 20,992 A..H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL1095.tmp"
Wed 21 Sep 2005 20,992 A..H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL1222.tmp"
Wed 21 Sep 2005 20,992 A..H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL1758.tmp"
Wed 21 Sep 2005 22,528 A..H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL1868.tmp"
Wed 21 Sep 2005 20,992 A..H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL2875.tmp"
Wed 21 Sep 2005 22,016 A..H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL3200.tmp"
Wed 21 Sep 2005 22,528 A..H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL3477.tmp"
Wed 7 Dec 2005 19,968 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL0005.tmp"
Wed 7 Dec 2005 20,992 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL0335.tmp"
Wed 7 Dec 2005 20,480 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL4029.tmp"
Wed 7 Dec 2005 20,992 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL4070.tmp"
Wed 16 Feb 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 24 Aug 2004 1,740 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Tue 24 Aug 2004 274,904 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Tue 24 Aug 2004 156,916 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\IAM.reg"

Finished!

#6 amywendlt (Topic Starter, Member, 45 posts)
VundoFix V6.6.2

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 1:32:21 PM 11/21/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.6.2

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 1:43:14 PM 11/21/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

#7 amywendlt (Topic Starter, Member, 45 posts)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:44:37 PM, on 11/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\atievxx.exe
C:\WINNT\system32\ctfmona.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\system32\5454545C585C5A6.exe
C:\WINNT\system32\regsvr32.exe
C:\WINNT\system32\newmaxxsv234.exe
C:\WINNT\system32\mstaskmgr.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\fixthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1320FE94-EF53-4D25-A0AA-429B86DE7803} - C:\Program Files\ComPlus Applications\meqot4444.dll (file missing)
O2 - BHO: (no name) - {262eb796-1dd2-11b2-b08b-8139c4904fa7} - C:\WINNT\afwvuhwz.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 0 - {6228F767-34CC-4F3F-8993-91F692B8543B} - (no file)
O2 - BHO: (no name) - {6403DFC8-964F-49B7-9A1F-B2461DBEA361} - C:\Program Files\ComPlus Applications\meqot83122.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINNT\system32\mljhigg.dll
O2 - BHO: (no name) - {DEA1F6F9-2664-42A5-84E0-9F16B0015564} - C:\WINNT\system32\ssqoo.dll
O2 - BHO: (no name) - {E1DDF747-15A9-692A-DA2B-3DE678F6039C} - C:\WINNT\system32\kldjbo.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [mexekisol] C:\Program Files\microsoft frontpage\mexekisol77798.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINNT\system32\ctfmona.exe
O4 - HKLM\..\Run: [BABABAC2BEC2C0C6C] 5454545C585C5A6.exe
O4 - HKLM\..\Run: [sdaferel] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\sdaferel.dll"
O4 - HKLM\..\Run: [SystemSv12] C:\WINNT\system32\newmaxxsv234.exe
O4 - HKLM\..\Run: [mstaskmgr.exe] C:\WINNT\system32\mstaskmgr.exe
O4 - HKLM\..\Run: [Microsoft all] C:\WINNT\mmall.exe
O4 - HKLM\..\Run: [NvMainApp] "C:\Documents and Settings\All Users\Application Data\nvapp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Otue] "C:\WINNT\SMBOLS~1\winword.exe" -vt yazb
O4 - HKCU\..\Run: [Thjzob] "C:\Program Files\?racle\wuauboot.exe"
O4 - HKCU\..\Run: [Microsoft all] C:\WINNT\mmall.exe
O4 - HKUS\S-1-5-19\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk.disabled
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.myspace.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: Yahoo! Cribbage - http://download.game...nts/y/it1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1194724659312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1195003667719
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{498C630D-9BAD-44DA-BBE0-034289F6E3CB}: NameServer = 68.87.76.178,68.87.78.130
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B19DE9E-6C88-4A13-A94C-73523E156B51}: NameServer = 68.87.76.178,
O17 - HKLM\System\CS1\Services\Tcpip\..\{498C630D-9BAD-44DA-BBE0-034289F6E3CB}: NameServer = 68.87.76.178,68.87.78.130
O17 - HKLM\System\CS2\Services\Tcpip\..\{498C630D-9BAD-44DA-BBE0-034289F6E3CB}: NameServer = 68.87.76.178,68.87.78.130
O20 - AppInit_DLLs: winmine.dll
O20 - Winlogon Notify: cryptnet32 - C:\WINNT\SYSTEM32\cryptnet32.dll
O20 - Winlogon Notify: mljhigg - C:\WINNT\SYSTEM32\mljhigg.dll
O21 - SSODL: YwgDrsLQFE - {48C2CA17-E268-60BD-2DD7-F4DE6DF767DD} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe

--
End of file - 9077 bytes

#8
amywendlt

    Member

  • Topic Starter
  • Member
  • 45 posts
ACE Mega CoDecS Pack
Ad-Aware 2007
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Photoshop CS
Adobe Reader 6.0.1
AVG Anti-Spyware 7.5
Azureus
Bodog Poker Version 2.12.2.3
CCleaner (remove only)
Comcast High-Speed Internet Install Wizard
Conexant-Ambit® SoftK56 Data/Fax Modem Driver for Microsoft® Windows® XP & 2000
Full Tilt Poker
Google Video Player
HijackThis 2.0.2
hp deskjet 5100 series
Internet Explorer Q903235
iTunes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 6
Microsoft .NET Framework 2.0
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft XML Parser and SDK
Mirar
Mozilla Firefox (2.0.0.3)
Mozilla Thunderbird (1.0.7)
Network Monitor
Network Stumbler 0.4.0 (remove only)
Poker Academy Pro 2
Poker Tracker Version 2.16.03d
PokerAce Hud (remove only)
PokerStars
QuickTime
RealPlayer
Shockwave
Spybot - Search & Destroy 1.4
TSA
USB-IDE Bridge Driver
VIA Audio Driver Setup Program
Viewpoint Media Player
Winamp (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Service Pack 2
WinRAR archiver
WinZip
Wireless-G Notebook Adapter
Yahoo! Messenger

#9
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

In case you have used ComboFix before, please delete the version you have and redownload it, because ComboFix is being updated every day.

If your antivirus or any other real-time scanner displays an alert after you download ComboFix or while you use it, please disable the scanner and download ComboFix again, because some scanners may see some ComboFix-related components as suspicious and block or delete them even though there is nothing wrong with them.

You can see this link if you do not know how to disable your antivirus or other software.

#10
amywendlt

    Member

  • Topic Starter
  • Member
  • 45 posts
Looks like there is some light shining in this dark tunnel!


======================================
ComboFix 07-11-19.3 - Meat Lips 2007-11-21 17:27:07.3 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\drivers\npf.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NPF


((((((((((((((((((((((((( Files Created from 2007-10-22 to 2007-11-22 )))))))))))))))))))))))))))))))
.

2007-11-21 13:32 <DIR> d-------- C:\VundoFix Backups
2007-11-21 12:40 <DIR> d-------- C:\WINNT\ERUNT
2007-11-21 08:56 <DIR> d-------- C:\Program Files\Alwil Software
2007-11-20 21:06 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-19 20:44 <DIR> d-------- C:\Program Files\CCleaner
2007-11-19 17:43 37,888 --a------ C:\WINNT\mm_tmp_hr.exe
2007-11-19 17:43 37,376 --a------ C:\WINNT\mm_tmp_r.exe
2007-11-19 17:43 34,304 --a------ C:\WINNT\mm_tmp_gr.exe
2007-11-19 17:42 531,968 --a------ C:\WINNT\mmbin3.exe
2007-11-17 22:12 34,304 --a------ C:\WINNT\mmgr.exe
2007-11-17 22:11 37,888 --a------ C:\WINNT\mmhr.exe
2007-11-17 22:11 37,376 --a------ C:\WINNT\mmmspool.exe
2007-11-17 22:08 531,968 --a------ C:\WINNT\mmbin.exe
2007-11-17 22:06 23,552 --a------ C:\WINNT\mmall.exe
2007-11-17 21:55 38,128 --a------ C:\WINNT\system32\drivers\smss.exe
2007-11-17 21:55 38,128 --a------ C:\Documents and Settings\Administrator\smss.exe
2007-11-17 21:55 14 --a------ C:\WINNT\system32\msguppi.dll
2007-11-17 21:49 45,072 --a------ C:\WINNT\taskmon.exe
2007-11-17 21:49 12,960 --a------ C:\WINNT\system32\taskmon.sys
2007-11-17 20:51 5,120 --a------ C:\WINNT\system32\nnvapi.dll
2007-11-17 20:49 <DIR> d-------- C:\WINNT\system32\FCFCFC050105030
2007-11-17 20:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Anti-Virus-Pro.com
2007-11-17 20:49 123,904 --a------ C:\Documents and Settings\All Users\Application Data\nvapp.exe
2007-11-17 20:49 58,880 --a------ C:\WINNT\afwvuhwz.dll
2007-11-17 20:48 124,416 --a------ C:\WINNT\system32\5454545C585C5A6.exe
2007-11-17 20:47 <DIR> d--hs---- C:\WINNT\RSBMaW1h
2007-11-17 20:47 <DIR> d-------- C:\WINNT\PerfInfo
2007-11-17 20:47 <DIR> d-------- C:\Program Files\AntiVirusPro
2007-11-17 20:46 <DIR> d-------- C:\WINNT\system32\rMa13yy
2007-11-17 20:46 <DIR> d-------- C:\Temp
2007-11-17 20:46 3,638 --a------ C:\wndpgfd.exe
2007-11-17 19:35 <DIR> d-------- C:\WINNT\krmf
2007-11-17 19:35 <DIR> d-------- C:\Program Files\Common Files\krmf
2007-11-17 19:26 36,352 --a------ C:\WINNT\system32\mljjhij.dll
2007-11-17 14:47 36,352 --a------ C:\WINNT\system32\mljhigg.dll
2007-11-16 22:01 <DIR> d-------- C:\Program Files\PokerStars
2007-11-14 21:51 239,616 --------- C:\WINNT\system32\wstrenderer.ax
2007-11-14 21:51 164,352 --------- C:\WINNT\system32\wstpager.ax
2007-11-14 21:51 78,464 --------- C:\WINNT\system32\drivers\usbvideo.sys
2007-11-14 21:51 64,352 --------- C:\WINNT\system32\drivers\ativmc20.cod
2007-11-14 21:51 53,248 --------- C:\WINNT\system32\vbicodec.ax
2007-11-14 21:51 44,672 --------- C:\WINNT\system32\drivers\uagp35.sys
2007-11-14 21:51 12,672 --------- C:\WINNT\system32\drivers\usb8023x.sys
2007-11-14 21:51 9,728 --a------ C:\WINNT\system32\comsdupd.exe
2007-11-14 21:50 <DIR> d-------- C:\WINNT\provisioning
2007-11-14 21:50 <DIR> d-------- C:\WINNT\peernet
2007-11-14 21:50 1,888,992 --a------ C:\WINNT\system32\ati3duag.dll
2007-11-14 21:50 1,737,856 --a------ C:\WINNT\system32\mtxparhd.dll
2007-11-14 21:50 516,768 --a------ C:\WINNT\system32\ativvaxx.dll
2007-11-14 21:50 229,376 --a------ C:\WINNT\system32\ati2cqag.dll
2007-11-14 21:50 193,024 --a------ C:\WINNT\system32\fsquirt.exe
2007-11-14 21:50 129,536 --------- C:\WINNT\system32\xmlprov.dll
2007-11-14 21:50 110,592 --a------ C:\WINNT\system32\bthprops.cpl
2007-11-14 21:50 86,016 --a------ C:\WINNT\system32\mdmxsdk.dll
2007-11-14 21:50 81,920 --a------ C:\WINNT\system32\ieencode.dll
2007-11-14 21:50 75,776 --a------ C:\WINNT\system32\strmfilt.dll
2007-11-14 21:50 60,416 --a------ C:\WINNT\system32\fwcfg.dll
2007-11-14 21:50 50,688 --a------ C:\WINNT\system32\btpanui.dll
2007-11-14 21:50 50,176 --------- C:\WINNT\system32\xmlprovi.dll
2007-11-14 21:50 49,152 --a------ C:\WINNT\system32\powercfg.exe
2007-11-14 21:50 48,640 --a------ C:\WINNT\system32\pnrpnsp.dll
2007-11-14 21:50 44,032 --------- C:\WINNT\system32\twext.dll
2007-11-14 21:50 32,866 --------- C:\WINNT\slrundll.exe
2007-11-14 21:50 32,768 --a------ C:\WINNT\system32\ativtmxx.dll
2007-11-14 21:50 30,208 --a------ C:\WINNT\system32\bthserv.dll
2007-11-14 21:50 25,471 --------- C:\WINNT\system32\drivers\watv10nt.sys
2007-11-14 21:50 22,271 --------- C:\WINNT\system32\drivers\watv06nt.sys
2007-11-14 21:50 20,992 --a------ C:\WINNT\system32\bthci.dll
2007-11-14 21:50 11,935 --------- C:\WINNT\system32\drivers\wadv11nt.sys
2007-11-14 21:50 11,871 --------- C:\WINNT\system32\drivers\wadv09nt.sys
2007-11-14 21:50 11,807 --------- C:\WINNT\system32\drivers\wadv07nt.sys
2007-11-14 21:50 11,325 --------- C:\WINNT\system32\drivers\vchnt5.dll
2007-11-14 21:50 11,295 --------- C:\WINNT\system32\drivers\wadv08nt.sys
2007-11-14 21:50 8,192 --a------ C:\WINNT\system32\smbinst.exe
2007-11-14 21:50 7,680 --a------ C:\WINNT\system32\kbdsmsno.dll
2007-11-14 21:50 7,680 --a------ C:\WINNT\system32\kbdsmsfi.dll
2007-11-14 21:50 7,168 --a------ C:\WINNT\system32\kbdukx.dll
2007-11-14 21:50 7,168 --a------ C:\WINNT\system32\kbdno1.dll
2007-11-14 21:50 7,168 --a------ C:\WINNT\system32\kbdfi1.dll
2007-11-14 21:50 6,656 --a------ C:\WINNT\system32\kbdinmal.dll
2007-11-14 21:50 6,656 --a------ C:\WINNT\system32\kbdinben.dll
2007-11-14 21:50 6,144 --a------ C:\WINNT\system32\kbdmlt48.dll
2007-11-14 21:50 6,144 --a------ C:\WINNT\system32\kbdmlt47.dll
2007-11-14 21:50 6,144 --a------ C:\WINNT\system32\kbdinbe1.dll
2007-11-14 21:50 5,632 --a------ C:\WINNT\system32\kbdmaori.dll
2007-11-13 18:11 96,768 --a------ C:\WINNT\system32\dpcdll.dll
2007-11-13 18:07 <DIR> d-------- C:\WINNT\ServicePackFiles
2007-11-13 18:07 <DIR> d-------- C:\WINNT\ehome
2007-11-13 18:07 1,677,312 --------- C:\WINNT\system32\wmvcore2.dll
2007-11-13 18:07 1,057,760 --a------ C:\WINNT\system32\ati3d2ag.dll
2007-11-13 18:07 937,984 --------- C:\WINNT\system32\winbrand.dll
2007-11-13 18:07 870,784 --a------ C:\WINNT\system32\ati3d1ag.dll
2007-11-13 18:07 377,984 --a------ C:\WINNT\system32\ati2dvaa.dll
2007-11-13 18:07 327,040 --------- C:\WINNT\system32\drivers\ati2mtaa.sys
2007-11-13 18:07 201,728 --a------ C:\WINNT\system32\ati2dvag.dll
2007-11-13 18:07 198,656 --a------ C:\WINNT\system32\gptext.dll
2007-11-13 18:07 187,392 --------- C:\WINNT\system32\xpsp1res.dll
2007-11-13 18:07 186,368 --a------ C:\WINNT\system32\encdec.dll
2007-11-13 18:07 177,152 --a------ C:\WINNT\system32\msctfime.ime
2007-11-13 18:07 134,656 --a------ C:\WINNT\system32\mssap.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-22 01:19 5,632 ----a-w C:\WINNT\system32\nview32.dll
2007-11-21 20:54 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-20 04:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-18 04:51 9,216 ----a-w C:\WINNT\system32\cryptnet32.dll
2007-11-18 03:37 --------- d-----w C:\Program Files\Full Tilt Poker
2007-11-17 00:37 --------- d-----w C:\Program Files\Bodog Poker
2007-11-15 23:48 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2007-11-13 04:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-11 05:03 81,984 ----a-w C:\WINNT\system32\bdod.bin
2007-11-07 07:38 --------- d-----w C:\Program Files\Azureus
2007-11-05 04:38 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2005-10-25 15:59 20,192 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2004-08-24 23:19 271 --sh--w C:\Program Files\desktop.ini
2004-08-24 23:19 21,952 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((( snapshot_2007-11-21_17.00.14.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-22 01:15:32 262,144 ----a-w C:\WINNT\system32\config\systemprofile\NtUser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1320FE94-EF53-4D25-A0AA-429B86DE7803}]
C:\Program Files\ComPlus Applications\meqot4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{262eb796-1dd2-11b2-b08b-8139c4904fa7}]
2007-11-17 20:49 58880 --a------ C:\WINNT\afwvuhwz.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6228F767-34CC-4F3F-8993-91F692B8543B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6403DFC8-964F-49B7-9A1F-B2461DBEA361}]
C:\Program Files\ComPlus Applications\meqot83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]
2007-11-17 14:47 36352 --a------ C:\WINNT\system32\mljhigg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1DDF747-15A9-692A-DA2B-3DE678F6039C}]
C:\WINNT\system32\kldjbo.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"= C:\WINNT\system32\WinNB58.dll [ ]

[HKEY_CLASSES_ROOT\clsid\{9a9c9b68-f908-4aab-8d0c-10ea8997f37e}]
[HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Otue"="C:\WINNT\SMBOLS~1\winword.exe" []
"Thjzob"="C:\Program Files\?racle\wuauboot.exe" []
"Microsoft all"="C:\WINNT\mmall.exe" [2007-11-17 21:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mexekisol"="C:\Program Files\microsoft frontpage\mexekisol77798.exe" []
"ctfmona"="C:\WINNT\system32\ctfmona.exe" []
"BABABAC2BEC2C0C6C"="5454545C585C5A6.exe" [2007-11-02 14:39 C:\WINNT\system32\5454545C585C5A6.exe]
"Microsoft all"="C:\WINNT\mmall.exe" [2007-11-17 21:54]
"NvMainApp"="C:\Documents and Settings\All Users\Application Data\nvapp.exe" [2007-11-17 20:49]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" []
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2004-08-04 00:56]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2004-08-03 22:59]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk.disabled [2005-08-22 17:16:41]
Wireless-G Notebook Adapter with SpeedBooster Utility.lnk.disabled [2005-07-15 16:15:00]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"= C:\WINNT\system32\mljhigg.dll [2007-11-17 14:47 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet32]
cryptnet32.dll 2007-11-17 20:51 9216 C:\WINNT\system32\cryptnet32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhigg]
mljhigg.dll 2007-11-17 14:47 36352 C:\WINNT\system32\mljhigg.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk.disabled
backup=C:\WINNT\pss\Microsoft Office.lnk.disabledCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk.disabled
backup=C:\WINNT\pss\WinZip Quick Pick.lnk.disabledCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 12:03 36975 --a------ C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"MSConfig"=C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"BDMCon"="C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe"

S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINNT\System32\CBTNDIS5.SYS
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;\??\C:\WINNT\System32\NSNDIS5.SYS
S3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINNT\system32\DRIVERS\odysseyIM4.sys
S3 taskmon.sys;taskmon.sys;\??\C:\WINNT\system32\taskmon.sys

*Newly Created Service* - NPF
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-21 17:38:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\Documents and Settings\All Users\Application Data\nvapp.exe [1160] 0x82084BE8

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-21 17:45:03 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-21 17:09
C:\ComboFix3.txt ... 2007-11-12 18:58
.
--- E O F ---
#11
amywendlt

    Member

  • Topic Starter
  • Member
  • 45 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:46:56 PM, on 11/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\atievxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\5454545C585C5A6.exe
C:\Program Files\Trend Micro\HijackThis\fixthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1320FE94-EF53-4D25-A0AA-429B86DE7803} - C:\Program Files\ComPlus Applications\meqot4444.dll (file missing)
O2 - BHO: (no name) - {262eb796-1dd2-11b2-b08b-8139c4904fa7} - C:\WINNT\afwvuhwz.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 0 - {6228F767-34CC-4F3F-8993-91F692B8543B} - (no file)
O2 - BHO: (no name) - {6403DFC8-964F-49B7-9A1F-B2461DBEA361} - C:\Program Files\ComPlus Applications\meqot83122.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINNT\system32\mljhigg.dll
O2 - BHO: (no name) - {E1DDF747-15A9-692A-DA2B-3DE678F6039C} - C:\WINNT\system32\kldjbo.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [mexekisol] C:\Program Files\microsoft frontpage\mexekisol77798.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINNT\system32\ctfmona.exe
O4 - HKLM\..\Run: [BABABAC2BEC2C0C6C] 5454545C585C5A6.exe
O4 - HKLM\..\Run: [Microsoft all] C:\WINNT\mmall.exe
O4 - HKLM\..\Run: [NvMainApp] "C:\Documents and Settings\All Users\Application Data\nvapp.exe"
O4 - HKCU\..\Run: [Otue] "C:\WINNT\SMBOLS~1\winword.exe" -vt yazb
O4 - HKCU\..\Run: [Thjzob] "C:\Program Files\?racle\wuauboot.exe"
O4 - HKCU\..\Run: [Microsoft all] C:\WINNT\mmall.exe
O4 - HKUS\S-1-5-19\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk.disabled
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.myspace.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: Yahoo! Cribbage - http://download.game...nts/y/it1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1194724659312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1195003667719
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{498C630D-9BAD-44DA-BBE0-034289F6E3CB}: NameServer = 68.87.76.178,68.87.78.130
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B19DE9E-6C88-4A13-A94C-73523E156B51}: NameServer = 68.87.76.178,
O17 - HKLM\System\CS1\Services\Tcpip\..\{498C630D-9BAD-44DA-BBE0-034289F6E3CB}: NameServer = 68.87.76.178,68.87.78.130
O17 - HKLM\System\CS2\Services\Tcpip\..\{498C630D-9BAD-44DA-BBE0-034289F6E3CB}: NameServer = 68.87.76.178,68.87.78.130
O20 - Winlogon Notify: cryptnet32 - C:\WINNT\SYSTEM32\cryptnet32.dll
O20 - Winlogon Notify: mljhigg - C:\WINNT\SYSTEM32\mljhigg.dll
O21 - SSODL: YwgDrsLQFE - {48C2CA17-E268-60BD-2DD7-F4DE6DF767DD} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe

--
End of file - 7678 bytes

#12
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINNT\mm_tmp_hr.exe
C:\WINNT\mm_tmp_r.exe
C:\WINNT\mm_tmp_gr.exe
C:\WINNT\mmbin3.exe
C:\WINNT\mmgr.exe
C:\WINNT\mmhr.exe
C:\WINNT\mmmspool.exe
C:\WINNT\mmbin.exe
C:\WINNT\mmall.exe
C:\WINNT\system32\drivers\smss.exe
C:\Documents and Settings\Administrator\smss.exe
C:\WINNT\taskmon.exe
C:\Documents and Settings\Administrator\Application Data\Anti-Virus-Pro.com
C:\WINNT\afwvuhwz.dll
C:\WINNT\system32\5454545C585C5A6.exe
C:\wndpgfd.exe
C:\WINNT\system32\mljjhij.dll
C:\WINNT\system32\mljhigg.dll
C:\Program Files\ComPlus Applications\meqot4444.dll
C:\WINNT\afwvuhwz.dll
C:\Program Files\ComPlus Applications\meqot83122.dll
C:\WINNT\system32\kldjbo.dll
C:\WINNT\system32\WinNB58.dll 
C:\WINNT\SMBOLS~1\winword.exe
C:\Program Files\microsoft frontpage\mexekisol77798.exe
C:\WINNT\system32\mstaskmgr.exe
C:\WINNT\system32\spoolsvv.exe
C:\WINNT\system32\newmaxxsv234.exe
C:\WINNT\system32\ssqoo.dll
C:\WINNT\SYSTEM32\cryptnet32.dll
C:\WINNT\winmine.dll 
C:\WINNT\SYSTEM32\winmine.dll
C:\WINNT\system32\ctfmona.exe
C:\WINNT\system32\taskmon.sys

Folder::
C:\VundoFix Backups
C:\WINNT\system32\FCFCFC050105030
C:\WINNT\RSBMaW1h
C:\Program Files\AntiVirusPro
C:\WINNT\system32\rMa13yy
C:\WINNT\krmf
C:\Program Files\?racle
C:\Program Files\Mirar
C:\Program Files\Viewpoint

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1320FE94-EF53-4D25-A0AA-429B86DE7803}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{262eb796-1dd2-11b2-b08b-8139c4904fa7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6228F767-34CC-4F3F-8993-91F692B8543B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6403DFC8-964F-49B7-9A1F-B2461DBEA361}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1DDF747-15A9-692A-DA2B-3DE678F6039C}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"=-
[-HKEY_CLASSES_ROOT\clsid\{9a9c9b68-f908-4aab-8d0c-10ea8997f37e}]
[-HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Otue"=-
"Thjzob"=-
"Microsoft all"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mexekisol"=-
"ctfmona"=-
"BABABAC2BEC2C0C6C"=-
"Microsoft all"=-
[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet32]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhigg]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\{48C2CA17-E268-60BD-2DD7-F4DE6DF767DD}]

Driver::
"NPF"
"taskmon.sys"


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

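The CFScript above is built by hand from the HijackThis log: each O2 BHO line becomes a `[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CLSID}]` deletion, each O4 Run entry becomes a `"name"=-` value removal under the matching Run key, each O20 Winlogon Notify entry becomes a deletion of its notify subkey, and every existing on-disk path goes into `File::`. The Python below is an added example of that mechanical translation; it is not code from this thread, from HijackThis or from ComboFix. It assumes the analyst has already decided which entries are malicious and passes their CLSIDs and value names in (the `MALICIOUS` set here is constructed from the helper's script), and it only understands O2, O4 (HKLM/HKCU) and O20 lines. The sample log lines are copied from the HijackThis log posted earlier in this thread.

```python
"""
Translate HijackThis O2/O4/O20 log lines into the File:: and Registry::
sections of a ComboFix CFScript.

Added example, not code from this thread or from HijackThis/ComboFix.
The analyst supplies the verdict (which CLSIDs / value names are bad);
this script only does the mechanical mapping shown in the thread.
"""
import re
from dataclasses import dataclass

# Registry locations written the way the thread's CFScript writes them
# (the "~" form is HijackThis/ComboFix shorthand for the BHO key).
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"
RUN_KEY = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}

RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.*)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINNT\system32\mljhigg.dll
O2 - BHO: (no name) - {E1DDF747-15A9-692A-DA2B-3DE678F6039C} - C:\WINNT\system32\kldjbo.dll (file missing)
O4 - HKLM\..\Run: [ctfmona] C:\WINNT\system32\ctfmona.exe
O4 - HKLM\..\Run: [BABABAC2BEC2C0C6C] 5454545C585C5A6.exe
O4 - HKCU\..\Run: [Otue] "C:\WINNT\SMBOLS~1\winword.exe" -vt yazb
O4 - HKCU\..\Run: [Microsoft all] C:\WINNT\mmall.exe
O20 - Winlogon Notify: cryptnet32 - C:\WINNT\SYSTEM32\cryptnet32.dll
"""

# The analyst's verdict (constructed here from the helper's CFScript in the thread).
# Anything not in this set, e.g. the Adobe Reader BHO, is left alone.
MALICIOUS = {
    "{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}",   # mljhigg.dll BHO
    "{E1DDF747-15A9-692A-DA2B-3DE678F6039C}",   # kldjbo.dll BHO, file already gone
    "ctfmona", "BABABAC2BEC2C0C6C", "Otue", "Microsoft all", "cryptnet32",
}


@dataclass
class Entry:
    kind: str        # "O2", "O4" or "O20"
    ident: str       # CLSID for O2, value name for O4/O20
    hive: str = ""   # "HKLM" / "HKCU" for O4 only
    path: str = ""   # on-disk path, or "" when HijackThis reports no file


def clean_path(raw):
    """Return the on-disk path from an HJT path field, or "" when HJT says the file is absent."""
    raw = raw.strip()
    if raw.endswith("(file missing)") or raw.endswith("(no file)"):
        return ""
    if raw.startswith('"'):                    # quoted path followed by arguments
        return raw[1:raw.index('"', 1)]
    return raw


def parse_hjt(log_text):
    """Parse the O2/O4/O20 lines of a HijackThis log; other line types are ignored."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := RE_O2.match(line):
            entries.append(Entry("O2", m["clsid"], path=clean_path(m["path"])))
        elif m := RE_O4.match(line):
            entries.append(Entry("O4", m["name"], hive=m["hive"], path=clean_path(m["path"])))
        elif m := RE_O20.match(line):
            entries.append(Entry("O20", m["name"], path=clean_path(m["path"])))
    return entries


def build_cfscript(entries, malicious):
    """Emit File:: and Registry:: sections for the entries the analyst marked malicious."""
    bad = {m.lower() for m in malicious}
    chosen = [e for e in entries if e.ident.lower() in bad]

    # File:: only takes full paths. A bare name such as 5454545C585C5A6.exe has
    # no directory in the HJT line; its location must be confirmed from the
    # ComboFix log before it is added, so only its registry value is removed here.
    files = sorted({e.path for e in chosen if "\\" in e.path})

    reg = []
    for e in chosen:
        if e.kind == "O2":
            reg.append(f"[-{BHO_KEY}\\{e.ident}]")
        elif e.kind == "O20":
            reg.append(f"[-{NOTIFY_KEY}\\{e.ident}]")
    for hive, key in RUN_KEY.items():
        names = [e.ident for e in chosen if e.kind == "O4" and e.hive == hive]
        if names:
            reg.append(f"[{key}]")
            reg.extend(f'"{n}"=-' for n in names)

    sections = []
    if files:
        sections.append("File::\n" + "\n".join(files))
    if reg:
        sections.append("Registry::\n" + "\n".join(reg))
    return "\n\n".join(sections) + "\n" if sections else ""


if __name__ == "__main__":
    print(build_cfscript(parse_hjt(SAMPLE_HJT_LOG), MALICIOUS))
```

The Folder:: and Driver:: sections are deliberately not generated: HijackThis does not list the dropped directories or the LEGACY_* driver entries, those come from the ComboFix log, so they stay an analyst decision. The Adobe BHO in the sample passes through untouched because it is not in the verdict set, which is the point: the parser never decides what is malicious, it only keeps the hand-written script free of transcription mistakes.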

#13
amywendlt

    Member

  • Topic Starter
  • Member
  • 45 posts
ComboFix 07-11-19.3 - Meat Lips 2007-11-21 19:41:59.4 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt.txt
* Created a new restore point

FILE
C:\Documents and Settings\Administrator\Application Data\Anti-Virus-Pro.com
C:\Documents and Settings\Administrator\smss.exe
C:\Program Files\ComPlus Applications\meqot4444.dll
C:\Program Files\ComPlus Applications\meqot83122.dll
C:\Program Files\microsoft frontpage\mexekisol77798.exe
C:\WINNT\afwvuhwz.dll
C:\WINNT\mm_tmp_gr.exe
C:\WINNT\mm_tmp_hr.exe
C:\WINNT\mm_tmp_r.exe
C:\WINNT\mmall.exe
C:\WINNT\mmbin.exe
C:\WINNT\mmbin3.exe
C:\WINNT\mmgr.exe
C:\WINNT\mmhr.exe
C:\WINNT\mmmspool.exe
C:\WINNT\SMBOLS~1\winword.exe
C:\WINNT\system32\5454545C585C5A6.exe
C:\WINNT\SYSTEM32\cryptnet32.dll
C:\WINNT\system32\ctfmona.exe
C:\WINNT\system32\drivers\smss.exe
C:\WINNT\system32\kldjbo.dll
C:\WINNT\system32\mljhigg.dll
C:\WINNT\system32\mljjhij.dll
C:\WINNT\system32\mstaskmgr.exe
C:\WINNT\system32\newmaxxsv234.exe
C:\WINNT\system32\spoolsvv.exe
C:\WINNT\system32\ssqoo.dll
C:\WINNT\system32\taskmon.sys
C:\WINNT\SYSTEM32\winmine.dll
C:\WINNT\system32\WinNB58.dll
C:\WINNT\taskmon.exe
C:\WINNT\winmine.dll
C:\wndpgfd.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\smss.exe
C:\Program Files\AntiVirusPro
C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream_0302021C.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream_0302021C_.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentMgr_03000F11.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\MTSDownloadSites.txt
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\VMgr.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\VMPVideo.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\VMPVideo2.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\WaveletReader.dll
C:\VundoFix Backups
C:\WINNT\afwvuhwz.dll
C:\WINNT\krmf
C:\WINNT\krmf\krmf.dat
C:\WINNT\krmf\wu
C:\WINNT\mm_tmp_gr.exe
C:\WINNT\mm_tmp_hr.exe
C:\WINNT\mm_tmp_r.exe
C:\WINNT\mmall.exe
C:\WINNT\mmbin.exe
C:\WINNT\mmbin3.exe
C:\WINNT\mmgr.exe
C:\WINNT\mmhr.exe
C:\WINNT\mmmspool.exe
C:\WINNT\RSBMaW1h
C:\WINNT\system32\5454545C585C5A6.exe
C:\WINNT\SYSTEM32\cryptnet32.dll
C:\WINNT\system32\drivers\npf.sys
C:\WINNT\system32\drivers\smss.exe
C:\WINNT\system32\FCFCFC050105030
C:\WINNT\system32\FCFCFC050105030\6565656D696D6B7
C:\WINNT\system32\mljhigg.dll
C:\WINNT\system32\mljjhij.dll
C:\WINNT\system32\rMa13yy
C:\WINNT\system32\rMa13yy\rMa13yy2218.exe
C:\WINNT\system32\taskmon.sys
C:\WINNT\taskmon.exe
C:\wndpgfd.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NPF
-------\LEGACY_TASKMON.SYS
-------\NPF
-------\taskmon.sys


((((((((((((((((((((((((( Files Created from 2007-10-22 to 2007-11-22 )))))))))))))))))))))))))))))))
.

2007-11-21 12:40 <DIR> d-------- C:\WINNT\ERUNT
2007-11-21 08:56 <DIR> d-------- C:\Program Files\Alwil Software
2007-11-20 21:06 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-19 20:44 <DIR> d-------- C:\Program Files\CCleaner
2007-11-17 21:55 14 --a------ C:\WINNT\system32\msguppi.dll
2007-11-17 20:51 5,120 --a------ C:\WINNT\system32\nnvapi.dll
2007-11-17 20:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Anti-Virus-Pro.com
2007-11-17 20:49 123,904 --a------ C:\Documents and Settings\All Users\Application Data\nvapp.exe
2007-11-17 20:47 <DIR> d-------- C:\WINNT\PerfInfo
2007-11-17 20:46 <DIR> d-------- C:\Temp
2007-11-17 19:35 <DIR> d-------- C:\Program Files\Common Files\krmf
2007-11-16 22:01 <DIR> d-------- C:\Program Files\PokerStars
2007-11-14 21:51 239,616 --a------ C:\WINNT\system32\wstrenderer.ax
2007-11-14 21:51 164,352 --a------ C:\WINNT\system32\wstpager.ax
2007-11-14 21:51 78,464 --------- C:\WINNT\system32\drivers\usbvideo.sys
2007-11-14 21:51 64,352 --------- C:\WINNT\system32\drivers\ativmc20.cod
2007-11-14 21:51 53,248 --a------ C:\WINNT\system32\vbicodec.ax
2007-11-14 21:51 9,728 --a------ C:\WINNT\system32\comsdupd.exe
2007-11-14 21:50 <DIR> d-------- C:\WINNT\provisioning
2007-11-14 21:50 <DIR> d-------- C:\WINNT\peernet
2007-11-14 21:50 1,888,992 --a------ C:\WINNT\system32\ati3duag.dll
2007-11-14 21:50 1,737,856 --a------ C:\WINNT\system32\mtxparhd.dll
2007-11-14 21:50 516,768 --a------ C:\WINNT\system32\ativvaxx.dll
2007-11-14 21:50 229,376 --a------ C:\WINNT\system32\ati2cqag.dll
2007-11-14 21:50 193,024 --a------ C:\WINNT\system32\fsquirt.exe
2007-11-14 21:50 129,536 --a------ C:\WINNT\system32\xmlprov.dll
2007-11-14 21:50 110,592 --a------ C:\WINNT\system32\bthprops.cpl
2007-11-14 21:50 86,016 --a------ C:\WINNT\system32\mdmxsdk.dll
2007-11-14 21:50 81,920 --a------ C:\WINNT\system32\ieencode.dll
2007-11-14 21:50 75,776 --a------ C:\WINNT\system32\strmfilt.dll
2007-11-14 21:50 60,416 --a------ C:\WINNT\system32\fwcfg.dll
2007-11-14 21:50 50,688 --a------ C:\WINNT\system32\btpanui.dll
2007-11-14 21:50 49,152 --a------ C:\WINNT\system32\powercfg.exe
2007-11-14 21:50 48,640 --a------ C:\WINNT\system32\pnrpnsp.dll
2007-11-14 21:50 44,032 --a------ C:\WINNT\system32\twext.dll
2007-11-14 21:50 32,768 --a------ C:\WINNT\system32\ativtmxx.dll
2007-11-14 21:50 30,208 --a------ C:\WINNT\system32\bthserv.dll
2007-11-14 21:50 25,471 --------- C:\WINNT\system32\drivers\watv10nt.sys
2007-11-14 21:50 22,271 --------- C:\WINNT\system32\drivers\watv06nt.sys
2007-11-14 21:50 20,992 --a------ C:\WINNT\system32\bthci.dll
2007-11-14 21:50 11,935 --------- C:\WINNT\system32\drivers\wadv11nt.sys
2007-11-14 21:50 11,871 --------- C:\WINNT\system32\drivers\wadv09nt.sys
2007-11-14 21:50 11,807 --------- C:\WINNT\system32\drivers\wadv07nt.sys
2007-11-14 21:50 11,325 --------- C:\WINNT\system32\drivers\vchnt5.dll
2007-11-14 21:50 11,295 --------- C:\WINNT\system32\drivers\wadv08nt.sys
2007-11-14 21:50 8,192 --a------ C:\WINNT\system32\smbinst.exe
2007-11-14 21:50 7,680 --a------ C:\WINNT\system32\kbdsmsno.dll
2007-11-14 21:50 7,680 --a------ C:\WINNT\system32\kbdsmsfi.dll
2007-11-14 21:50 7,168 --a------ C:\WINNT\system32\kbdukx.dll
2007-11-14 21:50 7,168 --a------ C:\WINNT\system32\kbdno1.dll
2007-11-14 21:50 7,168 --a------ C:\WINNT\system32\kbdfi1.dll
2007-11-14 21:50 6,656 --a------ C:\WINNT\system32\kbdinmal.dll
2007-11-14 21:50 6,656 --a------ C:\WINNT\system32\kbdinben.dll
2007-11-14 21:50 6,144 --a------ C:\WINNT\system32\kbdmlt48.dll
2007-11-14 21:50 6,144 --a------ C:\WINNT\system32\kbdmlt47.dll
2007-11-14 21:50 6,144 --a------ C:\WINNT\system32\kbdinbe1.dll
2007-11-14 21:50 5,632 --a------ C:\WINNT\system32\kbdmaori.dll
2007-11-13 18:11 96,768 --a------ C:\WINNT\system32\dpcdll.dll
2007-11-13 18:07 <DIR> d-------- C:\WINNT\ServicePackFiles
2007-11-13 18:07 <DIR> d-------- C:\WINNT\ehome
2007-11-13 18:07 1,677,312 --a------ C:\WINNT\system32\wmvcore2.dll
2007-11-13 18:07 1,057,760 --a------ C:\WINNT\system32\ati3d2ag.dll
2007-11-13 18:07 937,984 --a------ C:\WINNT\system32\winbrand.dll
2007-11-13 18:07 870,784 --a------ C:\WINNT\system32\ati3d1ag.dll
2007-11-13 18:07 377,984 --a------ C:\WINNT\system32\ati2dvaa.dll
2007-11-13 18:07 327,040 --------- C:\WINNT\system32\drivers\ati2mtaa.sys
2007-11-13 18:07 201,728 --a------ C:\WINNT\system32\ati2dvag.dll
2007-11-13 18:07 198,656 --a------ C:\WINNT\system32\gptext.dll
2007-11-13 18:07 186,368 --a------ C:\WINNT\system32\encdec.dll
2007-11-13 18:07 177,152 --a------ C:\WINNT\system32\msctfime.ime
2007-11-13 18:07 134,656 --a------ C:\WINNT\system32\mssap.dll
2007-11-13 18:07 121,856 --a------ C:\WINNT\system32\schtasks.exe
2007-11-13 18:07 119,808 --a------ C:\WINNT\system32\gpresult.exe
2007-11-13 18:07 32,768 --a------ C:\WINNT\system32\asr_pfu.exe
2007-11-13 18:07 26,624 --------- C:\WINNT\system32\drivers\usbehci.sys
2007-11-13 18:07 23,040 --a------ C:\WINNT\system32\ativmvxx.ax
2007-11-13 18:07 15,104 --------- C:\WINNT\system32\drivers\hidir.sys
2007-11-13 18:07 13,568 --------- C:\WINNT\system32\drivers\wacompen.sys
2007-11-13 18:07 12,672 --------- C:\WINNT\system32\drivers\mutohpen.sys
2007-11-13 18:07 9,728 --a------ C:\WINNT\system32\ativdaxx.ax
2007-11-13 18:07 7,168 --a------ C:\WINNT\system32\hccoin.dll
2007-11-13 18:05 549,888 --a------ C:\WINNT\system32\appwiz.cpl
2007-11-13 18:05 358,400 --a------ C:\WINNT\system32\inetcpl.cpl
2007-11-13 18:05 283,648 --a------ C:\WINNT\winhlp32.exe
2007-11-13 18:05 194,560 --a------ C:\WINNT\system32\certcli.dll
2007-11-13 18:05 150,016 --a------ C:\WINNT\system32\imapi.exe
2007-11-13 18:05 123,392 --a------ C:\WINNT\system32\input.dll
2007-11-13 18:05 114,688 --a------ C:\WINNT\system32\asctrls.ocx
2007-11-13 18:05 110,080 --a------ C:\WINNT\system32\imm32.dll
2007-11-13 18:05 100,352 --a------ C:\WINNT\system32\6to4svc.dll
2007-11-13 18:05 81,920 --a------ C:\WINNT\system32\ils.dll
2007-11-13 18:05 62,976 --a------ C:\WINNT\system32\iesetup.dll
2007-11-13 18:05 38,912 --a------ C:\WINNT\system32\cfgbkend.dll
2007-11-13 18:05 36,921 --a------ C:\WINNT\system32\imeshare.dll
2007-11-13 18:05 35,840 --a------ C:\WINNT\system32\imgutil.dll
2007-11-13 18:05 25,088 --a------ C:\WINNT\system32\at.exe
2007-11-13 18:05 23,040 --a------ C:\WINNT\system32\ersvc.dll
2007-11-13 18:05 16,384 --a------ C:\WINNT\system32\imaadp32.acm
2007-11-13 18:04 1,192,960 --a------ C:\WINNT\system32\mmcndmgr.dll
2007-11-13 18:04 956,990 --a------ C:\WINNT\system32\instcat.sql

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-21 20:54 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-20 04:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-18 03:37 --------- d-----w C:\Program Files\Full Tilt Poker
2007-11-17 00:37 --------- d-----w C:\Program Files\Bodog Poker
2007-11-15 23:48 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2007-11-13 04:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-07 07:38 --------- d-----w C:\Program Files\Azureus
2007-11-05 04:38 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2005-10-25 15:59 20,192 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2004-08-24 23:19 271 --sh--w C:\Program Files\desktop.ini
2004-08-24 23:19 21,952 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((( snapshot_2007-11-21_17.00.14.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-22 01:15:32 262,144 ----a-w C:\WINNT\system32\config\systemprofile\NtUser.dat
- 2007-11-21 21:31:20 5,632 ----a-w C:\WINNT\system32\nview32.dll
+ 2007-11-22 01:38:55 5,632 ----a-w C:\WINNT\system32\nview32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMainApp"="C:\Documents and Settings\All Users\Application Data\nvapp.exe" [2007-11-17 20:49]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" []
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2004-08-04 00:56]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2004-08-03 22:59]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk.disabled [2005-08-22 17:16:41]
Wireless-G Notebook Adapter with SpeedBooster Utility.lnk.disabled [2005-07-15 16:15:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet32]
cryptnet32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk.disabled
backup=C:\WINNT\pss\Microsoft Office.lnk.disabledCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk.disabled
backup=C:\WINNT\pss\WinZip Quick Pick.lnk.disabledCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 12:03 36975 --a------ C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"MSConfig"=C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"BDMCon"="C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe"

R2 NICSer_WPC54G;NICSer_WPC54G;C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINNT\System32\CBTNDIS5.SYS
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;\??\C:\WINNT\System32\NSNDIS5.SYS
S3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINNT\system32\DRIVERS\odysseyIM4.sys

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-21 19:56:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-21 19:58:52 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-21 17:09
C:\ComboFix3.txt ... 2007-11-12 18:58
.
--- E O F ---
  • 0

#14
amywendlt

    Member

  • Topic Starter
  • Member
  • 45 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:02:02 PM, on 11/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\atievxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\fixthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [NvMainApp] "C:\Documents and Settings\All Users\Application Data\nvapp.exe"
O4 - HKUS\S-1-5-19\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk.disabled
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.myspace.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: Yahoo! Cribbage - http://download.game...nts/y/it1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1194724659312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1195003667719
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{498C630D-9BAD-44DA-BBE0-034289F6E3CB}: NameServer = 68.87.76.178,68.87.78.130
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B19DE9E-6C88-4A13-A94C-73523E156B51}: NameServer = 68.87.76.178,
O17 - HKLM\System\CS1\Services\Tcpip\..\{498C630D-9BAD-44DA-BBE0-034289F6E3CB}: NameServer = 68.87.76.178,68.87.78.130
O17 - HKLM\System\CS2\Services\Tcpip\..\{498C630D-9BAD-44DA-BBE0-034289F6E3CB}: NameServer = 68.87.76.178,68.87.78.130
O21 - SSODL: YwgDrsLQFE - {48C2CA17-E268-60BD-2DD7-F4DE6DF767DD} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe

--
End of file - 6472 bytes
  • 0

#15
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please double click on Hijackthis and choose do a system scan only.
Then place a check mark next to these entries below:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O21 - SSODL: YwgDrsLQFE - {48C2CA17-E268-60BD-2DD7-F4DE6DF767DD} - (no file)


Now click on Fix Checked and then close Hijackthis.
=======================================
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
===============================================================
After that, please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
=============================
Also a new Hijackthis log.

Edited by kahdah, 21 November 2007 - 10:26 PM.

  • 0
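The entries kahdah picked out of the HijackThis log above follow two rules a helper applies by eye: an entry whose target is "(no file)" is a dead registry reference left behind after its DLL was removed, and an O15 Trusted Zone site the user never added is an adware leftover that lowers Internet Explorer's security for that domain. The script below, added here as an illustration and not code from the thread, from Geeks to Go or from HijackThis, applies those two rules to log lines. The sample log is constructed from a few of the lines posted above, and the USER_CONFIRMED_TRUSTED allowlist (treating www.myspace.com as a site the user added on purpose) is an assumption made for the example.

```python
"""Triage a HijackThis log: flag orphaned entries and unexpected Trusted Zone sites.

Example code (not from the thread or from HijackThis). It reproduces the two
rules a helper applied by hand: entries ending in "(no file)" are dead registry
references, and O15 Trusted Zone sites the user did not add deserve review.
"""
import re
from urllib.parse import urlsplit

# Constructed sample lines, modelled on the log posted above (not the full log).
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Local Page = C:\\windows\\system32\\blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.5.0_06\\bin\\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O15 - Trusted Zone: http://www.myspace.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O21 - SSODL: YwgDrsLQFE - {48C2CA17-E268-60BD-2DD7-F4DE6DF767DD} - (no file)
O23 - Service: NICSer_WPC54G - Unknown owner - C:\\Program Files\\Linksys\\Wireless-G Notebook Adapter\\NICServ.exe
"""

# Assumption for this example: the user confirms these Trusted Zone hosts as their own additions.
USER_CONFIRMED_TRUSTED = {"www.myspace.com"}

# HijackThis entry lines look like "O2 - BHO: ..." / "R3 - URLSearchHook: ...".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# O15 body: "Trusted Zone: http://host" with an optional " (HKLM)"/" (HKCU)" hive suffix.
TRUSTED_RE = re.compile(r"^Trusted Zone: (?P<url>\S+)(?: \((?P<hive>HKLM|HKCU)\))?$")


def parse_entries(log_text):
    """Yield (code, body, full_line) for every HijackThis entry line; other lines are skipped."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("code"), m.group("body"), line


def triage(log_text, confirmed_trusted=USER_CONFIRMED_TRUSTED):
    """Return a list of (reason, line) pairs that a helper would ask to have reviewed."""
    findings = []
    for code, body, line in parse_entries(log_text):
        # Rule 1: the referenced file is gone; the registry entry is an orphan.
        if body.endswith("- (no file)"):
            findings.append(("orphaned entry (target file missing)", line))
            continue
        # Rule 2: a Trusted Zone site the user did not knowingly add.
        if code == "O15":
            m = TRUSTED_RE.match(body)
            if m:
                host = urlsplit(m.group("url")).hostname or ""
                if host not in confirmed_trusted:
                    hive = m.group("hive") or "HKCU"
                    findings.append((f"unexpected Trusted Zone site ({hive})", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

Run against the sample it lists the three "(no file)" entries (R3, O2, O21) and the two HKLM Trusted Zone sites, which is exactly the set the helper asked to have fixed; the myspace entry is skipped only because the allowlist says so, which is the judgement call the script cannot make for you.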