
Hijackthis


3 replies to this topic

#1 Tony3

Tony3

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:20 AM

Posted 30 July 2007 - 01:15 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:30 PM, on 7/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\lxamsp32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ISM\ISMModule.exe
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Yahoo!\Common\unypc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xhelper.dll
O2 - BHO: (no name) - {938A8A03-A938-4019-B764-03FF8D167D79} - C:\WINDOWS\system32\hagpuxbs.dll
O2 - BHO: BndDrive BHO Class - {9815DA81-2E0C-478c-90E4-06E474E704D0} - C:\Program Files\ISM\BndDrive.dll
O2 - BHO: (no name) - {A9F8951A-F20F-4565-9435-C6ACFBE8C904} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\hqxlesbk.dll",forkonce
O4 - HKLM\..\RunOnce: [UNSB] C:\PROGRA~1\Yahoo!\browser\unsb.exe /S
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Simple Star PhotoShow Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ISMModule] "C:\Program Files\ISM\ISMModule.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Snapfish Picture Mover.lnk = C:\Program Files\Snapfish Picture Mover\SnapfishPictureMover.exe
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex...wareControl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100639736003
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O20 - Winlogon Notify: byxvtqr - byxvtqr.dll (file missing)
O20 - Winlogon Notify: xxwtt - C:\WINDOWS\system32\xxwtt.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Prevx - C:\Program Files\Prevx1\PXAgent.exe

--
End of file - 8965 bytes


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:07:20 AM

Posted 31 July 2007 - 03:33 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Tony3 :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Please download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log.

#3 Tony3

Tony3
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:20 AM

Posted 10 August 2007 - 12:32 PM

Thanks for looking.


ComboFix 07-08-02.3 - "Kelly" 2007-08-10 12:20:40.2 [GMT -5:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True


((((((((((((((((((((((((( Files Created from 2007-07-10 to 2007-08-10 )))))))))))))))))))))))))))))))


2007-08-10 11:23 26,176 --a------ C:\WINDOWS\system32\3PCjQ2vS.exe
2007-08-02 16:58 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-30 21:27 84,992 --a------ C:\WINDOWS\WebAssist.dll
2007-07-28 10:29 8,704 --a------ C:\WINDOWS\system32\sporder.dll
2007-07-23 15:05 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-23 06:24 1,729,684 --ahs---- C:\WINDOWS\system32\ttwxx.bak2
2007-07-22 10:46 6,488 --ahs---- C:\WINDOWS\system32\ttwxx.bak1
2007-07-22 10:40 <DIR> d-------- C:\WINDOWS\system32\b02FdUe
2007-07-22 10:40 <DIR> d-------- C:\Temp\brr
2007-07-14 20:36 7,291 --a------ C:\sysafoi.exe
2007-07-14 20:34 7,291 --a------ C:\sysspog.exe
2007-07-14 17:54 <DIR> d-------- C:\Program Files\ISM


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-30 23:27 --------- d-------- C:\Program Files\Take The Plunge
2007-07-30 23:22 --------- d-------- C:\DOCUME~1\Kelly\APPLIC~1\Simple Star
2007-07-30 21:34 --------- d-------- C:\Program Files\Common Files\Research In Motion
2007-07-30 21:23 --------- d-------- C:\Program Files\Yahoo!
2007-07-30 21:22 --------- d-------- C:\Program Files\SBC Yahoo!
2007-07-30 14:32 --------- d-------- C:\Program Files\IrfanView
2007-07-29 19:08 37556 --a------ C:\WINDOWS\system32\nvModes.dat
2007-07-09 10:26 --------- d-------- C:\DOCUME~1\Kelly\APPLIC~1\Prevx
2007-06-24 22:07 --------- d-------- C:\Program Files\Free Offers from Freeze.com
2007-06-23 22:15 --------- d-------- C:\DOCUME~1\Kelly\APPLIC~1\Snapfish
2007-06-02 13:57 77312 --a------ C:\WINDOWS\ua2.dll
2006-01-18 09:58 22376 --a------ C:\DOCUME~1\Kelly\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
2007-07-30 23:31 84992 --a------ C:\WINDOWS\WebAssist.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9815DA81-2E0C-478c-90E4-06E474E704D0}]
2007-07-11 15:02 192512 --a------ C:\Program Files\ISM\BndDrive.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A9F8951A-F20F-4565-9435-C6ACFBE8C904}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2003-02-24 15:35 C:\WINDOWS\system32\pctspk.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-02-10 10:27]
"nwiz"="nwiz.exe" [2003-02-10 10:27 C:\WINDOWS\system32\nwiz.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-20 16:42]
"IPInSightLAN 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 01:52]
"IPInSightMonitor 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 01:52]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23]
"lxamsp32.exe"="lxamsp32.exe" [2001-10-21 19:12 C:\WINDOWS\system32\LXAMSP32.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"LexPPS.exe"="C:\WINDOWS\system32\lexpps.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"Simple Star PhotoShow Media Manager"="C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe" []
"Yahoo! Pager"="1" []
"ISMModule2"="C:\Program Files\ISM\ISMModule2.exe" [2007-08-09 12:14]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxvtqr]
byxvtqr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxwtt]
C:\WINDOWS\system32\xxwtt.dll

R0 PrevxDriver;PREVX Kernel Mode Agent;C:\WINDOWS\system32\DRIVERS\pxfsf.sys
R1 PREVXTdi;PREVX TDI filter;C:\WINDOWS\system32\DRIVERS\pxtdi.sys
R1 PXRDDriver;PREVX Rootkitscan driver;C:\WINDOWS\system32\DRIVERS\pxrd.sys
R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys
R3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINDOWS\system32\Drivers\RootMdm.sys
S0 IFPUSB;iRiver Internet Audio Player IFP-100;C:\WINDOWS\system32\DRIVERS\ifpusb.sys
S3 PREVXEmulator;PREVX Emulator driver;C:\WINDOWS\system32\DRIVERS\PxEmu.sys
S3 RimUsb;BlackBerry Device;C:\WINDOWS\system32\Drivers\RimUsb.sys


Contents of the 'Scheduled Tasks' folder
2007-07-30 02:35:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-03 05:00:00 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\system32\D8Mq2ih7.exe
2007-08-09 14:00:01 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\system32\D8Mq2ih7.exe
2007-08-03 20:12:49 C:\WINDOWS\Tasks\At100.job
2007-08-03 20:12:49 C:\WINDOWS\Tasks\At101.job - C:\WINDOWS\system32\X6xfc2ef.exe
2007-08-03 20:12:49 C:\WINDOWS\Tasks\At102.job - C:\WINDOWS\system32\X6xfc2ef.exe
2007-08-03 20:12:49 C:\WINDOWS\Tasks\At103.job - C:\WINDOWS\system32\X6xfc2ef.exe
2007-08-09 12:00:00 C:\WINDOWS\Tasks\At104.job - C:\WINDOWS\system32\X6xfc2ef.exe
2007-08-09 13:00:00 C:\WINDOWS\Tasks\At105.job - C:\WINDOWS\system32\X6xfc2ef.exe
2007-08-09 14:00:01 C:\WINDOWS\Tasks\At106.job - C:\WINDOWS\system32\X6xfc2ef.exe
2007-08-10 15:00:00 C:\WINDOWS\Tasks\At107.job - C:\WINDOWS\system32\X6xfc2ef.exe
2007-08-09 16:00:00 C:\WINDOWS\Tasks\At108.job - C:\WINDOWS\system32\X6xfc2ef.exe
2007-08-10 17:00:00 C:\WINDOWS\Tasks\At109.job - C:\WINDOWS\system32\X6xfc2ef.exe
2007-08-10 15:00:00 C:\WINDOWS\Tasks\At11.job
2007-08-09 18:00:00 C:\WINDOWS\Tasks\At110.job - C:\WINDOWS\system32\X6xfc2ef.exe
2007-08-09 19:00:00 C:\WINDOWS\Tasks\At111.job - C:\WINDOWS\system32\X6xfc2ef.exe
2007-08-09 20:00:00 C:\WINDOWS\Tasks\At112.job - C:\WINDOWS\system32\X6xfc2ef.exe
2007-08-09 21:00:00 C:\WINDOWS\Tasks\At113.job - C:\WINDOWS\system32\X6xfc2ef.exe
2007-08-03 20:12:50 C:\WINDOWS\Tasks\At114.job - C:\WINDOWS\system32\X6xfc2ef.exe
2007-08-03 20:12:50 C:\WINDOWS\Tasks\At115.job - C:\WINDOWS\system32\X6xfc2ef.exe
2007-08-04 00:41:47 C:\WINDOWS\Tasks\At116.job - C:\WINDOWS\system32\X6xfc2ef.exe
2007-08-05 01:01:08 C:\WINDOWS\Tasks\At117.job - C:\WINDOWS\system32\X6xfc2ef.exe
2007-08-10 02:00:00 C:\WINDOWS\Tasks\At118.job - C:\WINDOWS\system32\X6xfc2ef.exe
2007-08-10 03:00:00 C:\WINDOWS\Tasks\At119.job - C:\WINDOWS\system32\X6xfc2ef.exe
2007-08-09 16:00:00 C:\WINDOWS\Tasks\At12.job
2007-08-03 20:12:50 C:\WINDOWS\Tasks\At120.job
2007-08-10 17:00:01 C:\WINDOWS\Tasks\At13.job - C:\WINDOWS\system32\D8Mq2ih7.exe
2007-08-09 18:00:00 C:\WINDOWS\Tasks\At14.job - C:\WINDOWS\system32\D8Mq2ih7.exe
2007-08-09 19:00:00 C:\WINDOWS\Tasks\At15.job - C:\WINDOWS\system32\D8Mq2ih7.exe
2007-08-09 20:00:00 C:\WINDOWS\Tasks\At16.job - C:\WINDOWS\system32\D8Mq2ih7.exe
2007-08-09 21:00:00 C:\WINDOWS\Tasks\At17.job
2007-08-02 22:00:00 C:\WINDOWS\Tasks\At18.job
2007-08-02 23:00:00 C:\WINDOWS\Tasks\At19.job - C:\WINDOWS\system32\D8Mq2ih7.exe
2007-08-03 06:00:00 C:\WINDOWS\Tasks\At2.job - C:\WINDOWS\system32\D8Mq2ih7.exe
2007-08-04 00:00:00 C:\WINDOWS\Tasks\At20.job - C:\WINDOWS\system32\D8Mq2ih7.exe
2007-08-05 01:00:00 C:\WINDOWS\Tasks\At21.job - C:\WINDOWS\system32\D8Mq2ih7.exe
2007-08-10 02:00:00 C:\WINDOWS\Tasks\At22.job - C:\WINDOWS\system32\D8Mq2ih7.exe
2007-08-10 03:00:00 C:\WINDOWS\Tasks\At23.job
2007-08-03 04:00:00 C:\WINDOWS\Tasks\At24.job - C:\WINDOWS\system32\D8Mq2ih7.exe
2007-08-03 05:00:00 C:\WINDOWS\Tasks\At25.job - C:\WINDOWS\system32\fl8P5R60.exe
2007-08-03 06:00:00 C:\WINDOWS\Tasks\At26.job - C:\WINDOWS\system32\fl8P5R60.exe
2007-08-03 07:00:00 C:\WINDOWS\Tasks\At27.job - C:\WINDOWS\system32\fl8P5R60.exe
2007-08-03 08:00:00 C:\WINDOWS\Tasks\At28.job - C:\WINDOWS\system32\fl8P5R60.exe
2007-08-03 09:00:00 C:\WINDOWS\Tasks\At29.job - C:\WINDOWS\system32\fl8P5R60.exe
2007-08-03 07:00:00 C:\WINDOWS\Tasks\At3.job - C:\WINDOWS\system32\D8Mq2ih7.exe
2007-07-06 10:00:00 C:\WINDOWS\Tasks\At30.job - C:\WINDOWS\system32\fl8P5R60.exe
2007-07-20 11:00:00 C:\WINDOWS\Tasks\At31.job - C:\WINDOWS\system32\fl8P5R60.exe
2007-08-09 12:00:00 C:\WINDOWS\Tasks\At32.job - C:\WINDOWS\system32\fl8P5R60.exe
2007-08-09 13:00:00 C:\WINDOWS\Tasks\At33.job - C:\WINDOWS\system32\fl8P5R60.exe
2007-08-09 14:00:01 C:\WINDOWS\Tasks\At34.job - C:\WINDOWS\system32\fl8P5R60.exe
2007-08-10 15:00:00 C:\WINDOWS\Tasks\At35.job - C:\WINDOWS\system32\fl8P5R60.exe
2007-08-09 16:00:00 C:\WINDOWS\Tasks\At36.job - C:\WINDOWS\system32\fl8P5R60.exe
2007-08-10 17:00:01 C:\WINDOWS\Tasks\At37.job - C:\WINDOWS\system32\fl8P5R60.exe
2007-08-09 18:00:00 C:\WINDOWS\Tasks\At38.job
2007-08-09 19:00:00 C:\WINDOWS\Tasks\At39.job - C:\WINDOWS\system32\fl8P5R60.exe
2007-08-03 08:00:00 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\system32\D8Mq2ih7.exe
2007-08-09 20:00:00 C:\WINDOWS\Tasks\At40.job - C:\WINDOWS\system32\fl8P5R60.exe
2007-08-09 21:00:00 C:\WINDOWS\Tasks\At41.job - C:\WINDOWS\system32\fl8P5R60.exe
2007-08-02 22:00:00 C:\WINDOWS\Tasks\At42.job - C:\WINDOWS\system32\fl8P5R60.exe
2007-08-02 23:00:00 C:\WINDOWS\Tasks\At43.job - C:\WINDOWS\system32\fl8P5R60.exe
2007-08-04 00:00:00 C:\WINDOWS\Tasks\At44.job - C:\WINDOWS\system32\fl8P5R60.exe
2007-08-05 01:00:00 C:\WINDOWS\Tasks\At45.job - C:\WINDOWS\system32\fl8P5R60.exe
2007-08-10 02:00:00 C:\WINDOWS\Tasks\At46.job - C:\WINDOWS\system32\fl8P5R60.exe
2007-08-10 03:00:00 C:\WINDOWS\Tasks\At47.job
2007-08-03 04:00:00 C:\WINDOWS\Tasks\At48.job
2007-08-03 05:00:00 C:\WINDOWS\Tasks\At49.job
2007-08-03 09:00:00 C:\WINDOWS\Tasks\At5.job - C:\WINDOWS\system32\D8Mq2ih7.exe
2007-08-03 06:00:00 C:\WINDOWS\Tasks\At50.job - C:\WINDOWS\system32\3V32yHj1.exe
2007-08-03 07:00:00 C:\WINDOWS\Tasks\At51.job - C:\WINDOWS\system32\3V32yHj1.exe
2007-08-03 08:00:00 C:\WINDOWS\Tasks\At52.job - C:\WINDOWS\system32\3V32yHj1.exe
2007-08-03 09:00:00 C:\WINDOWS\Tasks\At53.job
2007-07-27 20:49:01 C:\WINDOWS\Tasks\At54.job - C:\WINDOWS\system32\3V32yHj1.exe
2007-07-27 20:49:01 C:\WINDOWS\Tasks\At55.job - C:\WINDOWS\system32\3V32yHj1.exe
2007-08-09 12:00:00 C:\WINDOWS\Tasks\At56.job - C:\WINDOWS\system32\3V32yHj1.exe
2007-08-09 13:00:00 C:\WINDOWS\Tasks\At57.job
2007-08-09 14:00:01 C:\WINDOWS\Tasks\At58.job - C:\WINDOWS\system32\3V32yHj1.exe
2007-08-10 15:00:00 C:\WINDOWS\Tasks\At59.job - C:\WINDOWS\system32\3V32yHj1.exe
2007-07-06 10:00:00 C:\WINDOWS\Tasks\At6.job - C:\WINDOWS\system32\D8Mq2ih7.exe
2007-08-09 16:00:00 C:\WINDOWS\Tasks\At60.job - C:\WINDOWS\system32\3V32yHj1.exe
2007-08-10 17:00:01 C:\WINDOWS\Tasks\At61.job - C:\WINDOWS\system32\3V32yHj1.exe
2007-08-09 18:00:00 C:\WINDOWS\Tasks\At62.job - C:\WINDOWS\system32\3V32yHj1.exe
2007-08-09 19:00:00 C:\WINDOWS\Tasks\At63.job - C:\WINDOWS\system32\3V32yHj1.exe
2007-08-09 20:00:00 C:\WINDOWS\Tasks\At64.job - C:\WINDOWS\system32\3V32yHj1.exe
2007-08-09 21:00:00 C:\WINDOWS\Tasks\At65.job - C:\WINDOWS\system32\3V32yHj1.exe
2007-08-02 22:00:00 C:\WINDOWS\Tasks\At66.job - C:\WINDOWS\system32\3V32yHj1.exe
2007-08-02 23:00:00 C:\WINDOWS\Tasks\At67.job - C:\WINDOWS\system32\3V32yHj1.exe
2007-08-04 00:00:00 C:\WINDOWS\Tasks\At68.job - C:\WINDOWS\system32\3V32yHj1.exe
2007-08-05 01:00:00 C:\WINDOWS\Tasks\At69.job - C:\WINDOWS\system32\3V32yHj1.exe
2007-07-20 11:00:00 C:\WINDOWS\Tasks\At7.job - C:\WINDOWS\system32\D8Mq2ih7.exe
2007-08-10 02:00:00 C:\WINDOWS\Tasks\At70.job - C:\WINDOWS\system32\3V32yHj1.exe
2007-08-10 03:00:00 C:\WINDOWS\Tasks\At71.job - C:\WINDOWS\system32\3V32yHj1.exe
2007-08-03 04:00:00 C:\WINDOWS\Tasks\At72.job - C:\WINDOWS\system32\3V32yHj1.exe
2007-08-03 05:00:00 C:\WINDOWS\Tasks\At73.job
2007-08-03 06:00:00 C:\WINDOWS\Tasks\At74.job
2007-08-03 07:00:00 C:\WINDOWS\Tasks\At75.job - C:\WINDOWS\system32\5F3jmqPf.exe
2007-08-03 08:00:00 C:\WINDOWS\Tasks\At76.job - C:\WINDOWS\system32\5F3jmqPf.exe
2007-08-03 09:00:00 C:\WINDOWS\Tasks\At77.job - C:\WINDOWS\system32\5F3jmqPf.exe
2007-07-30 13:55:06 C:\WINDOWS\Tasks\At78.job - C:\WINDOWS\system32\5F3jmqPf.exe
2007-07-30 13:55:06 C:\WINDOWS\Tasks\At79.job - C:\WINDOWS\system32\5F3jmqPf.exe
2007-08-09 12:00:00 C:\WINDOWS\Tasks\At8.job
2007-08-09 12:00:00 C:\WINDOWS\Tasks\At80.job - C:\WINDOWS\system32\5F3jmqPf.exe
2007-08-09 13:00:00 C:\WINDOWS\Tasks\At81.job
2007-08-09 14:00:01 C:\WINDOWS\Tasks\At82.job - C:\WINDOWS\system32\5F3jmqPf.exe
2007-08-10 15:00:00 C:\WINDOWS\Tasks\At83.job - C:\WINDOWS\system32\5F3jmqPf.exe
2007-08-09 16:00:00 C:\WINDOWS\Tasks\At84.job - C:\WINDOWS\system32\5F3jmqPf.exe
2007-08-10 17:00:01 C:\WINDOWS\Tasks\At85.job - C:\WINDOWS\system32\5F3jmqPf.exe
2007-08-09 18:00:00 C:\WINDOWS\Tasks\At86.job - C:\WINDOWS\system32\5F3jmqPf.exe
2007-08-09 19:00:00 C:\WINDOWS\Tasks\At87.job - C:\WINDOWS\system32\5F3jmqPf.exe
2007-08-09 20:00:00 C:\WINDOWS\Tasks\At88.job - C:\WINDOWS\system32\5F3jmqPf.exe
2007-08-09 21:00:00 C:\WINDOWS\Tasks\At89.job - C:\WINDOWS\system32\5F3jmqPf.exe
2007-08-09 13:00:00 C:\WINDOWS\Tasks\At9.job - C:\WINDOWS\system32\D8Mq2ih7.exe
2007-08-02 22:00:00 C:\WINDOWS\Tasks\At90.job - C:\WINDOWS\system32\5F3jmqPf.exe
2007-08-02 23:00:00 C:\WINDOWS\Tasks\At91.job - C:\WINDOWS\system32\5F3jmqPf.exe
2007-08-04 00:00:00 C:\WINDOWS\Tasks\At92.job
2007-08-05 01:00:00 C:\WINDOWS\Tasks\At93.job - C:\WINDOWS\system32\5F3jmqPf.exe
2007-08-10 02:00:00 C:\WINDOWS\Tasks\At94.job - C:\WINDOWS\system32\5F3jmqPf.exe
2007-08-10 03:00:00 C:\WINDOWS\Tasks\At95.job - C:\WINDOWS\system32\5F3jmqPf.exe
2007-08-03 04:00:00 C:\WINDOWS\Tasks\At96.job - C:\WINDOWS\system32\5F3jmqPf.exe
2007-08-03 20:12:51 C:\WINDOWS\Tasks\At97.job - C:\WINDOWS\system32\X6xfc2ef.exe
2007-08-03 20:12:51 C:\WINDOWS\Tasks\At98.job - C:\WINDOWS\system32\X6xfc2ef.exe
2007-08-03 20:12:51 C:\WINDOWS\Tasks\At99.job - C:\WINDOWS\system32\X6xfc2ef.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-10 12:26:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-10 12:27:51
C:\ComboFix-quarantined-files.txt ... 2007-08-10 12:27

--- E O F ---










Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:00 PM, on 8/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll
O2 - BHO: BndDrive BHO Class - {9815DA81-2E0C-478c-90E4-06E474E704D0} - C:\Program Files\ISM\BndDrive.dll
O2 - BHO: (no name) - {A9F8951A-F20F-4565-9435-C6ACFBE8C904} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LexPPS.exe] C:\WINDOWS\system32\lexpps.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Simple Star PhotoShow Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ISMModule2] "C:\Program Files\ISM\ISMModule2.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Snapfish Picture Mover.lnk = C:\Program Files\Snapfish Picture Mover\SnapfishPictureMover.exe
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex...wareControl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100639736003
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O20 - Winlogon Notify: byxvtqr - byxvtqr.dll (file missing)
O20 - Winlogon Notify: xxwtt - C:\WINDOWS\system32\xxwtt.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Prevx - C:\Program Files\Prevx1\PXAgent.exe

--
End of file - 7711 bytes
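A triage pass over HijackThis-style entries like the ones posted above, as an added example that is not part of this thread and not code from the HijackThis tool: it parses the R/O section lines of a log and flags the patterns an analyst reads first (a registry reference to a file that no longer exists, an O20 Winlogon Notify DLL, an unnamed BHO or a rundll32 autorun loading a DLL from the Windows directory). The sample lines are constructed from the entry shapes in the logs above, and the flagging rules are my own assumptions that only prioritise review; a flag does not by itself mean an entry is malicious.

```python
"""Prioritise HijackThis-style log entries for manual review (added example)."""
import re
from typing import Dict, List

# Constructed sample: the line shapes are copied from the logs in this thread.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O2 - BHO: (no name) - {938A8A03-A938-4019-B764-03FF8D167D79} - C:\\WINDOWS\\system32\\hagpuxbs.dll
O2 - BHO: (no name) - {A9F8951A-F20F-4565-9435-C6ACFBE8C904} - (no file)
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O4 - HKLM\\..\\Run: [icq.com] rundll32.exe "C:\\WINDOWS\\system32\\hqxlesbk.dll",forkonce
O20 - Winlogon Notify: byxvtqr - byxvtqr.dll (file missing)
O23 - Service: Prevx Agent (PREVXAgent) - Prevx - C:\\Program Files\\Prevx1\\PXAgent.exe
"""

# "O2 - BHO: ..." / "R1 - HKCU\..." entries; process listings and headers do not match.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Paths under the Windows directory (the logs above use C:\WINDOWS).
WINDIR_RE = re.compile(r"C:\\WINDOWS\\", re.IGNORECASE)
# rundll32 autoruns: capture the DLL path, with or without surrounding quotes.
RUNDLL_RE = re.compile(r"rundll32(\.exe)?\s+\"?(?P<dll>[^\",]+\.dll)", re.IGNORECASE)


def parse_entries(log_text: str) -> List[Dict[str, str]]:
    """Split a log into section/body records, skipping everything that is not an entry."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"section": m.group("section"),
                            "body": m.group("body"),
                            "line": line.strip()})
    return entries


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the entries that merit a closer look, each with the reasons it was flagged.

    The rules are review heuristics (assumed here, not HijackThis rules): they rank
    entries for an analyst and do not decide that anything is malicious.
    """
    findings = []
    for e in parse_entries(log_text):
        body, reasons = e["body"], []
        # A registry key still points at a file that is gone: leftover or partially removed item.
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            reasons.append("registry reference to a file that no longer exists")
        # Winlogon Notify DLLs run at logon and are rarely registered by ordinary software.
        if e["section"] == "O20":
            reasons.append("Winlogon Notify DLL")
        # A BHO with no display name that lives in the Windows directory rather than Program Files.
        if e["section"] == "O2" and body.startswith("BHO: (no name)") and WINDIR_RE.search(body):
            reasons.append("unnamed BHO loaded from the Windows directory")
        # An autorun that uses rundll32 to load a DLL from the Windows directory.
        m = RUNDLL_RE.search(body)
        if e["section"] == "O4" and m and WINDIR_RE.search(m.group("dll")):
            reasons.append("autorun loads a DLL from the Windows directory via rundll32")
        if reasons:
            findings.append({"section": e["section"], "line": e["line"],
                             "reasons": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']}: {f['reasons']}\n    {f['line']}")
```

Run against the sample, the Adobe, Spybot, AVG and Prevx entries pass untouched while the unnamed system32 BHO, the orphaned BHO, the rundll32 autorun and the missing Winlogon Notify DLL are listed with their reasons; the remaining entries still need the usual human check against known-good software before anything is removed.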

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:07:20 AM

Posted 10 August 2007 - 03:03 PM

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\sysafoi.exe
C:\sysspog.exe
C:\WINDOWS\system32\ttwxx.bak2
C:\WINDOWS\system32\ttwxx.bak1
C:\Temp\brr
C:\WINDOWS\system32\b02FdUe
C:\Program Files\Free Offers from Freeze.com


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it on your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

------------------------------------------------------------

Download SmitfraudFix (by S!Ri) to your desktop.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Double click on Smitfraudfix.cmd
Select #2 and hit Enter to delete the infected files.
You will be prompted: 'Do you want to clean the registry?' answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): 'Replace infected file ?' answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process.
The report can be found at the root of the system drive, usually at C:\rapport.txt

Post the smitfraudfix report into your next reply.

------------------------------------------------------------

Double click on Combofix.exe again and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Also post a new Hijackthis log.