Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Virtumonde


  • Please log in to reply
9 replies to this topic

#1 scooterpd

scooterpd

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:56 AM

Posted 30 July 2007 - 05:51 PM

I have tried numerous times to remove Virtumonde using Spybot S&D, but to no avail. The pop-ups are getting a little ridiculous, so I am looking to remove Virtumonde any way possible. My HijackThis log is below...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:36:13 AM, on 7/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
D:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Maxthon\Maxthon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netvibes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/go/notebookaccessories
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\ujbyvbsb.dll",sitypnow
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI6DCE~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk (file missing)
O9 - Extra 'Tools' menuitem: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk (file missing)
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - D:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - D:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{03C95FB3-E732-4423-9C54-13C8A4F1C795}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{8240C5DD-F3B8-4E52-95EF-30F40988AD54}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D5DBFE7-8575-422C-AFC0-A2D801702B6B}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{03C95FB3-E732-4423-9C54-13C8A4F1C795}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{03C95FB3-E732-4423-9C54-13C8A4F1C795}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\Program Files\a-squared Free\a2service.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9544 bytes

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:06:56 PM

Posted 31 July 2007 - 03:56 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum scooterpd :thumbsup:
My name is Richie and i'll be helping you to fix your problems.

Please download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.


Now go to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat(which is still Hijackthis.exe),post that log into your next reply please.
Posted Image
Posted Image

#3 scooterpd

scooterpd
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:56 AM

Posted 02 August 2007 - 12:05 PM

ok, richie. here are the combofix and hijackthis logs...

ComboFix 07-08-02.3 - "Scott Shields" 2007-08-02 9:53:30.1 [GMT -7:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\efhkj.bak1
C:\WINDOWS\system32\efhkj.bak2
C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\efhkj.ini2
C:\WINDOWS\system32\efhkj.tmp
C:\WINDOWS\system32\fcccbcd.dll
C:\WINDOWS\system32\gamthrri.dll
C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\pymlosut.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NWSAPAGENT
-------\NwSapAgent


((((((((((((((((((((((((( Files Created from 2007-07-02 to 2007-08-02 )))))))))))))))))))))))))))))))


2007-08-02 09:50 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-02 08:58 125,504 --a------ C:\WINDOWS\system32\anxdyrfg.dll
2007-08-02 08:58 <DIR> d-------- C:\Program Files\PandoBar
2007-07-30 10:45 <DIR> d-------- C:\Program Files\IZArc
2007-07-30 10:33 <DIR> d-------- C:\Program Files\7-Zip
2007-07-30 10:05 4,608 --a------ C:\WINDOWS\system32\dllcache\xrxflnch.exe
2007-07-30 10:05 27,648 --a------ C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-07-30 10:05 23,040 --a------ C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-07-30 10:05 17,408 --a------ C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-07-30 10:05 116,224 --a------ C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-07-30 10:03 99,865 --a------ C:\WINDOWS\system32\dllcache\xlog.exe
2007-07-30 10:03 8,192 --a------ C:\WINDOWS\system32\dllcache\wshirda.dll
2007-07-30 10:03 19,455 --a------ C:\WINDOWS\system32\dllcache\wvchntxx.sys
2007-07-30 10:03 19,328 --a------ C:\WINDOWS\system32\dllcache\wstcodec.sys
2007-07-30 10:03 16,970 --a------ C:\WINDOWS\system32\dllcache\xem336n5.sys
2007-07-30 10:03 12,063 --a------ C:\WINDOWS\system32\dllcache\wsiintxx.sys
2007-07-30 10:02 221,184 --a------ C:\WINDOWS\system32\dllcache\wmpns.dll
2007-07-30 10:02 154,624 --a------ C:\WINDOWS\system32\dllcache\wlluc48.sys
2007-07-30 10:01 87,040 --a------ C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2007-07-30 10:01 771,581 --a------ C:\WINDOWS\system32\dllcache\winacisa.sys
2007-07-30 10:01 53,760 --a------ C:\WINDOWS\system32\dllcache\wiamsmud.dll
2007-07-30 10:01 41,600 --a------ C:\WINDOWS\system32\dllcache\weitekp9.dll
2007-07-30 10:01 34,890 --a------ C:\WINDOWS\system32\dllcache\wlandrv2.sys
2007-07-30 10:01 31,232 --a------ C:\WINDOWS\system32\dllcache\weitekp9.sys
2007-07-30 10:00 701,386 --a------ C:\WINDOWS\system32\dllcache\wdhaalba.sys
2007-07-30 10:00 64,605 --a------ C:\WINDOWS\system32\dllcache\vvoice.sys
2007-07-30 10:00 48,256 --a------ C:\WINDOWS\system32\dllcache\w32.dll
2007-07-30 10:00 35,871 --a------ C:\WINDOWS\system32\dllcache\wbfirdma.sys
2007-07-30 10:00 33,599 --a------ C:\WINDOWS\system32\dllcache\watv04nt.sys
2007-07-30 10:00 31,744 --a------ C:\WINDOWS\system32\dllcache\wceusbsh.sys
2007-07-30 10:00 29,311 --a------ C:\WINDOWS\system32\dllcache\watv01nt.sys
2007-07-30 10:00 25,471 --a------ C:\WINDOWS\system32\dllcache\watv10nt.sys
2007-07-30 10:00 23,615 --a------ C:\WINDOWS\system32\dllcache\wch7xxnt.sys
2007-07-30 10:00 22,271 --a------ C:\WINDOWS\system32\dllcache\watv06nt.sys
2007-07-30 10:00 19,551 --a------ C:\WINDOWS\system32\dllcache\watv02nt.sys
2007-07-30 10:00 19,528 --a------ C:\WINDOWS\system32\dllcache\w840nd.sys
2007-07-30 10:00 19,016 --a------ C:\WINDOWS\system32\dllcache\w926nd.sys
2007-07-30 10:00 16,925 --a------ C:\WINDOWS\system32\dllcache\w940nd.sys
2007-07-30 10:00 13,568 --a------ C:\WINDOWS\system32\dllcache\wacompen.sys
2007-07-30 10:00 12,415 --a------ C:\WINDOWS\system32\dllcache\wadv01nt.sys
2007-07-30 10:00 12,127 --a------ C:\WINDOWS\system32\dllcache\wadv02nt.sys
2007-07-30 10:00 11,935 --a------ C:\WINDOWS\system32\dllcache\wadv11nt.sys
2007-07-30 10:00 11,871 --a------ C:\WINDOWS\system32\dllcache\wadv09nt.sys
2007-07-30 10:00 11,807 --a------ C:\WINDOWS\system32\dllcache\wadv07nt.sys
2007-07-30 10:00 11,775 --a------ C:\WINDOWS\system32\dllcache\wadv05nt.sys
2007-07-30 10:00 11,295 --a------ C:\WINDOWS\system32\dllcache\wadv08nt.sys
2007-07-30 09:59 765,884 --a------ C:\WINDOWS\system32\dllcache\usrti.sys
2007-07-30 09:59 7,556 --a------ C:\WINDOWS\system32\dllcache\usroslba.sys
2007-07-30 09:59 687,999 --a------ C:\WINDOWS\system32\dllcache\usrwdxjs.sys
2007-07-30 09:59 604,253 --a------ C:\WINDOWS\system32\dllcache\vmodem.sys
2007-07-30 09:59 53,760 --a------ C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2007-07-30 09:59 397,502 --a------ C:\WINDOWS\system32\dllcache\vpctcom.sys
2007-07-30 09:59 249,402 --a------ C:\WINDOWS\system32\dllcache\vinwm.sys
2007-07-30 09:59 24,576 --a------ C:\WINDOWS\system32\dllcache\viairda.sys
2007-07-30 09:59 113,762 --a------ C:\WINDOWS\system32\dllcache\usrpda.sys
2007-07-30 09:59 11,325 --a------ C:\WINDOWS\system32\dllcache\vchnt5.dll
2007-07-30 09:58 94,720 --a------ C:\WINDOWS\system32\dllcache\umaxud32.dll
2007-07-30 09:58 794,654 --a------ C:\WINDOWS\system32\dllcache\usr1801.sys
2007-07-30 09:58 794,399 --a------ C:\WINDOWS\system32\dllcache\usr1806v.sys
2007-07-30 09:58 793,598 --a------ C:\WINDOWS\system32\dllcache\usr1806.sys
2007-07-30 09:58 78,464 --a------ C:\WINDOWS\system32\dllcache\usbvideo.sys
2007-07-30 09:58 59,264 --a------ C:\WINDOWS\system32\dllcache\usbaudio.sys
2007-07-30 09:58 32,384 --a------ C:\WINDOWS\system32\dllcache\usb101et.sys
2007-07-30 09:58 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-07-30 09:58 28,160 --a------ C:\WINDOWS\system32\dllcache\umaxu40.dll
2007-07-30 09:58 26,624 --a------ C:\WINDOWS\system32\dllcache\umaxu22.dll
2007-07-30 09:58 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2007-07-30 09:58 25,600 --a------ C:\WINDOWS\system32\dllcache\usbser.sys
2007-07-30 09:58 224,802 --a------ C:\WINDOWS\system32\dllcache\usr1807a.sys
2007-07-30 09:58 17,024 --a------ C:\WINDOWS\system32\dllcache\usbohci.sys
2007-07-30 09:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2007-07-30 09:58 12,672 --a------ C:\WINDOWS\system32\dllcache\usb8023x.sys
2007-07-30 09:57 69,632 --a------ C:\WINDOWS\system32\dllcache\umaxu12.dll
2007-07-30 09:57 525,568 --a------ C:\WINDOWS\system32\dllcache\tridxp.dll
2007-07-30 09:57 50,688 --a------ C:\WINDOWS\system32\dllcache\umaxscan.dll
2007-07-30 09:57 50,176 --a------ C:\WINDOWS\system32\dllcache\umaxp60.dll
2007-07-30 09:57 47,616 --a------ C:\WINDOWS\system32\dllcache\umaxcam.dll
2007-07-30 09:57 44,672 --a------ C:\WINDOWS\system32\dllcache\uagp35.sys
2007-07-30 09:57 22,912 --a------ C:\WINDOWS\system32\dllcache\umaxpcls.sys
2007-07-30 09:57 216,064 --a------ C:\WINDOWS\system32\dllcache\um34scan.dll
2007-07-30 09:57 211,968 --a------ C:\WINDOWS\system32\dllcache\um54scan.dll
2007-07-30 09:57 166,784 --a------ C:\WINDOWS\system32\dllcache\tridxpm.sys
2007-07-30 09:57 159,232 --a------ C:\WINDOWS\system32\dllcache\tridkbm.sys
2007-07-30 09:57 14,336 --a------ C:\WINDOWS\system32\dllcache\tsprof.exe
2007-07-30 09:57 11,520 --a------ C:\WINDOWS\system32\dllcache\twotrack.sys
2007-07-30 09:56 82,432 --a------ C:\WINDOWS\system32\dllcache\tp4mon.exe
2007-07-30 09:56 81,408 --a------ C:\WINDOWS\system32\dllcache\tgiul50.dll
2007-07-30 09:56 440,576 --a------ C:\WINDOWS\system32\dllcache\tridkb.dll
2007-07-30 09:56 42,496 --a------ C:\WINDOWS\system32\dllcache\tp4res.dll
2007-07-30 09:56 34,375 --a------ C:\WINDOWS\system32\dllcache\tpro4.sys
2007-07-30 09:56 315,520 --a------ C:\WINDOWS\system32\dllcache\trid3d.dll
2007-07-30 09:56 31,744 --a------ C:\WINDOWS\system32\dllcache\tp4.dll
2007-07-30 09:56 28,232 --a------ C:\WINDOWS\system32\dllcache\tos4mo.sys
2007-07-30 09:56 241,664 --a------ C:\WINDOWS\system32\dllcache\tosdvd02.sys
2007-07-30 09:56 230,912 --a------ C:\WINDOWS\system32\dllcache\tosdvd03.sys
2007-07-30 09:56 222,336 --a------ C:\WINDOWS\system32\dllcache\trid3dm.sys
2007-07-30 09:56 19,464 --a------ C:\WINDOWS\system32\dllcache\tdspx.sys
2007-07-30 09:56 149,376 --a------ C:\WINDOWS\system32\dllcache\tffsport.sys
2007-07-30 09:56 138,528 --a------ C:\WINDOWS\system32\dllcache\tgiulnt5.sys
2007-07-30 09:56 123,995 --a------ C:\WINDOWS\system32\dllcache\tjisdn.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-02 09:03 --------- d-------- C:\DOCUME~1\SCOTTS~1\APPLIC~1\AdobeUM
2007-08-02 09:02 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-01 21:00 --------- d-------- C:\DOCUME~1\SCOTTS~1\APPLIC~1\MP3Downloads
2007-07-30 17:22 --------- d-------- C:\DOCUME~1\SCOTTS~1\APPLIC~1\.purple
2007-07-30 12:37 --------- d-------- C:\Program Files\NOTEPAD 2.0.18
2007-07-27 17:05 --------- d-------- C:\Program Files\QuickTime
2007-07-27 15:40 --------- d-------- C:\Program Files\Desktop Sidebar
2007-07-23 20:52 --------- d-------- C:\DOCUME~1\SCOTTS~1\APPLIC~1\Lavasoft
2007-07-06 11:00 --------- d-------- C:\DOCUME~1\SCOTTS~1\APPLIC~1\OpenOffice.org2
2007-06-27 18:43 --------- d-------- C:\DOCUME~1\SCOTTS~1\APPLIC~1\gtk-2.0
2007-06-26 01:27 363520 --a------ C:\WINDOWS\system32\dllcache\w3svc.dll
2007-06-18 18:00 --------- d-------- C:\Program Files\Pando Networks
2007-06-17 08:56 --------- d-------- C:\Program Files\Pidgin
2007-06-08 22:12 --------- d-------- C:\Program Files\Microsoft Bootvis
2007-05-16 08:12 86528 --a------ C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 08:12 85504 --a------ C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 08:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 08:12 683520 --a------ C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 08:12 510976 --a------ C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 08:12 1314816 --a------ C:\WINDOWS\system32\dllcache\msoe.dll
2007-05-12 17:15 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-05-04 05:59 3064320 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2006-11-14 09:46 727837 --a------ C:\Program Files\SetupEasyCleaner.exe
2006-10-26 12:08 96865977 --a------ C:\Program Files\open office.org install for ppt.exe
2006-08-27 15:01 0 --a------ C:\DOCUME~1\SCOTTS~1\APPLIC~1\wklnhst.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 22:56]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 19:49]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-15 11:26]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-04-15 11:26]
"nwiz"="nwiz.exe" [2006-04-15 11:26 C:\WINDOWS\system32\nwiz.exe]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 22:46]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-04-11 21:54]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 13:38]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-02-22 08:03]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 10:23]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 22:02 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 18:22]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

R0 iaStor;Intel AHCI Controller;C:\WINDOWS\system32\DRIVERS\iaStor.sys
R1 eabfiltr;eabfiltr;C:\WINDOWS\system32\DRIVERS\eabfiltr.sys
R1 SRTSP;SRTSP;C:\WINDOWS\system32\Drivers\SRTSP.SYS
R1 SRTSPX;SRTSPX;C:\WINDOWS\system32\Drivers\SRTSPX.SYS
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI;C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
R2 ehSched;Media Center Scheduler Service;C:\WINDOWS\eHome\ehSched.exe
R3 E100B;Intel® PRO Network Connection Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 ehRecvr;Media Center Receiver Service;C:\WINDOWS\eHome\ehRecvr.exe
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
R3 HBtnKey;HBtnKey;C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
R3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;C:\WINDOWS\system32\drivers\CHDAud.sys
R3 HSF_DPV;HSF_DPV;C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
R3 HSFHWAZL;HSFHWAZL;C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
R3 MQAC;Message Queuing access control;\??\C:\WINDOWS\system32\drivers\mqac.sys
R3 NETw3x32;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows XP 32 Bit;C:\WINDOWS\system32\DRIVERS\NETw3x32.sys
R3 RMCAST;Reliable Multicast Protocol driver;\??\C:\WINDOWS\system32\drivers\RMCast.sys
R3 sdbus;sdbus;C:\WINDOWS\system32\DRIVERS\sdbus.sys
R3 SynTP;Synaptics TouchPad Driver;C:\WINDOWS\system32\DRIVERS\SynTP.sys
R3 tifm21;tifm21;C:\WINDOWS\system32\drivers\tifm21.sys
S2 IISADMIN;IIS Admin;C:\WINDOWS\system32\inetsrv\inetinfo.exe
S2 McrdSvc;Media Center Extender Service;C:\WINDOWS\ehome\mcrdsvc.exe
S2 MSMQ;Message Queuing;C:\WINDOWS\system32\mqsvc.exe
S2 MSMQTriggers;Message Queuing Triggers;C:\WINDOWS\system32\mqtgsvc.exe
S3 eabusb;eabusb;C:\WINDOWS\system32\DRIVERS\eabusb.sys
S3 MHN;MHN;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 MHNDRV;MHN driver;C:\WINDOWS\system32\DRIVERS\mhndrv.sys
S3 SRTSPL;SRTSPL;C:\WINDOWS\system32\Drivers\SRTSPL.SYS
S3 usbbus;LGE CDMA Composite USB Device;C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
S3 UsbDiag;LGE CDMA USB Serial Port;C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys
S3 USBModem;LGE CDMA USB Modem;C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
S3 w39n51;Intel® PRO/Wireless 3945ABG Adapter Driver;C:\WINDOWS\system32\DRIVERS\w39n51.sys
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3c04b866-7c2e-11db-b665-001302ae93f4}]
AutoRun\command- G:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3c04b867-7c2e-11db-b665-001302ae93f4}]
AutoRun\command- G:\setupSNK.exe

*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
2007-08-02 16:59:59 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe
2007-07-28 03:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Scott Shields.job - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-02 09:57:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000288

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-02 10:00:39 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-02 10:00

--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:20 AM, on 8/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Maxthon\Maxthon.exe
C:\Program Files\NOTEPAD 2.0.18\Notepad2.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netvibes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/go/notebookaccessories
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Pando Toolbar BHO - {E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Pando Toolbar - {E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI6DCE~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - D:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - D:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{03C95FB3-E732-4423-9C54-13C8A4F1C795}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{8240C5DD-F3B8-4E52-95EF-30F40988AD54}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D5DBFE7-8575-422C-AFC0-A2D801702B6B}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{03C95FB3-E732-4423-9C54-13C8A4F1C795}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{03C95FB3-E732-4423-9C54-13C8A4F1C795}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\Program Files\a-squared Free\a2service.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9913 bytes

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:06:56 PM

Posted 02 August 2007 - 01:47 PM

Download KillBox,unzip/extract it to your desktop.
http://download.bleepingcomputer.com/spyware/KillBox.exe
Start up Killbox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box,copy and paste:
C:\WINDOWS\system32\anxdyrfg.dll
Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot,select YES.
Allow it to reboot.
If it does'nt reboot automatically,reboot manually.

--------------------------------------------------------

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed,on the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.

-------------------------------------------------------

Please run this online virus scan:Activescan using Internet Explorer.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on Local Disks to start the scan
When the scan completes,click the See Report button, then Save Report, and save it to your desktop.
Copy and paste that report into your next reply.

Also post a new Hijackthis log.
Posted Image
Posted Image

#5 scooterpd

scooterpd
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:56 AM

Posted 03 August 2007 - 12:14 AM

sorry it took so long, but here you go...

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/02/2007 at 08:18 PM

Application Version : 3.9.1008

Core Rules Database Version : 3278
Trace Rules Database Version: 1289

Scan type : Complete Scan
Total Scan Time : 01:09:15

Memory items scanned : 454
Memory threats detected : 0
Registry items scanned : 6318
Registry threats detected : 0
File items scanned : 47930
File threats detected : 7

Adware.Tracking Cookie
C:\Documents and Settings\Scott Shields\Cookies\scott shields@revsci[2].txt
C:\Documents and Settings\Scott Shields\Cookies\scott shields@questionmarket[2].txt
C:\Documents and Settings\Scott Shields\Cookies\scott shields@specificclick[2].txt
C:\Documents and Settings\Scott Shields\Cookies\scott shields@2o7[1].txt
C:\Documents and Settings\Scott Shields\Cookies\scott shields@atwola[1].txt

Adware.ClickSpring/Yazzle
C:\PROGRAM FILES\POOLSV\YAZZLEBUNDLE-1549.EXE

Trojan.Downloader-Gen/HitItQuitIt
C:\SYSTEM VOLUME INFORMATION\_RESTORE{92EC12A7-009B-4D77-899D-FF91068A8284}\RP95\A0012316.DLL


ACTIVE SCAN REPORT...

Incident Status Location

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Scott Shields\Desktop\ComboFix.exe[nircmd.exe]
Hacktool:HackTool/KillProcWin.A Not disinfected C:\Documents and Settings\Scott Shields\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0D.dat[simple_killw.exe]
Spyware:Spyware/PeoplePC Not disinfected C:\Program Files\Online Services\PeoplePC\ISP5900\Dll\RAS.DLL
Adware:Adware/Yazzle Not disinfected C:\Program Files\poolsv\k11u72.exe
Adware:Adware/WebSearch Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\pymlosut.dll.vir
Virus:Trj/Passtealer.ED Disinfected C:\QooBox\Quarantine\catchme2007-08-02_ 95732.56.zip[fcccbcd.dll]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\agjltgfv.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\mvfsokri.dll


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:41 PM, on 8/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NOTEPAD 2.0.18\Notepad2.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat
C:\Program Files\Maxthon\Maxthon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netvibes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/go/notebookaccessories
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Pando Toolbar BHO - {E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Pando Toolbar - {E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI6DCE~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - D:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - D:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{03C95FB3-E732-4423-9C54-13C8A4F1C795}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{8240C5DD-F3B8-4E52-95EF-30F40988AD54}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D5DBFE7-8575-422C-AFC0-A2D801702B6B}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{03C95FB3-E732-4423-9C54-13C8A4F1C795}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{03C95FB3-E732-4423-9C54-13C8A4F1C795}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\Program Files\a-squared Free\a2service.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10876 bytes

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:06:56 PM

Posted 03 August 2007 - 06:24 AM

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\Program Files\poolsv
C:\WINDOWS\system32\agjltgfv.dll
C:\WINDOWS\system32\mvfsokri.dll
C:\Documents and Settings\Scott Shields\Local Settings\Application Data\Wildtangent


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it on your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

-----------------------------------------------------

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java,and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u2'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java versions.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

Restart your pc,post a fresh Hijackthis log.
Let me know how your pc is running now.
Posted Image
Posted Image

#7 scooterpd

scooterpd
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:56 AM

Posted 03 August 2007 - 05:59 PM

ok richie, here is the OTMoveIt log...

C:\Program Files\poolsv moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\agjltgfv.dll
C:\WINDOWS\system32\agjltgfv.dll NOT unregistered.
C:\WINDOWS\system32\agjltgfv.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\mvfsokri.dll
C:\WINDOWS\system32\mvfsokri.dll NOT unregistered.
C:\WINDOWS\system32\mvfsokri.dll moved successfully.
C:\Documents and Settings\Scott Shields\Local Settings\Application Data\Wildtangent\Cdacache\00\00 moved successfully.
C:\Documents and Settings\Scott Shields\Local Settings\Application Data\Wildtangent\Cdacache\00 moved successfully.
C:\Documents and Settings\Scott Shields\Local Settings\Application Data\Wildtangent\Cdacache moved successfully.
C:\Documents and Settings\Scott Shields\Local Settings\Application Data\Wildtangent moved successfully.

Created on 08/03/2007 15:24:21

and a fresh HiJackThis log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:54:19 PM, on 8/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Maxthon\Maxthon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\Trend Micro\HijackThis\abc.bat
C:\Program Files\NOTEPAD 2.0.18\Notepad2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netvibes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/go/notebookaccessories
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Pando Toolbar BHO - {E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Pando Toolbar - {E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI6DCE~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - D:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - D:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{03C95FB3-E732-4423-9C54-13C8A4F1C795}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{8240C5DD-F3B8-4E52-95EF-30F40988AD54}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D5DBFE7-8575-422C-AFC0-A2D801702B6B}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{03C95FB3-E732-4423-9C54-13C8A4F1C795}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{03C95FB3-E732-4423-9C54-13C8A4F1C795}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\Program Files\a-squared Free\a2service.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10810 bytes

so my pc seems to be running a lot better. thank you very much. i have a couple quick questions if you dont mind.
1. is there anything else i should do to ensure this doesnt happen again?
2. throughout this process i have downloaded numerous apps to my desktop (combofix.exe, killbox.exe, SUPERAntiSpywareFreeEdition, and OTMoveIt). Should i keep any of these on my pc or is it safe to remove them?
3. is it ok now to rename abc.bat back to its original HijackThis.exe

thank you very much for your patience and expertise. i appreciate it.

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:06:56 PM

Posted 03 August 2007 - 06:13 PM

3. is it ok now to rename abc.bat back to its original HijackThis.exe

Yes go ahead,you can do that now if you wish.

Your log is clean :thumbsup:
If all's ok,please do the following.

Find and delete:
Combofix.exe
KillBox.exe
OTMoveIt.exe

C:\_OTMoveIt
C:\QOOBOX
C:\!Killbox

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

If you use Opera browser,do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

-----------------------------------------------------

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window,click on the 'Create a Restore Point' button,then click 'Next'.
In the window that appears,enter a description\name for the Restore Point,then click on 'Create',wait,then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear,click on Ok.
The 'Disk Cleanup for [C:]' box will appear,click on the 'More Options' tab.
At the bottom in the 'System Restore' window,click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?',click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here,to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html
Posted Image
Posted Image

#9 scooterpd

scooterpd
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:56 AM

Posted 03 August 2007 - 07:25 PM

thanks for all your help once again. my pc thanks you. one last question, if you dont mind.
1. i am looking to get rid of all of my NORTON crapware and switch over to AVG. do you have any suggestions as to how to remove NORTON completely?

thanks again for all your help with this.

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:06:56 PM

Posted 03 August 2007 - 07:52 PM

To uninstall Norton,if there’s no uninstaller available in Add\Remove Programs then you’ll need to download and run the Norton Removal Tool:
http://service1.symantec.com/SUPPORT/tsgen...005033108162039
*Please Note*
The Norton Removal Tool will remove all Norton/Symantec products from your pc.

Then delete:
C:\Program Files\Norton Internet Security
C:\Program Files\Common Files\Symantec Shared

After doing the above there may possibly be a Symantec service or two still showing in your Hijackthis log,you'll have to remove those manually.
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users