geede.dll...urgent!


  • Please log in to reply

#1
Kelp
Scotty won't kill it, not even Security Task Manager (I'm using the free version).

What this spyware is doing to my computer is it makes everything (icons, etc.), excluding browsers, suddenly disappear from view when I'm surfing the net. Though when I press ctrl, alt, delete, the Task Manager comes up normally. But I can't make the Start Menu appear no matter how many times I press the button.

Kelp really needs help.

One more thing. I'm not sure about this, but is ssqolll.dll a spyware too?

Edited by Kelp, 08 March 2008 - 11:32 PM.


#2
Kelp
Erm, I've looked for threads similar to this and I've solved my spyware problem (or so I think; that Recovery Console stuff makes me feel uneasy). The mods may close or do anything to this thread.

Here are the logs...

HijackThis log #1:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57:37 PM, on 3/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\WINDOWS\system32\r_server.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
E:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
E:\Program Files\Messenger\msmsgs.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\PC Connectivity Solution\ServiceLayer.exe
E:\WINDOWS\explorer.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.citadel.com.ph/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.7:8080
O1 - Hosts: 127.58.223.166 drngsa.delta.com #ADDED BY F5 NETWORKS SSL TUNNEL - ORIGINAL RECORD#
O1 - Hosts: 127.58.223.166 drngsa #ADDED BY F5 NETWORKS SSL TUNNEL - ORIGINAL RECORD#
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [WinPatrol] E:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [PCSuiteTrayApplication] E:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Runonce] E:\WINDOWS\smss.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://E:\Program Files\ScanSoft\PDF Converter 3.0\IEShellExt.dll /100
O10 - Unknown file in Winsock LSP: e:\windows\system32\nwprovau.dll
O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} (LogMeIn Rescue Technician Console) - https://secure.logme...scueControl.cab
O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - https://si-connect.d...,2007,1001,2137
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://si-connect.d...llerControl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://si-connect.d...,2007,1001,2139
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://si-connect.d...,2007,1001,2136
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://si-connect.d...,2007,1001,2141
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://si-connect.d...,2007,1001,2140
O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - https://si-connect.d...,2007,1001,2143
O17 - HKLM\System\CCS\Services\Tcpip\..\{471494A2-CD2D-404C-AB88-DAD602D3A55A}: NameServer = 203.172.11.21,210.16.47.2
O20 - AppInit_DLLs: WIKI.DLL
O20 - Winlogon Notify: avgwlntf - E:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: fsp_lmwl - fsp_lmwl.dll (file missing)
O20 - Winlogon Notify: ssqolll - ssqolll.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - E:\WINDOWS\system32\r_server.exe
O23 - Service: ServiceLayer - Nokia. - E:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5974 bytes
ComboFix log:

ComboFix 08-03-08.2 - wfax 2008-03-09 12:43:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.462 [GMT 8:00]
Running from: E:\Documents and Settings\wfax\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\WINDOWS\Downloaded Program Files\x64
E:\WINDOWS\Downloaded Program Files\x64\racodec.ax
E:\WINDOWS\Downloaded Program Files\x86
E:\WINDOWS\Downloaded Program Files\x86\racodec.ax
E:\WINDOWS\pskt.ini
E:\WINDOWS\system32\edeeg.ini
E:\WINDOWS\system32\edeeg.ini2
E:\WINDOWS\system32\gahbxiel.dll
E:\WINDOWS\system32\geede.dll
E:\WINDOWS\system32\mcrh.tmp
E:\WINDOWS\system32\msssc.dll
E:\WINDOWS\system32\ssqolll.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\nm


((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.

2008-03-09 12:30 . 2008-03-09 12:30 <DIR> d-------- E:\Program Files\Trend Micro
2008-03-08 21:10 . 2008-03-08 21:16 <DIR> d-------- E:\Program Files\Security Task Manager
2008-03-08 21:10 . 2008-03-09 00:15 <DIR> d-------- E:\Documents and Settings\All Users.WINDOWS\Application Data\SecTaskMan
2008-03-07 23:01 . 2008-03-07 23:01 <DIR> d-------- E:\Documents and Settings\wfax\Application Data\PandoraRecovery
2008-03-07 21:15 . 2008-03-07 21:43 <DIR> d-------- E:\Program Files\New Folder
2008-03-07 20:20 . 2008-03-07 20:20 <DIR> d-------- E:\WINDOWS\Start Menu
2008-03-07 20:20 . 2008-03-07 20:20 <DIR> d-------- E:\WINDOWS\Favorites
2008-03-07 20:20 . 2008-03-07 21:15 <DIR> d---s---- E:\WINDOWS\Cookies
2008-03-07 20:20 . 2008-03-07 20:20 <DIR> d-------- E:\WINDOWS\Application Data
2008-03-06 20:17 . 2004-05-14 16:53 462,848 --a------ E:\WINDOWS\system32\ltkrn13n.dll
2008-03-06 20:17 . 2004-05-14 16:53 450,560 --a------ E:\WINDOWS\system32\ltimg13n.dll
2008-03-06 20:17 . 2004-05-14 16:53 401,408 --a------ E:\WINDOWS\system32\lfcmp13n.dll
2008-03-06 20:17 . 2004-05-14 16:53 299,008 --a------ E:\WINDOWS\system32\ltdis13n.dll
2008-03-06 20:17 . 2004-01-12 02:09 206,336 --a------ E:\WINDOWS\system32\ltefx13n.dll
2008-03-06 20:17 . 2004-05-14 16:53 163,840 --a------ E:\WINDOWS\system32\ltfil13n.dll
2008-03-06 20:17 . 2003-11-04 15:11 159,744 --a------ E:\WINDOWS\system32\lfpng13n.dll
2008-03-06 20:17 . 2003-11-04 15:10 69,632 --a------ E:\WINDOWS\system32\lfgif13n.dll
2008-03-06 20:17 . 2004-05-14 16:53 57,344 --a------ E:\WINDOWS\system32\lfbmp13n.dll
2008-03-04 09:05 . 2008-03-04 09:05 <DIR> d-------- E:\Program Files\BinaryBiz
2008-03-02 12:53 . 2008-03-02 12:53 54,156 --ah----- E:\WINDOWS\QTFont.qfn
2008-03-02 12:53 . 2008-03-02 12:53 1,409 --a------ E:\WINDOWS\QTFont.for
2008-03-01 10:52 . 2008-03-01 11:10 <DIR> d-------- E:\Program Files\Free FLV Converter
2008-03-01 10:51 . 2008-03-01 10:51 <DIR> d-------- E:\Program Files\FLV Converter
2008-02-29 21:26 . 2008-02-29 21:42 <DIR> d-------- E:\Program Files\DAZ Studio
2008-02-29 21:22 . 2008-02-29 21:22 <DIR> d-------- E:\Program Files\DAZ
2008-02-29 21:22 . 2008-02-29 21:22 <DIR> d-------- E:\Program Files\Common Files\DAZ
2008-02-26 06:22 . 2008-02-26 06:22 <DIR> d-------- E:\log
2008-02-26 06:14 . 2007-12-20 16:50 229,621 -rahs---- E:\Funny UST Scandal.avi.exe
2008-02-24 16:59 . 2008-02-24 16:59 <DIR> d-a------ E:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-02-23 20:40 . 2008-02-23 20:40 <DIR> d-------- E:\Program Files\GLOBEtrotter Software Inc
2008-02-23 20:34 . 2008-02-23 20:34 <DIR> d-------- E:\Program Files\Autodesk
2008-02-23 18:24 . 2008-02-23 18:24 <DIR> d-------- E:\Documents and Settings\wfax\Application Data\Nokia Multimedia Player
2008-02-23 17:45 . 2008-02-23 17:45 <DIR> d-------- E:\Documents and Settings\wfax\Application Data\Nero
2008-02-23 17:22 . 2008-02-23 17:22 <DIR> d-------- E:\Documents and Settings\All Users.WINDOWS\Application Data\Ahead
2008-02-20 17:27 . 2008-02-20 17:27 <DIR> d-------- E:\WINDOWS\VirtualEar
2008-02-14 20:37 . 2008-02-14 20:37 <DIR> d-------- E:\Documents and Settings\All Users.WINDOWS\Application Data\NFS Underground
2008-02-14 20:29 . 2008-02-14 20:29 <DIR> d-------- E:\Program Files\Common Files\DirectX
2008-02-11 22:08 . 2008-02-11 22:08 1,158 --a------ E:\WINDOWS\mozver.dat
2008-02-10 09:05 . 2008-02-10 09:05 0 --a------ E:\WINDOWS\nsreg.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-09 01:03 --------- d-----w E:\Documents and Settings\wfax\Application Data\AVG7
2008-03-08 16:11 --------- d-----w E:\Program Files\Paint Shop Pro 5
2008-03-07 06:01 --------- d-----w E:\Program Files\kidswp
2008-03-07 05:54 --------- d-----w E:\Program Files\3GP Player
2008-02-23 12:40 6,656 ----a-w E:\WINDOWS\system32\haspvdd.dll
2008-02-23 12:40 47,616 ----a-w E:\WINDOWS\system32\drivers\Haspnt.sys
2008-02-23 12:40 453,632 ----a-w E:\WINDOWS\system32\drivers\hardlock.sys
2008-02-23 12:40 264,704 ----a-w E:\WINDOWS\system32\hlvdd.dll
2008-02-23 09:22 --------- d-----w E:\Documents and Settings\wfax\Application Data\Ahead
2008-02-20 09:27 --------- d--h--w E:\Program Files\InstallShield Installation Information
2008-02-08 09:58 12,208 --sha-w E:\WINDOWS\system32\KGyGaAvL.sys
2008-02-03 00:00 --------- d-----w E:\Program Files\Task Killer
2008-02-02 07:56 --------- d-----w E:\Program Files\Common Files\Alias Shared
2008-02-02 07:53 --------- d-----w E:\Program Files\Common Files\Autodesk Shared
2008-01-27 12:44 --------- d-----w E:\Documents and Settings\wfax\Application Data\muvee Technologies
2008-01-27 12:01 --------- d-----w E:\Program Files\muvee Technologies
2008-01-27 12:01 --------- d-----w E:\Program Files\DivX
2008-01-27 12:01 --------- d-----w E:\Program Files\Common Files\muvee Technologies
2008-01-27 11:59 --------- d-----w E:\Documents and Settings\All Users.WINDOWS\Application Data\muvee Technologies
2008-01-27 11:58 --------- d-----w E:\Program Files\Common Files\InstallShield
2008-01-26 13:26 --------- d-----w E:\Program Files\The Rosetta Stone2
2008-01-26 13:04 --------- d-----w E:\Program Files\The Rosetta Stone
2008-01-26 13:03 --------- d-----w E:\Program Files\QuickTime
2008-01-26 13:02 --------- d-----w E:\Documents and Settings\All Users.WINDOWS\Application Data\QuickTime
2008-01-26 05:50 --------- d-----w E:\Program Files\Personal Voice Changer Driver
2008-01-26 05:49 --------- d-----w E:\Program Files\Fake Voice
2008-01-26 02:53 --------- d-----w E:\Documents and Settings\All Users.WINDOWS\Application Data\Aventail
2008-01-26 02:46 --------- d-----w E:\Documents and Settings\wfax\Application Data\Skype
2008-01-25 01:32 --------- d-----w E:\Program Files\Skype
2008-01-25 01:32 --------- d-----w E:\Documents and Settings\All Users.WINDOWS\Application Data\Skype
2008-01-22 11:02 17,627 ----a-w E:\Program Files\kidswp.zip
2008-01-14 04:24 --------- d-----w E:\Documents and Settings\wfax\Application Data\LogMeIn Rescue
2008-01-10 07:50 32,256 ----a-w E:\WINDOWS\system32\dzbryce6.dll
2008-01-10 07:50 180,224 ----a-w E:\WINDOWS\system32\dzwrapper.dll
2008-01-10 07:46 8,720,384 ----a-w E:\WINDOWS\system32\dzcore.dll
2008-01-10 07:46 65,536 ----a-w E:\WINDOWS\system32\dzcarrara.dll
2008-01-10 05:00 6,131,712 ----a-w E:\WINDOWS\system32\daz-qt-mt.dll
2008-01-10 05:00 1,785,856 ----a-w E:\WINDOWS\system32\daz-qsa.dll
2008-01-10 04:56 2,076,672 ----a-w E:\WINDOWS\system32\dz3delight.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="E:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24 1694208]
"ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:07 15360]
"Runonce"="E:\WINDOWS\smss.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="E:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe" [2006-07-20 21:38 230976]
"AVG7_CC"="E:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 12:16 579072]
"pdfFactory Dispatcher v2"="E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2006-04-06 09:40 499712]
"PCSuiteTrayApplication"="E:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="E:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-30 16:27 219136]
"Nokia.PCSync"="E:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-10-30 15:56 9216 E:\WINDOWS\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fsp_lmwl]
fsp_lmwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqolll]
ssqolll.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=WIKI.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"E:\\Program Files\\LimeWire\\LimeWire.exe"=
"E:\\Program Files\\PC-in-IE\\IEServer.exe"=
"E:\\Program Files\\PC-in-IE\\IEService.exe"=
"E:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"E:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"E:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"E:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"E:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 r_server;Remote Administrator Service;"E:\WINDOWS\system32\r_server.exe" /service []
R3 LMPC2;LMPC2;E:\WINDOWS\system32\drivers\LMPC2.sys [2003-05-31 12:09]
R3 tenCapture;tenCapture;E:\WINDOWS\system32\DRIVERS\tenCapture.sys [2007-04-21 22:15]
S3 StreamSurge;StreamSurge Driver (miniport);E:\WINDOWS\system32\DRIVERS\ss.sys [2005-06-17 13:48]
S4 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;E:\Program Files\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 14:18]
S4 msServerForm;ArGoSoft Mail Server;c:\Program Files\ArGo Software Design\Mail Server\mlsrvnt.exe [2006-08-14 11:09]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04dd443d-d6b1-11dc-bb37-e00cf9ce5da7}]
\Shell\AutoRun\command - SilentSoftech.exe
\Shell\explore\command - SilentSoftech.exe
\Shell\open\command - SilentSoftech.exe
\Shell\var1\command - SilentSoftech.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{641b5e12-b4f6-11db-884b-806d6172696f}]
\Shell\Autoplay\Command - smss.exe
\Shell\AutoRun\command - smss.exe
\Shell\Explore\Command - smss.exe
\Shell\Open\Command - smss.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 12:51:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
E:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\Program Files\PC Connectivity Solution\ServiceLayer.exe
E:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-03-09 12:54:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-09 04:54:18
HijackThis log #2:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57:37 PM, on 3/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\WINDOWS\system32\r_server.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
E:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
E:\Program Files\Messenger\msmsgs.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\PC Connectivity Solution\ServiceLayer.exe
E:\WINDOWS\explorer.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.citadel.com.ph/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.7:8080
O1 - Hosts: 127.58.223.166 drngsa.delta.com #ADDED BY F5 NETWORKS SSL TUNNEL - ORIGINAL RECORD#
O1 - Hosts: 127.58.223.166 drngsa #ADDED BY F5 NETWORKS SSL TUNNEL - ORIGINAL RECORD#
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [WinPatrol] E:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [PCSuiteTrayApplication] E:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Runonce] E:\WINDOWS\smss.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://E:\Program Files\ScanSoft\PDF Converter 3.0\IEShellExt.dll /100
O10 - Unknown file in Winsock LSP: e:\windows\system32\nwprovau.dll
O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} (LogMeIn Rescue Technician Console) - https://secure.logme...scueControl.cab
O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - https://si-connect.d...,2007,1001,2137
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://si-connect.d...llerControl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://si-connect.d...,2007,1001,2139
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://si-connect.d...,2007,1001,2136
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://si-connect.d...,2007,1001,2141
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://si-connect.d...,2007,1001,2140
O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - https://si-connect.d...,2007,1001,2143
O17 - HKLM\System\CCS\Services\Tcpip\..\{471494A2-CD2D-404C-AB88-DAD602D3A55A}: NameServer = 203.172.11.21,210.16.47.2
O20 - AppInit_DLLs: WIKI.DLL
O20 - Winlogon Notify: avgwlntf - E:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: fsp_lmwl - fsp_lmwl.dll (file missing)
O20 - Winlogon Notify: ssqolll - ssqolll.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - E:\WINDOWS\system32\r_server.exe
O23 - Service: ServiceLayer - Nokia. - E:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5974 bytes

Edited by Kelp, 08 March 2008 - 11:25 PM.
