kxvo.exe [CLOSED]


This topic is locked.

#1 dannychench (Member, 17 posts)
When I load my computer, an error message appears containing the name kxvo.exe.
I also had an issue 2 days ago where my World of Warcraft account was hacked. My friends informed me that I must have downloaded a keylogger. I want to proceed to change my password, but I want to make sure that my password and account info cannot be recorded again and hacked.
Thank you.



Here is my Hijack Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:05:03 AM, on 4/6/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2080201
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2080201
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\ieso0.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5646 bytes

Here is my uninstall list

Adobe Flash Player ActiveX
Adobe Flash Player Plugin
AIM 6
ATI Catalyst Control Center
ATI Display Driver
AVG Anti-Spyware 7.5
Browser Address Error Redirector
Dell ETS Factory Installation
Google Desktop
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
HP PSC & OfficeJet 6.1.A
Intel® Matrix Storage Manager
Intel® PRO Alerting Agent
Intel® PRO Network Connections 12.1.12.4
J2SE Runtime Environment 5.0 Update 6
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft National Language Support Downlevel APIs
Mozilla Firefox (2.0.0.13)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
NETGEAR WG111T 108Mbps Wireless USB2.0 Adapter
Panda ActiveScan 2.0
PowerDVD
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio Update Manager
SearchAssist
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Sonic Activation Module
SUPERAntiSpyware Free Edition
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Viewpoint Media Player
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
WinRAR archiver
World of Warcraft
Xvid 1.1.3 final uninstall

Here is my ActiveScan List

;*******************************************************************************
ANALYSIS: 2008-04-06 04:51:13
PROTECTIONS: 0
MALWARE: 10
SUSPECTS: 0
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00039204 adware/cws Adware No 0 Yes No hkey_classes_root\iehlprobj.iehlprobj.1
00039204 adware/cws Adware No 0 Yes No hkey_classes_root\iehlprobj.iehlprobj
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\9q07kfxb.default\cookies.txt[.com.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\9q07kfxb.default\cookies.txt[.apmebf.com/]
00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\9q07kfxb.default\cookies.txt[.bravenet.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\9q07kfxb.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\9q07kfxb.default\cookies.txt[.go.com/]
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\9q07kfxb.default\cookies.txt[.target.com/]
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Andrew\Cookies\[email protected][1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\9q07kfxb.default\cookies.txt[.atwola.com/]
02908910 W32/Lineage.HXI.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP15\A0001055.dll
02908913 W32/Lineage.HXI.worm Virus/Worm No 0 Yes No C:\vuts0e.cmd
02908915 W32/Lineage.HXI.worm Virus/Worm No 0 Yes No C:\Documents and Settings\Andrew\Local Settings\Temp\vd.dll
;===============================================================================
SUSPECTS
Sent Location +
;===============================================================================
;===============================================================================
VULNERABILITIES
Id Severity Description +
;===============================================================================
182048 HIGH MS07-069 +
;===============================================================================
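The first log above is the whole evidence the helper works from, and the two entries that matter (the `ieso0.dll` BHO and the `kxva` Run value pointing at `system32\kxvo.exe`) can be picked out mechanically. The script below is an added example, not part of the original post and not HijackThis code: it parses O2, O4 and O23 lines and scores each binary with heuristics of my own (third-party autostarts and BHOs normally live under Program Files, so one in the Windows directory is unusual; a file stem of five characters or fewer looks generated; an HKCU Run value whose name does not match its file name is a dropper habit). The sample lines are copied from the log above, the scoring rules and the threshold of 3 are assumptions.

```python
"""Triage a HijackThis log for the kind of entries this thread turns on."""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: six lines taken from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\ieso0.dll
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""


@dataclass
class Entry:
    section: str        # "O2", "O4" or "O23"
    name: str           # BHO name, Run value name or service name
    path: str           # path of the binary
    hive: str = ""      # "HKLM" / "HKCU" for O4 entries
    vendor: str = ""    # company string for O23 entries


O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[^}]*\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.+)$")
# First executable token of a Run command line, quoted or not, arguments dropped.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|com|cmd|scr))"?', re.IGNORECASE)

WINDOWS_DIRS = ("c:\\windows\\", "c:\\winnt\\")


def parse_log(text):
    """Return Entry objects for every O2 / O4 / O23 line in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            entries.append(Entry("O2", m["name"], m["path"]))
        elif m := O4_RE.match(line):
            exe = EXE_RE.match(m["cmd"])
            entries.append(Entry("O4", m["name"], exe["path"] if exe else m["cmd"], hive=m["hive"]))
        elif m := O23_RE.match(line):
            entries.append(Entry("O23", m["name"], m["path"], vendor=m["vendor"]))
    return entries


def score(e):
    """Heuristic points plus the reasons behind them (rules are assumptions, not HijackThis logic)."""
    pts, reasons = 0, []
    low = e.path.lower()
    stem = ntpath.splitext(ntpath.basename(low))[0]
    if low.startswith(WINDOWS_DIRS):
        pts += 2
        reasons.append("autostart/BHO binary lives in the Windows directory, not Program Files")
    if len(stem) <= 5:
        pts += 1
        reasons.append(f"short, generated-looking file name {stem!r}")
    if e.section == "O4" and e.hive == "HKCU" and e.name.lower() != stem:
        pts += 1
        reasons.append(f"HKCU Run value {e.name!r} does not match file name {stem!r}")
    if e.section == "O23" and e.vendor.lower() == "unknown owner":
        pts += 1
        reasons.append("service carries no vendor string")
    return pts, reasons


def triage(text, threshold=3):
    """Entries scoring at or above the threshold, highest first."""
    hits = []
    for e in parse_log(text):
        pts, reasons = score(e)
        if pts >= threshold:
            hits.append((e, pts, reasons))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for e, pts, reasons in triage(SAMPLE_LOG):
        print(f"[{pts}] {e.section} {e.name!r} -> {e.path}")
        for r in reasons:
            print("     -", r)
```

On the sample the two flagged entries are exactly `kxvo.exe` (4 points) and `ieso0.dll` (3 points); the ATI service binary also sits in system32 but scores only 2, which is the reason for the "short stem" rule rather than a blanket rule on the Windows directory. A score is a prompt to look the file up, not a verdict.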


#2 Tigger93 (Trusted Helper, Retired Staff, 1,870 posts)
Hello and Welcome to Geekstogo! :)

I would advise not logging in to World of Warcraft for a while; you still have a keylogger on your computer.

Go Start > Control Panel > Add/Remove Programs and uninstall Viewpoint Media Player.

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3


1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\vuts0e.cmd
C:\Documents and Settings\Andrew\Local Settings\Temp\vd.dll
C:\WINDOWS\system32\ieso0.dll
C:\WINDOWS\system32\kxvo.exe

Folder::
C:\Program Files\Viewpoint\

Driver::
Viewpoint Manager Service

Registry::
[-HKEY_CLASSES_ROOT\iehlprobj.iehlprobj.1]
[-HKEY_CLASSES_ROOT\iehlprobj.iehlprobj]



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


#3 dannychench (Topic Starter, Member, 17 posts)
The kxvo.exe error no longer appears, and I guess you have to tell me if my computer is safe now. By the way, I had misread the directions and ran ComboFix before I added the CFScript; I then ran it again with the CFScript, just letting you know in case it changes what the ComboFix log should have looked like.

Here is my HiJack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:29:07 AM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2080201
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 5529 bytes

Here is my Combofix log


ComboFix 08-04-04.1 - Andrew 2008-04-06 8:23:49.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1369 [GMT -7:00]
Running from: C:\Documents and Settings\Andrew\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Andrew\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Andrew\Local Settings\Temp\vd.dll
C:\vuts0e.cmd
C:\WINDOWS\system32\ieso0.dll
C:\WINDOWS\system32\kxvo.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ieso0.dll
C:\WINDOWS\system32\kxvo.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-06 to 2008-04-06 )))))))))))))))))))))))))))))))
.

2008-04-06 05:04 . 2008-04-06 05:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-06 04:16 . 2008-04-06 04:16 <DIR> d-------- C:\Program Files\Panda Security
2008-04-06 04:16 . 2008-04-06 04:16 1,847 --a------ C:\WINDOWS\mozver.dat
2008-04-06 03:53 . 2008-04-06 03:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-04-06 03:47 . 2008-04-06 03:47 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\Grisoft
2008-04-06 03:47 . 2008-04-06 03:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-06 03:47 . 2007-05-30 05:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-05 09:10 . 2008-04-05 09:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-05 09:09 . 2008-04-05 09:11 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-05 09:09 . 2008-04-05 09:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-05 09:09 . 2008-04-05 09:09 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\SUPERAntiSpyware.com
2008-04-05 08:58 . 2006-06-03 04:40 33,792 --------- C:\WINDOWS\system32\dllcache\custsat.dll
2008-04-05 03:05 . 2008-04-05 09:32 158,774 -r-hs---- C:\lpufwi6.com
2008-04-03 18:40 . 2008-04-03 18:40 158,112 -r-hs---- C:\fg8m.exe
2008-04-03 18:40 . 2008-04-05 09:32 92,160 -r-hs---- C:\WINDOWS\system32\fool1.dll
2008-04-03 18:39 . 2008-04-06 05:01 92,160 -r-hs---- C:\WINDOWS\system32\fool0.dll
2008-04-01 14:03 . 2008-04-03 18:40 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\U3
2008-03-25 09:29 . 2008-03-25 09:29 <DIR> d-------- C:\Logs
2008-03-18 15:13 . 2008-03-18 15:13 <DIR> d-------- C:\Program Files\Xvid
2008-03-18 15:13 . 2007-06-28 18:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-03-18 15:13 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-03-18 15:13 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2008-03-15 05:12 . 2008-03-15 05:12 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-03-15 05:12 . 2005-10-14 22:42 46,592 --a------ C:\WINDOWS\system32\hpzll43a.dll
2008-03-15 05:11 . 2005-03-14 12:03 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-03-15 05:11 . 2005-03-14 12:05 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-03-15 05:11 . 2005-03-08 11:55 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-03-15 05:11 . 2005-03-14 12:05 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-03-15 05:11 . 2005-03-14 13:39 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-03-15 05:11 . 2005-03-08 11:55 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-03-15 05:11 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-15 05:11 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-03-15 05:10 . 2008-03-15 05:11 <DIR> d-------- C:\Program Files\HP
2008-03-15 05:10 . 2004-08-03 23:08 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2008-03-15 05:09 . 2005-10-28 16:11 614,400 --a------ C:\WINDOWS\system32\hpotscl2.dll
2008-03-15 05:09 . 2005-10-28 16:11 602,112 --a------ C:\WINDOWS\system32\hpowiax2.dll
2008-03-15 05:09 . 2005-10-28 16:11 254,026 --a------ C:\WINDOWS\system32\hpovst09.dll
2008-03-15 05:09 . 2008-03-15 05:12 103,193 --a------ C:\WINDOWS\hpoins08.dat
2008-03-15 05:09 . 2005-09-09 16:28 98,304 --a------ C:\WINDOWS\system32\hpzjsn01.dll
2008-03-15 05:09 . 2005-10-27 18:23 77,824 --a------ C:\WINDOWS\system32\hpzids01.dll
2008-03-15 05:09 . 2005-10-27 18:24 49,664 --a------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-03-15 05:09 . 2005-10-27 18:24 16,496 --a------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-03-15 05:09 . 2006-01-24 14:03 4,445 --------- C:\WINDOWS\hpomdl08.dat
2008-03-13 03:40 . 2008-03-13 03:40 <DIR> d-------- C:\WINDOWS\Sun
2008-03-11 22:43 . 2008-03-11 22:43 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\acccore
2008-03-11 22:39 . 2008-03-11 22:39 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-11 22:36 . 2008-03-11 22:36 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-03-11 22:36 . 2008-03-11 22:37 <DIR> d-------- C:\Program Files\AIM6
2008-03-11 22:36 . 2008-04-06 08:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-11 22:36 . 2008-03-11 22:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-03-11 22:36 . 2008-03-11 22:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-03-11 22:35 . 2008-03-11 22:37 444 --ah----- C:\IPH.PH
2008-03-11 17:40 . 2008-03-11 17:40 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-11 17:34 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-03-11 17:34 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2008-03-11 10:27 . 2008-03-11 10:27 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-11 03:03 . 2007-07-09 06:09 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-03-10 15:26 . 2008-03-10 15:26 <DIR> d---s---- C:\Documents and Settings\Andrew\UserData
2008-03-10 14:47 . 2008-03-10 14:47 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-03-10 14:37 . 2008-04-01 09:04 <DIR> d-------- C:\Program Files\World of Warcraft
2008-03-10 14:04 . 2005-09-05 11:21 362,944 --a------ C:\WINDOWS\system32\drivers\WG11TND5.sys
2008-03-10 13:55 . 2008-03-10 13:55 <DIR> d-------- C:\Program Files\NETGEAR
2008-03-10 13:55 . 2004-04-18 16:43 651,264 --a------ C:\WINDOWS\system32\libeay32.dll
2008-03-10 13:55 . 2004-04-18 16:43 147,456 --a------ C:\WINDOWS\system32\ssleay32.dll
2008-03-10 13:55 . 2003-07-24 12:10 94,208 --a------ C:\WINDOWS\system32\DNIN50.dll
2008-03-10 13:55 . 2008-03-10 13:55 17,801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-03-10 13:55 . 2003-07-24 12:10 17,149 --a------ C:\WINDOWS\system32\DNINDIS5.sys
2008-03-10 13:51 . 2005-07-27 21:15 149,392 --a------ C:\WINDOWS\system32\drivers\ar5523.bin
2008-03-10 13:51 . 2004-10-14 19:24 43,392 -ra------ C:\WINDOWS\system32\drivers\Athfmwdl.sys
2008-03-10 12:15 . 2008-03-10 12:15 4,128 --a------ C:\INFCACHE.1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-11 17:38 --------- d-----w C:\Program Files\Google
2008-03-10 21:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"kxva"="C:\WINDOWS\system32\kxvo.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 11:03 36975]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-26 17:03 178712]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 07:12 90112]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 17:12 1036288]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 14:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 14:50 81920]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 07:00 1116920]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 15:23 118784]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-31 18:32 1838592]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25 6731312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111T\wlan111t.exe [2008-03-10 14:04:55 884840]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:*:Disabled:Blizzard Downloader: 6112

R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 08:35]
R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe [2007-01-23 01:58]
S3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\WG11TND5.sys [2005-09-05 11:21]
S3 ATHFMWDL;NETGEAR WG111T Bootloader driver;C:\WINDOWS\system32\Drivers\ATHFMWDL.sys [2004-10-14 19:24]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\DNINDIS5.SYS [2003-07-24 12:10]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{141a605e-002f-11dd-a20b-001e4f47f801}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{141a605f-002f-11dd-a20b-001e4f47f801}]
\Shell\AutoRun\command - F:\vuts0e.cmd
\Shell\explore\Command - F:\vuts0e.cmd
\Shell\open\Command - F:\vuts0e.cmd

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-06 08:24:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-06 8:24:23
ComboFix-quarantined-files.txt 2008-04-06 15:24:16
ComboFix2.txt 2008-04-06 15:19:26
Pre-Run: 61,011,456,000 bytes free
Post-Run: 61,009,182,720 bytes free
.
2008-04-05 15:59:30 --- E O F ---

#4
Tigger93 (Trusted Helper, Retired Staff, 1,870 posts)
Hi again.

Still some things left to clean up.

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\lpufwi6.com
C:\fg8m.exe
C:\WINDOWS\system32\fool1.dll
C:\WINDOWS\system32\fool0.dll
F:\vuts0e.cmd

Folder::
C:\Documents and Settings\All Users\Application Data\Viewpoint\

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kxva"=-
3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot (if it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


#5
dannychench (Topic Starter, Member, 17 posts)
Here is my Hijack log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:51 PM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2080201
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 5390 bytes
Here is my Combofix log


ComboFix 08-04-04.1 - Andrew 2008-04-06 20:39:59.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1553 [GMT -7:00]
Running from: C:\Documents and Settings\Andrew\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Andrew\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\fg8m.exe
C:\lpufwi6.com
C:\WINDOWS\system32\fool0.dll
C:\WINDOWS\system32\fool1.dll
F:\vuts0e.cmd
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Viewpoint\
C:\fg8m.exe
C:\lpufwi6.com
C:\WINDOWS\system32\fool0.dll
C:\WINDOWS\system32\fool1.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-07 to 2008-04-07 )))))))))))))))))))))))))))))))
.

2008-04-06 05:04 . 2008-04-06 05:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-06 04:16 . 2008-04-06 04:16 <DIR> d-------- C:\Program Files\Panda Security
2008-04-06 04:16 . 2008-04-06 04:16 1,847 --a------ C:\WINDOWS\mozver.dat
2008-04-06 03:53 . 2008-04-06 03:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-04-06 03:47 . 2008-04-06 03:47 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\Grisoft
2008-04-06 03:47 . 2008-04-06 03:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-06 03:47 . 2007-05-30 05:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-05 09:10 . 2008-04-05 09:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-05 09:09 . 2008-04-05 09:11 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-05 09:09 . 2008-04-05 09:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-05 09:09 . 2008-04-05 09:09 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\SUPERAntiSpyware.com
2008-04-05 08:58 . 2006-06-03 04:40 33,792 --------- C:\WINDOWS\system32\dllcache\custsat.dll
2008-04-01 14:03 . 2008-04-03 18:40 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\U3
2008-03-25 09:29 . 2008-03-25 09:29 <DIR> d-------- C:\Logs
2008-03-18 15:13 . 2008-03-18 15:13 <DIR> d-------- C:\Program Files\Xvid
2008-03-18 15:13 . 2007-06-28 18:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-03-18 15:13 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-03-18 15:13 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2008-03-15 05:12 . 2008-03-15 05:12 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-03-15 05:12 . 2005-10-14 22:42 46,592 --a------ C:\WINDOWS\system32\hpzll43a.dll
2008-03-15 05:11 . 2005-03-14 12:03 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-03-15 05:11 . 2005-03-14 12:05 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-03-15 05:11 . 2005-03-08 11:55 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-03-15 05:11 . 2005-03-14 12:05 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-03-15 05:11 . 2005-03-14 13:39 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-03-15 05:11 . 2005-03-08 11:55 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-03-15 05:11 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-15 05:11 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-03-15 05:10 . 2008-03-15 05:11 <DIR> d-------- C:\Program Files\HP
2008-03-15 05:10 . 2004-08-03 23:08 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2008-03-15 05:09 . 2005-10-28 16:11 614,400 --a------ C:\WINDOWS\system32\hpotscl2.dll
2008-03-15 05:09 . 2005-10-28 16:11 602,112 --a------ C:\WINDOWS\system32\hpowiax2.dll
2008-03-15 05:09 . 2005-10-28 16:11 254,026 --a------ C:\WINDOWS\system32\hpovst09.dll
2008-03-15 05:09 . 2008-03-15 05:12 103,193 --a------ C:\WINDOWS\hpoins08.dat
2008-03-15 05:09 . 2005-09-09 16:28 98,304 --a------ C:\WINDOWS\system32\hpzjsn01.dll
2008-03-15 05:09 . 2005-10-27 18:23 77,824 --a------ C:\WINDOWS\system32\hpzids01.dll
2008-03-15 05:09 . 2005-10-27 18:24 49,664 --a------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-03-15 05:09 . 2005-10-27 18:24 16,496 --a------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-03-15 05:09 . 2006-01-24 14:03 4,445 --------- C:\WINDOWS\hpomdl08.dat
2008-03-13 03:40 . 2008-03-13 03:40 <DIR> d-------- C:\WINDOWS\Sun
2008-03-11 22:43 . 2008-03-11 22:43 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\acccore
2008-03-11 22:39 . 2008-03-11 22:39 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-11 22:36 . 2008-03-11 22:36 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-03-11 22:36 . 2008-03-11 22:37 <DIR> d-------- C:\Program Files\AIM6
2008-03-11 22:36 . 2008-03-11 22:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-03-11 22:36 . 2008-03-11 22:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-03-11 22:35 . 2008-03-11 22:37 444 --ah----- C:\IPH.PH
2008-03-11 17:40 . 2008-03-11 17:40 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-11 17:34 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-03-11 17:34 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2008-03-11 10:27 . 2008-03-11 10:27 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-11 03:03 . 2007-07-09 06:09 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-03-10 15:26 . 2008-03-10 15:26 <DIR> d---s---- C:\Documents and Settings\Andrew\UserData
2008-03-10 14:47 . 2008-03-10 14:47 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-03-10 14:37 . 2008-04-01 09:04 <DIR> d-------- C:\Program Files\World of Warcraft
2008-03-10 14:04 . 2005-09-05 11:21 362,944 --a------ C:\WINDOWS\system32\drivers\WG11TND5.sys
2008-03-10 13:55 . 2008-03-10 13:55 <DIR> d-------- C:\Program Files\NETGEAR
2008-03-10 13:55 . 2004-04-18 16:43 651,264 --a------ C:\WINDOWS\system32\libeay32.dll
2008-03-10 13:55 . 2004-04-18 16:43 147,456 --a------ C:\WINDOWS\system32\ssleay32.dll
2008-03-10 13:55 . 2003-07-24 12:10 94,208 --a------ C:\WINDOWS\system32\DNIN50.dll
2008-03-10 13:55 . 2008-03-10 13:55 17,801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-03-10 13:55 . 2003-07-24 12:10 17,149 --a------ C:\WINDOWS\system32\DNINDIS5.sys
2008-03-10 13:51 . 2005-07-27 21:15 149,392 --a------ C:\WINDOWS\system32\drivers\ar5523.bin
2008-03-10 13:51 . 2004-10-14 19:24 43,392 -ra------ C:\WINDOWS\system32\drivers\Athfmwdl.sys
2008-03-10 12:15 . 2008-03-10 12:15 4,128 --a------ C:\INFCACHE.1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-11 17:38 --------- d-----w C:\Program Files\Google
2008-03-10 21:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 11:03 36975]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-26 17:03 178712]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 07:12 90112]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 17:12 1036288]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 14:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 14:50 81920]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 07:00 1116920]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 15:23 118784]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-31 18:32 1838592]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25 6731312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111T\wlan111t.exe [2008-03-10 14:04:55 884840]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:*:Disabled:Blizzard Downloader: 6112

R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 08:35]
R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe [2007-01-23 01:58]
S3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\WG11TND5.sys [2005-09-05 11:21]
S3 ATHFMWDL;NETGEAR WG111T Bootloader driver;C:\WINDOWS\system32\Drivers\ATHFMWDL.sys [2004-10-14 19:24]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\DNINDIS5.SYS [2003-07-24 12:10]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{141a605e-002f-11dd-a20b-001e4f47f801}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{141a605f-002f-11dd-a20b-001e4f47f801}]
\Shell\AutoRun\command - F:\vuts0e.cmd
\Shell\explore\Command - F:\vuts0e.cmd
\Shell\open\Command - F:\vuts0e.cmd

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-06 20:41:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-06 20:41:46
ComboFix-quarantined-files.txt 2008-04-07 03:41:39
ComboFix2.txt 2008-04-06 15:24:24
ComboFix3.txt 2008-04-06 15:19:26
Pre-Run: 61,004,668,928 bytes free
Post-Run: 60,992,450,560 bytes free
.
2008-04-05 15:59:30 --- E O F ---

#6
Tigger93 (Trusted Helper, Retired Staff, 1,870 posts)
  • 1 - Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Then post a new HijackThis log again please. :)
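A defender-side check for the mountpoints2 entries that appear in the ComboFix logs above and for the autorun.inf placeholder that Flash_Disinfector leaves behind. This is an added example, not a tool posted in this thread: it parses a constructed excerpt in ComboFix's "Reg Loading Points" layout, flags per-volume shell verbs that hand a drive's double-click to a script at the drive root (the F:\vuts0e.cmd pattern), and classifies whether a drive root carries the protective autorun.inf folder. The parser, the heuristics and the function names are my assumptions.

```python
import os
import re
import tempfile

# Constructed excerpt in ComboFix's "Reg Loading Points" layout, modelled on the
# mountpoints2 entries in the logs above (sample data, not the original log).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{141a605e-002f-11dd-a20b-001e4f47f801}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{141a605f-002f-11dd-a20b-001e4f47f801}]
\Shell\AutoRun\command - F:\vuts0e.cmd
\Shell\explore\Command - F:\vuts0e.cmd
\Shell\open\Command - F:\vuts0e.cmd
"""

KEY_RE = re.compile(r"^\[.+?\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.IGNORECASE)
VERB_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+)$", re.IGNORECASE)
SCRIPT_EXT = {".cmd", ".bat", ".vbs", ".js", ".pif", ".scr"}  # script-type payloads


def parse_mountpoints(log_text):
    """Return {volume_guid: {verb: command}} for every mountpoints2 block in the dump."""
    volumes, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            volumes[current] = {}
            continue
        verb = VERB_RE.match(line)
        if verb and current is not None:
            volumes[current][verb.group(1).lower()] = verb.group(2).strip()
    return volumes


def suspicious_entries(volumes):
    """Flag verbs that look like an autorun worm rather than a vendor launcher: a script
    run from the drive root, or 'open'/'explore' redirected so a double-click runs it."""
    findings = []
    for guid, verbs in volumes.items():
        for verb, cmd in verbs.items():
            target = cmd.split()[0]
            ext = os.path.splitext(target)[1].lower()
            at_root = re.fullmatch(r"[A-Z]:\\[^\\]+", target, re.IGNORECASE) is not None
            if at_root and (ext in SCRIPT_EXT or verb in ("open", "explore")):
                findings.append((guid, verb, target))
    return findings


def autorun_inf_state(drive_root):
    """'protected' if autorun.inf is a directory (the Flash_Disinfector placeholder that
    blocks a malicious autorun.inf), 'autorun-file' if a real file is present, else 'absent'."""
    path = os.path.join(drive_root, "autorun.inf")
    if os.path.isdir(path):
        return "protected"
    return "autorun-file" if os.path.isfile(path) else "absent"


if __name__ == "__main__":
    for hit in suspicious_entries(parse_mountpoints(SAMPLE_LOG)):
        print("suspicious mountpoints2 entry:", hit)
    with tempfile.TemporaryDirectory() as fake_drive:  # stands in for a USB root
        print("before placeholder:", autorun_inf_state(fake_drive))
        os.mkdir(os.path.join(fake_drive, "autorun.inf"))
        print("after placeholder:", autorun_inf_state(fake_drive))
```

The E: entry (a U3 launcher that only sets AutoRun to an .exe) is not flagged, while all three F: verbs are; the CFScript in post #4 removed exactly that F:\vuts0e.cmd file.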

#7
Tigger93 (Trusted Helper, Retired Staff, 1,870 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.