Post #1, Jul 4 2008, 03:01 AM
New Member (Group: Members, Posts: 4, Joined: 4-July 08, Member No.: 220,374)
Seems I've contracted the windows-privacy-protection.com malware that seems to be all over the web atm. Yours was the first forum link I found when I googled the problem, and you helped this guy out: http://www.bleepingcomputer.com/forums/topic152543.html I followed the first step described here but soon realised that the two of us had very different logs, so I went no further. I've run Deckard's System Scan and it gave me the following main.txt (I don't seem to have extra.txt; I have run DSS more than once and I think it appeared the first time, but I'm not sure where on my computer this file would be). Everything from the notepad appears below the dashed line.
---------------------------------------------------------------------------------------------------------------------------------------------------------------
Deckard's System Scanner v20071014.68 Run by leanneb on 2008-07-04 17:54:33 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- HijackThis (run as leanneb.exe) --------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 5:54:42 PM, on 4/07/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Network Associates\VirusScan\mcshield.exe 
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Windows Media Player\WMPNetwk.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\iftuyszv.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\explorer.exe C:\WINDOWS\System32\wbem\wmiprvse.exe C:\Program Files\Spyware Doctor\svcntaux.exe C:\Program Files\Spyware Doctor\swdsvc.exe C:\Program Files\Spyware Doctor\SDTrayApp.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\leanneb\Desktop\dss.exe C:\PROGRA~1\TRENDM~1\HIJACK~1\leanneb.exe C:\WINDOWS\System32\wbem\wmiprvse.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.csiro.au/intranet/index.asp R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.csiro.au/intranet R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe, O2 - BHO: btorbit.com - 
{000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file) O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file) O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file) O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file) O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file) O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file) O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file) O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file) O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file) O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file) O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file) O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file) O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file) O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file) O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file) O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file) O2 - BHO: (no name) - 
{cf021f40-3e14-23a5-cba2-717765721306} - (no file) O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file) O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file) O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file) O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file) O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file) O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file) O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file) O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [Adobe Reader Speed 
Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog O4 - HKCU\..\Run: [Yghw] "C:\Program Files\Common Files\?dobe\j?vaw.exe" O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user') O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201 O8 - Extra context menu 
item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204 O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203 O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL O9 - Extra button: Movies Extractor Scout - {E4296A88-6900-46A9-8473-84768BB7FFAF} - C:\Program Files\Movies Extractor Scout\flashextract.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nexus.csiro.au O17 - HKLM\Software\..\Telephony: DomainName = nexus.csiro.au O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nexus.csiro.au O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nexus.csiro.au O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. 
- C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe O23 - Service: ServiceLayer - Nokia. 
- C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe -- End of file - 12608 bytes -- Files created between 2008-06-04 and 2008-07-04 ----------------------------- 2008-07-04 17:43:08 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2008-07-04 17:42:47 0 d-------- C:\Program Files\Spyware Doctor 2008-07-04 17:42:47 0 d-------- C:\Documents and Settings\leanneb\Application Data\PC Tools 2008-07-04 17:30:16 1152 --a------ C:\WINDOWS\system32\windrv.sys 2008-07-04 17:30:12 0 d-------- C:\Program Files\SpyNoMore 2008-07-04 17:30:09 0 d-------- C:\Program Files\Common Files\Download Manager 2008-07-04 17:22:04 12288 --a------ C:\WINDOWS\y.exe 2008-07-04 17:22:04 29952 --a------ C:\WINDOWS\xplugin.dll 2008-07-04 17:22:04 20224 --a------ C:\WINDOWS\x.exe 2008-07-04 17:22:04 30976 --a------ C:\WINDOWS\winmgnt.exe 2008-07-04 17:22:03 10240 --a------ C:\WINDOWS\window.exe 2008-07-04 17:22:03 11008 --a------ C:\WINDOWS\winajbm.dll 2008-07-04 17:22:03 31488 --a------ C:\WINDOWS\win64.exe 2008-07-04 17:22:03 29952 --a------ C:\WINDOWS\win32e.exe 2008-07-04 17:22:03 16384 --a------ C:\WINDOWS\waol.exe 2008-07-04 17:22:03 16640 --a------ C:\WINDOWS\users32.exe 2008-07-04 17:22:02 31744 --a------ C:\WINDOWS\time.exe 2008-07-04 17:22:02 20992 --a------ C:\WINDOWS\systemcritical.exe 2008-07-04 17:22:02 26880 --a------ C:\WINDOWS\systeem.exe 2008-07-04 17:22:02 28416 --a------ C:\WINDOWS\svcinit.exe 2008-07-04 17:22:01 29696 --a------ C:\WINDOWS\svchost32.exe 2008-07-04 17:22:01 30464 --a------ C:\WINDOWS\sistem.exe 2008-07-04 17:22:01 18944 --a------ C:\WINDOWS\searchword.dll 2008-07-04 17:22:00 13312 --a------ C:\WINDOWS\rundll16.exe 2008-07-04 17:22:00 15104 --a------ C:\WINDOWS\quicken.exe 2008-07-04 17:22:00 20224 --a------ C:\WINDOWS\qttasks.exe 2008-07-04 17:22:00 13312 --a------ C:\WINDOWS\olehelp.exe 2008-07-04 17:21:59 16896 --a------ 
C:\WINDOWS\notepad32.exe 2008-07-04 17:21:59 12032 --a------ C:\WINDOWS\mtwirl32.dll 2008-07-04 17:21:59 23296 --a------ C:\WINDOWS\mswsc20.dll 2008-07-04 17:21:59 29952 --a------ C:\WINDOWS\mswsc10.dll 2008-07-04 17:21:59 9984 --a------ C:\WINDOWS\msupdate.exe 2008-07-04 17:21:59 12544 --a------ C:\WINDOWS\mssys.exe 2008-07-04 17:21:59 9472 --a------ C:\WINDOWS\msspi.dll 2008-07-04 17:21:58 24320 --a------ C:\WINDOWS\msconfd.dll 2008-07-04 17:21:58 32256 --a------ C:\WINDOWS\loader.exe 2008-07-04 17:21:58 32768 --a------ C:\WINDOWS\internet.exe 2008-07-04 17:21:57 24320 --a------ C:\WINDOWS\inetinf.exe 2008-07-04 17:21:57 29952 --a------ C:\WINDOWS\iexplorer.exe 2008-07-04 17:21:56 30720 --a------ C:\WINDOWS\iedll.exe 2008-07-04 17:21:55 15360 --a------ C:\WINDOWS\helpcvs.exe 2008-07-04 17:21:55 10240 --a------ C:\WINDOWS\gfmnaaa.dll 2008-07-04 17:21:55 19712 --a------ C:\WINDOWS\funny.exe 2008-07-04 17:21:55 0 d-------- C:\Temp 2008-07-04 17:21:54 20480 --a------ C:\WINDOWS\funniest.exe 2008-07-04 17:21:54 15616 --a------ C:\WINDOWS\explorer32.exe 2008-07-04 17:21:54 22016 --a------ C:\WINDOWS\explore.exe 2008-07-04 17:21:54 13824 --a------ C:\WINDOWS\editpad.exe 2008-07-04 17:21:54 30208 --a------ C:\WINDOWS\dnsrelay.dll 2008-07-04 17:21:53 14592 --a------ C:\WINDOWS\directx32.exe 2008-07-04 17:21:53 25088 --a------ C:\WINDOWS\ctrlpan.dll 2008-07-04 17:21:53 31232 --a------ C:\WINDOWS\ctfmon32.exe 2008-07-04 17:21:53 15360 --a------ C:\WINDOWS\cpan.dll 2008-07-04 17:21:52 20480 --a------ C:\WINDOWS\clrssn.exe 2008-07-04 17:21:52 15872 --a------ C:\WINDOWS\avpcc.dll 2008-07-04 17:21:52 25088 --a------ C:\WINDOWS\accesss.exe 2008-07-04 17:15:09 0 d-------- C:\Program Files\Trend Micro 2008-07-04 16:59:42 68096 --a------ C:\WINDOWS\zip.exe 2008-07-04 16:59:42 49152 --a------ C:\WINDOWS\VFind.exe 2008-07-04 16:59:42 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists> 2008-07-04 16:59:42 136704 --a------ 
C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller> 2008-07-04 16:59:42 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor> 2008-07-04 16:59:42 98816 --a------ C:\WINDOWS\sed.exe 2008-07-04 16:59:42 80412 --a------ C:\WINDOWS\grep.exe 2008-07-04 16:59:42 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; > 2008-07-04 16:41:20 0 d-------- C:\Program Files\IObit 2008-07-03 23:55:06 0 d-------- C:\WINDOWS\system32\pRI 2008-07-03 23:55:03 0 d-------- C:\WINDOWS\system32\yrt 2008-07-03 23:54:56 0 d-------- C:\WINDOWS\system32\modtrux01 2008-07-03 19:49:39 0 d-------- C:\Program Files\The Witcher 2008-06-20 13:40:58 90073 --a------ C:\WINDOWS\system32\iftuyszv.exe <Not Verified; Microsoft; XML Media> -- Find3M Report --------------------------------------------------------------- 2008-07-04 17:30:09 0 d-------- C:\Program Files\Common Files 2008-07-03 20:22:08 0 d--h----- C:\Program Files\InstallShield Installation Information 2008-06-02 00:34:01 0 d-------- C:\Documents and Settings\leanneb\Application Data\Orbit -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00110011-4b0b-44d5-9718-90c88817369b}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{086ae192-23a6-48d6-96ec-715f53797e85}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{150fa160-130d-451f-b863-b655061432ba}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d38a51a-23c9-48a1-a33c-48675aa2b494}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2e9caff6-30c7-4208-8807-e79d4ec6f806}] [HKEY_LOCAL_MACHINE\~\Browser Helper 
Objects\{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5321e378-ffad-4999-8c62-03ca8155f0b3}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{587dbf2d-9145-4c9e-92c2-1f953da73773}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79369d5c-2903-4b7a-ade2-d5e0dee14d24}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{799a370d-5993-4887-9df7-0a4756a77d00}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a55581dc-2cdb-4089-8878-71a080b22342}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b847676d-72ac-4393-bfff-43a1eb979352}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765721306}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e2ddf680-9905-4dee-8c64-0a5de7fe133c}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e7afff2a-1b57-49c7-bf6b-e5123394c970}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fd9bc004-8331-4457-b830-4759ff704c22}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [06/05/2004 02:52 PM] "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [06/05/2004 02:48 PM] "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [26/04/2004 07:04 AM] "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [15/03/2004 12:04 AM] "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [03/08/2004 10:32 PM] "IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [23/08/2001 10:00 PM] "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [03/08/2004 10:31 PM] "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [03/08/2004 10:32 PM] 
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [03/08/2004 10:32 PM] "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [22/09/2004 08:00 PM] "Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [07/10/2003 09:48 AM] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [17/08/2007 04:23 PM] "nwiz"="nwiz.exe" [17/08/2007 04:23 PM C:\WINDOWS\system32\nwiz.exe] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [02/02/2007 07:26 PM] "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [12/02/2008 08:22 PM] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 03:06 AM] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [17/08/2007 04:23 PM] "PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [15/06/2006 11:36 AM] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [31/01/2008 10:13 PM] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [19/02/2008 12:10 PM] "SNM"="C:\Program Files\SpyNoMore\SNM.exe" [04/07/2008 05:30 PM] "SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [02/10/2007 04:27 PM] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 01:26 AM] "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [03/02/2004 03:42 PM] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/04/2007 01:31 PM] "PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [27/06/2006 03:21 PM] "Yghw"="C:\Program Files\Common Files\?dobe\j?vaw.exe" [] [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce] "TSClientMSIUninstaller"=cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Cisco Systems VPN Client.lnk - 
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [4/08/2005 3:13:08 PM] Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2/02/2007 7:22:51 PM] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "HideStartupScripts"=0 (0x0) "SynchronousMachineGroupPolicy"=0 (0x0) "SynchronousUserGroupPolicy"=0 (0x0) "DisableRegistryTools"=0 (0x0) "HideLegacyLogonScripts"=0 (0x0) "HideLogoffScripts"=0 (0x0) "RunLogonScriptSync"=1 (0x1) "RunStartupScriptSync"=0 (0x0) "DisableTaskMgr"=1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "HideLegacyLogonScripts"=0 (0x0) "HideLogoffScripts"=0 (0x0) "RunLogonScriptSync"=1 (0x1) "RunStartupScriptSync"=0 (0x0) "HideStartupScripts"=0 (0x0) "DisableTaskMgr"=1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "LinkResolveIgnoreLinkInfo"=0 (0x0) "NoResolveSearch"=1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "LinkResolveIgnoreLinkInfo"=0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe," [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0] "Script"=Domain_policy.exe [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}] @="Volume shadow copy" [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] Usnsvc usnsvc 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1724584-c27a-11dc-88f2-806d6172696f}] AutoRun\command- E:\Installer.exe *Newly Created Service* - ENTDRV51 *Newly Created Service* - IKFILESEC *Newly Created Service* - IKSYSFLT *Newly Created Service* - IKSYSSEC *Newly Created Service* - MCHINJDRV *Newly Created Service* - SDAUXSERVICE *Newly Created Service* - SDCORESERVICE -- End of Deckard's System Scanner: finished at 2008-07-04 17:56:00 ------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------
If someone could help me out I'd be very grateful. I also have ComboFix; however, given the need to turn off the internet to run it, I've gone with DSS for the moment. If ComboFix is better let me know. Cheers
This post has been edited by Answerer: Jul 4 2008, 05:36 AM
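Reading a log like the one above by eye is what the HJT Team does; as an added example (not code from the post, from HijackThis or from DSS), here is a small Python triage script that flags the patterns visible in this log: a second executable appended to the Userinit value (the F2 line), BHO entries whose file is gone (O2 "(no file)"), Run entries whose path contains characters HijackThis printed as "?" (the `?dobe\j?vaw.exe` entry; treating "?" or non-ASCII in a path as suspicious is this script's assumption), and the DisableTaskMgr policy from the DSS registry dump. The sample lines are constructed from the posted log.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a handful of HijackThis (R1/F2/O2/O4) lines and two DSS
# policy lines taken from the log posted in this thread, one entry per line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKCU\..\Run: [Yghw] "C:\Program Files\Common Files\?dobe\j?vaw.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"DisableTaskMgr"=1 (0x1)
"DisableRegistryTools"=0 (0x0)
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    line: str
    reason: str


_USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.IGNORECASE)
_BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
_RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run(?:Once)?: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
_POLICY_RE = re.compile(r'^"(?P<name>DisableTaskMgr|DisableRegistryTools)"=(?P<val>\d+)')


def command_path(cmd: str) -> str:
    """Extract the executable path from an O4 command line, quoted or not."""
    # Drop HijackThis's trailing "(User '...')" annotation on HKUS entries.
    cmd = re.sub(r"\s*\(User '[^']*'\)$", "", cmd.strip())
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: cut before the first switch-looking argument (/x or -x).
    return re.split(r"\s+(?=[/-])", cmd, maxsplit=1)[0]


def check_userinit(value: str) -> List[str]:
    """Return every Userinit entry that is not userinit.exe itself."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if entry and entry.lower().rsplit("\\", 1)[-1] != "userinit.exe":
            extras.append(entry)
    return extras


def triage(log_text: str) -> List[Finding]:
    """Walk the log line by line and collect findings in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _USERINIT_RE.match(line)
        if m:
            for extra in check_userinit(m.group("value")):
                findings.append(Finding("high", line, f"extra Userinit executable: {extra}"))
            continue
        m = _BHO_RE.match(line)
        if m:
            if m.group("path").strip() == "(no file)":
                findings.append(Finding("low", line, f"orphaned BHO CLSID {m.group('clsid')}"))
            continue
        m = _RUN_RE.match(line)
        if m:
            path = command_path(m.group("cmd"))
            if "?" in path or any(ord(ch) > 127 for ch in path):
                findings.append(Finding("high", line, f"unprintable or look-alike characters in Run path: {path}"))
            continue
        m = _POLICY_RE.match(line)
        if m and int(m.group("val")) != 0:
            findings.append(Finding("medium", line, f"{m.group('name')} policy set to {m.group('val')}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}")
```

Feed it a main.txt or a HijackThis log saved one entry per line; the flattened copy above would need its line breaks restored first.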
Post #2, Jul 4 2008, 07:57 AM
Malware Killer Dog (Group: HJT Team, Posts: 15,558, Joined: 18-February 05, From: Belgium, Member No.: 12,408)
Hi,
* Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix This includes installing the Windows XP Recovery Console in case you have not installed it yet. Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
Post #3, Jul 4 2008, 08:46 PM
New Member (Group: Members, Posts: 4, Joined: 4-July 08, Member No.: 220,374)
I unfortunately do not have the Windows XP install disc on me and as such haven't installed the Windows Recovery Console. Nevertheless, here is the ComboFix log and HijackThis log (from Deckard's System Scan).
---------------------------------------------------------------------------------------------------------------------------------------------------------------
ComboFix 08-07-03.3 - leanneb 2008-07-05 11:35:25.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.601 [GMT 10:00]
Running from: C:\Documents and Settings\leanneb\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\accesss.exe
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\avpcc.dll
C:\WINDOWS\clrssn.exe
C:\WINDOWS\cpan.dll
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\default.htm
C:\WINDOWS\directx32.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\editpad.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\funny.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\iedll.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\inetinf.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\loader.exe
C:\WINDOWS\msconfd.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\mssys.exe
C:\WINDOWS\msupdate.exe
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\notepad32.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\qttasks.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\searchword.dll
C:\WINDOWS\sistem.exe
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\time.exe
C:\WINDOWS\users32.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\win64.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\window.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\x.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\xxxvideo.hta
C:\WINDOWS\y.exe
.
((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
.
2008-07-05 11:37 . 2008-07-05 11:37 <DIR> d-------- C:\Temp
2008-07-04 17:43 . 2008-07-04 18:21 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-04 17:42 . 2008-07-05 11:29 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-07-04 17:42 . 2008-07-04 17:42 <DIR> d-------- C:\Documents and Settings\leanneb\Application Data\PC Tools
2008-07-04 17:42 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-07-04 17:42 . 2007-10-04 17:10 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-07-04 17:42 . 2007-10-04 17:10 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-07-04 17:42 . 2007-10-04 17:10 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-07-04 17:42 . 2007-10-04 17:11 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-07-04 17:30 . 2008-07-04 17:35 <DIR> d-------- C:\Program Files\SpyNoMore
2008-07-04 17:30 . 2008-07-04 17:42 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-07-04 17:30 . 2008-07-04 17:30 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2008-07-04 17:15 . 2008-07-04 17:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-04 17:11 . 2008-07-04 17:11 <DIR> d-------- C:\Deckard
2008-07-04 16:41 . 2008-07-04 16:41 <DIR> d-------- C:\Program Files\IObit
2008-07-03 23:55 . 2008-07-03 23:55 <DIR> d-------- C:\WINDOWS\system32\yrt
2008-07-03 23:55 . 2008-07-03 23:55 <DIR> d-------- C:\WINDOWS\system32\pRI
2008-07-03 23:54 . 2008-07-03 23:54 <DIR> d-------- C:\WINDOWS\system32\modtrux01
2008-07-03 20:01 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-07-03 20:01 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-07-03 20:01 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-07-03 20:01 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2008-07-03 19:49 . 2008-07-03 20:22 <DIR> d-------- C:\Program Files\The Witcher
2008-06-20 13:40 . 2008-06-20 13:40 90,073 --a------ C:\WINDOWS\system32\iftuyszv.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-03 10:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-03 10:02 278,984 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-07-03 09:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-01 14:34 --------- d-----w C:\Documents and Settings\leanneb\Application Data\Orbit
2008-02-28 02:19 44,184 ----a-w C:\Documents and Settings\leanneb\Application Data\GDIPFONTCACHEV1.DAT
2007-04-22 23:51 8,852,094 ----a-w C:\Program Files\stk-WW-10001.exe
2007-04-13 15:40 25,980,320 ----a-w C:\Program Files\FLV PlayerRCSetup.exe
2007-03-09 09:12 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.
((((((((((((((((((((((((((((( snapshot@2008-07-04_17.21.18.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-04 07:07:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-05 01:29:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-02 08:55:39 73,434 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-04 07:43:59 73,434 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-02 08:55:39 447,990 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-04 07:43:59 447,990 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yghw"="C:\Program Files\Common Files\?dobe\j?vaw.exe" [?]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:26 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 15:42 401491]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-06 13:31 68856]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 15:21 1449984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-05-06 14:52 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-05-06 14:48 118784]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 07:04 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 00:04 122933]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 22:32 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 22:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 22:31 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 20:00 94208]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 09:48 147514]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-08-17 16:23 8478720]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-02 19:26 185896]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-12 20:22 29744]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-08-17 16:23 81920]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-06-15 11:36 229376]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 22:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 12:10 267048]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [2008-07-04 17:30 1064400]
"nwiz"="nwiz.exe" [2007-08-17 16:23 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:26 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="cscript" [X]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2005-08-04 15:13:08 1474576]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-02-02 19:22:51 124912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\iftuyszv.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.iac2"= C:\PROGRA~1\REPLAY~1\iac25_32.ax
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=Domain_policy.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Electronic Arts\\Need For Speed III\\nfs3.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.10.2.5302-to-1.11.0.5428-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.11.1.5462-to-1.11.2.5464-enUS-downloader.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Battlefront II\\GameData\\BattlefrontII.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.11.2.5464-to-1.12.0.5595-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Download

S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-12 20:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1724584-c27a-11dc-88f2-806d6172696f}]
\Shell\AutoRun\command - E:\Installer.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-06-02 12:12:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-05 01:30:43 C:\WINDOWS\Tasks\CSIRO IT Tasks.job"
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-05 11:37:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-05 11:38:44
ComboFix-quarantined-files.txt 2008-07-05 01:38:28
ComboFix2.txt 2008-07-04 07:21:53
Pre-Run: 15,862,337,536 bytes free
Post-Run: 15,876,747,264 bytes free
217 --- E O F --- 2007-11-17 11:17:48
---------------------------------------------------------------------------------------------------------------------------------------------------------------
Here is the hijackthis log
---------------------------------------------------------------------------------------------------------------------------------------------------------------
Deckard's System Scanner v20071014.68
Run by leanneb on 2008-07-05 11:39:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as leanneb.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:24 AM, on 5/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\leanneb\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\leanneb.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.csiro.au/intranet/index.asp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.csiro.au/intranet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Yghw] "C:\Program Files\Common Files\?dobe\j?vaw.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Movies Extractor Scout - {E4296A88-6900-46A9-8473-84768BB7FFAF} - C:\Program Files\Movies Extractor Scout\flashextract.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nexus.csiro.au
O17 - HKLM\Software\..\Telephony: DomainName = nexus.csiro.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nexus.csiro.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nexus.csiro.au
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

--
End of file - 10257 bytes

-- Files created between 2008-06-05 and 2008-07-05 -----------------------------

2008-07-05 11:38:57 11264 --a------ C:\WINDOWS\y.exe
2008-07-05 11:38:56 24064 --a------ C:\WINDOWS\xplugin.dll
2008-07-05 11:38:56 29696 --a------ C:\WINDOWS\x.exe
2008-07-05 11:38:56 22272 --a------ C:\WINDOWS\winmgnt.exe
2008-07-05 11:38:56 29440 --a------ C:\WINDOWS\window.exe
2008-07-05 11:38:56 9472 --a------ C:\WINDOWS\winajbm.dll
2008-07-05 11:38:55 20992 --a------ C:\WINDOWS\win64.exe
2008-07-05 11:38:55 16384 --a------ C:\WINDOWS\win32e.exe
2008-07-05 11:38:55 28928 --a------ C:\WINDOWS\waol.exe
2008-07-05 11:38:55 17408 --a------ C:\WINDOWS\users32.exe
2008-07-05 11:38:55 29952 --a------ C:\WINDOWS\time.exe
2008-07-05 11:38:55 19968 --a------ C:\WINDOWS\systemcritical.exe
2008-07-05 11:38:55 20992 --a------ C:\WINDOWS\systeem.exe
2008-07-05 11:38:54 27136 --a------ C:\WINDOWS\svcinit.exe
2008-07-05 11:38:54 30208 --a------ C:\WINDOWS\svchost32.exe
2008-07-05 11:38:54 27904 --a------ C:\WINDOWS\sistem.exe
2008-07-05 11:38:54 31744 --a------ C:\WINDOWS\searchword.dll
2008-07-05 11:38:52 14848 --a------ C:\WINDOWS\rundll16.exe
2008-07-05 11:38:52 27136 --a------ C:\WINDOWS\quicken.exe
2008-07-05 11:38:51 27904 --a------ C:\WINDOWS\qttasks.exe
2008-07-05 11:38:51 30464 --a------ C:\WINDOWS\olehelp.exe
2008-07-05 11:38:51 15616 --a------ C:\WINDOWS\notepad32.exe
2008-07-05 11:38:51 25088 --a------ C:\WINDOWS\mtwirl32.dll
2008-07-05 11:38:51 29696 --a------ C:\WINDOWS\mswsc20.dll
2008-07-05 11:38:50 8192 --a------ C:\WINDOWS\mswsc10.dll
2008-07-05 11:38:50 20992 --a------ C:\WINDOWS\msupdate.exe
2008-07-05 11:38:50 11264 --a------ C:\WINDOWS\mssys.exe
2008-07-05 11:38:50 20480 --a------ C:\WINDOWS\msspi.dll
2008-07-05 11:38:50 9728 --a------ C:\WINDOWS\msconfd.dll
2008-07-05 11:38:50 24320 --a------ C:\WINDOWS\loader.exe
2008-07-05 11:38:49 11264 --a------ C:\WINDOWS\internet.exe
2008-07-05 11:38:49 27904 --a------ C:\WINDOWS\inetinf.exe
2008-07-05 11:38:49 30208 --a------ C:\WINDOWS\iexplorer.exe
2008-07-05 11:38:48 25088 --a------ C:\WINDOWS\iedll.exe
2008-07-05 11:38:48 22016 --a------ C:\WINDOWS\helpcvs.exe
2008-07-05 11:38:48 0 d-------- C:\Temp
2008-07-05 11:38:47 24576 --a------ C:\WINDOWS\gfmnaaa.dll
2008-07-05 11:38:47 23040 --a------ C:\WINDOWS\funny.exe
2008-07-05 11:38:46 20480 --a------ C:\WINDOWS\funniest.exe
2008-07-05 11:38:46 11264 --a------ C:\WINDOWS\explorer32.exe
2008-07-05 11:38:46 24064 --a------ C:\WINDOWS\explore.exe
2008-07-05 11:38:46 13824 --a------ C:\WINDOWS\editpad.exe
2008-07-05 11:38:46 32256 --a------ C:\WINDOWS\dnsrelay.dll
2008-07-05 11:38:45 16384 --a------ C:\WINDOWS\directx32.exe
2008-07-05 11:38:45 11520 --a------ C:\WINDOWS\ctrlpan.dll
2008-07-05 11:38:45 19456 --a------ C:\WINDOWS\ctfmon32.exe
2008-07-05 11:38:45 13312 --a------ C:\WINDOWS\cpan.dll
2008-07-05 11:38:45 27136 --a------ C:\WINDOWS\clrssn.exe
2008-07-05 11:38:44 15872 --a------ C:\WINDOWS\avpcc.dll
2008-07-05 11:38:44 30720 --a------ C:\WINDOWS\accesss.exe
2008-07-04 17:43:08 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-04 17:42:47 0 d-------- C:\Program Files\Spyware Doctor
2008-07-04 17:42:47 0 d-------- C:\Documents and Settings\leanneb\Application Data\PC Tools
2008-07-04 17:30:16 1152 --a------ C:\WINDOWS\system32\windrv.sys
2008-07-04 17:30:12 0 d-------- C:\Program Files\SpyNoMore
2008-07-04 17:30:09 0 d-------- C:\Program Files\Common Files\Download Manager
2008-07-04 17:15:09 0 d-------- C:\Program Files\Trend Micro
2008-07-04 16:59:42 68096 --a------ C:\WINDOWS\zip.exe
2008-07-04 16:59:42 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-04 16:59:42 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-04 16:59:42 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-04 16:59:42 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-04 16:59:42 98816 --a------ C:\WINDOWS\sed.exe
2008-07-04 16:59:42 80412 --a------ C:\WINDOWS\grep.exe
2008-07-04 16:59:42 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-04 16:41:20 0 d-------- C:\Program Files\IObit
2008-07-03 23:55:06 0 d-------- C:\WINDOWS\system32\pRI
2008-07-03 23:55:03 0 d-------- C:\WINDOWS\system32\yrt
2008-07-03 23:54:56 0 d-------- C:\WINDOWS\system32\modtrux01
2008-07-03 19:49:39 0 d-------- C:\Program Files\The Witcher
2008-06-20 13:40:58 90073 --a------ C:\WINDOWS\system32\iftuyszv.exe <Not Verified; Microsoft; XML Media>

-- Find3M Report ---------------------------------------------------------------

2008-07-04 17:30:09 0 d-------- C:\Program Files\Common Files
2008-07-03 20:22:08 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-02 00:34:01 0 d-------- C:\Documents and Settings\leanneb\Application Data\Orbit

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [06/05/2004 02:52 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [06/05/2004 02:48 PM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [26/04/2004 07:04 AM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [15/03/2004 12:04 AM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [03/08/2004 10:32 PM]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [23/08/2001 10:00 PM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [03/08/2004 10:31 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [03/08/2004 10:32 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [03/08/2004 10:32 PM]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [22/09/2004 08:00 PM]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [07/10/2003 09:48 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [17/08/2007 04:23 PM]
"nwiz"="nwiz.exe" [17/08/2007 04:23 PM C:\WINDOWS\system32\nwiz.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [02/02/2007 07:26 PM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [12/02/2008 08:22 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 03:06 AM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [17/08/2007 04:23 PM]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [15/06/2006 11:36 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [31/01/2008 10:13 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [19/02/2008 12:10 PM]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [04/07/2008 05:30 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 01:26 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [03/02/2004 03:42 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/04/2007 01:31 PM]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [27/06/2006 03:21 PM]
"Yghw"="C:\Program Files\Common Files\?dobe\j?vaw.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"TSClientMSIUninstaller"=cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [4/08/2005 3:13:08 PM]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2/02/2007 7:22:51 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideStartupScripts"=0 (0x0)
"SynchronousMachineGroupPolicy"=0 (0x0)
"SynchronousUserGroupPolicy"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=Domain_policy.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1724584-c27a-11dc-88f2-806d6172696f}]
AutoRun\command- E:\Installer.exe

-- End of Deckard's System Scanner: finished at 2008-07-05 11:39:49 ------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------
Jul 5 2008, 12:04 AM
Post #4
Malware Killer Dog
Group: HJT Team
Posts: 15,558
Joined: 18-February 05
From: Belgium
Member No.: 12,408
Hi,
QUOTE
I unfortunately do not have the windows XP install disc on me and as such haven't installed the windows recovery console

Not sure if you have read the instructions on the Combofix page, but it also says there:

QUOTE
If you use Windows XP and do not have the Windows CD, ComboFix includes a method of installing the Windows Recovery console by downloading a file from Microsoft. To install the Windows Recovery Console when you do not have the Windows XP CD, please follow these instructions:....

So read from there and perform the instructions on how to install the Recovery Console with Combofix.

Also, did you purchase SpyNoMore? If not, then uninstall it.

Then,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

QUOTE
File::
C:\WINDOWS\system32\iftuyszv.exe

Folder::
C:\WINDOWS\system32\yrt
C:\WINDOWS\system32\pRI
C:\WINDOWS\system32\modtrux01

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

--------------------
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here! Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
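The CFScript above targets three findings that can be read straight off the logs: the second executable appended to the Winlogon Userinit value, the Run entry whose logged path contains "?" (the ?dobe\j?vaw.exe entry), and DisableTaskMgr set to 1 in both policy hives. The following is an added triage script, not part of this thread or of ComboFix/HijackThis, that pulls those three indicators out of a constructed sample of log lines modelled on the ones posted here; the reading of "?" as a character the log tool could not render is an assumption.

```python
import re

# Constructed sample: a handful of lines modelled on the HijackThis, ComboFix
# and DSS output posted earlier in this thread (not the full log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\iftuyszv.exe,"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Yghw] "C:\Program Files\Common Files\?dobe\j?vaw.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
"""

# The only component Userinit carries on a stock Windows XP install.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Matches both the HijackThis F2 form (UserInit=...) and the registry-dump
# form ("Userinit"="..."), which ComboFix writes with doubled backslashes.
USERINIT_RE = re.compile(r'Userinit"?=(?P<value>.*)$', re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# First file-like token of the command, with or without surrounding quotes.
PATH_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|com|scr|pif|bat|cmd|vbs|vbe|hta))\b', re.IGNORECASE)
SECTION_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]")
TASKMGR_RE = re.compile(r'^"DisableTaskMgr"\s*=\s*1\b', re.IGNORECASE)


def userinit_extras(line):
    """Return every Userinit component other than the stock userinit.exe."""
    m = USERINIT_RE.search(line)
    if not m:
        return []
    value = m.group("value").strip().strip('"').replace("\\\\", "\\")
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if p.lower() != EXPECTED_USERINIT]


def run_entry_path(line):
    """Extract (name, path) from an O4 Run line, or None if it is not one."""
    m = O4_RE.match(line)
    if not m:
        return None
    pm = PATH_RE.match(m.group("cmd"))
    return (m.group("name"), pm.group("path") if pm else m.group("cmd"))


def analyze(text):
    """Walk the log once and collect the three indicators the CFScript removes."""
    findings = {"userinit_extras": set(), "lookalike_run_entries": [], "taskmgr_disabled_in": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        findings["userinit_extras"].update(userinit_extras(line))
        entry = run_entry_path(line)
        # Assumption: a '?' in a logged path marks a character the log tool
        # could not render, i.e. a folder whose name only looks like "Adobe".
        if entry and "?" in entry[1]:
            findings["lookalike_run_entries"].append(entry[0])
        sm = SECTION_RE.match(line)
        if sm:
            section = sm.group("key")
        elif TASKMGR_RE.match(line) and section:
            findings["taskmgr_disabled_in"].append(section)
    findings["userinit_extras"] = sorted(findings["userinit_extras"])
    return findings


if __name__ == "__main__":
    for key, hits in analyze(SAMPLE_LOG).items():
        print(f"{key}: {hits}")
```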
Jul 5 2008, 05:38 AM
Post #5
New Member
Group: Members
Posts: 4
Joined: 4-July 08
Member No.: 220,374
Many thanks for the assistance, after running combofix with your changes my system appears to be back to normal now. Here's the combofix and hijackthis log just in case, but just wanted to say, thanks so much for your fast and effective response
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
ComboFix 08-07-03.3 - leanneb 2008-07-05 20:28:07.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.588 [GMT 10:00]
Running from: C:\Documents and Settings\leanneb\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\leanneb\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\iftuyszv.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\accesss.exe
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\avpcc.dll
C:\WINDOWS\clrssn.exe
C:\WINDOWS\cpan.dll
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\default.htm
C:\WINDOWS\directx32.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS