Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Trojan [RESOLVED]

Started by joejobs , Mar 13 2008 10:46 AM

  • This topic is locked This topic is locked

#1
joejobs
Posted 13 March 2008 - 10:46 AM

joejobs

    Member

  • Member
  • PipPipPip
  • 215 posts
PLEASE HELP!!
I followed all the steps previous to posting a hijackthis log and my pc is still infected.
I constantly get a window prompting me to buy a product that will clean PC.
PLEASE HELP!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:09:56 PM, on 3/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...n&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.co...n...px&id=64855
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {29658207-F1E2-4DAD-A8DE-CAEDA9CFAC66} - C:\WINDOWS\system32\awtst.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {7ce1e092-61c0-fdb8-2124-9ee96ae23ae7} - {7ea32ea6-9ee9-4212-8bdf-0c16290e1ec7} - C:\WINDOWS\system32\jpydqifn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O2 - BHO: (no name) - {D1F0E831-8A3F-4EBE-8AC5-427DC723B36A} - C:\WINDOWS\system32\vtuvuss.dll (file missing)
O2 - BHO: (no name) - {D878649A-86F5-4651-AECF-7F5E1A1AB222} - C:\WINDOWS\system32\sstqq.dll
O2 - BHO: (no name) - {DD0C8A35-D598-447B-8FF8-13F39CF8B008} - C:\WINDOWS\system32\jkhff.dll (file missing)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [474865e2] rundll32.exe "C:\WINDOWS\system32\lfqqvscc.dll",b
O4 - HKLM\..\Run: [BM447b567e] Rundll32.exe "C:\WINDOWS\system32\fityhevb.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.co...UC/MsnPUpld.cab
O16 - DPF: {93EFDAB8-8800-4896-B428-76F943140E1B} (Setup Class) - http://www.consumeri...ple/dcainst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/...all/Crusher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: vtuvuss - vtuvuss.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9267 bytes

Edited by joejobs, 18 March 2008 - 11:09 AM.

  • 0

Advertisements

#2
Blade81
Posted 19 March 2008 - 10:57 AM

Blade81

    Member

  • Member
  • PipPipPip
  • 722 posts
  • MVP
Hi


1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here
  • 0

#3
joejobs
Posted 19 March 2008 - 06:27 PM

joejobs

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 215 posts
Hi,

Combofix:

ComboFix 08-03-18.1 - dos 2008-03-19 19:10:34.2 - NTFSx86
Running from: C:\Documents and Settings\dos\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\eastaxqe.ini
C:\WINDOWS\system32\eqxatsae.dll
C:\WINDOWS\system32\nkewfnma.dll
C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\qqtss.ini2
C:\WINDOWS\system32\yypjcgst.dll
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\Starware349
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\ebaykeyword.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\ebaykeyword.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\ebaysearch.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\ebaysearch.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\FindIt.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\FindItHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\findithotxp.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\finditxp.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\Highlight.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\HighlightHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\highlighthotxp.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\highlightxp.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\Reference.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\ReferenceHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\referencehotxp.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\referencexp.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\starware_toolbar_icon.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\Weather.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\weatherhotxp.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\weatherxp.png
C:\Documents and Settings\All Users\Application Data\Starware349\contexts\error.xml
C:\Documents and Settings\All Users\Application Data\Starware349\contexts\Related.xml
C:\Documents and Settings\All Users\Application Data\Starware349\contexts\Travel.xml
C:\Documents and Settings\All Users\Application Data\Starware349\images\walertXP.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\SimpleUpdate\ProductMessagingConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware349\SimpleUpdate\ProductMessagingConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware349\SimpleUpdate\SimpleUpdateConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware349\SimpleUpdate\SimpleUpdateConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware349\SimpleUpdate\TimerManagerConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware349\SimpleUpdate\TimerManagerConfig.xml.backup
C:\Documents and Settings\dos\Application Data\Starware349
C:\Documents and Settings\dos\Application Data\Starware349\BrowserSearch\BrowserSearch.xml
C:\Documents and Settings\dos\Application Data\Starware349\BrowserSearch\BrowserSearch.xml.backup
C:\Documents and Settings\dos\Application Data\Starware349\Configurator\Configurator.xml
C:\Documents and Settings\dos\Application Data\Starware349\Configurator\Configurator.xml.backup
C:\Documents and Settings\dos\Application Data\Starware349\EbayKeyword\EbayKeywordOptions.xml
C:\Documents and Settings\dos\Application Data\Starware349\EbayKeyword\EbayKeywordOptions.xml.backup
C:\Documents and Settings\dos\Application Data\Starware349\EbaySearch\EbaySearchOptions.xml
C:\Documents and Settings\dos\Application Data\Starware349\EbaySearch\EbaySearchOptions.xml.backup
C:\Documents and Settings\dos\Application Data\Starware349\ErrorSearch\ErrorSearchOptions.xml
C:\Documents and Settings\dos\Application Data\Starware349\ErrorSearch\ErrorSearchOptions.xml.backup
C:\Documents and Settings\dos\Application Data\Starware349\Games\GamesOptions.xml
C:\Documents and Settings\dos\Application Data\Starware349\Games\GamesOptions.xml.backup
C:\Documents and Settings\dos\Application Data\Starware349\Games\images\active\Games0.bmp
C:\Documents and Settings\dos\Application Data\Starware349\HoroscopesMarketingSitePager\HoroscopesMarketingSitePagerOptions.xml
C:\Documents and Settings\dos\Application Data\Starware349\HoroscopesMarketingSitePager\HoroscopesMarketingSitePagerOptions.xml.backup
C:\Documents and Settings\dos\Application Data\Starware349\HoroscopesMarketingSitePager\images\active\HoroscopesMarketingSitePager0.bmp
C:\Documents and Settings\dos\Application Data\Starware349\Layouts\ToolbarLayout.xml
C:\Documents and Settings\dos\Application Data\Starware349\Layouts\ToolbarLayout.xml.backup
C:\Documents and Settings\dos\Application Data\Starware349\Manager\ManagerOptions.xml
C:\Documents and Settings\dos\Application Data\Starware349\Manager\ManagerOptions.xml.backup
C:\Documents and Settings\dos\Application Data\Starware349\Movies\images\active\Movies0.bmp
C:\Documents and Settings\dos\Application Data\Starware349\Movies\MoviesOptions.xml
C:\Documents and Settings\dos\Application Data\Starware349\Movies\MoviesOptions.xml.backup
C:\Documents and Settings\dos\Application Data\Starware349\Reference\ReferenceOptions.xml
C:\Documents and Settings\dos\Application Data\Starware349\Reference\ReferenceOptions.xml.backup
C:\Documents and Settings\dos\Application Data\Starware349\RelatedSearch\RelatedSearchOptions.xml
C:\Documents and Settings\dos\Application Data\Starware349\RelatedSearch\RelatedSearchOptions.xml.backup
C:\Documents and Settings\dos\Application Data\Starware349\ScreensaversMarketingSitePager\images\active\ScreensaversMarketingSitePager0.bmp
C:\Documents and Settings\dos\Application Data\Starware349\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
C:\Documents and Settings\dos\Application Data\Starware349\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
C:\Documents and Settings\dos\Application Data\Starware349\Toolbar\TBProductsOptions.xml
C:\Documents and Settings\dos\Application Data\Starware349\Toolbar\TBProductsOptions.xml.backup
C:\Documents and Settings\dos\Application Data\Starware349\ToolbarLogo\ToolbarLogoOptions.xml
C:\Documents and Settings\dos\Application Data\Starware349\ToolbarLogo\ToolbarLogoOptions.xml.backup
C:\Documents and Settings\dos\Application Data\Starware349\ToolbarSearch\ToolbarSearchOptions.xml
C:\Documents and Settings\dos\Application Data\Starware349\ToolbarSearch\ToolbarSearchOptions.xml.backup
C:\Documents and Settings\dos\Application Data\Starware349\TravelSearch\TravelSearchOptions.xml
C:\Documents and Settings\dos\Application Data\Starware349\TravelSearch\TravelSearchOptions.xml.backup
C:\Documents and Settings\dos\Application Data\Starware349\Weather\AlertArchive.xml
C:\Documents and Settings\dos\Application Data\Starware349\Weather\WeatherOptions.xml
C:\Documents and Settings\dos\Application Data\Starware349\Weather\WeatherOptions.xml.backup
C:\Documents and Settings\Marzia\Application Data\Starware349
C:\Documents and Settings\Marzia\Application Data\Starware349\BrowserSearch\BrowserSearch.xml
C:\Documents and Settings\Marzia\Application Data\Starware349\BrowserSearch\BrowserSearch.xml.backup
C:\Documents and Settings\Marzia\Application Data\Starware349\Configurator\Configurator.xml
C:\Documents and Settings\Marzia\Application Data\Starware349\Configurator\Configurator.xml.backup
C:\Documents and Settings\Marzia\Application Data\Starware349\EbayKeyword\EbayKeywordOptions.xml
C:\Documents and Settings\Marzia\Application Data\Starware349\EbayKeyword\EbayKeywordOptions.xml.backup
C:\Documents and Settings\Marzia\Application Data\Starware349\EbaySearch\EbaySearchOptions.xml
C:\Documents and Settings\Marzia\Application Data\Starware349\EbaySearch\EbaySearchOptions.xml.backup
C:\Documents and Settings\Marzia\Application Data\Starware349\ErrorSearch\ErrorSearchOptions.xml
C:\Documents and Settings\Marzia\Application Data\Starware349\ErrorSearch\ErrorSearchOptions.xml.backup
C:\Documents and Settings\Marzia\Application Data\Starware349\Games\GamesOptions.xml
C:\Documents and Settings\Marzia\Application Data\Starware349\Games\GamesOptions.xml.backup
C:\Documents and Settings\Marzia\Application Data\Starware349\Games\images\active\Games0.bmp
C:\Documents and Settings\Marzia\Application Data\Starware349\HoroscopesMarketingSitePager\HoroscopesMarketingSitePagerOptions.xml
C:\Documents and Settings\Marzia\Application Data\Starware349\HoroscopesMarketingSitePager\HoroscopesMarketingSitePagerOptions.xml.backup
C:\Documents and Settings\Marzia\Application Data\Starware349\HoroscopesMarketingSitePager\images\active\HoroscopesMarketingSitePager0.bmp
C:\Documents and Settings\Marzia\Application Data\Starware349\Layouts\ToolbarLayout.xml
C:\Documents and Settings\Marzia\Application Data\Starware349\Layouts\ToolbarLayout.xml.backup
C:\Documents and Settings\Marzia\Application Data\Starware349\Manager\ManagerOptions.xml
C:\Documents and Settings\Marzia\Application Data\Starware349\Manager\ManagerOptions.xml.backup
C:\Documents and Settings\Marzia\Application Data\Starware349\Movies\images\active\Movies0.bmp
C:\Documents and Settings\Marzia\Application Data\Starware349\Movies\MoviesOptions.xml
C:\Documents and Settings\Marzia\Application Data\Starware349\Movies\MoviesOptions.xml.backup
C:\Documents and Settings\Marzia\Application Data\Starware349\Reference\ReferenceOptions.xml
C:\Documents and Settings\Marzia\Application Data\Starware349\Reference\ReferenceOptions.xml.backup
C:\Documents and Settings\Marzia\Application Data\Starware349\RelatedSearch\RelatedSearchOptions.xml
C:\Documents and Settings\Marzia\Application Data\Starware349\RelatedSearch\RelatedSearchOptions.xml.backup
C:\Documents and Settings\Marzia\Application Data\Starware349\ScreensaversMarketingSitePager\images\active\ScreensaversMarketingSitePager0.bmp
C:\Documents and Settings\Marzia\Application Data\Starware349\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
C:\Documents and Settings\Marzia\Application Data\Starware349\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
C:\Documents and Settings\Marzia\Application Data\Starware349\Toolbar\TBProductsOptions.xml
C:\Documents and Settings\Marzia\Application Data\Starware349\Toolbar\TBProductsOptions.xml.backup
C:\Documents and Settings\Marzia\Application Data\Starware349\ToolbarLogo\ToolbarLogoOptions.xml
C:\Documents and Settings\Marzia\Application Data\Starware349\ToolbarLogo\ToolbarLogoOptions.xml.backup
C:\Documents and Settings\Marzia\Application Data\Starware349\ToolbarSearch\ToolbarSearchOptions.xml
C:\Documents and Settings\Marzia\Application Data\Starware349\ToolbarSearch\ToolbarSearchOptions.xml.backup
C:\Documents and Settings\Marzia\Application Data\Starware349\TravelSearch\TravelSearchOptions.xml
C:\Documents and Settings\Marzia\Application Data\Starware349\TravelSearch\TravelSearchOptions.xml.backup
C:\Documents and Settings\Marzia\Application Data\Starware349\Weather\AlertArchive.xml
C:\Documents and Settings\Marzia\Application Data\Starware349\Weather\WeatherOptions.xml
C:\Documents and Settings\Marzia\Application Data\Starware349\Weather\WeatherOptions.xml.backup
C:\Program Files\Starware349
C:\Program Files\Starware349\brand.bmp
C:\Program Files\Starware349\icons\star_16.ico
C:\Program Files\Starware349\Starware349Config.xml
C:\Program Files\Starware349\Starware349Uninstall.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\btnceqen.dll
C:\WINDOWS\system32\ccsvqqfl.ini
C:\WINDOWS\system32\fityhevb.dll
C:\WINDOWS\system32\hwgoknam.dll
C:\WINDOWS\system32\ivasemma.dll
C:\WINDOWS\system32\jpydqifn.dll
C:\WINDOWS\system32\lfqqvscc.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mynajtja.dll
C:\WINDOWS\system32\neqecntb.ini
C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\qqtss.ini2
C:\WINDOWS\system32\whnekabf.dll
C:\WINDOWS\system32\yfdbnwja.dll
C:\WINDOWS\system32\yocbgstq.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-19 to 2008-03-19 )))))))))))))))))))))))))))))))
.

2008-03-16 20:52 . 2008-03-17 12:39 1,366,983 ---hs---- C:\WINDOWS\system32\kbtrxlnx.ini
2008-03-16 20:47 . 2008-03-16 20:47 <DIR> d-------- C:\Documents and Settings\Marzia\Application Data\Leadertech
2008-03-16 15:37 . 2008-03-16 19:40 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-16 15:37 . 2008-03-16 15:54 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-16 15:37 . 2008-03-16 15:54 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-16 15:37 . 2008-03-16 15:54 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-16 11:50 . 2008-03-16 11:50 <DIR> d-------- C:\Documents and Settings\dos\Application Data\Grisoft
2008-03-16 11:50 . 2008-03-16 11:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-16 11:50 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-15 12:27 . 2008-03-17 15:36 1,359,187 ---hs---- C:\WINDOWS\system32\totnvgcr.ini
2008-03-15 11:18 . 2008-03-15 11:33 1,367,532 ---hs---- C:\WINDOWS\system32\cpxqyhqg.ini
2008-03-15 10:25 . 2008-03-15 10:25 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-15 10:17 . 2008-03-15 10:27 1,367,517 ---hs---- C:\WINDOWS\system32\qabnsjvy.ini
2008-03-15 10:16 . 2008-03-15 10:16 1,367,283 ---hs---- C:\WINDOWS\system32\xjtvplsl.ini
2008-03-14 14:57 . 2008-03-14 14:57 1,367,223 ---hs---- C:\WINDOWS\system32\bsmnbigm.ini
2008-03-14 14:51 . 2008-03-14 14:52 1,367,163 ---hs---- C:\WINDOWS\system32\pgxgdiyt.ini
2008-03-14 13:40 . 2008-03-14 13:40 1,367,103 ---hs---- C:\WINDOWS\system32\rgncibbg.ini
2008-03-14 12:51 . 2008-03-14 12:51 1,367,043 ---hs---- C:\WINDOWS\system32\caoomhty.ini
2008-03-11 09:03 . 2004-01-02 10:18 1,315,602 --ahsc--- C:\WINDOWS\system32\axtdksbv.ini
2008-03-07 11:02 . 2008-03-07 11:02 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-05 11:02 . 2007-07-30 20:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-05 11:02 . 2007-07-30 20:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-05 11:02 . 2007-07-30 20:19 30,072 --a--c--- C:\WINDOWS\system32\mucltui.dll.mui
2008-03-04 11:00 . 2008-03-04 11:02 <DIR> d-------- C:\Program Files\Windows Live
2008-03-04 11:00 . 2008-03-04 11:01 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-04 10:59 . 2004-01-01 18:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-19 23:14 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-17 00:47 --------- d-----w C:\Documents and Settings\Marzia\Application Data\Sonic
2008-03-16 22:59 --------- d-----w C:\Program Files\Google
2008-03-16 22:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-17 21:17 --------- d-----w C:\Program Files\America Online 9.0
2008-02-12 16:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-02-11 15:56 --------- d-----w C:\Documents and Settings\dos\Application Data\Skype
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29658207-F1E2-4DAD-A8DE-CAEDA9CFAC66}]
C:\WINDOWS\system32\awtst.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4923E9E-8BC3-4486-A24A-3EFCFDA2755C}]
2004-03-11 20:59 315536 --a------ C:\WINDOWS\system32\sstqq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DD0C8A35-D598-447B-8FF8-13F39CF8B008}]
C:\WINDOWS\system32\jkhff.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 13:16 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-06-17 16:48 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-06-17 16:43 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvuss]
vtuvuss.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\sstqq.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 05:25 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\474865e2]
--a------ 2004-01-01 01:04 86080 C:\WINDOWS\system32\hygvrqrl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
--a--c--- 2004-10-18 17:42 79448 C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
--a--c--- 2004-04-07 13:07 496752 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM447b567e]
--a------ 2004-01-01 01:03 90176 C:\WINDOWS\system32\loymleah.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a--c--- 2004-06-09 20:31 66680 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
--a--c--- 2004-10-13 21:34 229438 C:\Program Files\HPQ\Default Settings\cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 04:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
--a--c--- 2004-09-17 20:19 290816 C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-06-17 16:43 118784 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-06-17 16:48 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2007-07-31 18:44 271672 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2007-04-12 02:43 1661304 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-10-18 12:34 5724184 C:\Program Files\Windows Live\Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
--a--c--- 2004-08-24 16:09 99480 C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2007-06-29 06:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a--c--- 2007-01-17 10:26 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Remote Terminal Task]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu2000201.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-27 13:16 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a--c--- 2004-10-05 12:24 688218 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a--c--- 2004-10-05 12:25 98394 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a--c--- 2003-08-19 05:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a--c--- 2004-08-02 19:36 124232 C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
--a--c--- 2006-04-07 15:02 1343488 C:\PROGRA~1\AWS\WEATHE~1\Weather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Messenger\\Msmsgs.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5ad6beb9-1776-11dc-b4cc-00038a000015}]
\Shell\Auto\command - E:\adp.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL adp.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-07 21:22:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-19 15:43:18 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-03-19 03:45:59 C:\WINDOWS\Tasks\User_Feed_Synchronization-{581676B0-F3B3-4DA5-BBA9-A3C306DC38E8}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-19 19:19:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
.
**************************************************************************
.
Completion time: 2008-03-19 19:23:00 - machine was rebooted [dos]
ComboFix-quarantined-files.txt 2008-03-19 23:22:50
.
2008-03-15 14:25:29 --- E O F ---


Hijackthis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:23:55 PM, on 3/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.co...n...px&id=64855
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {29658207-F1E2-4DAD-A8DE-CAEDA9CFAC66} - C:\WINDOWS\system32\awtst.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O2 - BHO: (no name) - {D4923E9E-8BC3-4486-A24A-3EFCFDA2755C} - C:\WINDOWS\system32\sstqq.dll
O2 - BHO: (no name) - {DD0C8A35-D598-447B-8FF8-13F39CF8B008} - C:\WINDOWS\system32\jkhff.dll (file missing)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.co...UC/MsnPUpld.cab
O16 - DPF: {93EFDAB8-8800-4896-B428-76F943140E1B} (Setup Class) - http://www.consumeri...ple/dcainst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/...all/Crusher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: vtuvuss - vtuvuss.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8570 bytes


THANKS.
  • 0

#4
Blade81
Posted 20 March 2008 - 03:49 PM

Blade81

    Member

  • Member
  • PipPipPip
  • 722 posts
  • MVP
Hi


Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\kbtrxlnx.ini
C:\WINDOWS\system32\totnvgcr.ini
C:\WINDOWS\system32\cpxqyhqg.ini
C:\WINDOWS\system32\qabnsjvy.ini
C:\WINDOWS\system32\xjtvplsl.ini
C:\WINDOWS\system32\bsmnbigm.ini
C:\WINDOWS\system32\pgxgdiyt.ini
C:\WINDOWS\system32\rgncibbg.ini
C:\WINDOWS\system32\caoomhty.ini
C:\WINDOWS\system32\axtdksbv.ini
C:\WINDOWS\system32\hygvrqrl.dll
C:\WINDOWS\system32\loymleah.dll
C:\WINDOWS\mrofinu2000201.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29658207-F1E2-4DAD-A8DE-CAEDA9CFAC66}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4923E9E-8BC3-4486-A24A-3EFCFDA2755C}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DD0C8A35-D598-447B-8FF8-13F39CF8B008}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvuss]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages=hex(7):6d,73,76,31,5f,30,00,00

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\474865e2]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM447b567e]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5ad6beb9-1776-11dc-b4cc-00038a000015}]


Save this as
CFScript


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



Please run an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings and select the following:

Scan using the following Anti-Virus database:

  • Extended (If available, otherwise Standard)

Scan Options:

  • Scan Archives
  • Scan Mail Bases
  • Click OK.
  • Under
    select a target to scan
    , select My Computer.
  • The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.
Once the scan is complete:
  • Click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information into your next post if the AV content will fit into one post only. Post a fresh hjt log too.


Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

If having a problme doing the above

Make sure that your Internet security settings are set to default values.

To set default security settings for Internet Explorer:

* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four item (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.


Summary of logs to be posted:
-Combofix resultant log
-Kaspersky report
-a fresh hjt log.
  • 0

#5
joejobs
Posted 22 March 2008 - 07:23 PM

joejobs

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 215 posts
ComboFix 08-03-18.1 - dos 2008-03-22 20:10:19.3 - NTFSx86
Running from: C:\Documents and Settings\dos\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\dos\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\mrofinu2000201.exe
C:\WINDOWS\system32\axtdksbv.ini
C:\WINDOWS\system32\bsmnbigm.ini
C:\WINDOWS\system32\caoomhty.ini
C:\WINDOWS\system32\cpxqyhqg.ini
C:\WINDOWS\system32\hygvrqrl.dll
C:\WINDOWS\system32\kbtrxlnx.ini
C:\WINDOWS\system32\loymleah.dll
C:\WINDOWS\system32\pgxgdiyt.ini
C:\WINDOWS\system32\qabnsjvy.ini
C:\WINDOWS\system32\rgncibbg.ini
C:\WINDOWS\system32\totnvgcr.ini
C:\WINDOWS\system32\xjtvplsl.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\axtdksbv.ini
C:\WINDOWS\system32\bsmnbigm.ini
C:\WINDOWS\system32\caoomhty.ini
C:\WINDOWS\system32\cpxqyhqg.ini
C:\WINDOWS\system32\hygvrqrl.dll
C:\WINDOWS\system32\kbtrxlnx.ini
C:\WINDOWS\system32\loymleah.dll
C:\WINDOWS\system32\pgxgdiyt.ini
C:\WINDOWS\system32\qabnsjvy.ini
C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\qqtss.ini2
C:\WINDOWS\system32\rgncibbg.ini
C:\WINDOWS\system32\totnvgcr.ini
C:\WINDOWS\system32\xjtvplsl.ini

.
((((((((((((((((((((((((( Files Created from 2008-02-23 to 2008-03-23 )))))))))))))))))))))))))))))))
.

2008-03-16 20:47 . 2008-03-16 20:47 <DIR> d-------- C:\Documents and Settings\Marzia\Application Data\Leadertech
2008-03-16 15:37 . 2008-03-16 19:40 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-16 15:37 . 2008-03-16 15:54 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-16 15:37 . 2008-03-16 15:54 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-16 15:37 . 2008-03-16 15:54 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-16 11:50 . 2008-03-16 11:50 <DIR> d-------- C:\Documents and Settings\dos\Application Data\Grisoft
2008-03-16 11:50 . 2008-03-16 11:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-16 11:50 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-15 10:25 . 2008-03-15 10:25 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-07 11:02 . 2008-03-07 11:02 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-05 11:02 . 2007-07-30 20:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-05 11:02 . 2007-07-30 20:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-05 11:02 . 2007-07-30 20:19 30,072 --a--c--- C:\WINDOWS\system32\mucltui.dll.mui
2008-03-04 11:00 . 2008-03-04 11:02 <DIR> d-------- C:\Program Files\Windows Live
2008-03-04 11:00 . 2008-03-04 11:01 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-04 10:59 . 2004-01-01 18:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-23 00:14 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-17 00:47 --------- d-----w C:\Documents and Settings\Marzia\Application Data\Sonic
2008-03-16 22:59 --------- d-----w C:\Program Files\Google
2008-03-16 22:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-17 21:17 --------- d-----w C:\Program Files\America Online 9.0
2008-02-12 16:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-02-11 15:56 --------- d-----w C:\Documents and Settings\dos\Application Data\Skype
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFEDD407-94D7-4310-9717-F0E5CF32AE7C}]
2004-03-11 20:59 315536 --a------ C:\WINDOWS\system32\sstqq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 13:16 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-06-17 16:48 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-06-17 16:43 118784]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\sstqq.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 05:25 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
--a--c--- 2004-10-18 17:42 79448 C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
--a--c--- 2004-04-07 13:07 496752 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a--c--- 2004-06-09 20:31 66680 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
--a--c--- 2004-10-13 21:34 229438 C:\Program Files\HPQ\Default Settings\cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 04:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
--a--c--- 2004-09-17 20:19 290816 C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-06-17 16:43 118784 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-06-17 16:48 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2007-07-31 18:44 271672 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2007-04-12 02:43 1661304 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-10-18 12:34 5724184 C:\Program Files\Windows Live\Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
--a--c--- 2004-08-24 16:09 99480 C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2007-06-29 06:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a--c--- 2007-01-17 10:26 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Remote Terminal Task]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-27 13:16 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a--c--- 2004-10-05 12:24 688218 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a--c--- 2004-10-05 12:25 98394 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a--c--- 2003-08-19 05:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a--c--- 2004-08-02 19:36 124232 C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
--a--c--- 2006-04-07 15:02 1343488 C:\PROGRA~1\AWS\WEATHE~1\Weather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Messenger\\Msmsgs.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-03-07 21:22:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-21 15:43:26 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-03-22 16:25:11 C:\WINDOWS\Tasks\User_Feed_Synchronization-{581676B0-F3B3-4DA5-BBA9-A3C306DC38E8}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-22 20:17:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
.
**************************************************************************
.
Completion time: 2008-03-22 20:22:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-23 00:21:57
ComboFix2.txt 2008-03-19 23:23:01
.
2008-03-15 14:25:29 --- E O F ---
  • 0

#6
Blade81
Posted 23 March 2008 - 10:21 AM

Blade81

    Member

  • Member
  • PipPipPip
  • 722 posts
  • MVP
Hi

Please post Kaspersky report & a fresh hjt log too when you're ready. :)
  • 0

#7
joejobs
Posted 24 March 2008 - 10:33 AM

joejobs

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 215 posts
Hi,
I don't have Kaspersky, should I download it from www.kaspersky.com, and then post the report?
thanks
  • 0

#8
Blade81
Posted 24 March 2008 - 11:13 AM

Blade81

    Member

  • Member
  • PipPipPip
  • 722 posts
  • MVP
Use Kaspersky online scanner as instructed in post #4
  • 0

#9
joejobs
Posted 25 March 2008 - 08:56 PM

joejobs

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 215 posts
Hi,
I have tried several times to post the notepad file with the kaspersky report, but PC will freeze when I try to paste the file.
It says it foud 11 viruses in the report.
  • 0

#10
joejobs
Posted 25 March 2008 - 10:37 PM

joejobs

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 215 posts
After about three hours I managed to get the text of the report to paste into the message, but I got a return message that says the post was too long so it did not post.
  • 0

Advertisements

#11
Blade81
Posted 26 March 2008 - 04:06 AM

Blade81

    Member

  • Member
  • PipPipPip
  • 722 posts
  • MVP
Hi

You can upload it to http://rapidshare.com and post back download link to it.
  • 0

#12
joejobs
Posted 26 March 2008 - 02:48 PM

joejobs

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 215 posts
Hi,

http://rapidshare.co...persky.txt.html

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:47:20 PM, on 3/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.co...n...px&id=64855
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [474865e2] rundll32.exe "C:\WINDOWS\system32\mhwnlgxw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.co...UC/MsnPUpld.cab
O16 - DPF: {93EFDAB8-8800-4896-B428-76F943140E1B} (Setup Class) - http://www.consumeri...ple/dcainst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/...all/Crusher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7760 bytes
  • 0

#13
Blade81
Posted 26 March 2008 - 03:35 PM

Blade81

    Member

  • Member
  • PipPipPip
  • 722 posts
  • MVP
Hi

Clear Symantec AntiVirus quarantine items (either from program itself or navigate into C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine folder and delete everything there but not the quarantine folder itself).


Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\sstqq.dll
C:\WINDOWS\system32\mhwnlgxw.dll
C:\WINDOWS\system32\fkslytey.dll
C:\WINDOWS\system32\jnseelga.dll
C:\WINDOWS\system32\vtuvttr.dll
C:\WINDOWS\system32\xwvnhweq.dll
C:\WINDOWS\system32\ykmtuyod.dll

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFEDD407-94D7-4310-9717-F0E5CF32AE7C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"474865e2"=-

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages=hex(7):6d,73,76,31,5f,30,00,00


Save this as
CFScript


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh hjt log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
  • 0

#14
joejobs
Posted 26 March 2008 - 05:54 PM

joejobs

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 215 posts
Hi,
If I log into that file path, Application Data does not appear under All Users, and I haven't installed symantec antivirus.
  • 0

#15
Blade81
Posted 27 March 2008 - 12:30 AM

Blade81

    Member

  • Member
  • PipPipPip
  • 722 posts
  • MVP
Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Try finding Application Data folder now.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP