Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Repeatedly Finding Trojan Win32: Vundo@dll [CLOSED]

Started by Commander Keen , May 20 2008 09:30 PM

  • This topic is locked This topic is locked

#1
Commander Keen
Posted 20 May 2008 - 09:30 PM

Commander Keen

    New Member

  • Member
  • Pip
  • 4 posts
Avast has been going crazy popping up with the same System32 trojan, Win32: Vundo@dll [Trj].
I read the post about using the VundoFix, and that turned up with nothing (!).
Here's the hijackthis logfile, what should I do?

Thanks
Mary Beth


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:04:28 PM, on 5/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Documents and Settings\Administrator\Policies\catsrv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\System32\svchost.exe
C:\program files\steam\steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Last.fm\LastFM.exe
C:\PROGRA~1\Avast4\ashQuick.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: (no name) - {2AA0726C-95B7-4216-AA43-B5BDD524892F} - C:\WINDOWS\system32\yayaXOEX.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {CF7AE370-1AFF-4181-AB47-E1EFE067D9BD} - C:\WINDOWS\system32\pmnmjJDW.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMS] "C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE"
O4 - HKLM\..\Run: [LogitechGalleryRepair] "C:\Program Files\Logitech\ImageStudio\ISStart.exe"
O4 - HKLM\..\Run: [LogitechImageStudioTray] "C:\Program Files\Logitech\ImageStudio\LogiTray.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" /logon
O4 - HKLM\..\Run: [catsrv] "C:\Documents and Settings\Administrator\Policies\catsrv.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [PKVOLUME] C:\Program Files\PKVolume\PKVOLUME.exe
O4 - HKLM\..\Run: [Pepsi Volume Controller 3.0] C:\Program Files\Zamaan's Software\Pepsi Volume Controller 3.0\pvc3.0.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [b09e95b0] rundll32.exe "C:\WINDOWS\system32\remaemws.dll",b
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BMb3ada62c] Rundll32.exe "C:\WINDOWS\system32\xipbwjqe.dll",s
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [catsrv] C:\Documents and Settings\Administrator\Policies\catsrv.exe -AutoStart
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3D3BF1F8-9696-4A5E-B4F1-49101C997B70} (VaxSIPUserAgentCAB Control) - http://earthcaller.c...serAgentCAB.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0446776D-2BEE-4894-A738-63FF7EF2A586}: NameServer = 208.67.220.220,4.2.2.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: yayaXOEX - C:\WINDOWS\SYSTEM32\yayaXOEX.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9586 bytes
  • 0

Advertisements

#2
Rorschach112
Posted 21 May 2008 - 05:21 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please don't lower the font on the logs



Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
  • 0

#3
Commander Keen
Posted 22 May 2008 - 11:38 AM

Commander Keen

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thanks!
Here's the new logs:


ComboFix log:

ComboFix 08-05-21.2 - Administrator 2008-05-22 4:38:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.866 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\myglobalsearch
C:\WINDOWS\BMb3ada62c.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\btryyacd.ini
C:\WINDOWS\system32\cbXQkiGy.dll
C:\WINDOWS\system32\egmyfdrg.ini
C:\WINDOWS\system32\jibbfhrp.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pmnmjJDW.dll
C:\WINDOWS\system32\swmeamer.ini
C:\WINDOWS\system32\WDJjmnmp.ini
C:\WINDOWS\system32\WDJjmnmp.ini2
C:\WINDOWS\system32\yayaXOEX.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2008-04-22 to 2008-05-22 )))))))))))))))))))))))))))))))
.

2008-05-20 23:14 . 2008-05-20 23:14 <DIR> d-------- C:\VundoFix Backups
2008-05-20 20:26 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-05-20 20:26 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2008-05-20 20:26 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-05-20 20:26 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2008-05-20 20:26 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-05-20 20:26 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2008-05-20 20:25 . 2008-05-20 20:25 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-05-20 20:25 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-05-20 20:21 . 2008-05-20 20:21 <DIR> d-------- C:\Program Files\Electronic Arts
2008-05-19 15:21 . 2008-05-19 15:41 121 --a------ C:\WINDOWS\bdagent.INI
2008-05-19 10:52 . 2008-05-19 10:52 <DIR> d-------- C:\Program Files\BitDefender
2008-05-19 10:49 . 2008-05-19 10:52 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-05-18 15:05 . 2008-05-18 15:05 <DIR> d-------- C:\Program Files\Avast4
2008-05-16 03:35 . 2008-05-16 04:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ulead Systems
2008-05-16 03:32 . 2008-05-16 03:32 <DIR> d-------- C:\Program Files\Common Files\InterVideo
2008-05-16 03:32 . 2008-05-16 03:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InterVideo
2008-05-16 03:31 . 2007-03-06 11:58 210,456 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2008-05-16 03:31 . 2007-03-06 11:58 206,360 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2008-05-16 03:31 . 2007-03-06 11:58 198,168 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2008-05-16 03:31 . 2007-03-06 11:58 198,168 --a------ C:\WINDOWS\system32\IVIresizeM6.dll
2008-05-16 03:31 . 2007-03-06 11:58 194,072 --a------ C:\WINDOWS\system32\IVIresizePX.dll
2008-05-16 03:31 . 2007-03-06 11:58 26,136 --a------ C:\WINDOWS\system32\IVIresize.dll
2008-05-16 03:29 . 2008-05-16 03:29 <DIR> d-------- C:\Program Files\Ulead Systems
2008-05-16 03:29 . 2008-05-16 03:30 <DIR> d-------- C:\Program Files\Common Files\Ulead Systems
2008-05-16 03:29 . 2008-05-16 03:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-05-16 03:27 . 2008-05-16 19:11 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-05-11 13:24 . 2005-03-03 13:32 86,094 --a------ C:\WINDOWS\system32\ImageDrive.cpl
2008-05-09 02:34 . 2003-11-20 18:00 54,784 -rahs---- C:\WINDOWS\system32\RLAPEDec.ax
2008-05-09 02:34 . 2004-04-26 18:00 37,888 -rahs---- C:\WINDOWS\system32\RLMPCDec.ax
2008-05-09 02:34 . 2007-02-21 06:47 31,232 -rahs---- C:\WINDOWS\system32\msfDX.dll
2008-05-09 02:34 . 2007-12-17 08:43 27,648 --ahs---- C:\WINDOWS\system32\Smab0.dll
2008-05-09 02:33 . 2006-09-12 06:46 227,328 -rahs---- C:\WINDOWS\system32\ac3DX.ax
2008-05-09 02:33 . 2006-05-03 05:06 163,328 -rahs---- C:\WINDOWS\system32\flvDX.dll
2008-05-09 02:33 . 2006-01-12 18:23 123,904 -rahs---- C:\WINDOWS\system32\AVCDX.ax
2008-05-09 02:31 . 2008-05-09 02:31 <DIR> d-------- C:\Program Files\eRightSoft
2008-05-07 23:41 . 2008-05-07 23:43 <DIR> d-------- C:\Program Files\Dofus

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-22 08:45 --------- d-----w C:\Documents and Settings\Administrator\Application Data\DNA
2008-05-21 00:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-05-21 00:28 --------- d-----w C:\Program Files\Eset
2008-05-19 19:47 --------- d-----w C:\Program Files\Steam
2008-05-19 19:21 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2008-05-19 15:48 --------- d-----w C:\Program Files\Recover my Files
2008-05-18 04:25 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ZoomBrowser EX
2008-05-18 04:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-05-17 05:41 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 4
2008-05-16 23:15 --------- d-----w C:\Program Files\Last.fm
2008-05-16 23:11 --------- d-----w C:\Program Files\Spyware Doctor
2008-05-16 22:17 --------- d-----w C:\Program Files\Hitman Pro
2008-05-16 22:14 74,240 ----a-w C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-16 22:14 56,832 ----a-w C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-16 21:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-16 07:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-07 06:45 --------- d-----w C:\Program Files\Soulseek
2008-04-26 19:13 --------- d-----w C:\Documents and Settings\Administrator\Application Data\dvdcss
2008-04-19 23:21 --------- d-----w C:\Program Files\Azureus
2008-04-16 01:09 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-04-16 01:09 --------- d-----w C:\Program Files\Avanquest update
2008-04-16 01:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-04-15 01:30 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ArcSoft
2008-04-15 01:29 --------- d-----w C:\Program Files\Common Files\ArcSoft
2008-04-15 01:29 --------- d-----w C:\Program Files\ArcSoft
2008-04-15 01:28 --------- d-----w C:\Program Files\Common Files\snpstd3
2008-04-15 01:26 --------- d-----w C:\Program Files\Dynex
2008-04-04 14:54 --------- d-----w C:\Program Files\iTunes
2008-04-04 14:54 --------- d-----w C:\Program Files\iPod
2008-04-04 14:52 --------- d-----w C:\Program Files\QuickTime Alternative
2008-04-03 03:20 --------- d-----w C:\Program Files\Trillian Pro
2007-10-31 04:41 20,856 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
2007-12-17 12:43 27,648 --sha-w C:\WINDOWS\system32\Smab0.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"WhatPulse"="C:\Program Files\WhatPulse\WhatPulse.exe" [ ]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-19 15:25 289088]
"Steam"="c:\program files\steam\steam.exe" [2008-03-30 19:17 1271032]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-12-31 08:00 1694208]
"catsrv"="C:\Documents and Settings\Administrator\Policies\catsrv.exe" [2007-04-09 18:26 626176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 04:50 155648]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 10:54 127022]
"LogitechGalleryRepair"="C:\Program Files\Logitech\ImageStudio\ISStart.exe" [2002-12-10 11:32 155648]
"LogitechImageStudioTray"="C:\Program Files\Logitech\ImageStudio\LogiTray.exe" [2002-12-10 11:31 61440]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"SoundMan"="SOUNDMAN.EXE" [2005-10-24 02:45 90112 C:\WINDOWS\soundman.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2006-10-16 21:20 398944]
"catsrv"="C:\Documents and Settings\Administrator\Policies\catsrv.exe" [2007-04-09 18:26 626176]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 18:14 81920]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-12-22 02:19 949376]
"PKVOLUME"="C:\Program Files\PKVolume\PKVOLUME.exe" [ ]
"Pepsi Volume Controller 3.0"="C:\Program Files\Zamaan's Software\Pepsi Volume Controller 3.0\pvc3.0.exe" [ ]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 16:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 16:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\QTTask.exe" [2008-03-29 00:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 11:36 267048]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [2006-11-29 16:28 262144]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-18 14:12 843776]
"UVS11 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 14:12 341488]
"b09e95b0"="C:\WINDOWS\system32\remaemws.dll" [ ]
"avast!"="C:\PROGRA~1\Avast4\ashDisp.exe" [2007-09-06 06:06 79224]
"BMb3ada62c"="C:\WINDOWS\system32\xipbwjqe.dll" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 13:16:50 113664]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-06-29 16:54:04 169472]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-01-13 02:05:00 692224]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll
"vidc.yv12"= yv12vfw.dll
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InvisibleBrowsing]
--a------ 2005-12-21 11:47 917504 C:\Program Files\Invisible Browsing\InvisibleBrowsing.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Last.fm\\LastFM.exe"=
"C:\\Program Files\\Trillian Pro\\trillian.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Hamachi\\hamachi.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Documents and Settings\\Administrator\\Policies\\catsrv.exe"=
"C:\\Program Files\\Steam\\steamapps\\bishopmac\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis SP Demo\\Bin32\\Crysis.exe"=

R3 crtaud;Conexant Riptide WDM Audio Driver;C:\WINDOWS\system32\drivers\crtaud.sys [2001-08-17 08:19]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\WINDOWS\system32\DRIVERS\ManyCam.sys [2008-01-14 06:06]
R3 rpfun;Conexant Riptide Dummy Driver;C:\WINDOWS\system32\drivers\rpfun.sys [2001-08-17 08:19]
R3 rthwcls;Conexant Riptide Bus / Firmware Downloader;C:\WINDOWS\system32\drivers\rthwcls.sys [2001-08-17 08:19]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\ScreamingBAudio.sys [2006-09-27 00:21]
R3 SUPERWEBCAM;SuperWebcam, WDM Virtual Video Capture Device;C:\WINDOWS\system32\DRIVERS\superwebcam.sys [2006-06-27 08:56]
S3 SampleScanner;Ultima2000 Scanner;C:\WINDOWS\system32\DRIVERS\GT680x.sys [2001-06-07 10:56]
S3 TCCrystalCpuInfo;TCCrystalCpuInfo;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TCCpuInfo.sys []
S3 UnlockerDriver4;UnlockerDriver4 Driver;C:\WINDOWS\system32\UnlockerDriver4.sys [2005-04-23 22:08]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CC757037-CDE7-FF20-D829-4828058F45E5}]
C:\WINDOWS\system32:ieupdate32.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-22 04:49:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2008-05-22 4:56:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-22 08:56:20

Pre-Run: 64,008,376,320 bytes free
Post-Run: 63,960,379,392 bytes free

243










HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:37:51 PM, on 5/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\system32\oodag.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Documents and Settings\Administrator\Policies\catsrv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\DNA\btdna.exe
C:\program files\steam\steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMS] "C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE"
O4 - HKLM\..\Run: [LogitechGalleryRepair] "C:\Program Files\Logitech\ImageStudio\ISStart.exe"
O4 - HKLM\..\Run: [LogitechImageStudioTray] "C:\Program Files\Logitech\ImageStudio\LogiTray.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" /logon
O4 - HKLM\..\Run: [catsrv] "C:\Documents and Settings\Administrator\Policies\catsrv.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [PKVOLUME] C:\Program Files\PKVolume\PKVOLUME.exe
O4 - HKLM\..\Run: [Pepsi Volume Controller 3.0] C:\Program Files\Zamaan's Software\Pepsi Volume Controller 3.0\pvc3.0.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [b09e95b0] rundll32.exe "C:\WINDOWS\system32\remaemws.dll",b
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BMb3ada62c] Rundll32.exe "C:\WINDOWS\system32\xipbwjqe.dll",s
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [catsrv] C:\Documents and Settings\Administrator\Policies\catsrv.exe -AutoStart
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3D3BF1F8-9696-4A5E-B4F1-49101C997B70} (VaxSIPUserAgentCAB Control) - http://earthcaller.c...serAgentCAB.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0446776D-2BEE-4894-A738-63FF7EF2A586}: NameServer = 208.67.220.220,4.2.2.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9588 bytes
  • 0

#4
Rorschach112
Posted 22 May 2008 - 03:20 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [b09e95b0] rundll32.exe "C:\WINDOWS\system32\remaemws.dll",b
O4 - HKLM\..\Run: [BMb3ada62c] Rundll32.exe "C:\WINDOWS\system32\xipbwjqe.dll",s


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.





1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32:ieupdate32.exe

Folder::

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CC757037-CDE7-FF20-D829-4828058F45E5}]
[-HKEY_CLASSES_ROOT\CLSID\{CC757037-CDE7-FF20-D829-4828058F45E5}]

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Also post a new HijackThis log
  • 0

#5
Commander Keen
Posted 23 May 2008 - 01:21 AM

Commander Keen

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Alright, thanks!
Here's the new logs:




ComboFix log:

ComboFix 08-05-21.2 - Administrator 2008-05-22 21:02:26.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.854 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\WINDOWS\system32:ieupdate32.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url

.
((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))
.

2008-05-20 23:14 . 2008-05-20 23:14 <DIR> d-------- C:\VundoFix Backups
2008-05-20 20:26 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-05-20 20:26 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2008-05-20 20:26 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-05-20 20:26 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2008-05-20 20:26 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-05-20 20:26 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2008-05-20 20:25 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-05-20 20:21 . 2008-05-20 20:21 <DIR> d-------- C:\Program Files\Electronic Arts
2008-05-19 15:21 . 2008-05-19 15:41 121 --a------ C:\WINDOWS\bdagent.INI
2008-05-19 10:52 . 2008-05-19 10:52 <DIR> d-------- C:\Program Files\BitDefender
2008-05-19 10:49 . 2008-05-19 10:52 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-05-18 15:05 . 2008-05-18 15:05 <DIR> d-------- C:\Program Files\Avast4
2008-05-16 03:35 . 2008-05-16 04:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ulead Systems
2008-05-16 03:32 . 2008-05-16 03:32 <DIR> d-------- C:\Program Files\Common Files\InterVideo
2008-05-16 03:32 . 2008-05-16 03:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InterVideo
2008-05-16 03:31 . 2007-03-06 11:58 210,456 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2008-05-16 03:31 . 2007-03-06 11:58 206,360 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2008-05-16 03:31 . 2007-03-06 11:58 198,168 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2008-05-16 03:31 . 2007-03-06 11:58 198,168 --a------ C:\WINDOWS\system32\IVIresizeM6.dll
2008-05-16 03:31 . 2007-03-06 11:58 194,072 --a------ C:\WINDOWS\system32\IVIresizePX.dll
2008-05-16 03:31 . 2007-03-06 11:58 26,136 --a------ C:\WINDOWS\system32\IVIresize.dll
2008-05-16 03:29 . 2008-05-16 03:29 <DIR> d-------- C:\Program Files\Ulead Systems
2008-05-16 03:29 . 2008-05-16 03:30 <DIR> d-------- C:\Program Files\Common Files\Ulead Systems
2008-05-16 03:29 . 2008-05-16 03:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-05-16 03:27 . 2008-05-16 19:11 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-05-11 13:24 . 2005-03-03 13:32 86,094 --a------ C:\WINDOWS\system32\ImageDrive.cpl
2008-05-09 02:34 . 2003-11-20 18:00 54,784 -rahs---- C:\WINDOWS\system32\RLAPEDec.ax
2008-05-09 02:34 . 2004-04-26 18:00 37,888 -rahs---- C:\WINDOWS\system32\RLMPCDec.ax
2008-05-09 02:34 . 2007-02-21 06:47 31,232 -rahs---- C:\WINDOWS\system32\msfDX.dll
2008-05-09 02:34 . 2007-12-17 08:43 27,648 --ahs---- C:\WINDOWS\system32\Smab0.dll
2008-05-09 02:33 . 2006-09-12 06:46 227,328 -rahs---- C:\WINDOWS\system32\ac3DX.ax
2008-05-09 02:33 . 2006-05-03 05:06 163,328 -rahs---- C:\WINDOWS\system32\flvDX.dll
2008-05-09 02:33 . 2006-01-12 18:23 123,904 -rahs---- C:\WINDOWS\system32\AVCDX.ax
2008-05-09 02:31 . 2008-05-09 02:31 <DIR> d-------- C:\Program Files\eRightSoft
2008-05-07 23:41 . 2008-05-07 23:43 <DIR> d-------- C:\Program Files\Dofus

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-23 01:02 --------- d-----w C:\Documents and Settings\Administrator\Application Data\DNA
2008-05-22 08:53 --------- d-----w C:\Program Files\Steam
2008-05-21 00:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-05-21 00:28 --------- d-----w C:\Program Files\Eset
2008-05-19 19:21 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2008-05-19 15:48 --------- d-----w C:\Program Files\Recover my Files
2008-05-18 04:25 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ZoomBrowser EX
2008-05-18 04:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-05-17 05:41 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 4
2008-05-16 23:15 --------- d-----w C:\Program Files\Last.fm
2008-05-16 23:11 --------- d-----w C:\Program Files\Spyware Doctor
2008-05-16 22:17 --------- d-----w C:\Program Files\Hitman Pro
2008-05-16 22:14 74,240 ----a-w C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-16 22:14 56,832 ----a-w C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-16 21:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-16 07:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-07 06:45 --------- d-----w C:\Program Files\Soulseek
2008-04-26 19:13 --------- d-----w C:\Documents and Settings\Administrator\Application Data\dvdcss
2008-04-19 23:21 --------- d-----w C:\Program Files\Azureus
2008-04-16 01:09 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-04-16 01:09 --------- d-----w C:\Program Files\Avanquest update
2008-04-16 01:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-04-15 01:30 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ArcSoft
2008-04-15 01:29 --------- d-----w C:\Program Files\Common Files\ArcSoft
2008-04-15 01:29 --------- d-----w C:\Program Files\ArcSoft
2008-04-15 01:28 --------- d-----w C:\Program Files\Common Files\snpstd3
2008-04-15 01:26 --------- d-----w C:\Program Files\Dynex
2008-04-04 14:54 --------- d-----w C:\Program Files\iTunes
2008-04-04 14:54 --------- d-----w C:\Program Files\iPod
2008-04-04 14:52 --------- d-----w C:\Program Files\QuickTime Alternative
2008-04-03 03:20 --------- d-----w C:\Program Files\Trillian Pro
2007-10-31 04:41 20,856 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
2007-12-17 12:43 27,648 --sha-w C:\WINDOWS\system32\Smab0.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"WhatPulse"="C:\Program Files\WhatPulse\WhatPulse.exe" [ ]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-19 15:25 289088]
"Steam"="c:\program files\steam\steam.exe" [2008-03-30 19:17 1271032]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-12-31 08:00 1694208]
"catsrv"="C:\Documents and Settings\Administrator\Policies\catsrv.exe" [2007-04-09 18:26 626176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 04:50 155648]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 10:54 127022]
"LogitechGalleryRepair"="C:\Program Files\Logitech\ImageStudio\ISStart.exe" [2002-12-10 11:32 155648]
"LogitechImageStudioTray"="C:\Program Files\Logitech\ImageStudio\LogiTray.exe" [2002-12-10 11:31 61440]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"SoundMan"="SOUNDMAN.EXE" [2005-10-24 02:45 90112 C:\WINDOWS\soundman.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2006-10-16 21:20 398944]
"catsrv"="C:\Documents and Settings\Administrator\Policies\catsrv.exe" [2007-04-09 18:26 626176]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 18:14 81920]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-12-22 02:19 949376]
"PKVOLUME"="C:\Program Files\PKVolume\PKVOLUME.exe" [ ]
"Pepsi Volume Controller 3.0"="C:\Program Files\Zamaan's Software\Pepsi Volume Controller 3.0\pvc3.0.exe" [ ]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 16:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 16:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\QTTask.exe" [2008-03-29 00:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 11:36 267048]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [2006-11-29 16:28 262144]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-18 14:12 843776]
"UVS11 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 14:12 341488]
"avast!"="C:\PROGRA~1\Avast4\ashDisp.exe" [2007-09-06 06:06 79224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 13:16:50 113664]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-06-29 16:54:04 169472]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-01-13 02:05:00 692224]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll
"vidc.yv12"= yv12vfw.dll
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InvisibleBrowsing]
--a------ 2005-12-21 11:47 917504 C:\Program Files\Invisible Browsing\InvisibleBrowsing.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Last.fm\\LastFM.exe"=
"C:\\Program Files\\Trillian Pro\\trillian.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Hamachi\\hamachi.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Documents and Settings\\Administrator\\Policies\\catsrv.exe"=
"C:\\Program Files\\Steam\\steamapps\\bishopmac\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis SP Demo\\Bin32\\Crysis.exe"=

R3 crtaud;Conexant Riptide WDM Audio Driver;C:\WINDOWS\system32\drivers\crtaud.sys [2001-08-17 08:19]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\WINDOWS\system32\DRIVERS\ManyCam.sys [2008-01-14 06:06]
R3 rpfun;Conexant Riptide Dummy Driver;C:\WINDOWS\system32\drivers\rpfun.sys [2001-08-17 08:19]
R3 rthwcls;Conexant Riptide Bus / Firmware Downloader;C:\WINDOWS\system32\drivers\rthwcls.sys [2001-08-17 08:19]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\ScreamingBAudio.sys [2006-09-27 00:21]
R3 SUPERWEBCAM;SuperWebcam, WDM Virtual Video Capture Device;C:\WINDOWS\system32\DRIVERS\superwebcam.sys [2006-06-27 08:56]
S3 SampleScanner;Ultima2000 Scanner;C:\WINDOWS\system32\DRIVERS\GT680x.sys [2001-06-07 10:56]
S3 TCCrystalCpuInfo;TCCrystalCpuInfo;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TCCpuInfo.sys []
S3 UnlockerDriver4;UnlockerDriver4 Driver;C:\WINDOWS\system32\UnlockerDriver4.sys [2005-04-23 22:08]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-22 21:04:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-22 21:05:23
ComboFix-quarantined-files.txt 2008-05-23 01:05:11
ComboFix2.txt 2008-05-22 08:56:28

Pre-Run: 63,976,603,648 bytes free
Post-Run: 63,961,538,560 bytes free

208


















Kaspersky report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, May 23, 2008 3:18:11 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/05/2008
Kaspersky Anti-Virus database records: 796694
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 317506
Number of viruses found: 9
Number of infected objects: 24
Number of suspicious objects: 0
Duration of the scan process: 04:56:07

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ea1ge6u.default\4chan_main.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ea1ge6u.default\cert8.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ea1ge6u.default\history.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ea1ge6u.default\key3.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ea1ge6u.default\parent.lock Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ea1ge6u.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ea1ge6u.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\1ea1ge6u.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\1ea1ge6u.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\1ea1ge6u.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\1ea1ge6u.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\1ea1ge6u.default\XUL.mfl Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008052220080523\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Policies\fxset\001.part Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Eset\cache\CACHE.NDB Object is locked skipped
C:\Program Files\Eset\logs\virlog.dat Object is locked skipped
C:\Program Files\Eset\logs\warnlog.dat Object is locked skipped
C:\Program Files\Steam\logs\connection_log.txt Object is locked skipped
C:\Program Files\Steam\Steam.log Object is locked skipped
C:\Program Files\Steam\steamapps\source 2007 binaries.gcf Object is locked skipped
C:\Program Files\Steam\steamapps\source 2007 shared materials.gcf Object is locked skipped
C:\Program Files\Steam\steamapps\source 2007 shared models.gcf Object is locked skipped
C:\Program Files\Steam\steamapps\source 2007 shared sounds.gcf Object is locked skipped
C:\Program Files\Steam\steamapps\source materials.gcf Object is locked skipped
C:\Program Files\Steam\steamapps\source models.gcf Object is locked skipped
C:\Program Files\Steam\steamapps\source sounds.gcf Object is locked skipped
C:\Program Files\Steam\steamapps\team fortress 2 client content.gcf Object is locked skipped
C:\Program Files\Steam\steamapps\team fortress 2 content.gcf Object is locked skipped
C:\Program Files\Steam\steamapps\team fortress 2 materials.gcf Object is locked skipped
C:\Program Files\Steam\steamapps\winui.gcf Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{9123CF55-EF70-48D4-8FC7-8358422C0AF6}\RP357\A0083150.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.sbz skipped
C:\System Volume Information\_restore{9123CF55-EF70-48D4-8FC7-8358422C0AF6}\RP357\A0083151.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{9123CF55-EF70-48D4-8FC7-8358422C0AF6}\RP357\A0083152.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.sce skipped
C:\System Volume Information\_restore{9123CF55-EF70-48D4-8FC7-8358422C0AF6}\RP360\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\cmdow.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SB Insta.evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_658.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Installers\Internet\HideIPSetup.exe Infected: not-a-virus:AdWare.Win32.EShoper.j skipped
D:\Installers\Media\FLV2Video_Lite_Setup.exe/file27/file09 Infected: not-a-virus:AdWare.Win32.AdMoke.agg skipped
D:\Installers\Media\FLV2Video_Lite_Setup.exe/file27 Infected: not-a-virus:AdWare.Win32.AdMoke.agg skipped
D:\Installers\Media\FLV2Video_Lite_Setup.exe Inno: infected - 2 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{9123CF55-EF70-48D4-8FC7-8358422C0AF6}\RP351\A0080366.exe/data0008 Infected: not-a-virus:AdTool.Win32.MyWebSearch.ak skipped
D:\System Volume Information\_restore{9123CF55-EF70-48D4-8FC7-8358422C0AF6}\RP351\A0080366.exe/data0009 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
D:\System Volume Information\_restore{9123CF55-EF70-48D4-8FC7-8358422C0AF6}\RP351\A0080366.exe NSIS: infected - 2 skipped
D:\System Volume Information\_restore{9123CF55-EF70-48D4-8FC7-8358422C0AF6}\RP360\change.log Object is locked skipped
E:\Azureus Downloads\Ulead VideoStudio Video Studio 11.5 Plus English ( Dolby ) + Unlock Patch\Ulead VideoStudio Video Studio 11.5 Plus English ( Dolby ) + Unlock Patch\UVS11Plus_TBYB_EUS.exe/data0000.cab/is153927.exe Infected: Trojan.Win32.Pakes.cwe skipped
E:\Azureus Downloads\Ulead VideoStudio Video Studio 11.5 Plus English ( Dolby ) + Unlock Patch\Ulead VideoStudio Video Studio 11.5 Plus English ( Dolby ) + Unlock Patch\UVS11Plus_TBYB_EUS.exe/data0000.cab Infected: Trojan.Win32.Pakes.cwe skipped
E:\Azureus Downloads\Ulead VideoStudio Video Studio 11.5 Plus English ( Dolby ) + Unlock Patch\Ulead VideoStudio Video Studio 11.5 Plus English ( Dolby ) + Unlock Patch\UVS11Plus_TBYB_EUS.exe Rsrc-Package: infected - 2 skipped
E:\RECYCLER\S-1-5-21-448539723-562591055-725345543-500\De4.2\system32\cmdow.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
E:\RECYCLER\S-1-5-21-448539723-562591055-725345543-500\De4.2\XPize\Backup\cmdow.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
E:\RECYCLER\S-1-5-21-448539723-562591055-725345543-500\De4.2\XPize\NewFiles\cmdow.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{2F05451B-BC29-470D-BB71-A959CBB282F6}\RP9\A0000689.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
E:\System Volume Information\_restore{A93AC888-E4A2-4071-BFB0-E4A75C5BADCB}\RP15\A0003262.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
E:\System Volume Information\_restore{A93AC888-E4A2-4071-BFB0-E4A75C5BADCB}\RP9\A0001306.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
E:\System Volume Information\_restore{A93AC888-E4A2-4071-BFB0-E4A75C5BADCB}\RP9\A0001502.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
F:\$OEM$\$1\INSTALL\WPI\Tools\cmdow.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
F:\I386\RVMUPPCK.CAB/cmdow.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
F:\I386\RVMUPPCK.CAB CAB: infected - 1 skipped

Scan process completed.













New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:20:14 AM, on 5/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\system32\oodag.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Documents and Settings\Administrator\Policies\catsrv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\DNA\btdna.exe
C:\program files\steam\steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Adobe\Adobe Photoshop CS2\Photoshop.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMS] "C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE"
O4 - HKLM\..\Run: [LogitechGalleryRepair] "C:\Program Files\Logitech\ImageStudio\ISStart.exe"
O4 - HKLM\..\Run: [LogitechImageStudioTray] "C:\Program Files\Logitech\ImageStudio\LogiTray.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" /logon
O4 - HKLM\..\Run: [catsrv] "C:\Documents and Settings\Administrator\Policies\catsrv.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [PKVOLUME] C:\Program Files\PKVolume\PKVOLUME.exe
O4 - HKLM\..\Run: [Pepsi Volume Controller 3.0] C:\Program Files\Zamaan's Software\Pepsi Volume Controller 3.0\pvc3.0.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [catsrv] C:\Documents and Settings\Administrator\Policies\catsrv.exe -AutoStart
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {3D3BF1F8-9696-4A5E-B4F1-49101C997B70} (VaxSIPUserAgentCAB Control) - http://earthcaller.c...serAgentCAB.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0446776D-2BEE-4894-A738-63FF7EF2A586}: NameServer = 208.67.220.220,4.2.2.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9943 bytes
  • 0

#6
Rorschach112
Posted 23 May 2008 - 05:20 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

You got infected cause you downloaded cracks


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
D:\Installers\Internet\HideIPSetup.exe
D:\Installers\Media\FLV2Video_Lite_Setup.exe
E:\Azureus Downloads\Ulead VideoStudio Video Studio 11.5 Plus English ( Dolby ) + Unlock Patch

Folder::
E:\Azureus Downloads\Ulead VideoStudio Video Studio 11.5 Plus English ( Dolby ) + Unlock Patch

DirLook::
E:\Azureus Downloads

ADS::
C:\WINDOWS\system32


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Also tell me how your PC is running
  • 0

#7
Commander Keen
Posted 23 May 2008 - 09:00 AM

Commander Keen

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
I figured it was something to do with what I'd downloaded recently (which was that Ulead Video Studio)...

Well, it's definitely not having any more Vundo trojan errors when I start Firefox, which is always a good sign.
Other than that, I haven't noticed anything out of the ordinary.

If you spot anything in the logs, let me know... thanks again for all your help!


The Combofix log is too long to put in the post or to even attach, so I've hosted it temporarily here as a txt file: http://www.box.net/shared/wfh156r4s0
And here's the new HijackThis log, just in case:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:51 AM, on 5/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\system32\oodag.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Documents and Settings\Administrator\Policies\catsrv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\DNA\btdna.exe
C:\program files\steam\steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Last.fm\LastFM.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMS] "C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE"
O4 - HKLM\..\Run: [LogitechGalleryRepair] "C:\Program Files\Logitech\ImageStudio\ISStart.exe"
O4 - HKLM\..\Run: [LogitechImageStudioTray] "C:\Program Files\Logitech\ImageStudio\LogiTray.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" /logon
O4 - HKLM\..\Run: [catsrv] "C:\Documents and Settings\Administrator\Policies\catsrv.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [PKVOLUME] C:\Program Files\PKVolume\PKVOLUME.exe
O4 - HKLM\..\Run: [Pepsi Volume Controller 3.0] C:\Program Files\Zamaan's Software\Pepsi Volume Controller 3.0\pvc3.0.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [catsrv] C:\Documents and Settings\Administrator\Policies\catsrv.exe -AutoStart
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {3D3BF1F8-9696-4A5E-B4F1-49101C997B70} (VaxSIPUserAgentCAB Control) - http://earthcaller.c...serAgentCAB.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0446776D-2BEE-4894-A738-63FF7EF2A586}: NameServer = 208.67.220.220,4.2.2.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9544 bytes
  • 0

#8
Rorschach112
Posted 23 May 2008 - 10:15 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Ok looking good

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


Also tell me how the PC is running
  • 0

#9
Rorschach112
Posted 27 May 2008 - 05:19 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP