
Infected Yet Again....

26 replies to this topic

#1 deroock

deroock

  • Members
  • 44 posts
  • OFFLINE
  • Local time:12:27 PM

Posted 23 July 2007 - 12:50 AM

The popups and slowing of the computer have re-occurred. I think the inciting software never actually left.
Thanks again, in advance. Here's my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 10:45:42 PM, on 7/22/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\starter.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TangoManager.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINNT\System32\SCardSvr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\retadpu572.exe
C:\Program Files\Netscape\Netscape 6\Netscp.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.lib.ucdavis.edu/proxy/pacserve
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.netscape.com"); (C:\Documents and Settings\Ian\Application Data\Mozilla\Profiles\default\kninjy3u.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Ian\Application Data\Mozilla\Profiles\default\kninjy3u.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D156BF7-AE69-8AE8-1A61-8A8DCC51D59E} - C:\WINNT\system32\ifadsuld.dll
O2 - BHO: (no name) - {70a44d10-be7a-41d6-b8db-27c936ecbf8c} - C:\WINNT\system32\hbfiais.dll
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\system32\WinNB58.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\system32\WinNB58.dll
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\SYSTEM32\starter.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TANGOM~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [NBInstall] C:\DOCUME~1\Ian\LOCALS~1\Temp\MBDownloader_876919.exe
O4 - HKLM\..\Run: [runner1] C:\WINNT\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [tkvrbuvA] C:\WINNT\tkvrbuvA.exe
O4 - HKLM\..\Run: [{97-7B-B3-37-ZN}] c:\winnt\system32\dwdsregt.exe SKY009
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINNT\system32\mwinpndt.exe SKY009
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Haus] "C:\DOCUME~1\Ian\APPLIC~1\SEMBLY~1\svchost.exe" -vt yazb
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.0\webbuying.exe
O4 - HKCU\..\Run: [Mtthgk] "C:\Documents and Settings\Ian\Application Data\??mantec\mshta.exe"
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: TA_Start.lnk = C:\WINNT\TISKY009.exe
O4 - Startup: Think-Adz.lnk = C:\WINNT\system32\mwinpndt.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot7_x.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} (3DGreetings.com Player 2.0) - http://expressit.broderbund.com/Plugin/3DGreetings/vroom.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/packages/GSManager.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://hsmail2.ucdmc.ucdavis.edu/iNotes6W.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {47F59200-8783-11D2-8343-00A0C945A819} (RFXInstMgr Class) - http://greetingcenter.richfx.com/download/twophase.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_0.ocx
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.biz/fvlite/fvliteY.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (WebEyeControl) - http://www.rockefellercenter.com/viewer/wg_webeye.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://luckynugget.microgaming.com/luckynugget/FlashAX.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://hsmail2.ucdmc.ucdavis.edu/dwa7W.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\System32\pctspk.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\tkvrbuv.exe
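As an added example that is not part of this thread, the following Python script applies to HijackThis O2/O4/O15/O23 entries the checks a log helper makes by eye: unnamed BHOs, Trusted Zone additions, services with no vendor, programs launched from Temp or Application Data, executables dropped directly in %SystemRoot%, and system binary names (svchost.exe, mshta.exe) living outside system32. The sample lines are copied from the log posted above; the heuristics and the names `classify`, `triage` and `flagged_lines` are this example's own assumptions, not HijackThis's.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of entries copied from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D156BF7-AE69-8AE8-1A61-8A8DCC51D59E} - C:\WINNT\system32\ifadsuld.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NBInstall] C:\DOCUME~1\Ian\LOCALS~1\Temp\MBDownloader_876919.exe
O4 - HKLM\..\Run: [tkvrbuvA] C:\WINNT\tkvrbuvA.exe
O4 - HKCU\..\Run: [Haus] "C:\DOCUME~1\Ian\APPLIC~1\SEMBLY~1\svchost.exe" -vt yazb
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# "O4 - rest of line": the section tag HijackThis prefixes to every entry.
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# First drive-letter path ending in a binary extension; non-greedy so trailing
# arguments such as ' -vt yazb' are not swallowed.
BINARY_PATH = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|sys))', re.IGNORECASE)
# Locations a standard user can write to (long and 8.3 short forms).
USER_WRITABLE = re.compile(
    r"\\(?:temp|locals~1|applic~1|application data|local settings)\\", re.IGNORECASE
)
# An .exe sitting directly in C:\WINNT\ rather than in a subdirectory.
SYSTEM_ROOT_EXE = re.compile(r"^[a-z]:\\winnt\\[^\\]+\.exe$", re.IGNORECASE)
# Names of Windows binaries that legitimately live only under system32 (assumed list).
SYSTEM_BINARY_NAMES = {"svchost.exe", "mshta.exe", "winlogon.exe", "lsass.exe"}


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def extract_path(body: str) -> str:
    """Return the launched binary's path from an entry body, or '' if none."""
    m = BINARY_PATH.search(body)
    return m.group(1) if m else ""


def classify(section: str, body: str) -> list[str]:
    """Return every review reason that applies to one entry (empty list = nothing flagged)."""
    reasons = []
    path = extract_path(body)
    base = path.rsplit("\\", 1)[-1].lower() if path else ""
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("BHO with no name")
    if section == "O15":
        reasons.append("site added to IE Trusted Zone")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service with no vendor")
    if path and USER_WRITABLE.search(path):
        reasons.append("launched from user-writable location")
    if path and SYSTEM_ROOT_EXE.match(path):
        reasons.append("executable directly in %SystemRoot%")
    if base in SYSTEM_BINARY_NAMES and "\\system32\\" not in path.lower():
        reasons.append("system binary name outside system32")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Walk a HijackThis log and collect one Finding per (entry, reason)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # header lines and the 'Running processes' block carry no section tag
        for reason in classify(m.group("section"), m.group("body")):
            findings.append(Finding(m.group("section"), line, reason))
    return findings


def flagged_lines(log_text: str) -> dict[str, list[str]]:
    """Group findings by log line, preserving the order reasons were assigned."""
    grouped: dict[str, list[str]] = {}
    for f in triage(log_text):
        grouped.setdefault(f.line, []).append(f.reason)
    return grouped


if __name__ == "__main__":
    for line, reasons in flagged_lines(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("    ->", r)
```

Entries it does not flag (the Adobe BHO, iTunesHelper, iPod Service) are the vendor-signed ones a helper would leave alone; anything it does flag still needs a human decision, since a hit only marks a line for review.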

#2 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:09:27 PM

Posted 23 July 2007 - 04:42 AM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.

Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt. Post that in your next reply.

Please post back with both the combofix.txt file and a new HijackThis log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:09:27 PM

Posted 23 July 2007 - 04:43 AM

*Post removed*

Edited by RichieUK, 23 July 2007 - 04:44 AM.


#4 deroock

deroock
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  • Local time:12:27 PM

Posted 23 July 2007 - 10:19 PM

Thanks Charles, here are the logs:

"Ian" - Mon 2007-07-23 19:10:42 Service Pack 4
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Ian\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\Ian
C:\qoobox\purity\C\DOCUME~1\Ian\APPLIC~1
C:\qoobox\purity\C\DOCUME~1\Ian\MYDOCU~1
C:\qoobox\purity\C\DOCUME~1\Ian\APPLIC~1\MANTEC~1
C:\qoobox\purity\C\DOCUME~1\Ian\APPLIC~1\SEMBLY~1
C:\qoobox\purity\C\DOCUME~1\Ian\MYDOCU~1\YSTEM3~1
C:\qoobox\purity\C\WINNT\CROSOF~1
C:\qoobox\purity\C\WINNT\RACLE~1


((((((((((((((((((((((((((((((( Files Created from 2007-06-23 to 2007-07-23 ))))))))))))))))))))))))))))))))))


2007-07-22 22:21 <DIR> d-------- C:\Program Files\WinPop
2007-07-22 22:19 60,928 --a------ C:\WINNT\system32\ifadsuld.dll
2007-07-22 22:18 932 --a------ C:\WINNT\system32\winpfz32.sys
2007-07-22 22:18 716,352 -r-hs---- C:\WINNT\tkvrbuvA.exe
2007-07-22 22:18 663,288 --a------ C:\Temp\bY001.exe
2007-07-22 22:18 39,424 --a------ C:\WINNT\retadpu572.exe
2007-07-22 22:18 39,424 --a------ C:\WINNT\retadpu1000106.exe
2007-07-22 22:18 34,816 --a------ C:\WINNT\rau001978.exe
2007-07-22 22:18 171,520 --a------ C:\WINNT\system32\hbfiais.dll
2007-07-22 22:18 <DIR> d-------- C:\WINNT\system32\win
2007-07-22 22:18 <DIR> d-------- C:\WINNT\system32\L9
2007-07-22 22:18 <DIR> d-------- C:\WINNT\system32\L7
2007-07-22 22:18 <DIR> d-------- C:\WINNT\system32\L5
2007-07-22 22:18 <DIR> d-------- C:\WINNT\system32\L3
2007-07-22 22:18 <DIR> d-------- C:\WINNT\system32\L11
2007-07-22 22:18 <DIR> d-------- C:\WINNT\system32\L1
2007-07-22 22:18 <DIR> d-------- C:\WINNT\system32\b02FdUe
2007-07-22 22:18 <DIR> d-------- C:\Temp\tn3
2007-07-22 22:18 <DIR> d-------- C:\Temp\brr
2007-07-22 22:18 <DIR> d-------- C:\Temp\0c2
2007-07-17 07:27 56,320 --a------ C:\WINNT\b122.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-06-18 10:59 163840 --a------ C:\Program Files\ttc.dll
2007-04-25 03:40 7952 --a------ C:\WINNT\system32\svchost.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4efb-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
{1D156BF7-AE69-8AE8-1A61-8A8DCC51D59E} C:\WINNT\system32\ifadsuld.dll
{70a44d10-be7a-41d6-b8db-27c936ecbf8c} C:\WINNT\system32\hbfiais.dll
{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} C:\WINNT\system32\WinNB58.dll [x]
{AE7CD045-E861-484f-8273-0445EE161910} C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
{BDF3E430-B101-42AD-A544-FADC6B084872} C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"EnsoniqMixer"="C:\\WINNT\\SYSTEM32\\starter.exe"
"LWBMOUSE"="C:\\Program Files\\Browser Mouse\\Browser Mouse\\1.0\\lwbwheel.exe"
"Synchronization Manager"="mobsync.exe /logon"
"TangoManager"="C:\\PROGRA~1\\FRONTI~1\\FRONTI~1\\app\\TANGOM~1.EXE"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"LogitechVideo[inspector]"="C:\\Program Files\\Logitech\\Video\\InstallHelper.exe /inspect"
"LogitechCommunicationsManager"="\"C:\\Program Files\\Common Files\\Logitech\\LComMgr\\Communications_Helper.exe\""
"LVCOMSX"="\"C:\\Program Files\\Common Files\\Logitech\\LComMgr\\LVComSX.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SmartDefrag"="\"C:\\Program Files\\IObit\\IObit SmartDefrag\\IObit SmartDefrag.exe\" /startup"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"CountrySelection"="pctptt.exe"
"tkvrbuvA"="C:\\WINNT\\tkvrbuvA.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"Haus"="\"C:\\DOCUME~1\\Ian\\APPLIC~1\\SEMBLY~1\\svchost.exe\" -vt yazb"
"WebBuying"="C:\\Program Files\\Web Buying\\v1.8.0\\webbuying.exe"
"Mtthgk"="\"C:\\Documents and Settings\\Ian\\Application Data\\??mantec\\mshta.exe\""
"WinPop"="C:\\Program Files\\WinPop\\winpop.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="Microsoft AntiSpyware Service Hook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Synchronization Manager"="mobsync.exe /logon"
"CountrySelection"="pctptt.exe"
"LoadQM"="loadqm.exe"
"Adaptec DirectCD"="C:\\PROGRA~1\\HPCD-W~1\\DirectCD\\directcd.exe"
"HP CD-Writer"="C:\\Program Files\\HP CD-Writer\\Mmenu\\hpcdtray.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
WmdmPmSN

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_NET_AGENT


Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\AppleSoftwareUpdate.job
C:\WINNT\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-23 19:14:22
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: Mon 2007-07-23 19:14:50
C:\ComboFix-quarantined-files.txt ... 07-07-23 19:14
C:\ComboFix2.txt ... 07-04-29 19:45


Logfile of HijackThis v1.99.1
Scan saved at 8:15:29 PM, on 7/23/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\starter.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TangoManager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\tkvrbuvA.exe
C:\Program Files\WinPop\winpop.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Netscape\Netscape 6\Netscp.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.lib.ucdavis.edu/proxy/pacserve
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.netscape.com"); (C:\Documents and Settings\Ian\Application Data\Mozilla\Profiles\default\kninjy3u.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Ian\Application Data\Mozilla\Profiles\default\kninjy3u.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D156BF7-AE69-8AE8-1A61-8A8DCC51D59E} - C:\WINNT\system32\ifadsuld.dll
O2 - BHO: (no name) - {70a44d10-be7a-41d6-b8db-27c936ecbf8c} - C:\WINNT\system32\hbfiais.dll
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\system32\WinNB58.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\system32\WinNB58.dll (file missing)
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\SYSTEM32\starter.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TANGOM~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [tkvrbuvA] C:\WINNT\tkvrbuvA.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Haus] "C:\DOCUME~1\Ian\APPLIC~1\SEMBLY~1\svchost.exe" -vt yazb
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.0\webbuying.exe
O4 - HKCU\..\Run: [Mtthgk] "C:\Documents and Settings\Ian\Application Data\??mantec\mshta.exe"
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot7_x.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} (3DGreetings.com Player 2.0) - http://expressit.broderbund.com/Plugin/3DGreetings/vroom.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/packages/GSManager.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://hsmail2.ucdmc.ucdavis.edu/iNotes6W.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {47F59200-8783-11D2-8343-00A0C945A819} (RFXInstMgr Class) - http://greetingcenter.richfx.com/download/twophase.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_0.ocx
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.biz/fvlite/fvliteY.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (WebEyeControl) - http://www.rockefellercenter.com/viewer/wg_webeye.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://luckynugget.microgaming.com/luckynugget/FlashAX.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://hsmail2.ucdmc.ucdavis.edu/dwa7W.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe (file missing)
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\System32\pctspk.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe

#5 rookie147


Posted 24 July 2007 - 04:11 AM

Hello again,
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O2 - BHO: (no name) - {1D156BF7-AE69-8AE8-1A61-8A8DCC51D59E} - C:\WINNT\system32\ifadsuld.dll
O2 - BHO: (no name) - {70a44d10-be7a-41d6-b8db-27c936ecbf8c} - C:\WINNT\system32\hbfiais.dll
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\system32\WinNB58.dll (file missing)
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\system32\WinNB58.dll (file missing)
O4 - HKLM\..\Run: [tkvrbuvA] C:\WINNT\tkvrbuvA.exe
O4 - HKCU\..\Run: [Haus] "C:\DOCUME~1\Ian\APPLIC~1\SEMBLY~1\svchost.exe" -vt yazb
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.0\webbuying.exe
O4 - HKCU\..\Run: [Mtthgk] "C:\Documents and Settings\Ian\Application Data\??mantec\mshta.exe"
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe (file missing)


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix checked button.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Next, please find and delete the following files (if present):

C:\WINNT\system32\ifadsuld.dll
C:\WINNT\system32\winpfz32.sys
C:\WINNT\tkvrbuvA.exe
C:\WINNT\retadpu572.exe
C:\WINNT\retadpu1000106.exe
C:\WINNT\rau001978.exe
C:\WINNT\system32\hbfiais.dll
C:\WINNT\b122.exe
C:\WINNT\dls0523pmw.exe

And these folders:

C:\WINNT\system32\win
C:\WINNT\system32\L9
C:\WINNT\system32\L7
C:\WINNT\system32\L5
C:\WINNT\system32\L3
C:\WINNT\system32\L11
C:\WINNT\system32\L1
C:\WINNT\system32\b02FdUe
C:\Temp\tn3
C:\Temp\brr
C:\Temp\0c2
C:\Program Files\Web Buying

Click on Start | Run and type: services.msc
In the list of services look for: Net Agent
Right click on it and hit Properties.
In the drop down box next to "startup type" choose: disabled
OK your way out.

Next, run HijackThis, but instead of scanning, click on the "None of the above, just start the program" button.
At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select Delete an NT Service
Copy/paste the following into the box that opens, and press OK:
Net Agent

Reboot into Normal Mode again.

Then scan once more with HijackThis and post back the new log.
Thanks,
Charles

Edited by rookie147, 24 July 2007 - 05:36 AM.

If you are pleased with the service I have offered, you may like to consider making a donation.
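As an added illustration (not part of this thread, HijackThis or any of the tools mentioned), a small Python triage routine that reads HijackThis-style entries like the ones listed above and flags the features a helper looks for: an entry whose file is missing, a BHO with no name, a site added to the Trusted Zone, a system-binary name such as svchost.exe or mshta.exe launched from outside system32, a folder name containing unprintable characters, and a Run entry launched from a user profile or Temp folder. The sample lines are copied from the logs above plus two benign ones; the rule set and the names `triage`, `triage_line` and `Finding` are my own constructions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entries taken from the HijackThis logs in this thread,
# plus benign Acrobat, EnsoniqMixer and Norton entries for contrast.
# HijackThis prints characters it cannot display as "?", so "??mantec" is a
# folder whose name starts with two unprintable characters (a look-alike of
# a Symantec folder name).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D156BF7-AE69-8AE8-1A61-8A8DCC51D59E} - C:\WINNT\system32\ifadsuld.dll
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\system32\WinNB58.dll (file missing)
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\SYSTEM32\starter.exe
O4 - HKCU\..\Run: [Haus] "C:\DOCUME~1\Ian\APPLIC~1\SEMBLY~1\svchost.exe" -vt yazb
O4 - HKCU\..\Run: [Mtthgk] "C:\Documents and Settings\Ian\Application Data\??mantec\mshta.exe"
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

# "O4 - HKCU\..\Run: [Haus] ..." -> code "O4", body "HKCU\..\Run: [Haus] ..."
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# First Windows path on the line that ends in an executable-type extension;
# non-greedy so "Acrobat 6.0" does not stop the match early.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|ocx)\b', re.IGNORECASE)

# Names of Windows system binaries that are only expected under system32.
SYSTEM_NAMES = {"svchost.exe", "mshta.exe", "lsass.exe", "services.exe",
                "winlogon.exe", "csrss.exe"}
# Folder fragments that mark a user profile or temp location (lower-cased).
PROFILE_MARKERS = ("\\docume~1\\", "\\documents and settings\\", "\\temp\\",
                   "\\applic~1\\", "\\application data\\")


@dataclass
class Finding:
    code: str          # HijackThis section, e.g. "O4"
    line: str          # the original log line
    reasons: List[str]  # why the entry deserves a look (empty = nothing found)


def extract_path(body: str) -> Optional[str]:
    """Return the first file path in an entry body, or None."""
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def triage_line(line: str) -> Optional[Finding]:
    """Apply the heuristics to one log line; None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    reasons = []
    if "(file missing)" in body:
        reasons.append("points at a file that no longer exists (orphaned entry)")
    if code == "O2" and "(no name)" in body:
        reasons.append("BHO registered without a name")
    if code == "O15":
        reasons.append("site added to the Trusted Zone (relaxes IE security for it)")
    path = extract_path(body)
    if path:
        low = path.lower()
        folder, _, name = low.rpartition("\\")
        if "?" in folder:
            reasons.append("unprintable characters in folder name (look-alike folder)")
        if name in SYSTEM_NAMES and not folder.endswith("\\system32"):
            reasons.append(f"{name} launched from outside system32")
        if code == "O4" and any(mk in low for mk in PROFILE_MARKERS):
            reasons.append("startup item launched from a user-profile or temp folder")
    return Finding(code, line.strip(), reasons)


def triage(log_text: str) -> List[Finding]:
    """Return only the entries that triggered at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        f = triage_line(raw)
        if f and f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```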


#6 deroock

  • Topic Starter

Posted 25 July 2007 - 12:50 AM

here's the latest hijackthis log, thanks.....

Logfile of HijackThis v1.99.1
Scan saved at 10:42:36 PM, on 7/24/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\starter.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TangoManager.exe
C:\Program Files\WinPop\winpop.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.lib.ucdavis.edu/proxy/pacserve
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.netscape.com"); (C:\Documents and Settings\Ian\Application Data\Mozilla\Profiles\default\kninjy3u.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Ian\Application Data\Mozilla\Profiles\default\kninjy3u.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\SYSTEM32\starter.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TANGOM~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot7_x.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} (3DGreetings.com Player 2.0) - http://expressit.broderbund.com/Plugin/3DGreetings/vroom.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/packages/GSManager.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://hsmail2.ucdmc.ucdavis.edu/iNotes6W.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {47F59200-8783-11D2-8343-00A0C945A819} (RFXInstMgr Class) - http://greetingcenter.richfx.com/download/twophase.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_0.ocx
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.biz/fvlite/fvliteY.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (WebEyeControl) - http://www.rockefellercenter.com/viewer/wg_webeye.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://luckynugget.microgaming.com/luckynugget/FlashAX.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://hsmail2.ucdmc.ucdavis.edu/dwa7W.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\System32\pctspk.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe

#7 rookie147


Posted 25 July 2007 - 03:27 AM

Could I have another Combofix log too, please?



#8 deroock

  • Topic Starter

Posted 25 July 2007 - 11:17 AM

I don't know if it's typical, but I always have to run combofix twice before it gives a log. Here it is:

"Ian" - Wed 2007-07-25 9:01:32 Service Pack 4
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Ian\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\ldcore.dll
C:\WINNT\system32\ldinfo.ldr
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\Ian
C:\qoobox\purity\C\DOCUME~1\Ian\APPLIC~1
C:\qoobox\purity\C\DOCUME~1\Ian\MYDOCU~1
C:\qoobox\purity\C\DOCUME~1\Ian\APPLIC~1\MANTEC~1
C:\qoobox\purity\C\DOCUME~1\Ian\APPLIC~1\SEMBLY~1
C:\qoobox\purity\C\DOCUME~1\Ian\APPLIC~1\SMANTE~1
C:\qoobox\purity\C\DOCUME~1\Ian\MYDOCU~1\YSTEM3~1
C:\qoobox\purity\C\WINNT\CROSOF~1
C:\qoobox\purity\C\WINNT\RACLE~1
C:\qoobox\purity\C\WINNT\STEM~1


((((((((((((((((((((((((((((((( Files Created from 2007-06-25 to 2007-07-25 ))))))))))))))))))))))))))))))))))


2007-07-25 08:58 94,208 --a------ C:\WINNT\system32\dnsersnd.dll
2007-07-25 08:58 9,769 --a------ C:\WINNT\zmmlc0578.exe
2007-07-25 08:58 6,689 --a------ C:\WINNT\system32\ldcore.dll
2007-07-25 08:58 19,968 --a------ C:\WINNT\system32\winwgz32.dll
2007-07-25 08:58 <DIR> d-------- C:\WINNT\system32\b06FdUe
2007-07-24 22:55 932 --a------ C:\WINNT\system32\winpfz32.sys
2007-07-24 22:55 786,352 -r-hs---- C:\WINNT\tkvrbuvA.exe
2007-07-24 22:55 65,536 --a------ C:\WINNT\dls0523pmw.exe
2007-07-24 22:55 60,928 --a------ C:\WINNT\system32\irkjdhnx.dll
2007-07-24 22:55 54,784 --a------ C:\WINNT\tkvrbuv.exe
2007-07-24 22:55 49,168 --a------ C:\WINNT\system32\modsregk.exe
2007-07-24 22:55 49,152 --a------ C:\WINNT\TISKY009.exe
2007-07-24 22:55 39,424 --a------ C:\WINNT\retadpu1000106.exe
2007-07-24 22:55 34,816 --a------ C:\WINNT\rau001978.exe
2007-07-24 22:55 192,617 --a------ C:\WINNT\system32\mwinpndt.exe
2007-07-24 22:55 <DIR> d-------- C:\WINNT\system32\win
2007-07-24 22:55 <DIR> d-------- C:\WINNT\system32\T7
2007-07-24 22:55 <DIR> d-------- C:\WINNT\system32\T5
2007-07-24 22:55 <DIR> d-------- C:\WINNT\system32\T3
2007-07-24 22:55 <DIR> d-------- C:\WINNT\system32\T11
2007-07-24 22:55 <DIR> d-------- C:\WINNT\system32\T1
2007-07-24 22:55 <DIR> d-------- C:\Temp\tn3
2007-07-24 22:55 <DIR> d-------- C:\Temp\0c2
2007-07-24 22:54 39,424 --a------ C:\WINNT\retadpu572.exe
2007-07-24 22:54 <DIR> d-------- C:\WINNT\system32\b02FdUe
2007-07-24 22:54 <DIR> d-------- C:\Temp\brr
2007-07-22 22:21 <DIR> d-------- C:\Program Files\WinPop
2007-07-06 11:40 192,512 --a------ C:\WINNT\g4356cbvy63.exe
2007-06-25 05:54 53,248 --a------ C:\WINNT\uni_eh44.exe
2007-06-25 05:53 53,248 --a------ C:\WINNT\uninst1014.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-07-25 08:59 16 --a------ C:\DOCUME~1\Ian\APPLIC~1\.rdr.ini
2007-06-14 03:54 163840 --a------ C:\Program Files\ttc.dll
2007-06-14 01:22 2231 --a------ C:\Program Files\folder.js
2007-06-08 13:47 5120 --a------ C:\WINNT\system32\nsis.library.regtool.v2.{75d33490-33d9-4bc6-abd7-2d69d0c8b1fa}.exe
2007-04-25 03:40 7952 --a------ C:\WINNT\system32\svchost.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4efb-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
{191A38FE-A23E-8FBA-1A61-8A8DCC51D3C0} C:\WINNT\system32\irkjdhnx.dll
{6C73FB2F-B9CF-425D-A828-A0F557BCD3B8} \
{AE7CD045-E861-484f-8273-0445EE161910} C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
{BDF3E430-B101-42AD-A544-FADC6B084872} C:\Program Files\Norton AntiVirus\NavShExt.dll
{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} C:\WINNT\system32\dnsersnd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"EnsoniqMixer"="C:\\WINNT\\SYSTEM32\\starter.exe"
"LWBMOUSE"="C:\\Program Files\\Browser Mouse\\Browser Mouse\\1.0\\lwbwheel.exe"
"Synchronization Manager"="mobsync.exe /logon"
"TangoManager"="C:\\PROGRA~1\\FRONTI~1\\FRONTI~1\\app\\TANGOM~1.EXE"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"LogitechVideo[inspector]"="C:\\Program Files\\Logitech\\Video\\InstallHelper.exe /inspect"
"LogitechCommunicationsManager"="\"C:\\Program Files\\Common Files\\Logitech\\LComMgr\\Communications_Helper.exe\""
"LVCOMSX"="\"C:\\Program Files\\Common Files\\Logitech\\LComMgr\\LVComSX.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SmartDefrag"="\"C:\\Program Files\\IObit\\IObit SmartDefrag\\IObit SmartDefrag.exe\" /startup"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"CountrySelection"="pctptt.exe"
"tkvrbuvA"="C:\\WINNT\\tkvrbuvA.exe"
"{97-7B-B3-37-ZN}"="C:\\winnt\\system32\\modsregk.exe SKY009"
"g4356cbvy63"="C:\\WINNT\\g4356cbvy63"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"WinPop"="C:\\Program Files\\WinPop\\winpop.exe"
"Haus"="\"C:\\DOCUME~1\\Ian\\APPLIC~1\\SMANTE~1\\wuauboot.exe\" -vt yazb"
"Oxxkym"="C:\\WINNT\\??stem\\arpa.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="Microsoft AntiSpyware Service Hook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwgz32

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="c:\winnt\system32\ldcore.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Synchronization Manager"="mobsync.exe /logon"
"CountrySelection"="pctptt.exe"
"LoadQM"="loadqm.exe"
"Adaptec DirectCD"="C:\\PROGRA~1\\HPCD-W~1\\DirectCD\\directcd.exe"
"HP CD-Writer"="C:\\Program Files\\HP CD-Writer\\Mmenu\\hpcdtray.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
WmdmPmSN



Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\AppleSoftwareUpdate.job
C:\WINNT\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-25 09:05:30
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: Wed 2007-07-25 9:05:57
C:\ComboFix-quarantined-files.txt ... 07-07-25 09:05
C:\ComboFix2.txt ... 07-07-23 19:14
C:\ComboFix3.txt ... 07-04-29 19:45

#9 rookie147


Posted 25 July 2007 - 11:54 AM

Hi again,
Please download the OTMoveIt by OldTimer.
  • Save it to your Desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • C:\WINNT\system32\b06FdUe
      C:\WINNT\system32\win
      C:\WINNT\system32\T7
      C:\WINNT\system32\T5
      C:\WINNT\system32\T3
      C:\WINNT\system32\T11
      C:\WINNT\system32\T1
      C:\Temp\tn3
      C:\Temp\0c2
      C:\WINNT\system32\b02FdUe
      C:\Temp\brr
      C:\WINNT\system32\dnsersnd.dll
      C:\WINNT\zmmlc0578.exe
      C:\WINNT\system32\ldcore.dll
      C:\WINNT\system32\winwgz32.dll
      C:\WINNT\system32\winpfz32.sys
      C:\WINNT\tkvrbuvA.exe
      C:\WINNT\dls0523pmw.exe
      C:\WINNT\system32\irkjdhnx.dll
      C:\WINNT\tkvrbuv.exe
      C:\WINNT\system32\modsregk.exe
      C:\WINNT\TISKY009.exe
      C:\WINNT\retadpu1000106.exe
      C:\WINNT\rau001978.exe
      C:\WINNT\system32\mwinpndt.exe
      C:\WINNT\retadpu572.exe
      C:\WINNT\g4356cbvy63.exe
      C:\WINNT\uni_eh44.exe
      C:\WINNT\uninst1014.exe
      C:\Program Files\ttc.dll
  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post back the following in your next reply:
  • OTMoveIt log
  • New ComboFix report
  • New HijackThis log



#10 deroock

  • Topic Starter

Posted 25 July 2007 - 08:43 PM

The moveit program had to reset to complete moving all files, so I lost the log. The one I'm posting is after repeating the process. It looks like it can't find any of the files.....I assume this is good..... here are the 3 log files:

File/Folder C:\WINNT\system32\b06FdUe not found.
File/Folder C:\WINNT\system32\win not found.
File/Folder C:\WINNT\system32\T7 not found.
File/Folder C:\WINNT\system32\T5 not found.
File/Folder C:\WINNT\system32\T3 not found.
File/Folder C:\WINNT\system32\T11 not found.
File/Folder C:\WINNT\system32\T1 not found.
File/Folder C:\Temp\tn3 not found.
File/Folder C:\Temp\0c2 not found.
File/Folder C:\WINNT\system32\b02FdUe not found.
File/Folder C:\Temp\brr not found.
File/Folder C:\WINNT\system32\dnsersnd.dll not found.
File/Folder C:\WINNT\zmmlc0578.exe not found.
File/Folder C:\WINNT\system32\ldcore.dll not found.
File/Folder C:\WINNT\system32\winwgz32.dll not found.
File/Folder C:\WINNT\system32\winpfz32.sys not found.
File/Folder C:\WINNT\tkvrbuvA.exe not found.
File/Folder C:\WINNT\dls0523pmw.exe not found.
File/Folder C:\WINNT\system32\irkjdhnx.dll not found.
File/Folder C:\WINNT\tkvrbuv.exe not found.
File/Folder C:\WINNT\system32\modsregk.exe not found.
File/Folder C:\WINNT\TISKY009.exe not found.
File/Folder C:\WINNT\retadpu1000106.exe not found.
File/Folder C:\WINNT\rau001978.exe not found.
File/Folder C:\WINNT\system32\mwinpndt.exe not found.
File/Folder C:\WINNT\retadpu572.exe not found.
File/Folder C:\WINNT\g4356cbvy63.exe not found.
File/Folder C:\WINNT\uni_eh44.exe not found.
File/Folder C:\WINNT\uninst1014.exe not found.
File/Folder C:\Program Files\ttc.dll not found.

Created on 07/25/2007 18:05:42


"Ian" - Wed 07/25/2007 18:06:41 Service Pack 4
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Ian\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\Ian
C:\qoobox\purity\C\DOCUME~1\Ian\APPLIC~1
C:\qoobox\purity\C\DOCUME~1\Ian\MYDOCU~1
C:\qoobox\purity\C\DOCUME~1\Ian\APPLIC~1\MANTEC~1
C:\qoobox\purity\C\DOCUME~1\Ian\APPLIC~1\SEMBLY~1
C:\qoobox\purity\C\DOCUME~1\Ian\APPLIC~1\SMANTE~1
C:\qoobox\purity\C\DOCUME~1\Ian\MYDOCU~1\YSTEM3~1
C:\qoobox\purity\C\WINNT\CROSOF~1
C:\qoobox\purity\C\WINNT\RACLE~1
C:\qoobox\purity\C\WINNT\STEM~1


((((((((((((((((((((((((((((((( Files Created from 2002-01-07 to 20/25/2007 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2012/18/04 08:32p 38229 --------- C:\WINNT\system32\drivers\StMp3Rec.sys
2012/14/99 11:00p 10064 --a------ C:\WINNT\system32\drivers\dxapi.sys
2012/11/99 12:00a 9680 --a------ C:\WINNT\system32\drivers\netdtect.sys
2012/11/99 12:00a 88816 --a------ C:\WINNT\system32\drivers\lvcam.sys
2012/11/99 12:00a 8016 --a------ C:\WINNT\system32\drivers\rasacd.sys
2012/11/99 12:00a 79120 --a------ C:\WINNT\system32\drivers\lvcodek.sys
2012/11/99 12:00a 6512 --a------ C:\WINNT\system32\drivers\parvdm.sys
2012/11/99 12:00a 6032 --a------ C:\WINNT\system32\drivers\rootmdm.sys
2012/11/99 12:00a 59280 --a------ C:\WINNT\system32\drivers\vdmindvd.sys
2012/11/99 12:00a 58480 --a------ C:\WINNT\system32\drivers\nwlnkspx.sys
2012/11/99 12:00a 57904 --a------ C:\WINNT\system32\drivers\atmarpc.sys
2012/11/99 12:00a 52048 --a------ C:\WINNT\system32\drivers\tosdvd.sys
2012/11/99 12:00a 4240 --a------ C:\WINNT\system32\drivers\wmilib.sys
2012/11/99 12:00a 4240 --a------ C:\WINNT\system32\drivers\mnmdd.sys
2012/11/99 12:00a 4080 --a------ C:\WINNT\system32\drivers\beep.sys
2012/11/99 12:00a 40432 --a------ C:\WINNT\system32\drivers\ndproxy.sys
2012/11/99 12:00a 37040 --a------ C:\WINNT\system32\drivers\npfs.sys
2012/11/99 12:00a 35344 --a------ C:\WINNT\system32\drivers\nwlnkfwd.sys
2012/11/99 12:00a 35024 --a------ C:\WINNT\system32\drivers\rawwan.sys
2012/11/99 12:00a 34416 --a------ C:\WINNT\system32\drivers\ipfltdrv.sys
2012/11/99 12:00a 33456 --a------ C:\WINNT\system32\drivers\netbios.sys
2012/11/99 12:00a 2800 --a------ C:\WINNT\system32\drivers\null.sys
2012/11/99 12:00a 272496 --a------ C:\WINNT\system32\drivers\cinemst2.sys
2012/11/99 12:00a 23888 --a------ C:\WINNT\system32\drivers\usbcamd.sys
2012/11/99 12:00a 22000 --a------ C:\WINNT\system32\drivers\tsbvcap.sys
2012/11/99 12:00a 21712 --a------ C:\WINNT\system32\drivers\rca.sys
2012/11/99 12:00a 21328 --a------ C:\WINNT\system32\drivers\msfs.sys
2012/11/99 12:00a 19984 --a------ C:\WINNT\system32\drivers\ipinip.sys
2012/11/99 12:00a 19088 --a------ C:\WINNT\system32\drivers\cdaudio.sys
2012/11/99 12:00a 17424 --a------ C:\WINNT\system32\drivers\lvsound.sys
2012/11/99 12:00a 16880 --a------ C:\WINNT\system32\drivers\raspti.sys
2012/11/99 12:00a 15120 --a------ C:\WINNT\system32\drivers\usbintel.sys
2012/11/99 12:00a 14832 --a------ C:\WINNT\system32\drivers\smclib.sys
2012/11/99 12:00a 13968 --a------ C:\WINNT\system32\drivers\vga.sys
2012/11/99 12:00a 12880 --a------ C:\WINNT\system32\drivers\class2.sys
2012/11/99 12:00a 12560 --a------ C:\WINNT\system32\drivers\nwlnkflt.sys
2012/11/99 12:00a 12368 --a------ C:\WINNT\system32\drivers\fsvga.sys
2012/11/99 12:00a 12016 --a------ C:\WINNT\system32\drivers\ws2ifsl.sys
2012/11/99 12:00a 105840 --a------ C:\WINNT\system32\drivers\streams.sys
2012/11/99 12:00a 102160 --a------ C:\WINNT\system32\drivers\nbf.sys
2012/11/02 11:14p 7424 --a------ C:\WINNT\system32\drivers\mskssrv.sys
2012/11/02 11:14p 5504 --a------ C:\WINNT\system32\drivers\mstee.sys
2012/11/02 11:14p 5248 --a------ C:\WINNT\system32\drivers\mspclock.sys
2012/11/02 11:14p 4096 --a------ C:\WINNT\system32\drivers\swenum.sys
2012/11/02 11:14p 130304 --a------ C:\WINNT\system32\drivers\ks.sys
2012/08/01 02:00p 183872 --a------ C:\WINNT\system32\drivers\NAVAP.SYS
2012/07/99 01:48p 111552 --a------ C:\WINNT\system32\drivers\WEECAMKE.SYS
2012/04/01 12:17p 412800 -ra------ C:\WINNT\system32\drivers\sbpci.sys
2011/26/04 03:48p 28400 --a------ C:\WINNT\system32\drivers\SECDRV.SYS
2010/28/99 02:24p 51152 --a------ C:\WINNT\system32\drivers\DMusic.sys
2010/28/03 02:02a 20016 --------- C:\WINNT\system32\drivers\pxhelp20.sys
2010/22/00 08:23p 4421 --a------ C:\WINNT\system32\drivers\hpcd2K.sys
2010/21/99 01:52p 8720 --a------ C:\WINNT\system32\drivers\hidgame.sys
2010/12/99 03:57p 68912 --a------ C:\WINNT\system32\drivers\USBAUDIO.sys
2010/05/02 12:02p 50518 --a------ C:\WINNT\system32\drivers\pwd_2k.sys
2010/05/02 12:02p 222048 --a------ C:\WINNT\system32\drivers\CDUDF.SYS
2010/05/02 12:02p 17286 --a------ C:\WINNT\system32\drivers\mmc_2k.sys
2009/27/01 08:13p 22866 --a------ C:\WINNT\system32\drivers\SISAGP.SYS
2009/25/99 09:36a 4816 --a------ C:\WINNT\system32\drivers\MSPQM.sys
2009/25/99 09:35a 2832 --a------ C:\WINNT\system32\drivers\msmpu401.sys
2009/25/99 09:34a 16144 --a------ C:\WINNT\system32\drivers\MODEMCSA.sys
2009/25/99 02:35a 2896 --a------ C:\WINNT\system32\drivers\audstub.sys
2009/25/03 09:47a 16509 --a------ C:\WINNT\system32\drivers\PalmUSBD.sys
2009/19/06 03:44p 15664 --a------ C:\WINNT\system32\drivers\GEARAspiWDM.sys
2009/05/06 08:03a 3968 --a------ C:\WINNT\system32\drivers\AvgAsCln.sys
2009/01/05 12:11p 16768 --a------ C:\WINNT\system32\drivers\LVPrcMon.sys
2007/30/02 03:06p 8552 --a------ C:\WINNT\system32\drivers\asctrm.sys
2007/19/03 11:30a 28276 --a------ C:\WINNT\system32\drivers\MxlW2k.sys
2007/17/02 08:53a 16877 --a------ C:\WINNT\system32\drivers\ASPI32.SYS
2007/16/01 07:38a 18051 -ra------ C:\WINNT\system32\drivers\NdusbMsn.sys
2007/09/04 03:27a 48512 --a------ C:\WINNT\system32\drivers\stream.sys
2007/09/04 01:58a 83968 --a------ C:\WINNT\system32\drivers\nabtsfec.sys
2007/09/04 01:58a 56832 --a------ C:\WINNT\system32\drivers\msdv.sys
2007/09/04 01:58a 18688 --a------ C:\WINNT\system32\drivers\wstcodec.sys
2007/09/04 01:58a 16384 --a------ C:\WINNT\system32\drivers\ccdecode.sys
2007/09/04 01:58a 15104 --a------ C:\WINNT\system32\drivers\mpe.sys
2007/09/04 01:58a 14976 --a------ C:\WINNT\system32\drivers\streamip.sys
2007/09/04 01:58a 11392 --a------ C:\WINNT\system32\drivers\bdasup.sys
2007/09/04 01:58a 10880 --a------ C:\WINNT\system32\drivers\slip.sys
2007/09/04 01:58a 10112 --a------ C:\WINNT\system32\drivers\ndisip.sys
2006/26/06 09:33a 23472 --a------ C:\WINNT\system32\drivers\LVPr2Mon.sys
2006/26/06 09:33a 1952816 --a------ C:\WINNT\system32\drivers\LVMVdrv.sys
2006/26/06 09:33a 1587632 --a------ C:\WINNT\system32\drivers\Lvckap.sys
2006/22/06 02:29p 720176 --a------ C:\WINNT\system32\drivers\LV302AV.SYS
2006/22/06 02:29p 38960 --a------ C:\WINNT\system32\drivers\LVUSBSta.sys
2006/22/06 02:29p 12080 --a------ C:\WINNT\system32\drivers\lv302af.sys
2006/19/03 11:05a 9808 --a------ C:\WINNT\system32\drivers\gameenum.sys
2006/19/03 11:05a 93360 --a------ C:\WINNT\system32\drivers\ndiswan.sys
2006/19/03 11:05a 9200 --a------ C:\WINNT\system32\drivers\ndistapi.sys
2006/19/03 11:05a 91408 --a------ C:\WINNT\system32\drivers\NWLNKIPX.SYS
2006/19/03 11:05a 87888 --a------ C:\WINNT\system32\drivers\mup.sys
2006/19/03 11:05a 86672 --a------ C:\WINNT\system32\drivers\atapi.sys
2006/19/03 11:05a 7728 --a------ C:\WINNT\system32\drivers\diskperf.sys
2006/19/03 11:05a 7600 --a------ C:\WINNT\system32\drivers\fs_rec.sys
2006/19/03 11:05a 74192 --a------ C:\WINNT\system32\drivers\SCSIPORT.SYS
2006/19/03 11:05a 73872 --a------ C:\WINNT\system32\drivers\wdmaud.sys
2006/19/03 11:05a 7312 --a------ C:\WINNT\system32\drivers\dmload.sys
2006/19/03 11:05a 71888 --a------ C:\WINNT\system32\drivers\ksecdd.sys
2006/19/03 11:05a 67120 --a------ C:\WINNT\system32\drivers\ipnat.sys
2006/19/03 11:05a 65520 --a------ C:\WINNT\system32\drivers\nwlnknb.sys
2006/19/03 11:05a 64304 --a------ C:\WINNT\system32\drivers\ipsec.sys
2006/19/03 11:05a 62736 --a------ C:\WINNT\system32\drivers\serial.sys
2006/19/03 11:05a 62672 --a------ C:\WINNT\system32\drivers\udfs.sys
2006/19/03 11:05a 61680 --a------ C:\WINNT\system32\drivers\cdfs.sys
2006/19/03 11:05a 60496 --a------ C:\WINNT\system32\drivers\psched.sys
2006/19/03 11:05a 60208 --a------ C:\WINNT\system32\drivers\parallel.sys
2006/19/03 11:05a 59312 --a------ C:\WINNT\system32\drivers\pci.sys
2006/19/03 11:05a 57296 --a------ C:\WINNT\system32\drivers\irda.sys
2006/19/03 11:05a 57264 --a------ C:\WINNT\system32\drivers\mf.sys
2006/19/03 11:05a 56112 --a------ C:\WINNT\system32\drivers\DLC.SYS
2006/19/03 11:05a 53552 --a------ C:\WINNT\system32\drivers\swmidi.sys
2006/19/03 11:05a 534192 --a------ C:\WINNT\system32\drivers\ntfs.sys
2006/19/03 11:05a 52112 --a------ C:\WINNT\system32\drivers\rasl2tp.sys
2006/19/03 11:05a 50640 --a------ C:\WINNT\system32\drivers\videoprt.sys
2006/19/03 11:05a 49776 --------- C:\WINNT\system32\drivers\usbhub20.sys
2006/19/03 11:05a 48496 --a------ C:\WINNT\system32\drivers\atmlane.sys
2006/19/03 11:05a 48464 --a------ C:\WINNT\system32\drivers\raspptp.sys
2006/19/03 11:05a 47568 --a------ C:\WINNT\system32\drivers\sysaudio.sys
2006/19/03 11:05a 46992 --a------ C:\WINNT\system32\drivers\isapnp.sys
2006/19/03 11:05a 46992 --a------ C:\WINNT\system32\drivers\i8042prt.sys
2006/19/03 11:05a 418640 --a------ C:\WINNT\system32\drivers\mrxsmb.sys
2006/19/03 11:05a 40752 --a------ C:\WINNT\system32\drivers\1394bus.sys
2006/19/03 11:05a 40176 --a------ C:\WINNT\system32\drivers\usbhub.sys
2006/19/03 11:05a 37680 --a------ C:\WINNT\system32\drivers\ohci1394.sys
2006/19/03 11:05a 37552 --a------ C:\WINNT\system32\drivers\nmnt.sys
2006/19/03 11:05a 369104 --a------ C:\WINNT\system32\drivers\dmboot.sys
2006/19/03 11:05a 35344 --a------ C:\WINNT\system32\drivers\redbook.sys
2006/19/03 11:05a 34832 --a------ C:\WINNT\system32\drivers\classpnp.sys
2006/19/03 11:05a 34704 --a------ C:\WINNT\system32\drivers\msgpc.sys
2006/19/03 11:05a 332144 --a------ C:\WINNT\system32\drivers\tcpip.sys
2006/19/03 11:05a 331088 --a------ C:\WINNT\system32\drivers\atmuni.sys
2006/19/03 11:05a 32272 --a------ C:\WINNT\system32\drivers\wanarp.sys
2006/19/03 11:05a 3088 --a------ C:\WINNT\system32\drivers\pciide.sys
2006/19/03 11:05a 30768 --a------ C:\WINNT\system32\drivers\DISK.SYS
2006/19/03 11:05a 29264 --a------ C:\WINNT\system32\drivers\mountmgr.sys
2006/19/03 11:05a 29168 --a------ C:\WINNT\system32\drivers\modem.sys
2006/19/03 11:05a 27984 --a------ C:\WINNT\system32\drivers\cdrom.sys
2006/19/03 11:05a 27440 --a------ C:\WINNT\system32\drivers\efs.sys
2006/19/03 11:05a 26256 --a------ C:\WINNT\system32\drivers\fdc.sys
2006/19/03 11:05a 25104 --a------ C:\WINNT\system32\drivers\parport.sys
2006/19/03 11:05a 24784 --a------ C:\WINNT\system32\drivers\openhci.sys
2006/19/03 11:05a 24752 --a------ C:\WINNT\system32\drivers\hidclass.sys
2006/19/03 11:05a 24528 --a------ C:\WINNT\system32\drivers\kbdclass.sys
2006/19/03 11:05a 244944 --a------ C:\WINNT\system32\drivers\SRV.SYS
2006/19/03 11:05a 23056 --a------ C:\WINNT\system32\drivers\hidparse.sys
2006/19/03 11:05a 22064 --a------ C:\WINNT\system32\drivers\sonydcam.sys
2006/19/03 11:05a 22064 --a------ C:\WINNT\system32\drivers\pciidex.sys
2006/19/03 11:05a 21872 --a------ C:\WINNT\system32\drivers\usbprint.sys
2006/19/03 11:05a 21776 --a------ C:\WINNT\system32\drivers\mouclass.sys
2006/19/03 11:05a 20688 --a------ C:\WINNT\system32\drivers\usbd.sys
2006/19/03 11:05a 20208 --------- C:\WINNT\system32\drivers\msircomm.sys
2006/19/03 11:05a 19952 --a------ C:\WINNT\system32\drivers\irsir.sys
2006/19/03 11:05a 19920 --a------ C:\WINNT\system32\drivers\rasirda.sys
2006/19/03 11:05a 19728 --------- C:\WINNT\system32\drivers\usbehci.sys
2006/19/03 11:05a 19312 --a------ C:\WINNT\system32\drivers\flpydisk.sys
2006/19/03 11:05a 17840 --a------ C:\WINNT\system32\drivers\asyncmac.sys
2006/19/03 11:05a 17680 --a------ C:\WINNT\system32\drivers\ptilink.sys
2006/19/03 11:05a 174800 --a------ C:\WINNT\system32\drivers\rdbss.sys
2006/19/03 11:05a 173232 --a------ C:\WINNT\system32\drivers\UPDATE.SYS
2006/19/03 11:05a 170928 --a------ C:\WINNT\system32\drivers\ndis.sys
2006/19/03 11:05a 168624 --a------ C:\WINNT\system32\drivers\netbt.sys
2006/19/03 11:05a 163120 --a------ C:\WINNT\system32\drivers\acpi.sys
2006/19/03 11:05a 16240 --a------ C:\WINNT\system32\drivers\tdi.sys
2006/19/03 11:05a 161072 --a------ C:\WINNT\system32\drivers\nwrdr.sys
2006/19/03 11:05a 148400 --a------ C:\WINNT\system32\drivers\sfmatalk.sys
2006/19/03 11:05a 148304 --a------ C:\WINNT\system32\drivers\kmixer.sys
2006/19/03 11:05a 148208 --a------ C:\WINNT\system32\drivers\portcls.sys
2006/19/03 11:05a 14288 --a------ C:\WINNT\system32\drivers\diskdump.sys
2006/19/03 11:05a 14160 --a------ C:\WINNT\system32\drivers\serenum.sys
2006/19/03 11:05a 140496 --a------ C:\WINNT\system32\drivers\fastfat.sys
2006/19/03 11:05a 138288 --------- C:\WINNT\system32\drivers\usbport.sys
2006/19/03 11:05a 137936 --a------ C:\WINNT\system32\drivers\dmio.sys
2006/19/03 11:05a 12592 --a------ C:\WINNT\system32\drivers\usbscan.sys
2006/19/03 11:05a 120240 --a------ C:\WINNT\system32\drivers\AFD.SYS
2006/19/03 11:05a 11984 --------- C:\WINNT\system32\drivers\ndisuio.sys
2006/19/03 11:05a 11792 --a------ C:\WINNT\system32\drivers\partmgr.sys
2006/19/03 11:05a 115504 --a------ C:\WINNT\system32\drivers\ftdisk.sys
2006/19/03 11:05a 11536 --a------ C:\WINNT\system32\drivers\acpiec.sys
2006/19/03 11:05a 109584 --a------ C:\WINNT\system32\drivers\pcmcia.sys
2006/19/03 11:05a 10928 --a------ C:\WINNT\system32\drivers\tape.sys
2006/19/03 11:05a 10384 --a------ C:\WINNT\system32\drivers\sfloppy.sys
2006/19/03 11:05a 10288 --------- C:\WINNT\system32\drivers\irenum.sys
2006/17/03 03:39a 9856 --------- C:\WINNT\system32\drivers\pfc.sys
2006/15/00 12:03a 206368 --a------ C:\WINNT\system32\drivers\UdfReadr.sys
2006/12/04 06:20p 58000 --a------ C:\WINNT\system32\drivers\cdr4_2K.sys
2006/12/04 06:20p 23420 --a------ C:\WINNT\system32\drivers\cdralw2k.sys
2005/26/00 07:37p 28224 --a------ C:\WINNT\system32\drivers\SONYPVM1.SYS
2005/26/00 07:36p 5606 --a------ C:\WINNT\system32\drivers\SONYPVU1.SYS
2005/22/01 02:56p 34272 --a------ C:\WINNT\system32\drivers\FastNIC.sys
2005/16/01 07:23p 772921 -ra------ C:\WINNT\system32\drivers\nv4_mini.sys
2005/04/01 08:05a 33616 --a------ C:\WINNT\system32\drivers\fips.sys
2004/22/07 09:46p 76560 --a------ C:\WINNT\system32\drivers\tmcomm.sys
2004/12/01 07:52p 270536 -ra------ C:\WINNT\system32\drivers\cmaudio.sys
2003/19/02 09:29a 14165 --------- C:\WINNT\system32\drivers\Pclepci.sys
2002/26/02 09:40a 58224 --a------ C:\WINNT\system32\drivers\SYMEVENT.SYS
2002/17/00 10:20a 1025288 --a------ C:\WINNT\system32\drivers\LTSM.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4efb-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
{6C73FB2F-B9CF-425D-A828-A0F557BCD3B8} \
{AE7CD045-E861-484f-8273-0445EE161910} C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
{BDF3E430-B101-42AD-A544-FADC6B084872} C:\Program Files\Norton AntiVirus\NavShExt.dll
{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} C:\WINNT\system32\dnsersnd.dll [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"EnsoniqMixer"="C:\\WINNT\\SYSTEM32\\starter.exe"
"LWBMOUSE"="C:\\Program Files\\Browser Mouse\\Browser Mouse\\1.0\\lwbwheel.exe"
"Synchronization Manager"="mobsync.exe /logon"
"TangoManager"="C:\\PROGRA~1\\FRONTI~1\\FRONTI~1\\app\\TANGOM~1.EXE"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"LogitechVideo[inspector]"="C:\\Program Files\\Logitech\\Video\\InstallHelper.exe /inspect"
"LogitechCommunicationsManager"="\"C:\\Program Files\\Common Files\\Logitech\\LComMgr\\Communications_Helper.exe\""
"LVCOMSX"="\"C:\\Program Files\\Common Files\\Logitech\\LComMgr\\LVComSX.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SmartDefrag"="\"C:\\Program Files\\IObit\\IObit SmartDefrag\\IObit SmartDefrag.exe\" /startup"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"CountrySelection"="pctptt.exe"
"tkvrbuvA"="C:\\WINNT\\tkvrbuvA.exe"
"{97-7B-B3-37-ZN}"="C:\\winnt\\system32\\modsregk.exe SKY009"
"g4356cbvy63"="C:\\WINNT\\g4356cbvy63"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"WinPop"="C:\\Program Files\\WinPop\\winpop.exe"
"Haus"="\"C:\\DOCUME~1\\Ian\\APPLIC~1\\SMANTE~1\\wuauboot.exe\" -vt yazb"
"Oxxkym"="C:\\WINNT\\??stem\\arpa.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="Microsoft AntiSpyware Service Hook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwgz32

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Synchronization Manager"="mobsync.exe /logon"
"CountrySelection"="pctptt.exe"
"LoadQM"="loadqm.exe"
"Adaptec DirectCD"="C:\\PROGRA~1\\HPCD-W~1\\DirectCD\\directcd.exe"
"HP CD-Writer"="C:\\Program Files\\HP CD-Writer\\Mmenu\\hpcdtray.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
WmdmPmSN



Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\AppleSoftwareUpdate.job
C:\WINNT\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-25 18:10:53
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: Wed 07/25/2007 18:11:23
C:\ComboFix-quarantined-files.txt ... 07/25/07 06:11p
C:\ComboFix2.txt ... 07/25/07 09:05a
C:\ComboFix3.txt ... 07/23/07 07:14p



Logfile of HijackThis v1.99.1
Scan saved at 6:36:56 PM, on 7/25/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\starter.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TangoManager.exe
C:\Program Files\WinPop\winpop.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Netscape\Netscape 6\Netscp.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.lib.ucdavis.edu/proxy/pacserve
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.netscape.com"); (C:\Documents and Settings\Ian\Application Data\Mozilla\Profiles\default\kninjy3u.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Ian\Application Data\Mozilla\Profiles\default\kninjy3u.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6C73FB2F-B9CF-425D-A828-A0F557BCD3B8} - \
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINNT\system32\dnsersnd.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\SYSTEM32\starter.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TANGOM~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [tkvrbuvA] C:\WINNT\tkvrbuvA.exe
O4 - HKLM\..\Run: [{97-7B-B3-37-ZN}] C:\winnt\system32\modsregk.exe SKY009
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINNT\g4356cbvy63
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [Haus] "C:\DOCUME~1\Ian\APPLIC~1\SMANTE~1\wuauboot.exe" -vt yazb
O4 - HKCU\..\Run: [Oxxkym] C:\WINNT\??stem\arpa.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot7_x.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} (3DGreetings.com Player 2.0) - http://expressit.broderbund.com/Plugin/3DGreetings/vroom.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/packages/GSManager.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://hsmail2.ucdmc.ucdavis.edu/iNotes6W.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {47F59200-8783-11D2-8343-00A0C945A819} (RFXInstMgr Class) - http://greetingcenter.richfx.com/download/twophase.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_0.ocx
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.biz/fvlite/fvliteY.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (WebEyeControl) - http://www.rockefellercenter.com/viewer/wg_webeye.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://luckynugget.microgaming.com/luckynugget/FlashAX.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://hsmail2.ucdmc.ucdavis.edu/dwa7W.cab
O20 - Winlogon Notify: winwgz32 - winwgz32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe (file missing)
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\System32\pctspk.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe

#11 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 26 July 2007 - 02:50 AM

There should be a logfile located in C:\_OTMoveIt\MovedFiles.

If you are pleased with the service I have offered, you may like to consider making a donation.


#12 deroock

deroock
  • Topic Starter

  • Members
  • 44 posts

Posted 26 July 2007 - 10:28 AM

That's where it was hiding.... thanks, here it is:

Folder cleanup failed. C:\WINNT\system32\b06FdUe scheduled to be deleted on reboot.
C:\WINNT\system32\win moved successfully.
C:\WINNT\system32\T7 moved successfully.
C:\WINNT\system32\T5 moved successfully.
C:\WINNT\system32\T3 moved successfully.
C:\WINNT\system32\T11 moved successfully.
C:\WINNT\system32\T1 moved successfully.
C:\Temp\tn3 moved successfully.
C:\Temp\0c2 moved successfully.
C:\WINNT\system32\b02FdUe moved successfully.
C:\Temp\brr moved successfully.
LoadLibrary failed for C:\WINNT\system32\dnsersnd.dll
C:\WINNT\system32\dnsersnd.dll NOT unregistered.
C:\WINNT\system32\dnsersnd.dll moved successfully.
C:\WINNT\zmmlc0578.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINNT\system32\ldcore.dll
C:\WINNT\system32\ldcore.dll NOT unregistered.
File move failed. C:\WINNT\system32\ldcore.dll scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\WINNT\system32\winwgz32.dll
C:\WINNT\system32\winwgz32.dll NOT unregistered.
C:\WINNT\system32\winwgz32.dll moved successfully.
C:\WINNT\system32\winpfz32.sys moved successfully.
C:\WINNT\tkvrbuvA.exe moved successfully.
C:\WINNT\dls0523pmw.exe moved successfully.
C:\WINNT\system32\irkjdhnx.dll unregistered successfully.
C:\WINNT\system32\irkjdhnx.dll moved successfully.
C:\WINNT\tkvrbuv.exe moved successfully.
C:\WINNT\system32\modsregk.exe moved successfully.
C:\WINNT\TISKY009.exe moved successfully.
C:\WINNT\retadpu1000106.exe moved successfully.
C:\WINNT\rau001978.exe moved successfully.
C:\WINNT\system32\mwinpndt.exe moved successfully.
C:\WINNT\retadpu572.exe moved successfully.
C:\WINNT\g4356cbvy63.exe moved successfully.
C:\WINNT\uni_eh44.exe moved successfully.
C:\WINNT\uninst1014.exe moved successfully.
DllUnregisterServer procedure not found in C:\Program Files\ttc.dll
C:\Program Files\ttc.dll NOT unregistered.
C:\Program Files\ttc.dll moved successfully.

Created on 07/25/2007 17:52:05

#13 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 26 July 2007 - 11:59 AM

Thanks for the log.
Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O2 - BHO: (no name) - {6C73FB2F-B9CF-425D-A828-A0F557BCD3B8} - \
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINNT\system32\dnsersnd.dll (file missing)
O4 - HKLM\..\Run: [tkvrbuvA] C:\WINNT\tkvrbuvA.exe
O4 - HKLM\..\Run: [{97-7B-B3-37-ZN}] C:\winnt\system32\modsregk.exe SKY009
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINNT\g4356cbvy63
O4 - HKCU\..\Run: [Haus] "C:\DOCUME~1\Ian\APPLIC~1\SMANTE~1\wuauboot.exe" -vt yazb
O4 - HKCU\..\Run: [Oxxkym] C:\WINNT\??stem\arpa.exe
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O20 - Winlogon Notify: winwgz32 - winwgz32.dll (file missing)
O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe (file missing)


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix checked button.

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.

Backup the Registry:
Navigate to Start | Run and paste the following:
regedit /e c:\registrybackup.reg
Now click OK
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.

Open Notepad and copy and paste the following quotebox into a new text document. (Don't forget to copy and paste REGEDIT4!)

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwgz32]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Haus"=-
"Oxxkym"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"tkvrbuvA"=-
"{97-7B-B3-37-ZN}"=-
"g4356cbvy63"=-

Save this as fix.reg Choose to save as *all files and place it on your Desktop.
It should look like this: [image]
Double-click on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.

Reboot, then scan again with HijackThis and post back the new log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.
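As an added illustration (not part of rookie147's post or of HijackThis itself), the Python script below parses the O4, O20 and O23 lines of a HijackThis log such as the ones in this thread, flags entries using a few heuristics drawn from what the helper singled out (a registry entry whose file is already gone, a service with no publisher, an autostart sitting directly in C:\WINNT or under a user's Application Data folder, a path containing an untypeable character), and emits a REGEDIT4 fix file of the same shape as the one given in the post. The regular expressions, the WINDIR constant, the heuristics and the function names are assumptions for this example; the sample lines are copied from the logs posted in the thread.

```python
"""Parse HijackThis O4/O20/O23 lines, flag suspects, emit a REGEDIT4 fix file.

Added example for this thread; not code from the thread or from HijackThis.
"""
import re

# Constructed test input: lines copied from the logs posted in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe
O4 - HKLM\\..\\Run: [tkvrbuvA] C:\\WINNT\\tkvrbuvA.exe
O4 - HKLM\\..\\Run: [{97-7B-B3-37-ZN}] c:\\winnt\\system32\\modsregk.exe SKY009
O4 - HKCU\\..\\Run: [Haus] "C:\\DOCUME~1\\Ian\\APPLIC~1\\SMANTE~1\\wuauboot.exe" -vt yazb
O4 - HKCU\\..\\Run: [Oxxkym] C:\\WINNT\\??stem\\arpa.exe
O20 - Winlogon Notify: winwgz32 - winwgz32.dll (file missing)
O23 - Service: Net Agent - Unknown owner - C:\\WINNT\\dls0523pmw.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\\Program Files\\Norton AntiVirus\\navapsvc.exe
"""

# Assumed line shapes, based on the logs in this thread.
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<rest>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.*)$")

WINDIR = "c:\\winnt"  # assumption: Windows 2000 box from the thread, %WINDIR% = C:\WINNT

HKLM_RUN = "HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\run"
HKCU_RUN = "HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\run"
NOTIFY = "HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify"


def exe_path(cmd):
    """Executable path from a Run-key command line: quoted ("...") or first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]  # assumption: unquoted paths here have no spaces


def parse_hjt(text):
    """Turn O4 / O20 / O23 lines into dicts; every other line type is skipped."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            entries.append({"kind": "O4", "hive": m["hive"], "name": m["name"],
                            "path": exe_path(m["cmd"]), "raw": line})
            continue
        m = O20_RE.match(line)
        if m:
            entries.append({"kind": "O20", "name": m["name"], "path": m["rest"], "raw": line})
            continue
        m = O23_RE.match(line)
        if m:
            entries.append({"kind": "O23", "name": m["svc"], "owner": m["owner"],
                            "path": m["path"], "raw": line})
    return entries


def suspicious_reasons(e):
    """Heuristics (assumptions for this example) mirroring what the thread flagged."""
    reasons = []
    low = e["path"].lower()
    parent = low.rsplit("\\", 1)[0] if "\\" in low else ""
    if "(file missing)" in e["raw"]:
        reasons.append("registry still points at a file that no longer exists")
    if e["kind"] == "O23" and e["owner"] == "Unknown owner":
        reasons.append("service binary has no publisher")
    if "?" in low:
        reasons.append("path contains a character that cannot be typed")
    if e["kind"] in ("O4", "O23") and parent == WINDIR:
        reasons.append("executable sits directly in the Windows directory")
    if "\\applic~1\\" in low or "\\application data\\" in low:
        reasons.append("autostart from a user profile's Application Data folder")
    return reasons


def flagged(entries):
    """Map each suspicious entry's name to its reasons; clean entries are omitted."""
    out = {}
    for e in entries:
        reasons = suspicious_reasons(e)
        if reasons:
            out[e["name"]] = reasons
    return out


def build_fix_reg(entries):
    """REGEDIT4 text in the form used in the post: [-key] deletes a whole key
    (a Winlogon Notify package has its own subkey); "value"=- deletes one value
    under an existing key (a Run entry). O23 services are deliberately not
    written here; HijackThis's own Fix checked removes those, as in the thread."""
    lines = ["REGEDIT4", ""]
    for e in entries:
        if e["kind"] == "O20":
            lines += [f"[-{NOTIFY}\\{e['name']}]", ""]
    for hive, key in (("HKCU", HKCU_RUN), ("HKLM", HKLM_RUN)):
        names = [e["name"] for e in entries if e["kind"] == "O4" and e["hive"] == hive]
        if names:
            lines.append(f"[{key}]")
            lines += [f'"{n}"=-' for n in names]
            lines.append("")
    return "\r\n".join(lines)  # regedit expects Windows line endings


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    bad = flagged(found)
    for name, reasons in bad.items():
        print(f"{name}: {'; '.join(reasons)}")
    print(build_fix_reg([e for e in found if e["name"] in bad and e["kind"] in ("O4", "O20")]))
```

Save the printed text as fix.reg and merge it only after taking the `regedit /e c:\registrybackup.reg` backup the post describes. The heuristics are deliberately narrow: on the sample above they catch tkvrbuvA, Oxxkym, Haus, winwgz32 and Net Agent but miss modsregk.exe, which lives in system32 and was identified in the thread from other evidence, so treat the output as a list to review rather than a verdict.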


#14 deroock

deroock
  • Topic Starter

  • Members
  • 44 posts

Posted 27 July 2007 - 07:09 PM

Thanks for continuing to help.... here's the latest log:

Logfile of HijackThis v1.99.1
Scan saved at 5:05:10 PM, on 7/27/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe
C:\WINNT\tkvrbuv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\starter.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TangoManager.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\retadpu1000106.exe
C:\Program Files\WinPop\winpop.exe
C:\Program Files\Web Buying\v1.8.0\webbuying.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
c:\winnt\system32\modsregk.exe
C:\WINNT\system32\mwinpndt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\b104.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINNT\SWFu\command.exe
C:\Program Files\Netscape\Netscape 6\Netscp.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.lib.ucdavis.edu/proxy/pacserve
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.netscape.com"); (C:\Documents and Settings\Ian\Application Data\Mozilla\Profiles\default\kninjy3u.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Ian\Application Data\Mozilla\Profiles\default\kninjy3u.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {32edddc4-f927-4965-9d6c-95e65020350f} - C:\WINNT\system32\hbfiais.dll
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\system32\WinNB58.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C1E32B32-E39C-4F57-9EF2-779A45239376} - \
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\system32\WinNB58.dll
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\SYSTEM32\starter.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TANGOM~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [runner1] C:\WINNT\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [tkvrbuvA] C:\WINNT\tkvrbuvA.exe
O4 - HKLM\..\Run: [{97-7B-B3-37-ZN}] c:\winnt\system32\modsregk.exe SKY009
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINNT\system32\mwinpndt.exe SKY009
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.0\webbuying.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: TA_Start.lnk = C:\WINNT\TISKY009.exe
O4 - Startup: Think-Adz.lnk = C:\WINNT\system32\mwinpndt.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot7_x.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} (3DGreetings.com Player 2.0) - http://expressit.broderbund.com/Plugin/3DGreetings/vroom.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/packages/GSManager.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://hsmail2.ucdmc.ucdavis.edu/iNotes6W.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {47F59200-8783-11D2-8343-00A0C945A819} (RFXInstMgr Class) - http://greetingcenter.richfx.com/download/twophase.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_0.ocx
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.biz/fvlite/fvliteY.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (WebEyeControl) - http://www.rockefellercenter.com/viewer/wg_webeye.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://luckynugget.microgaming.com/luckynugget/FlashAX.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://hsmail2.ucdmc.ucdavis.edu/dwa7W.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\SWFu\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\System32\pctspk.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\tkvrbuv.exe

#15 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 28 July 2007 - 02:21 AM

Since the malware seems to keep coming back, I'd like you to run a couple of scanners that go a little deeper:

Download F-Secure Blacklight and save it to your Desktop.
Double click on blbeta.exe to start the program.
Accept the user agreement and click Next.
Click Scan. You will then see a list of all the items found.
Do not choose to rename any yet! I want to see the log first because legitimate items can also be present.
BlackLight will have created a log on your Desktop named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
Post that log in your next reply.

Download Silent Runners and extract it to a new folder on your Desktop.
Run the Silent Runners.vbs file.
You will receive a prompt: "Do you want to skip supplementary searches?" - click "NO."
If your antivirus has a script blocker, you will get a warning asking if you want to allow Silent Runners.vbs to run.
This script is not malicious so please allow it.
A text file will appear in the folder - it's not done, let it run. (It won't appear to be doing anything!)
Once the "All Done!" prompt flashes up, open the text file, and copy & paste it in your next reply.

Please include both of the above logs and a new HijackThis log in your reply.
Thanks,
Charles

Edited by rookie147, 28 July 2007 - 02:21 AM.
