A LOG TO PONDER [RESOLVED]


  • This topic is locked

#1
davidregal

    New Member

  • Member
  • 5 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:30:49 PM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Canon\BJPV\TVMon.exe
C:\Program Files\Canon\BJCard\BJLaunch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kontiki\KHost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\TrueSwitchAT&TYahoo\TrueWizard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2E1F4800-66E3-4AD4-BA2E-13D0FB2C1067} - c:\windows\system32\colbactv.dll
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {FC4337B6-4083-440D-BB87-D57B1887852D} - C:\WINDOWS\system32\d3d8i.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BJPD HID Control] C:\Program Files\Canon\BJPV\TVMon.exe
O4 - HKLM\..\Run: [BJLaunchEXE] C:\Program Files\Canon\BJCard\BJLaunch.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueSwitchAT&TYahoo\TrueWizard.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitc...eInstallSBC.exe
O20 - Winlogon Notify: gbvvcdqu - C:\WINDOWS\SYSTEM32\colbactv.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon BJ Memory Card Manager (Bjmcmng) - CANON INC. - C:\Program Files\Canon\BJCard\Bjmcmng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 12359 bytes
  • 0
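A triage helper for log lines of the kind posted above (an added example, not part of the thread and not HijackThis code): it parses the O2, O20 and O23 line formats and applies the checks an analyst makes by eye, in particular a nameless BHO loaded from system32 and a DLL that is registered both as a BHO and as a Winlogon Notify package. The sample lines are copied from the log above; the severity labels and reasons are this example's own.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not HijackThis code).

Parses the O2 (Browser Helper Object), O20 (Winlogon Notify) and O23 (service)
line formats and flags the load-point patterns an analyst looks for by eye.
The severity labels and reasons are this example's own, not a published scheme.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2E1F4800-66E3-4AD4-BA2E-13D0FB2C1067} - c:\windows\system32\colbactv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FC4337B6-4083-440D-BB87-D57B1887852D} - C:\WINDOWS\system32\d3d8i.dll
O20 - Winlogon Notify: gbvvcdqu - C:\WINDOWS\SYSTEM32\colbactv.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
"""

# One pattern per line type; the trailing path is taken greedily so that
# " - " inside the module path cannot truncate it.
LINE_PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$"),
}

SEVERITY = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Entry:
    kind: str             # "O2", "O20" or "O23"
    name: str             # display name, registry subkey name or service name
    path: str             # module path exactly as HijackThis printed it
    extra: dict = field(default_factory=dict)   # clsid / vendor when present


def parse_hjt(text):
    """Return an Entry for every recognised line; other line types are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        for kind, pattern in LINE_PATTERNS.items():
            match = pattern.match(line)
            if match:
                fields = match.groupdict()
                entries.append(Entry(kind, fields.pop("name"), fields.pop("path"), fields))
                break
    return entries


def in_system_dir(path):
    """True for modules under the system32 directory, whatever the letter case."""
    return "\\system32\\" in path.lower()


def triage(entries):
    """Map each suspicious module path (lower-cased) to a (severity, reason) pair."""
    findings = {}
    load_points = defaultdict(set)            # path -> line kinds that reference it
    for entry in entries:
        load_points[entry.path.lower()].add(entry.kind)

    for entry in entries:
        key = entry.path.lower()
        if entry.kind == "O2" and entry.name == "(no name)" and in_system_dir(entry.path):
            # Legitimate BHOs almost always ship a display name and live under Program Files.
            findings[key] = ("medium", "nameless BHO loaded from the Windows system directory")
        elif entry.kind == "O20" and in_system_dir(entry.path):
            # HijackThis only lists Winlogon Notify packages it does not recognise.
            findings[key] = ("medium", "unrecognised Winlogon Notify package in the Windows system directory")
        elif entry.kind == "O23" and entry.extra.get("vendor") == "Unknown owner":
            # Noisy on its own (legitimate vendors omit version info too), so low severity.
            findings.setdefault(key, ("low", "service binary carries no company name; verify the vendor"))

    # Escalate a DLL that persists through two load points at once: it is loaded into
    # Internet Explorer as a BHO and into winlogon.exe as a Notify package.
    for key, kinds in load_points.items():
        if {"O2", "O20"} <= kinds:
            findings[key] = ("high", "same DLL registered as both a BHO and a Winlogon Notify package")
    return findings


def flagged_files(findings, minimum="medium"):
    """Sorted basenames at or above `minimum` severity: a starting list for file review."""
    return sorted(ntpath.basename(path) for path, (severity, _) in findings.items()
                  if SEVERITY[severity] >= SEVERITY[minimum])


if __name__ == "__main__":
    results = triage(parse_hjt(SAMPLE_LOG))
    for path, (severity, reason) in sorted(results.items(), key=lambda kv: -SEVERITY[kv[1][0]]):
        print(f"{severity:6} {path}  [{reason}]")
    print("review:", ", ".join(flagged_files(results)))
```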



#2
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Download Malwarebytes' Anti-Malware at http://www.besttechi.../mbam-setup.exe or http://www.majorgeek...ware_d5756.html

Double-click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
  • 0

#3
davidregal

    New Member

  • Topic Starter
  • Member
  • 5 posts
Thank you for the reply. In my searches for a solution, yesterday I found bleepingcomputer.com and tried a recommended fix by running SUPERAntiSpyware in safe mode. That seems to have fixed the problem.
  • 0

#4
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
We recommend having a look at the logs at least one more time to confirm that all is well. Sometimes a malware file may remain dormant and won't cause problems in the interim until a later date. If you have time to do this, I highly recommend running the above two scans. Otherwise, post back one more time saying you are ok with the results after running SUPERAntispyware and I will mark this topic as solved and close it.
  • 0

#5
davidregal

    New Member

  • Topic Starter
  • Member
  • 5 posts
The Anti-Malware found nothing, but ComboFix removed a few files. Here's the ComboFix log:

ComboFix 08-04-20.2 - Owner 2008-04-20 17:00:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.240 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Tasks.\At1.job
D:\Autorun.inf
C:\WINDOWS\system32\colbactv.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_pwrkkhav
-------\Legacy_pwrkkhav
-------\Service_pwrkkhav


((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.

2008-04-18 17:49 . 2008-04-18 17:49 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\nvymheog
2008-04-18 06:58 . 2008-04-18 08:08 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-18 06:58 . 2008-04-18 06:58 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-04-18 06:58 . 2008-04-18 06:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-18 01:40 . 2004-08-27 02:54 <DIR> d-------- C:\Documents and Settings\Administrator.DAVID\WINDOWS
2008-04-18 01:40 . 2006-07-18 02:42 <DIR> d-------- C:\Documents and Settings\Administrator.DAVID\Application Data\SampleView
2008-04-18 01:40 . 2008-04-18 01:40 <DIR> d-------- C:\Documents and Settings\Administrator.DAVID
2008-04-18 01:40 . 2008-04-20 17:02 1,024 --ah----- C:\Documents and Settings\Administrator.DAVID\ntuser.dat.LOG
2008-04-17 15:00 . 2008-04-17 15:02 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-04-17 08:36 . 2008-04-17 12:25 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-16 14:51 . 2008-04-16 14:51 <DIR> d-------- C:\VundoFix Backups
2008-04-16 12:43 . 2008-04-16 12:43 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-16 12:43 . 2008-04-16 12:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-16 12:43 . 2008-04-16 12:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-16 12:29 . 2008-04-16 12:29 <DIR> d-------- C:\Program Files\CleanUp!
2008-04-15 15:08 . 2008-04-20 16:34 <DIR> d-------- C:\Spyware stuff
2008-04-15 14:30 . 2008-04-15 14:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-14 09:59 . 2008-04-14 09:59 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-14 09:59 . 2008-04-14 10:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-13 12:10 . 2008-04-18 17:49 <DIR> d-------- C:\Program Files\Common Files\Mozilla Shared
2008-04-13 12:10 . 2008-04-13 12:10 6,490,880 --a------ C:\WINDOWS\system32\bbetudak.dat
2008-04-13 12:10 . 2008-04-13 12:10 1,015,808 --a------ C:\WINDOWS\system32\libeay32.dll
2008-04-13 12:10 . 2008-04-13 12:10 638,208 --a------ C:\WINDOWS\system32\rtjdskli.dat
2008-04-13 12:10 . 2008-04-13 12:10 196,608 --a------ C:\WINDOWS\system32\libssl32.dll
2008-04-13 12:10 . 2008-04-18 13:00 190,208 --a------ C:\WINDOWS\system32\nfgmnzhg.dat
2008-04-13 12:10 . 2008-04-13 12:10 42,752 --a------ C:\WINDOWS\system32\ofnbkqde.dat
2008-04-13 12:10 . 2008-04-13 12:10 36,608 --a------ C:\WINDOWS\system32\gbsttznp.dat
2008-04-13 12:10 . 2008-04-13 12:10 35,584 --a------ C:\WINDOWS\system32\vmeblovd.dat
2008-04-13 12:10 . 20,224 C:\WINDOWS\system32\drivers\veusxaut.dat
2008-04-13 11:51 . 2008-04-20 17:05 82,944 --a------ C:\WINDOWS\system32\colbactv.dll
2008-04-13 11:51 . 2008-04-14 12:20 81,920 --a------ C:\WINDOWS\system32\colbactv.dll.bak
2008-04-13 11:50 . 2004-08-04 12:00 88,064 --a------ C:\WINDOWS\system32\d3d8i.dll
2008-04-03 09:35 . 2008-04-03 09:35 1,291,776 --a------ C:\WINDOWS\MailSwitch.ocx
2008-04-01 10:43 . 2008-04-20 17:11 <DIR> d-------- C:\Program Files\TrueSwitchAT&TYahoo
2008-04-01 10:43 . 2008-04-01 10:45 <DIR> d-------- C:\Program Files\TrueSwitch
2008-04-01 10:43 . 2008-04-01 10:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\TrueSwitch
2008-03-31 17:05 . 2008-03-31 17:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-03-21 12:06 . 2008-03-21 12:06 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Viewpoint

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 00:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-04-17 20:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\CanonIJPLM
2008-04-16 20:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-16 20:06 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-16 19:36 --------- d-----w C:\Program Files\Zultrax P2P
2008-04-16 19:36 --------- d-----w C:\Program Files\PCFriendly
2008-04-14 16:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-01 11:50 --------- d-----w C:\Program Files\Java
2008-03-21 19:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-08 13:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\Move Networks
.

------- Sigcheck -------

2004-08-04 12:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe
2004-08-04 12:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\dllcache\svchost.exe

2005-03-02 11:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 08:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2004-08-04 12:00 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2005-03-02 11:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2007-03-08 08:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\user32.dll
2007-03-08 08:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\dllcache\user32.dll

2004-08-04 12:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll
2004-08-04 12:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\dllcache\ws2_32.dll

2004-08-04 12:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe
2004-08-04 12:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe

2004-08-04 12:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
2004-08-04 12:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2004-08-04 12:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
2004-08-04 12:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

2004-08-04 12:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe
2004-08-04 12:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E1F4800-66E3-4AD4-BA2E-13D0FB2C1067}]
2008-04-20 17:05 82944 --a------ c:\windows\system32\colbactv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC4337B6-4083-440D-BB87-D57B1887852D}]
2004-08-04 12:00 88064 --a------ C:\WINDOWS\system32\d3d8i.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 10:12 68856]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 08:29 50736]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-05-18 13:21 1033800]
"Pando"="C:\Program Files\Pando Networks\Pando\Pando.exe" [2008-02-09 15:02 6051144]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 13:42 212992]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 09:47 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 09:47 688218]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2004-01-27 23:39 1179648]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52 483328]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-18 16:39 180269]
"BJPD HID Control"="C:\Program Files\Canon\BJPV\TVMon.exe" [2003-01-21 16:35 45056]
"BJLaunchEXE"="C:\Program Files\Canon\BJCard\BJLaunch.exe" [2002-12-20 14:26 716800]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-02-07 08:39 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-02-07 08:36 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-02-07 08:40 118784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18 270648]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 16:02 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 16:06 2027792]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 18:01 644696]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 18:50 1603152]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 10:03 210472]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 13:02 79400]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"combofix"="C:\WINDOWS\system32\CF22760.exe" [2004-08-04 12:00 388608]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
TrueAssistant.lnk - C:\Program Files\TrueSwitchAT&TYahoo\TrueWizard.exe [2008-03-13 02:35:00 1069056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-07-18 16:14:58 25214]
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2006-07-18 02:38:27 1742384]
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-11-26 09:20:05 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.CFHD"= cfhd.dll
"msacm.ac3acm"= AC3ACM.acm
"msacm.lameacm"= lameACM.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Zultrax P2P\\Zultrax.Exe"=
"C:\\Program Files\\utorrent\\utorrent.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\utorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\Pando Networks\\Pando\\pando.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27756:TCP"= 27756:TCP:@xpsp2res.dll,-22009
"29303:TCP"= 29303:TCP:@xpsp2res.dll,-22009

R0 refblhlo;refblhlo;C:\WINDOWS\system32\drivers\veusxaut.dat []
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 11:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 11:35]
R2 IJPLMSVC;PIXMA Extended Survey Program;C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2007-04-13 09:20]
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2006-04-07 18:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 02:32:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 17:09:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\refblhlo]
"ImagePath"="system32\drivers\veusxaut.dat"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-20 17:17:42 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-04-21 00:17:21

Pre-Run: 19,306,389,504 bytes free
Post-Run: 19,409,891,328 bytes free

212 --- E O F --- 2008-04-10 02:36:35
  • 0

#6
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Still have a handful of malware files there...

Uninstall Kontiki and Viewpoint via the Add/Remove Programs panel.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

Driver::
refblhlo
File::
C:\WINDOWS\system32\bbetudak.dat
C:\WINDOWS\system32\libeay32.dll
C:\WINDOWS\system32\rtjdskli.dat
C:\WINDOWS\system32\libssl32.dll
C:\WINDOWS\system32\nfgmnzhg.dat
C:\WINDOWS\system32\ofnbkqde.dat
C:\WINDOWS\system32\gbsttznp.dat
C:\WINDOWS\system32\vmeblovd.dat
C:\WINDOWS\system32\drivers\veusxaut.dat
C:\WINDOWS\system32\colbactv.dll
C:\WINDOWS\system32\colbactv.dll.bak
C:\WINDOWS\system32\d3d8i.dll
C:\WINDOWS\system32\drivers\veusxaut.dat
Folder::
C:\Documents and Settings\Owner\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Kontiki
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Program Files\Kontiki
C:\Documents and Settings\Owner\Application Data\nvymheog
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E1F4800-66E3-4AD4-BA2E-13D0FB2C1067}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC4337B6-4083-440D-BB87-D57B1887852D}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\StubInstaller.exe"=-
"C:\\Program Files\\Kontiki\\KService.exe"=-

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

See if it's still running ok now...or maybe a bit more improvement even :)

#7 davidregal (New Member, Topic Starter, 5 posts)
Running Combofix seems to have killed my Avast resident protection - it is no longer in the toolbar. Should I re-install avast?

Getting rid of Kontiki was tricky - it was disguised as an AOL Hi Res Video something or other, but I got it out.

Here is the new Combofix log:

ComboFix 08-04-20.2 - Owner 2008-04-20 18:33:33.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\bbetudak.dat
C:\WINDOWS\system32\colbactv.dll
C:\WINDOWS\system32\colbactv.dll.bak
C:\WINDOWS\system32\d3d8i.dll
C:\WINDOWS\system32\drivers\veusxaut.dat
C:\WINDOWS\system32\gbsttznp.dat
C:\WINDOWS\system32\libeay32.dll
C:\WINDOWS\system32\libssl32.dll
C:\WINDOWS\system32\nfgmnzhg.dat
C:\WINDOWS\system32\ofnbkqde.dat
C:\WINDOWS\system32\rtjdskli.dat
C:\WINDOWS\system32\vmeblovd.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\Owner\Application Data\nvymheog
C:\Documents and Settings\Owner\Application Data\nvymheog\profiles.ini
C:\Documents and Settings\Owner\Application Data\nvymheog\Profiles\751b5oh3.default\cert8.db
C:\Documents and Settings\Owner\Application Data\nvymheog\Profiles\751b5oh3.default\compatibility.ini
C:\Documents and Settings\Owner\Application Data\nvymheog\Profiles\751b5oh3.default\compreg.dat
C:\Documents and Settings\Owner\Application Data\nvymheog\Profiles\751b5oh3.default\cookies.sqlite
C:\Documents and Settings\Owner\Application Data\nvymheog\Profiles\751b5oh3.default\formhistory.sqlite
C:\Documents and Settings\Owner\Application Data\nvymheog\Profiles\751b5oh3.default\key3.db
C:\Documents and Settings\Owner\Application Data\nvymheog\Profiles\751b5oh3.default\localstore.rdf
C:\Documents and Settings\Owner\Application Data\nvymheog\Profiles\751b5oh3.default\permissions.sqlite
C:\Documents and Settings\Owner\Application Data\nvymheog\Profiles\751b5oh3.default\places.sqlite-journal
C:\Documents and Settings\Owner\Application Data\nvymheog\Profiles\751b5oh3.default\places.sqlite
C:\Documents and Settings\Owner\Application Data\nvymheog\Profiles\751b5oh3.default\pluginreg.dat
C:\Documents and Settings\Owner\Application Data\nvymheog\Profiles\751b5oh3.default\prefs.js
C:\Documents and Settings\Owner\Application Data\nvymheog\Profiles\751b5oh3.default\secmod.db
C:\Documents and Settings\Owner\Application Data\nvymheog\Profiles\751b5oh3.default\xpti.dat
C:\Documents and Settings\Owner\Application Data\Viewpoint
C:\Documents and Settings\Owner\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\URLCache.ini
C:\Documents and Settings\Owner\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\URLCache.ini
C:\Documents and Settings\Owner\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\URLCache.ini
C:\Documents and Settings\Owner\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\URLCache.ini
C:\Documents and Settings\Owner\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\UpdateVersionList_v2.mtx
C:\WINDOWS\system32\bbetudak.dat
c:\windows\system32\colbactv.dll
C:\WINDOWS\system32\colbactv.dll.bak
C:\WINDOWS\system32\d3d8i.dll
C:\WINDOWS\system32\drivers\veusxaut.dat
C:\WINDOWS\system32\gbsttznp.dat
C:\WINDOWS\system32\libeay32.dll
C:\WINDOWS\system32\libssl32.dll
C:\WINDOWS\system32\nfgmnzhg.dat
C:\WINDOWS\system32\ofnbkqde.dat
C:\WINDOWS\system32\rtjdskli.dat
C:\WINDOWS\system32\vmeblovd.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PWRKKHAV
-------\Service_pwrkkhav
-------\Legacy_refblhlo
-------\Service_refblhlo


((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.

2008-04-18 06:58 . 2008-04-18 08:08 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-18 06:58 . 2008-04-18 06:58 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-04-18 06:58 . 2008-04-18 06:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-18 01:40 . 2004-08-27 02:54 <DIR> d-------- C:\Documents and Settings\Administrator.DAVID\WINDOWS
2008-04-18 01:40 . 2006-07-18 02:42 <DIR> d-------- C:\Documents and Settings\Administrator.DAVID\Application Data\SampleView
2008-04-18 01:40 . 2008-04-18 01:40 <DIR> d-------- C:\Documents and Settings\Administrator.DAVID
2008-04-18 01:40 . 2008-04-20 18:27 1,024 --ah----- C:\Documents and Settings\Administrator.DAVID\ntuser.dat.LOG
2008-04-17 15:00 . 2008-04-17 15:02 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-04-17 08:36 . 2008-04-17 12:25 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-16 14:51 . 2008-04-16 14:51 <DIR> d-------- C:\VundoFix Backups
2008-04-16 12:43 . 2008-04-16 12:43 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-16 12:43 . 2008-04-16 12:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-16 12:43 . 2008-04-16 12:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-16 12:29 . 2008-04-16 12:29 <DIR> d-------- C:\Program Files\CleanUp!
2008-04-15 15:08 . 2008-04-20 16:34 <DIR> d-------- C:\Spyware stuff
2008-04-15 14:30 . 2008-04-15 14:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-14 09:59 . 2008-04-14 09:59 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-14 09:59 . 2008-04-14 10:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-13 12:10 . 2008-04-18 17:49 <DIR> d-------- C:\Program Files\Common Files\Mozilla Shared
2008-04-03 09:35 . 2008-04-03 09:35 1,291,776 --a------ C:\WINDOWS\MailSwitch.ocx
2008-04-01 10:43 . 2008-04-20 18:02 <DIR> d-------- C:\Program Files\TrueSwitchAT&TYahoo
2008-04-01 10:43 . 2008-04-01 10:45 <DIR> d-------- C:\Program Files\TrueSwitch
2008-04-01 10:43 . 2008-04-01 10:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\TrueSwitch
2008-03-31 17:05 . 2008-03-31 17:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-17 20:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\CanonIJPLM
2008-04-16 20:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-16 20:06 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-16 19:36 --------- d-----w C:\Program Files\Zultrax P2P
2008-04-16 19:36 --------- d-----w C:\Program Files\PCFriendly
2008-04-14 16:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-01 11:50 --------- d-----w C:\Program Files\Java
2008-03-08 13:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\Move Networks
.

------- Sigcheck -------

2004-08-04 12:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe
2004-08-04 12:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\dllcache\svchost.exe

2005-03-02 11:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 08:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2004-08-04 12:00 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2005-03-02 11:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2007-03-08 08:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\user32.dll
2007-03-08 08:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\dllcache\user32.dll

2004-08-04 12:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll
2004-08-04 12:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\dllcache\ws2_32.dll

2004-08-04 12:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe
2004-08-04 12:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe

2004-08-04 12:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
2004-08-04 12:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2004-08-04 12:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
2004-08-04 12:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

2004-08-04 12:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe
2004-08-04 12:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((( [email protected]_17.16.56.83 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-21 00:08:21 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-21 01:39:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-21 01:39:55 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_704.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 10:12 68856]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 08:29 50736]
"Pando"="C:\Program Files\Pando Networks\Pando\Pando.exe" [2008-02-09 15:02 6051144]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 13:42 212992]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 09:47 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 09:47 688218]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2004-01-27 23:39 1179648]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52 483328]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-18 16:39 180269]
"BJPD HID Control"="C:\Program Files\Canon\BJPV\TVMon.exe" [2003-01-21 16:35 45056]
"BJLaunchEXE"="C:\Program Files\Canon\BJCard\BJLaunch.exe" [2002-12-20 14:26 716800]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-02-07 08:39 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-02-07 08:36 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-02-07 08:40 118784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18 270648]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 16:02 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 16:06 2027792]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 18:01 644696]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 18:50 1603152]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 10:03 210472]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 13:02 79400]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
TrueAssistant.lnk - C:\Program Files\TrueSwitchAT&TYahoo\TrueWizard.exe [2008-03-13 02:35:00 1069056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-07-18 16:14:58 25214]
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2006-07-18 02:38:27 1742384]
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-11-26 09:20:05 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.CFHD"= cfhd.dll
"msacm.ac3acm"= AC3ACM.acm
"msacm.lameacm"= lameACM.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Zultrax P2P\\Zultrax.Exe"=
"C:\\Program Files\\utorrent\\utorrent.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\utorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Pando Networks\\Pando\\pando.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27756:TCP"= 27756:TCP:@xpsp2res.dll,-22009
"29303:TCP"= 29303:TCP:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 11:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 11:35]
R2 IJPLMSVC;PIXMA Extended Survey Program;C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2007-04-13 09:20]
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2006-04-07 18:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 02:32:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 18:40:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-20 18:47:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-21 01:47:36
ComboFix2.txt 2008-04-21 00:17:43

Pre-Run: 19,457,708,032 bytes free
Post-Run: 19,447,365,632 bytes free

239 --- E O F --- 2008-04-10 02:36:35

Edited by davidregal, 20 April 2008 - 07:56 PM.

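Added example, not code from this thread, from ComboFix or from Geeks to Go: a short Python script that reads the CFScript greyknight17 posted in #6 into a removal plan and then checks that plan against the ComboFix log davidregal posted in #7, so you can see whether everything the script named was actually reported as removed. The CFScript rules it assumes are the ones visible in the post: a line ending in "::" opens a section (Driver, File, Folder, Registry), and Registry:: follows REGEDIT4 conventions, where [-KEY] deletes a key and "name"=- deletes a value under the most recent [KEY] header. The script text is embedded verbatim from #6 and the log is trimmed to the sections of #7 that record deletions; nothing else is invented.

```python
"""Added example (not from the thread, ComboFix or Geeks to Go): parse the
CFScript from post #6 and cross-check the ComboFix log from post #7. Assumed
rules: a line ending in '::' opens a section; Registry:: uses REGEDIT4 syntax,
where [-KEY] deletes a key and "name"=- deletes a value under the last [KEY]."""
from collections import defaultdict

# CFScript from post #6, embedded verbatim so this runs offline.
CFSCRIPT = r"""
Driver::
refblhlo
File::
C:\WINDOWS\system32\bbetudak.dat
C:\WINDOWS\system32\libeay32.dll
C:\WINDOWS\system32\rtjdskli.dat
C:\WINDOWS\system32\libssl32.dll
C:\WINDOWS\system32\nfgmnzhg.dat
C:\WINDOWS\system32\ofnbkqde.dat
C:\WINDOWS\system32\gbsttznp.dat
C:\WINDOWS\system32\vmeblovd.dat
C:\WINDOWS\system32\drivers\veusxaut.dat
C:\WINDOWS\system32\colbactv.dll
C:\WINDOWS\system32\colbactv.dll.bak
C:\WINDOWS\system32\d3d8i.dll
C:\WINDOWS\system32\drivers\veusxaut.dat
Folder::
C:\Documents and Settings\Owner\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Kontiki
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Program Files\Kontiki
C:\Documents and Settings\Owner\Application Data\nvymheog
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E1F4800-66E3-4AD4-BA2E-13D0FB2C1067}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC4337B6-4083-440D-BB87-D57B1887852D}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\StubInstaller.exe"=-
"C:\\Program Files\\Kontiki\\KService.exe"=-
"""

# Post #7 log trimmed to the sections that record removals (banners shortened).
COMBOFIX_LOG = r"""
(((( Other Deletions ))))
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\Owner\Application Data\nvymheog
C:\Documents and Settings\Owner\Application Data\Viewpoint
C:\WINDOWS\system32\bbetudak.dat
c:\windows\system32\colbactv.dll
C:\WINDOWS\system32\colbactv.dll.bak
C:\WINDOWS\system32\d3d8i.dll
C:\WINDOWS\system32\drivers\veusxaut.dat
C:\WINDOWS\system32\gbsttznp.dat
C:\WINDOWS\system32\libeay32.dll
C:\WINDOWS\system32\libssl32.dll
C:\WINDOWS\system32\nfgmnzhg.dat
C:\WINDOWS\system32\ofnbkqde.dat
C:\WINDOWS\system32\rtjdskli.dat
C:\WINDOWS\system32\vmeblovd.dat
(((( Drivers/Services ))))
-------\Service_pwrkkhav
-------\Service_refblhlo
"""


def parse_cfscript(text):
    """Return {'Driver': [...], 'File': [...], 'Folder': [...],
    'Registry': [(action, key, value_name)]}, dropping repeated paths."""
    plan, section, key = defaultdict(list), None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.endswith("::"):                       # section header
            section, key = line[:-2], None
        elif section is None:
            raise ValueError(f"entry outside any section: {line!r}")
        elif section == "Registry":
            if line.startswith("[-") and line.endswith("]"):
                plan[section].append(("delete_key", line[2:-1], None))
            elif line.startswith("[") and line.endswith("]"):
                key = line[1:-1]                      # header for "name"=- lines
            elif line.endswith("=-") and key:
                name = line[:-2].strip('"').replace("\\\\", "\\")
                plan[section].append(("delete_value", key, name))
            else:
                raise ValueError(f"unrecognised Registry:: line: {line!r}")
        elif line.lower() not in (p.lower() for p in plan[section]):
            plan[section].append(line)                # drops the repeated veusxaut.dat
    return dict(plan)


def unverified(plan, log_text):
    """File::, Folder:: and Driver:: entries the log never reports as deleted.
    Case-insensitive; Registry:: work is not echoed in the log, so not checked."""
    log = log_text.lower()
    wanted = plan.get("File", []) + plan.get("Folder", [])
    wanted += ["Service_" + d for d in plan.get("Driver", [])]
    return [w for w in wanted if w.lower() not in log]
```

Calling unverified(parse_cfscript(CFSCRIPT), COMBOFIX_LOG) on the embedded text reports exactly two Folder:: entries the log never lists as deleted, C:\Documents and Settings\All Users\Application Data\Kontiki and C:\Program Files\Kontiki, which is consistent with davidregal having uninstalled Kontiki by hand before running the script. The repeated veusxaut.dat line in the posted script is collapsed to one entry, the Driver:: name is matched against the Service_refblhlo line in the Drivers/Services section, and the six Registry:: operations are only parsed and listed because the posted log does not echo them. The habit worth taking from this is the cross-check itself: a CFScript is a deletion list, so every path in it deserves a second look before it is dragged onto ComboFix, and every path in it should show up in the resulting log afterwards.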

#8 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Restart the computer and see if Avast runs again. If not, uninstall it and restart the computer. Then reinstall it back.

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run and copy/paste in combofix /u and hit OK to remove it. You should be set to go.

#9 davidregal (New Member, Topic Starter, 5 posts)
Thank you so much. I am lucky to have found you. My computer is much faster and I am much less suicidal.

Thanks again,

David

#10 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.