Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

trojan horse bho.bis [RESOLVED]


  • This topic is locked This topic is locked

#1
compdummy

compdummy

    Member

  • Member
  • PipPip
  • 11 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:12 AM, on 2/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {4BBB5BBF-B79B-4635-94C3-9B5B629C3FC3} - C:\WINDOWS\system32\dmcompo.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {729427F8-D0E7-4FFF-963F-0217D193DF7f} - C:\WINDOWS\system32\pveijelq.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SRUUninstall] "C:\WINDOWS\system32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SRUUninstall] "C:\WINDOWS\system32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: &Search - ?p=ZNxmk572LVUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O16 - DPF: {98BFD494-F6AD-4794-9038-832C0654CC43} (AOL YGP UPF Ctrl) - http://pak04.picture...-US.9.2.4.0.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemreq...m/sysreqlab.cab
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: 4y1j82lpsrdecdr.dll.dll.dll.dll.dll.dll.dll C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: fcccbcy - fcccbcy.dll (file missing)
O20 - Winlogon Notify: ljjjklj - ljjjklj.dll (file missing)
O20 - Winlogon Notify: ssqrs - C:\WINDOWS\system32\ssqrs.dll (file missing)
O20 - Winlogon Notify: vtstq - C:\WINDOWS\system32\vtstq.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: dns cache reader (DNSCacheReader) - Unknown owner - C:\WINDOWS\system32\j4251531.exe (file missing)
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 8733 bytes



Active Disk
Ad-Aware SE Personal
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0.9
Adobe Stock Photos 1.0
Adobe® Photoshop® Album Starter Edition 3.0
AOL "You've Got Pictures" Picture Finder Plugin v9.2.4.0
AOL Uninstaller (Choose which Products to Remove)
AVG 7.5
AVG Anti-Spyware 7.5
Belkin 54g USB Network Adapter
Creative MediaSource
Flash Slideshow Maker Pro 4.02
GalleryPlayer Images
Game Elements PC Recoil Pad
Google Desktop
Google Toolbar for Firefox
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB926239)
Intel® Extreme Graphics 2 Driver
iTunes
J2SE Runtime Environment 5.0 Update 3
Jasc Paint Shop Pro 9
Jasc Paint Shop Pro 9 GDI+ Patch
Jasc Paint Shop Pro 9.01 Patch
LimeWire PRO 4.12.3
Macromedia Shockwave Player
Max Media Creator
MaxDrive PS2
Microsoft .NET Framework 2.0
Microsoft ActiveSync 4.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.12)
MP3 Player Utilities 2.22
MSN Music Assistant
Musicmatch® Jukebox
MySpaceIM
NotePadSync
Panda ActiveScan
Picture Package
QuickTime
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Sony USB Driver
Sound Blaster Audigy 2
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Starcraft
SUPERAntiSpyware Free Edition
System Requirements Lab
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Viewpoint Media Player
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086


SUPERAntiSpyware Scan Log
Generated 02/26/2008 at 10:59 PM

Application Version : 3.6.1000

Core Rules Database Version : 3409
Trace Rules Database Version: 1401

Scan type : Complete Scan
Total Scan Time : 03:28:11

Memory items scanned : 356
Memory threats detected : 0
Registry items scanned : 5642
Registry threats detected : 18
File items scanned : 89221
File threats detected : 41

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{15BEF7CD-A6E6-4446-8F2B-409EA7CF4D79}
HKCR\CLSID\{15BEF7CD-A6E6-4446-8F2B-409EA7CF4D79}
HKCR\CLSID\{15BEF7CD-A6E6-4446-8F2B-409EA7CF4D79}\InprocServer32
HKCR\CLSID\{15BEF7CD-A6E6-4446-8F2B-409EA7CF4D79}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\VTSTQ.DLL
HKLM\Software\Classes\CLSID\{58593602-73BE-450D-95BF-CAA2CD98D94D}
HKCR\CLSID\{58593602-73BE-450D-95BF-CAA2CD98D94D}
HKCR\CLSID\{58593602-73BE-450D-95BF-CAA2CD98D94D}\InprocServer32
HKCR\CLSID\{58593602-73BE-450D-95BF-CAA2CD98D94D}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\JKKJH.DLL
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\PDBHFEUB.DLL

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{2C3B62C4-AC6D-4A76-8475-C395946A1EA0}
HKCR\CLSID\{2C3B62C4-AC6D-4A76-8475-C395946A1EA0}
HKCR\CLSID\{2C3B62C4-AC6D-4A76-8475-C395946A1EA0}\InprocServer32
HKCR\CLSID\{2C3B62C4-AC6D-4A76-8475-C395946A1EA0}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\SSQRS.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\[email protected][3].txt

Adware.MovieLand/MediaPipe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaPipe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaPipe#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaPipe#UninstallString
HKCR\AppId\MediaPipe.EXE
HKCR\AppId\MediaPipe.EXE#AppID

Adware.180solutions/Seekmo
C:\Program Files\Seekmo Programs

Unclassified.PC MightyMax
HKU\S-1-5-21-839522115-963894560-682003330-1003\Software\PC MightyMax
C:\Program Files\PC MightyMax\lic.conf
C:\Program Files\PC MightyMax\lic.dat
C:\Program Files\PC MightyMax\pcdocrx.conf
C:\Program Files\PC MightyMax\tmp_res_x_101.tmp
C:\Program Files\PC MightyMax\tmp_res_x_102.tmp
C:\Program Files\PC MightyMax\tmp_res_x_103.tmp
C:\Program Files\PC MightyMax\tmp_res_x_104.tmp
C:\Program Files\PC MightyMax\tmp_res_x_105.tmp
C:\Program Files\PC MightyMax\tmp_res_x_106.tmp
C:\Program Files\PC MightyMax\tmp_res_x_107.tmp
C:\Program Files\PC MightyMax\tmp_res_x_108.tmp
C:\Program Files\PC MightyMax\tmp_res_x_109.tmp
C:\Program Files\PC MightyMax\tmp_res_x_110.tmp
C:\Program Files\PC MightyMax\tmp_res_x_111.tmp
C:\Program Files\PC MightyMax\tmp_res_x_112.tmp
C:\Program Files\PC MightyMax\tmp_res_x_113.tmp
C:\Program Files\PC MightyMax\tmp_res_x_114.tmp
C:\Program Files\PC MightyMax\tmp_res_x_115.tmp
C:\Program Files\PC MightyMax\tmp_res_x_116.tmp
C:\Program Files\PC MightyMax\tmp_res_x_117.tmp
C:\Program Files\PC MightyMax\tmp_res_x_118.tmp
C:\Program Files\PC MightyMax\tmp_res_x_119.tmp
C:\Program Files\PC MightyMax\tmp_res_x_120.tmp
C:\Program Files\PC MightyMax\tmp_res_x_121.tmp
C:\Program Files\PC MightyMax\tmp_res_x_122.tmp
C:\Program Files\PC MightyMax\tmp_res_x_123.tmp
C:\Program Files\PC MightyMax\tmp_res_x_124.tmp
C:\Program Files\PC MightyMax\tmp_res_x_125.tmp
C:\Program Files\PC MightyMax\undo
C:\Program Files\PC MightyMax

Spyware.Melkosoft (CoolWebSearch Variant)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F9C1719A-F217-4B15-AD8B-47BA1BECF865}\RP3\A0001021.DLL

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\GHKMP.BAK1
C:\WINDOWS\SYSTEM32\GHKMP.INI
C:\WINDOWS\SYSTEM32\HJKKJ.TMP
C:\WINDOWS\SYSTEM32\MCRH.TMP

Attached Files


Edited by rambro, 27 February 2008 - 09:53 AM.

  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Did Super Anti-Spyware remove all the threats found?

Print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should NOT have any open browsers when you are following the procedures below.

Download VundoFix at http://www.atribune..../click.php?id=4 and save it to your desktop.
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files. Click Yes.
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer. Click OK.
- Post the contents of C:\vundofix.txt here.

NOTE: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot. Simply follow the above instructions starting from Click the Scan for Vundo button when VundoFix appears upon rebooting.


Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL"


Save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad. Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.


Uninstall the following via the Add/Remove Panel (Start->Settings->Control Panel->Add/Remove Programs) if found:

PC MightyMax
Viewpoint Media Player


Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O2 - BHO: (no name) - {4BBB5BBF-B79B-4635-94C3-9B5B629C3FC3} - C:\WINDOWS\system32\dmcompo.dll
O2 - BHO: (no name) - {729427F8-D0E7-4FFF-963F-0217D193DF7f} - C:\WINDOWS\system32\pveijelq.dll (file missing)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: &Search - ?p=ZNxmk572LVUS
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: fcccbcy - fcccbcy.dll (file missing)
O20 - Winlogon Notify: ljjjklj - ljjjklj.dll (file missing)
O20 - Winlogon Notify: ssqrs - C:\WINDOWS\system32\ssqrs.dll (file missing)
O20 - Winlogon Notify: vtstq - C:\WINDOWS\system32\vtstq.dll (file missing)
O23 - Service: dns cache reader (DNSCacheReader) - Unknown owner - C:\WINDOWS\system32\j4251531.exe (file missing)

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

sc stop DNSCacheReader
sc delete DNSCacheReader
del delete.bat


Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\WINDOWS\system32\dmcompo.dll
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\winlogin.exe


Restart the computer.

1. Download combofix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.

Post a new HijackThis log here when ready.
  • 0

#3
compdummy

compdummy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Grey Knight,
Thanks for your help.. here are the reports as requested. The Vundo found nothing so there was no log
  • 0

#4
compdummy

compdummy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
omboFix 08-02-25.3 - Owner 2008-02-29 0:13:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.168 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\456B0XYF\ComboFix[1].exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\m.exe
C:\p.exe
C:\q.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\coxfcohdq_navps.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2008-01-28 to 2008-02-29 )))))))))))))))))))))))))))))))
.

2008-02-28 22:22 . 2008-02-28 22:22 <DIR> d-------- C:\VundoFix Backups
2008-02-27 07:54 . 2008-02-27 07:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-26 23:58 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-26 23:42 . 2008-02-27 01:22 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-26 23:42 . 2008-02-26 23:42 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-26 23:42 . 2008-02-26 23:42 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-26 23:42 . 2008-02-26 23:42 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-26 19:27 . 2008-02-26 19:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-26 19:26 . 2008-02-27 01:07 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-26 19:26 . 2008-02-26 19:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-26 19:26 . 2008-02-26 19:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-02-26 00:30 . 2008-02-26 00:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-02-26 00:19 . 2008-02-26 00:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-02-26 00:18 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-23 21:36 . 2008-02-23 21:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-02-23 18:26 . 2008-02-23 18:25 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-23 18:26 . 2008-02-23 18:26 2,541 --a------ C:\WINDOWS\unins000.dat
2008-02-13 14:23 . 2008-02-13 15:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-13 14:23 . 2008-02-13 14:23 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-08 15:16 . 2008-02-08 15:16 <DIR> d-------- C:\WINDOWS\OIS
2008-02-06 21:40 . 2008-02-06 21:40 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-29 04:55 --------- d-----w C:\Program Files\Viewpoint
2008-02-29 04:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-29 02:52 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-02-27 06:07 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-27 06:06 --------- d-----w C:\Program Files\QuickTime
2008-02-27 05:58 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-27 05:52 --------- d-----w C:\Program Files\Google
2008-02-26 05:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-25 21:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-25 19:41 --------- d-----w C:\Program Files\Samsung
2008-02-23 22:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-07 02:40 --------- d-----w C:\Program Files\Corel
2008-02-06 21:24 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-06-22 01:38 10,220 ----a-w C:\Documents and Settings\Owner\Application Data\ViewerApp.dat
2004-12-06 00:21 0 -csh--r C:\Program Files\q330994.exe
2004-12-06 00:21 0 -csh--r C:\WINDOWS\cvchost.exe
2004-12-06 00:21 0 -csh--r C:\WINDOWS\dl.exe
2004-12-06 00:21 0 -csh--r C:\WINDOWS\dlm.exe
2004-12-06 00:21 0 -csh--r C:\WINDOWS\msstasks.exe
2004-12-06 00:21 0 -csh--r C:\WINDOWS\mssys.com
2004-12-06 00:21 0 -csh--r C:\WINDOWS\mstasks1.exe
2004-12-06 00:21 0 -csh--r C:\WINDOWS\mstaskss.exe
2004-12-06 00:21 0 -csh--r C:\WINDOWS\ntldr.exe
2004-12-06 00:21 0 -csh--r C:\WINDOWS\rocky.exe
2004-12-06 00:21 0 -csh--r C:\WINDOWS\seksdialer.exe
2004-08-12 14:10 73,728 --sha-w C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
2004-12-06 00:21 0 -csh--r C:\WINDOWS\system\system.exe
2004-12-06 00:21 0 -csh--r C:\WINDOWS\system\wmscrop.exe
2007-08-06 02:59 1,205,040 --sha-w C:\WINDOWS\system32\cuukntgs.ini2
2007-09-11 21:20 7,720 --sha-w C:\WINDOWS\system32\ghkmp.bak2
2007-09-11 22:17 6,929 --sha-w C:\WINDOWS\system32\ghkmp.ini2
2004-12-06 00:21 0 -csha-r C:\WINDOWS\system32\jac.dll
2004-12-06 00:21 0 -csha-r C:\WINDOWS\system32\mcc.exe
2007-10-05 18:37 693,721 --sha-w C:\WINDOWS\system32\mrdrvxrb.ini2
2007-08-03 05:52 1,205,350 --sha-w C:\WINDOWS\system32\nmgthfuv.ini2
2007-06-09 22:32 1,808,519 --sha-w C:\WINDOWS\system32\qtstv.bak1
2007-06-10 01:17 1,817,826 --sha-w C:\WINDOWS\system32\qtstv.ini2
2007-06-10 02:10 1,808,675 --sha-w C:\WINDOWS\system32\srqss.bak1
2007-10-15 18:38 456,639 --sha-w C:\WINDOWS\system32\vyadd.bak1
2007-11-14 18:22 469,473 --sh--w C:\WINDOWS\system32\vyadd.bak2
2007-11-15 01:17 474,359 --sh--w C:\WINDOWS\system32\vyadd.ini2
2007-07-20 17:11 1,137,044 --sha-w C:\WINDOWS\system32\wfqiiows.ini2
.

------- Sigcheck -------

8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe
----a-w 14,336 2004-08-12 14:06:49 C:\WINDOWS\system32\svchost.exe
-c--a-w 14,336 2004-08-12 14:06:49 C:\WINDOWS\system32\dllcache\svchost.exe

2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll
----a-w 82,944 2004-08-12 14:10:27 C:\WINDOWS\system32\ws2_32.dll
-c--a-w 82,944 2004-08-12 14:10:27 C:\WINDOWS\system32\dllcache\ws2_32.dll

01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe
----a-w 502,272 2004-08-12 14:09:30 C:\WINDOWS\system32\winlogon.exe
-c--a-w 502,272 2004-08-12 14:09:30 C:\WINDOWS\system32\dllcache\winlogon.exe

558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys
-c--a-w 182,912 2004-08-12 14:01:38 C:\WINDOWS\system32\dllcache\ndis.sys
-c--a-w 182,912 2004-08-12 14:01:38 C:\WINDOWS\system32\drivers\ndis.sys

4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys
-c--a-w 29,056 2004-08-12 13:58:08 C:\WINDOWS\system32\dllcache\ip6fw.sys
----a-w 29,056 2004-08-12 13:58:08 C:\WINDOWS\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4BBB5BBF-B79B-4635-94C3-9B5B629C3FC3}]
2004-08-12 08:56 105983 --a------ C:\WINDOWS\system32\dmcompo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-12 22:24 68856]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 21:36 1207080]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 08:35 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 08:36 114688]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 08:32 77824]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-26 21:43 282624]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-16 09:39 579072]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"combofix"="C:\WINDOWS\system32\kmd.exe" [2004-08-12 08:56 388608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [ ]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 20:34 5419008]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 21:18 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="C:\WINDOWS\system32\msiexec.exe" [2005-03-21 14:00 78848]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"SFCDisable"=dword:00000004

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=4y1j82lpsrdecdr.dll.dll.dll.dll.dll.dll.dll C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
"LoadAppInit_DLLs"=1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^winlogin.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
backup=C:\WINDOWS\pss\winlogin.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 22:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADUserMon]
--a------ 2002-09-24 15:39 147456 C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-05-09 19:24 50760 C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
--a------ 2004-08-12 09:04 11776 C:\WINDOWS\system32\regsvr32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
--a------ 2002-09-30 01:00 45056 C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2003-02-20 17:45 28672 C:\WINDOWS\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--a------ 2002-10-29 09:18 49152 C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
--a------ 2004-04-15 03:32 270336 C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2004-08-13 01:05 122939 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-08-23 18:19 57344 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2007-05-12 22:25 1831424 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
C:\WINDOWS\system32\nghwonhb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-06-20 21:36 1207080 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-05-09 19:24 50760 C:\Program Files\Common Files\AOL\1139706769\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
--a------ 2006-02-17 11:59 124520 C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iPodManager]
C:\Program Files\iPod\bin\iPodManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-12-20 20:54 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2006-01-17 12:03 53248 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-05-29 20:34 5419008 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UWA7P_0001_N91M0809]
C:\DOCUME~1\Owner\LOCALS~1\Temp\install4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_OEM]
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2004-04-11 20:15 290816 C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-26 21:43 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RIMDeviceManager]
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SB Audigy 2 Startup Menu]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]
C:\WINDOWS\system32\scchk32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
C:\Program Files\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SemanticInsight]
C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-04-13 02:48 36975 C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-05-12 22:24 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2004-11-15 19:40 95456 C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-07 01:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 00:00 90112 C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
C:\Program Files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmfcbypo.exe]
C:\Documents and Settings\All Users\Application Data\vmfcbypo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SymWSC"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"ose"=3 (0x3)
"navapsvc"=3 (0x3)
"MDM"=2 (0x2)
"LexBceS"=2 (0x2)
"iPodService"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire 4.0.8\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1139706769\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1139706769\\ee\\aim6.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 noittukv;noittukv;C:\WINDOWS\system32\drivers\snkwevbj.sys []
S3 pfsvgae;pfsvgae;C:\DOCUME~1\Owner\LOCALS~1\Temp\pfsvgae.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbb48502-36a6-11d9-8ad4-0011114656b0}]
\Shell\AutoRun\command - LinksysConnectPC.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-29 00:20:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
.
**************************************************************************
.
Completion time: 2008-02-29 0:25:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-29 05:25:28
.
2008-02-23 22:19:59 --- E O F ---
ogfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:56:31 PM, on 2/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {4BBB5BBF-B79B-4635-94C3-9B5B629C3FC3} - C:\WINDOWS\system32\dmcompo.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {729427F8-D0E7-4FFF-963F-0217D193DF7f} - C:\WINDOWS\system32\pveijelq.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SRUUninstall] "C:\WINDOWS\system32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SRUUninstall] "C:\WINDOWS\system32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: &Search - ?p=ZNxmk572LVUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O16 - DPF: {98BFD494-F6AD-4794-9038-832C0654CC43} (AOL YGP UPF Ctrl) - http://pak04.picture...-US.9.2.4.0.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemreq...m/sysreqlab.cab
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: 4y1j82lpsrdecdr.dll.dll.dll.dll.dll.dll.dll C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: fcccbcy - fcccbcy.dll (file missing)
O20 - Winlogon Notify: ljjjklj - ljjjklj.dll (file missing)
O20 - Winlogon Notify: ssqrs - C:\WINDOWS\system32\ssqrs.dll (file missing)
O20 - Winlogon Notify: vtstq - C:\WINDOWS\system32\vtstq.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: dns cache reader (DNSCacheReader) - Unknown owner - C:\WINDOWS\system32\j4251531.exe (file missing)
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 8759 bytes
  • 0

#5
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Please post an updated HijackThis log. The one you posted was still the old one.
  • 0

#6
compdummy

compdummy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
ogfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:02:01 AM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {4BBB5BBF-B79B-4635-94C3-9B5B629C3FC3} - C:\WINDOWS\system32\dmcompo.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SRUUninstall] "C:\WINDOWS\system32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SRUUninstall] "C:\WINDOWS\system32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O16 - DPF: {98BFD494-F6AD-4794-9038-832C0654CC43} (AOL YGP UPF Ctrl) - http://pak04.picture...-US.9.2.4.0.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemreq...m/sysreqlab.cab
O20 - AppInit_DLLs: 4y1j82lpsrdecdr.dll.dll.dll.dll.dll.dll.dll C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 8035 bytes
THANKS
  • 0

#7
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Uninstall Viewpoint Media Player and RXToolbar via the Add/Remove panel if found. Also uninstall the Java version you have there and install the latest version at:

http://www.java.com/...load/manual.jsp

I recommend uninstalling Limewire....there is a adware file associated with it in your log.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

File::
C:\Program Files\q330994.exe
C:\WINDOWS\cvchost.exe
C:\WINDOWS\dl.exe
C:\WINDOWS\dlm.exe
C:\WINDOWS\msstasks.exe
C:\WINDOWS\mssys.com
C:\WINDOWS\mstasks1.exe
C:\WINDOWS\mstaskss.exe
C:\WINDOWS\ntldr.exe
C:\WINDOWS\rocky.exe
C:\WINDOWS\seksdialer.exe
C:\WINDOWS\system\system.exe
C:\WINDOWS\system\wmscrop.exe
C:\WINDOWS\system32\cuukntgs.ini2
C:\WINDOWS\system32\ghkmp.bak2
C:\WINDOWS\system32\ghkmp.ini2
C:\WINDOWS\system32\jac.dll
C:\WINDOWS\system32\mcc.exe
C:\WINDOWS\system32\mrdrvxrb.ini2
C:\WINDOWS\system32\nmgthfuv.ini2
C:\WINDOWS\system32\qtstv.bak1
C:\WINDOWS\system32\qtstv.ini2
C:\WINDOWS\system32\srqss.bak1
C:\WINDOWS\system32\vyadd.bak1
C:\WINDOWS\system32\vyadd.bak2
C:\WINDOWS\system32\vyadd.ini2
C:\WINDOWS\system32\wfqiiows.ini2
C:\WINDOWS\system32\dmcompo.dll
C:\WINDOWS\system32\nghwonhb.dll
C:\WINDOWS\system32\scchk32.exe
C:\Documents and Settings\All Users\Application Data\vmfcbypo.exe
C:\StubInstaller.exe
C:\WINDOWS\system32\drivers\snkwevbj.sys
C:\DOCUME~1\Owner\LOCALS~1\Temp\pfsvgae.sys

Folder::
C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\
C:\Program Files\RXToolBar\

Registry::
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4BBB5BBF-B79B-4635-94C3-9B5B629C3FC3}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UWA7P_0001_N91M0809]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SemanticInsight]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmfcbypo.exe]

Driver::
noittukv
pfsvgae
LEGACY_DOMAINSERVICE

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.


Note: Do not click on combofix's window while it's running. That may cause it to stall.

What's inside this folder -> C:\WINDOWS\OIS
  • 0

#8
compdummy

compdummy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
greyKnight,
Thanks I will do as u suggested. This is my teenage son and daughters computer.. I dont really use it. I will look in the folders and see whats there and delete limewire. I will post the logs as suggested. I cant thank you enough!!. I really appreciate you taking the time to help me with this
  • 0

#9
compdummy

compdummy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi GreyKnight,
I did not see the video player or rxtoolbar. windows folder ois was empty
Thanks
ComboFix 08-03-05.1 - Owner 2008-03-05 21:02:14.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.198 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\
C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\\System\$BackupData$
C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\\System\asferror.dll
C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\\System\custsat.dll
C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\\System\migrate.exe
C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\\System\mpvis.dll
C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\\System\unregmp2.exe
C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\\System\wmerror.dll
C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\\System\wmp.dll
C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\\System\wmpasf.dll
C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\\System\wmpband.dll
C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\\System\wmpdxm.dll
C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\\System\wmplayer.exe
C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\\System\wmploc.dll
C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\\System\wmpshell.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NOITTUKV
-------\LEGACY_PFSVGAE
-------\noittukv
-------\pfsvgae


((((((((((((((((((((((((( Files Created from 2008-02-06 to 2008-03-06 )))))))))))))))))))))))))))))))
.

2008-03-05 20:35 . 2008-03-05 20:35 279 --a------ C:\Shortcut to Local Disk ©.lnk
2008-02-28 22:22 . 2008-02-28 22:22 <DIR> d-------- C:\VundoFix Backups
2008-02-27 07:54 . 2008-02-27 07:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-26 23:58 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-26 23:42 . 2008-02-27 01:22 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-26 23:42 . 2008-02-26 23:42 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-26 23:42 . 2008-02-26 23:42 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-26 23:42 . 2008-02-26 23:42 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-26 19:27 . 2008-02-26 19:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-26 19:26 . 2008-02-29 11:27 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-26 19:26 . 2008-02-26 19:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-26 19:26 . 2008-02-26 19:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-02-26 00:30 . 2008-02-26 00:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-02-26 00:19 . 2008-02-26 00:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-02-26 00:18 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-23 21:36 . 2008-02-23 21:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-02-23 18:26 . 2008-02-23 18:25 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-23 18:26 . 2008-02-23 18:26 2,541 --a------ C:\WINDOWS\unins000.dat
2008-02-08 15:16 . 2008-02-08 15:16 <DIR> d-------- C:\WINDOWS\OIS
2008-02-06 21:40 . 2008-02-06 21:40 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-05 22:03 --------- d-----w C:\Program Files\LimeWire
2008-03-05 21:55 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-02-29 04:55 --------- d-----w C:\Program Files\Viewpoint
2008-02-29 04:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-27 06:07 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-27 06:06 --------- d-----w C:\Program Files\QuickTime
2008-02-27 05:58 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-27 05:52 --------- d-----w C:\Program Files\Google
2008-02-26 05:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-25 21:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-25 19:41 --------- d-----w C:\Program Files\Samsung
2008-02-23 22:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-07 02:40 --------- d-----w C:\Program Files\Corel
2008-02-06 21:24 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-06-22 01:38 10,220 ----a-w C:\Documents and Settings\Owner\Application Data\ViewerApp.dat
2004-12-06 00:21 0 -csh--r C:\Program Files\q330994.exe
2004-12-06 00:21 0 -csh--r C:\WINDOWS\cvchost.exe
2004-12-06 00:21 0 -csh--r C:\WINDOWS\dl.exe
2004-12-06 00:21 0 -csh--r C:\WINDOWS\dlm.exe
2004-12-06 00:21 0 -csh--r C:\WINDOWS\msstasks.exe
2004-12-06 00:21 0 -csh--r C:\WINDOWS\mssys.com
2004-12-06 00:21 0 -csh--r C:\WINDOWS\mstasks1.exe
2004-12-06 00:21 0 -csh--r C:\WINDOWS\mstaskss.exe
2004-12-06 00:21 0 -csh--r C:\WINDOWS\ntldr.exe
2004-12-06 00:21 0 -csh--r C:\WINDOWS\rocky.exe
2004-12-06 00:21 0 -csh--r C:\WINDOWS\seksdialer.exe
2004-12-06 00:21 0 -csh--r C:\WINDOWS\system\system.exe
2004-12-06 00:21 0 -csh--r C:\WINDOWS\system\wmscrop.exe
2007-08-06 02:59 1,205,040 --sha-w C:\WINDOWS\system32\cuukntgs.ini2
2007-09-11 21:20 7,720 --sha-w C:\WINDOWS\system32\ghkmp.bak2
2007-09-11 22:17 6,929 --sha-w C:\WINDOWS\system32\ghkmp.ini2
2004-12-06 00:21 0 -csha-r C:\WINDOWS\system32\jac.dll
2004-12-06 00:21 0 -csha-r C:\WINDOWS\system32\mcc.exe
2007-10-05 18:37 693,721 --sha-w C:\WINDOWS\system32\mrdrvxrb.ini2
2007-08-03 05:52 1,205,350 --sha-w C:\WINDOWS\system32\nmgthfuv.ini2
2007-06-09 22:32 1,808,519 --sha-w C:\WINDOWS\system32\qtstv.bak1
2007-06-10 01:17 1,817,826 --sha-w C:\WINDOWS\system32\qtstv.ini2
2007-06-10 02:10 1,808,675 --sha-w C:\WINDOWS\system32\srqss.bak1
2007-10-15 18:38 456,639 --sha-w C:\WINDOWS\system32\vyadd.bak1
2007-11-14 18:22 469,473 --sh--w C:\WINDOWS\system32\vyadd.bak2
2007-11-15 01:17 474,359 --sh--w C:\WINDOWS\system32\vyadd.ini2
2007-07-20 17:11 1,137,044 --sha-w C:\WINDOWS\system32\wfqiiows.ini2
.

------- Sigcheck -------

8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe
----a-w 14,336 2004-08-12 14:06:49 C:\WINDOWS\system32\svchost.exe
-c--a-w 14,336 2004-08-12 14:06:49 C:\WINDOWS\system32\dllcache\svchost.exe

2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll
----a-w 82,944 2004-08-12 14:10:27 C:\WINDOWS\system32\ws2_32.dll
-c--a-w 82,944 2004-08-12 14:10:27 C:\WINDOWS\system32\dllcache\ws2_32.dll

01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe
----a-w 502,272 2004-08-12 14:09:30 C:\WINDOWS\system32\winlogon.exe
-c--a-w 502,272 2004-08-12 14:09:30 C:\WINDOWS\system32\dllcache\winlogon.exe

558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys
-c--a-w 182,912 2004-08-12 14:01:38 C:\WINDOWS\system32\dllcache\ndis.sys
-c--a-w 182,912 2004-08-12 14:01:38 C:\WINDOWS\system32\drivers\ndis.sys

4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys
-c--a-w 29,056 2004-08-12 13:58:08 C:\WINDOWS\system32\dllcache\ip6fw.sys
----a-w 29,056 2004-08-12 13:58:08 C:\WINDOWS\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4BBB5BBF-B79B-4635-94C3-9B5B629C3FC3}]
2004-08-12 08:56 105983 --a------ C:\WINDOWS\system32\dmcompo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-12 22:24 68856]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 21:36 1207080]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 08:35 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 08:36 114688]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 08:32 77824]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-26 21:43 282624]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-16 09:39 579072]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe" [2004-09-28 20:26 32881]
"combofix"="C:\WINDOWS\system32\CF11185.exe" [2004-08-12 08:56 388608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [ ]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 20:34 5419008]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 21:18 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="C:\WINDOWS\system32\msiexec.exe" [2005-03-21 14:00 78848]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=4y1j82lpsrdecdr.dll.dll.dll.dll.dll.dll.dll C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^winlogin.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
backup=C:\WINDOWS\pss\winlogin.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 22:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADUserMon]
--a------ 2002-09-24 15:39 147456 C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-05-09 19:24 50760 C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
--a------ 2004-08-12 09:04 11776 C:\WINDOWS\system32\regsvr32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
--a------ 2002-09-30 01:00 45056 C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2003-02-20 17:45 28672 C:\WINDOWS\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--a------ 2002-10-29 09:18 49152 C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
--a------ 2004-04-15 03:32 270336 C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2004-08-13 01:05 122939 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-08-23 18:19 57344 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2007-05-12 22:25 1831424 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
C:\WINDOWS\system32\nghwonhb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-06-20 21:36 1207080 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-05-09 19:24 50760 C:\Program Files\Common Files\AOL\1139706769\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
--a------ 2006-02-17 11:59 124520 C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iPodManager]
C:\Program Files\iPod\bin\iPodManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-12-20 20:54 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2006-01-17 12:03 53248 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-05-29 20:34 5419008 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UWA7P_0001_N91M0809]
C:\DOCUME~1\Owner\LOCALS~1\Temp\install4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_OEM]
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2004-04-11 20:15 290816 C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-26 21:43 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RIMDeviceManager]
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SB Audigy 2 Startup Menu]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]
C:\WINDOWS\system32\scchk32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
C:\Program Files\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SemanticInsight]
C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-05-12 22:24 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2004-11-15 19:40 95456 C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-07 01:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 00:00 90112 C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
C:\Program Files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmfcbypo.exe]
C:\Documents and Settings\All Users\Application Data\vmfcbypo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SymWSC"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"ose"=3 (0x3)
"navapsvc"=3 (0x3)
"MDM"=2 (0x2)
"LexBceS"=2 (0x2)
"iPodService"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire 4.0.8\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1139706769\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1139706769\\ee\\aim6.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 noittukv;noittukv;C:\WINDOWS\system32\drivers\snkwevbj.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbb48502-36a6-11d9-8ad4-0011114656b0}]
\Shell\AutoRun\command - LinksysConnectPC.exe

*Newly Created Service* - NOITTUKV
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-05 21:09:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jucheck.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
.
**************************************************************************
.
Completion time: 2008-03-05 21:13:30 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-03-06 02:13:23
ComboFix2.txt 2008-03-06 01:49:47
ComboFix3.txt 2008-02-29 05:25:36
.
2008-02-23 22:19:59 --- E O F ---

Attached Files


  • 0

#10
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Let's try this again.....

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

File::
C:\Program Files\q330994.exe
C:\WINDOWS\cvchost.exe
C:\WINDOWS\dl.exe
C:\WINDOWS\dlm.exe
C:\WINDOWS\msstasks.exe
C:\WINDOWS\mssys.com
C:\WINDOWS\mstasks1.exe
C:\WINDOWS\mstaskss.exe
C:\WINDOWS\ntldr.exe
C:\WINDOWS\rocky.exe
C:\WINDOWS\seksdialer.exe
C:\WINDOWS\system\system.exe
C:\WINDOWS\system\wmscrop.exe
C:\WINDOWS\system32\cuukntgs.ini2
C:\WINDOWS\system32\ghkmp.bak2
C:\WINDOWS\system32\ghkmp.ini2
C:\WINDOWS\system32\jac.dll
C:\WINDOWS\system32\mcc.exe
C:\WINDOWS\system32\mrdrvxrb.ini2
C:\WINDOWS\system32\nmgthfuv.ini2
C:\WINDOWS\system32\qtstv.bak1
C:\WINDOWS\system32\qtstv.ini2
C:\WINDOWS\system32\srqss.bak1
C:\WINDOWS\system32\vyadd.bak1
C:\WINDOWS\system32\vyadd.bak2
C:\WINDOWS\system32\vyadd.ini2
C:\WINDOWS\system32\wfqiiows.ini2
C:\WINDOWS\system32\dmcompo.dll
C:\WINDOWS\system32\nghwonhb.dll
C:\WINDOWS\system32\scchk32.exe
C:\Documents and Settings\All Users\Application Data\vmfcbypo.exe
C:\StubInstaller.exe
C:\WINDOWS\system32\drivers\snkwevbj.sys
C:\DOCUME~1\Owner\LOCALS~1\Temp\pfsvgae.sys

Folder::
C:\Program Files\RXToolBar\
C:\WINDOWS\OIS

Registry::
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4BBB5BBF-B79B-4635-94C3-9B5B629C3FC3}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UWA7P_0001_N91M0809]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SemanticInsight]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmfcbypo.exe]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NOITTUKV]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LEGACY_NOITTUKV]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NOITTUKV]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LEGACY_NOITTUKV]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_NOITTUKV]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\LEGACY_NOITTUKV]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PFSVGAE]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LEGACY_PFSVGAE]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PFSVGAE]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LEGACY_PFSVGAE]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_PFSVGAE]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\LEGACY_PFSVGAE]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\noittukv]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\noittukv]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\noittukv]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\noittukv]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\noittukv]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\noittukv]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\pfsvgae]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pfsvgae]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\pfsvgae]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pfsvgae]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\pfsvgae]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\pfsvgae]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

Post a new HijackThis log here also.

Any improvement?
  • 0

Advertisements


#11
compdummy

compdummy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Grey Knight I hope I am doing this correctly.. Please pardon my ignorance..

Attached Files


  • 0

#12
compdummy

compdummy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
no improvement still getting the trojan message from avg
  • 0

#13
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Did you create the CFScript.txt file and then drag and drop that file into the Combofix tool? Doesn't look like it executed properly if you did. Try it again...
  • 0

#14
compdummy

compdummy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Greyknight,
I di as you suggested.. I hope I did it right.. I opened the notepad saved it as cfscript on my desktop,, draggged it into the combo fix icon and ran it.. here is the log.. thanks for your time.

Attached Files


  • 0

#15
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
This log looks much better now :)

Let's try one more run:

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

File::
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
C:\WINDOWS\pss\winlogin.exe
C:\WINDOWS\system32\dmcompo.dll

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^winlogin.exe]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{4BBB5BBF-B79B-4635-94C3-9B5B629C3FC3}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4BBB5BBF-B79B-4635-94C3-9B5B629C3FC3}]
[-HKEY_CLASSES_ROOT\CLSID\{4BBB5BBF-B79B-4635-94C3-9B5B629C3FC3}]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

Post a new HijackThis log here also along with a progress on the computer (any better?).
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP