Generic Trojan?


5 replies to this topic

#1 phatchauza (Members, 7 posts)

Posted 02 August 2007 - 06:15 PM

Hello, first off, haha... I'm using Windows XP SP1.
Anyway, the problem I have is that every time I use IE (version 6) I get a bunch of pop-ups. I'll check my IE Internet Options and under "Privacy" it's set to "Accept All Cookies", which I usually have set to Medium. I'll change it back, but a few minutes later, or if I reopen IE, it changes to Accept All again. I'm not sure if this was caused by the virus, but it also changed the clock in my notification area to military time :| My internet also seems noticeably slower. I've now started using Firefox and have only gotten one pop-up so far :D

Some of the sites that pop up:

http://ww.smableeps.com/adn-02.html
http://www.fvx.com/stuff/


Well, according to XoftSpySE, I have a Generic Trojan - I:\WINDOWS\System32\ssqrp.dll - but it can't remove it.

Log File from HijackThis

----

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:15, on 2007-08-02
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\spoolsv.exe
I:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
I:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
I:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
I:\PROGRA~1\Grisoft\AVG7\avgemc.exe
I:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
I:\Program Files\Symantec AntiVirus\DefWatch.exe
I:\WINDOWS\System32\nvsvc32.exe
I:\WINDOWS\system32\slserv.exe
I:\WINDOWS\System32\svchost.exe
I:\Program Files\Symantec AntiVirus\Rtvscan.exe
I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
I:\WINDOWS\Explorer.EXE
I:\WINDOWS\zHotkey.exe
I:\Program Files\eM\Bay Reader\Shwicon2k.exe
I:\Program Files\Common Files\Symantec Shared\ccApp.exe
I:\PROGRA~1\SYMANT~1\VPTray.exe
I:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
I:\WINDOWS\System32\LVCOMSX.EXE
I:\Program Files\Logitech\Video\LogiTray.exe
I:\Program Files\iTunes\iTunesHelper.exe
I:\Program Files\HP\HP Software Update\HPWuSchd.exe
I:\PROGRA~1\Grisoft\AVG7\avgcc.exe
I:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
I:\Program Files\Messenger\msmsgs.exe
I:\Program Files\iPod\bin\iPodService.exe
I:\Program Files\Logitech\Video\FxSvr2.exe
I:\Program Files\MSN Messenger\msnmsgr.exe
I:\Program Files\MSN Messenger\usnsvc.exe
I:\Program Files\AIM\aim.exe
I:\Program Files\iTunes\iTunes.exe
I:\Program Files\Mozilla Firefox\firefox.exe
I:\Program Files\XoftSpySE\XoftSpy.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.70:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - I:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [showicon2k] I:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] I:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "I:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] I:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "I:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "I:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [LClock] I:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [LVCOMSX] I:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] I:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] I:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] "I:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "I:\WINDOWS\System32\piakshmn.dll",forkonce
O4 - HKLM\..\Run: [AVG7_CC] I:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "I:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AIM] I:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [BitTorrent] "I:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "I:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [MSMSGS] "I:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "I:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] I:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] I:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE I:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE I:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = I:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = I:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: ImTranslator - I:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - I:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - I:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - I:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1185635837796
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - I:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - I:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - I:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - I:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - I:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - I:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SmartLinkService (SLService) - - I:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - I:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7843 bytes



Thanks in advance :thumbsup:


#2 RichieUK, Malware Assassin (Malware Response Team, 13,614 posts)

Posted 02 August 2007 - 08:45 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, phatchauza :thumbsup:
My name is Richie and I'll be helping you fix your problems.

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files; click "YES".
Once you click Yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "click the Scan for Vundo button" when VundoFix appears at reboot.

-----------------------------------------------

Please download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.


-----------------------------------------------

Now go to:
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right-click on HijackThis.exe, select 'Rename', and rename it to abc.bat.
Double-click on abc.bat (which is still HijackThis.exe) and post that log into your next reply, please.
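What Richie is reading in the first log, spelled out for anyone following along: the HKCU ProxyServer value (R1) pointing at 195.175.37.70:8080, which nobody in the thread comments on but which means every IE request was being relayed through that host (it is still there in the second log, after VundoFix and ComboFix); the O4 entry running rundll32.exe on a System32 DLL with a machine-generated name (piakshmn.dll); and, once HijackThis runs under the name abc.bat, the O2 BHO lines for ssqrp.dll and yqnlptmv.dll that the first log, taken under the tool's own name, did not show at all, which is what the rename step works around. The script below is an added example, not from the thread, from HijackThis or from any of the tools named here; it flags those indicator classes in a HijackThis v2 log. The sample lines are copied from this thread's logs plus a few benign entries, and the random-name heuristic is an assumption tuned to names like ssqrp and piakshmn, so treat its output as a priority list, not a verdict.

```python
"""Triage a HijackThis v2 log for the indicator classes in this thread: an
injected IE proxy (R1), unnamed BHOs loading from System32 with generated
names (O2), orphaned BHO CLSIDs left after a cleanup (O2 'file missing'),
and rundll32 autoruns pointing at a System32 DLL (O4). Added example."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the two logs in this thread plus a
# few benign entries (Java's ssv.dll, Spybot's SDHelper.dll, NVIDIA's NvCpl,
# Symantec's ccApp) so the heuristics have legitimate lines to leave alone.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.70:8080
O2 - BHO: (no name) - {6EBB97CE-6426-441D-8584-42EBFE51E5E6} - I:\WINDOWS\System32\ssqrp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - I:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {3B1D148D-A216-EA88-1814-FE8DBD5085EF} - I:\WINDOWS\System32\yqnlptmv.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "I:\WINDOWS\System32\piakshmn.dll",forkonce
O4 - HKLM\..\Run: [ccApp] "I:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
PROXY_RE = re.compile(r"ProxyServer = (?P<host>[^:\s]+)(?::(?P<port>\d+))?")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
                    r"(?P<path>.*?)(?: \((?P<state>file missing|no file)\))?$")
RUN_RE = re.compile(r"^(?P<hive>HK.*?)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
DLL_RE = re.compile(r'(?P<path>[A-Za-z]:\\[^",]*?\\(?P<base>[^\\",]+))\.dll', re.IGNORECASE)
VOWELS = set("aeiou")


def looks_random(stem: str) -> bool:
    """Assumed heuristic for the generated names Vundo drops (ssqrp, piakshmn,
    yqnlptmv): all lowercase letters with a run of four or more consonants or
    almost no vowels. It can misfire on short vendor names; it raises priority,
    it does not decide."""
    if not (5 <= len(stem) <= 10 and stem.isalpha() and stem.islower()):
        return False
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    longest_consonant_run = max(len(run) for run in re.split(r"[aeiou]", stem))
    return longest_consonant_run >= 4 or vowel_ratio < 0.2


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


@dataclass
class Finding:
    section: str
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str


def _check_bho(sec: str, bm: re.Match, raw: str) -> list[Finding]:
    path = bm.group("path")
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    reasons, severity = [], "medium"
    if bm.group("name") == "(no name)" and in_system32(path):
        reasons.append("unnamed BHO loading from System32")
        severity = "high"
    if looks_random(stem):
        reasons.append(f"DLL name {stem!r} looks machine-generated")
        severity = "high"
    if bm.group("state"):  # HijackThis appends (file missing) when the DLL is gone
        reasons.append("CLSID still registered but the DLL is gone; delete the key")
    return [Finding(sec, severity, "; ".join(reasons), raw)] if reasons else []


def _check_rundll32(sec: str, cmd: str, raw: str) -> list[Finding]:
    dm = DLL_RE.search(cmd)
    if not dm or not in_system32(dm.group("path")):
        return []
    stem = dm.group("base")
    if looks_random(stem):
        return [Finding(sec, "high", f"rundll32 autorun loads System32 DLL {stem!r} "
                        "with a machine-generated name", raw)]
    return [Finding(sec, "low", f"rundll32 autorun loads System32 DLL {stem!r}; "
                    "vendor-cased names are usually legitimate, verify the file", raw)]


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "R1":
            pm = PROXY_RE.search(body)
            if pm and not pm.group("host").startswith(("127.", "localhost")):
                target = pm.group("host") + (f":{pm.group('port')}" if pm.group("port") else "")
                findings.append(Finding(sec, "high", f"IE proxy set to {target}; every IE "
                                        "request is relayed through that host", raw))
        elif sec == "O2" and (bm := BHO_RE.match(body)):
            findings.extend(_check_bho(sec, bm, raw))
        elif sec == "O4" and (rm := RUN_RE.match(body)) and "rundll32" in rm.group("cmd").lower():
            findings.extend(_check_rundll32(sec, rm.group("cmd"), raw))
    return findings


def summary(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:<6}] {f.section}: {f.reason}\n         {f.line}")
```

Run it again on the log taken after a cleanup: the "(file missing)" BHO entries it reports as orphaned are the CLSID keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects that still need deleting, and an R1 ProxyServer value the tools left behind has to be cleared by hand in Internet Options or the registry.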

#3 phatchauza, Topic Starter (Members, 7 posts)

Posted 02 August 2007 - 09:48 PM

VundoFix Log


VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.11

Scan started at 10:07:51 PM 08/02/07

Listing files found while scanning....

I:\WINDOWS\System32\prqss.bak1
I:\WINDOWS\System32\prqss.bak2
I:\WINDOWS\System32\prqss.ini
I:\WINDOWS\System32\ssqrp.dll

Beginning removal...

Attempting to delete I:\WINDOWS\System32\prqss.bak1
I:\WINDOWS\System32\prqss.bak1 Has been deleted!

Attempting to delete I:\WINDOWS\System32\prqss.bak2
I:\WINDOWS\System32\prqss.bak2 Has been deleted!

Attempting to delete I:\WINDOWS\System32\prqss.ini
I:\WINDOWS\System32\prqss.ini Has been deleted!

Attempting to delete I:\WINDOWS\System32\ssqrp.dll
I:\WINDOWS\System32\ssqrp.dll Has been deleted!

Performing Repairs to the registry.
Done!


--------------------------------------------------------------------------



ComboFix Log


ComboFix 07-08-03.4 - "Tammy" 2007-08-02 22:24:33.1 [GMT -4:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.True
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


I:\DOCUME~1\Tammy\Desktop.\internet explorer.lnk
I:\WINDOWS\system32\khciniiy.dll
I:\WINDOWS\system32\opnlihh.dll
I:\WINDOWS\system32\utuitxwp.dll


((((((((((((((((((((((((( Files Created from 2007-07-03 to 2007-08-03 )))))))))))))))))))))))))))))))


2007-08-02 22:07 <DIR> d-------- I:\VundoFix Backups
2007-08-02 18:05 51,200 --a------ I:\WINDOWS\nircmd.exe
2007-08-02 17:59 <DIR> d-------- I:\Program Files\Trend Micro
2007-08-02 12:36 125,504 --a------ I:\WINDOWS\system32\piakshmn.dll
2007-08-02 01:57 <DIR> d-------- I:\Program Files\Lavasoft
2007-08-02 01:57 <DIR> d-------- I:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-02 01:56 <DIR> d-------- I:\Program Files\Common Files\Wise Installation Wizard
2007-08-02 01:53 <DIR> d-------- I:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-02 01:13 <DIR> d-------- I:\Program Files\XoftSpySE
2007-08-02 01:09 <DIR> d-------- I:\Program Files\Panicware
2007-08-02 00:54 <DIR> d-------- I:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-08-01 12:40 125,504 --a------ I:\WINDOWS\system32\rxapxsht.dll
2007-08-01 10:55 593,408 --a------ I:\WINDOWS\system32\h323msp.dll
2007-08-01 10:55 593,408 -----c--- I:\WINDOWS\system32\dllcache\xpsp2res.dll
2007-08-01 10:55 548,352 --a------ I:\WINDOWS\system32\rtcdll.dll
2007-08-01 10:55 439,808 --a------ I:\WINDOWS\system32\ipnathlp.dll
2007-08-01 10:55 40,960 -----c--- I:\WINDOWS\system32\dllcache\evtgprov.dll
2007-08-01 10:55 26,112 --a------ I:\WINDOWS\system32\xpsp1hfm.exe
2007-07-29 14:47 <DIR> d-------- I:\DOCUME~1\Tammy\APPLIC~1\GTek
2007-07-29 14:47 <DIR> d-------- I:\DOCUME~1\ALLUSE~1\APPLIC~1\Gtek
2007-07-28 11:33 95,232 --a--c--- I:\WINDOWS\system32\dllcache\6to4svc.dll
2007-07-28 11:33 95,232 --a------ I:\WINDOWS\system32\6to4svc.dll
2007-07-28 11:33 83,456 --a--c--- I:\WINDOWS\system32\dllcache\netsh.exe
2007-07-28 11:33 83,456 --a--c--- I:\WINDOWS\system32\dllcache\iphlpapi.dll
2007-07-28 11:33 83,456 --a------ I:\WINDOWS\system32\netsh.exe
2007-07-28 11:33 82,432 -----c--- I:\WINDOWS\system32\dllcache\fldrclnr.dll
2007-07-28 11:33 8,353,280 -----c--- I:\WINDOWS\system32\dllcache\shell32.dll
2007-07-28 11:33 700,928 -----c--- I:\WINDOWS\system32\dllcache\sxs.dll
2007-07-28 11:33 70,656 --a--c--- I:\WINDOWS\system32\dllcache\ws2_32.dll
2007-07-28 11:33 70,656 --a------ I:\WINDOWS\system32\ws2_32.dll
2007-07-28 11:33 595,968 --a------ I:\WINDOWS\system32\xpsp2res.dll
2007-07-28 11:33 561,664 -----c--- I:\WINDOWS\system32\dllcache\comctl32.dll
2007-07-28 11:33 54,272 --a--c--- I:\WINDOWS\system32\dllcache\ipv6mon.dll
2007-07-28 11:33 54,272 --a------ I:\WINDOWS\system32\ipv6mon.dll
2007-07-28 11:33 48,640 --a--c--- I:\WINDOWS\system32\dllcache\ipv6.exe
2007-07-28 11:33 48,640 --a------ I:\WINDOWS\system32\ipv6.exe
2007-07-28 11:33 458,752 -----c--- I:\WINDOWS\system32\dllcache\jscript.dll
2007-07-28 11:33 340,480 -----c--- I:\WINDOWS\system32\dllcache\tcpip.sys
2007-07-28 11:33 321,536 -----c--- I:\WINDOWS\system32\dllcache\srv.sys
2007-07-28 11:33 31,232 --a--c--- I:\WINDOWS\system32\dllcache\inetmib1.dll
2007-07-28 11:33 31,232 --a------ I:\WINDOWS\system32\inetmib1.dll
2007-07-28 11:33 205,120 --a--c--- I:\WINDOWS\system32\dllcache\tcpip6.sys
2007-07-28 11:33 159,232 --a------ I:\WINDOWS\system32\xpob2res.dll
2007-07-28 11:33 13,312 --a--c--- I:\WINDOWS\system32\dllcache\wship6.dll
2007-07-28 11:33 13,312 --a------ I:\WINDOWS\system32\wship6.dll
2007-07-28 11:33 11,776 --a--c--- I:\WINDOWS\system32\dllcache\tunmp.sys
2007-07-28 11:33 11,776 --a------ I:\WINDOWS\system32\drivers\tunmp.sys
2007-07-28 11:33 103,936 -----c--- I:\WINDOWS\system32\dllcache\dhcpcsvc.dll
2007-07-28 11:33 1,351,680 -----c--- I:\WINDOWS\system32\dllcache\shdocvw.dll
2007-07-28 11:33 1,110,528 --a------ I:\WINDOWS\system32\msxml3.dll
2007-07-28 11:33 1,110,528 -----c--- I:\WINDOWS\system32\dllcache\msxml3.dll
2007-07-28 11:33 1,027,072 -----c--- I:\WINDOWS\system32\dllcache\browseui.dll
2007-07-28 11:32 98,304 --a------ I:\WINDOWS\system32\polstore.dll
2007-07-28 11:32 98,304 -----c--- I:\WINDOWS\system32\dllcache\polstore.dll
2007-07-28 11:32 74,368 -----c--- I:\WINDOWS\system32\dllcache\ipsec.sys
2007-07-28 11:32 72,704 -----c--- I:\WINDOWS\system32\dllcache\hlink.dll
2007-07-28 11:32 68,608 --a------ I:\WINDOWS\system32\mscms.dll
2007-07-28 11:32 64,512 -----c--- I:\WINDOWS\system32\dllcache\ciodm.dll
2007-07-28 11:32 364,544 --a------ I:\WINDOWS\system32\ipsmsnap.dll
2007-07-28 11:32 364,544 -----c--- I:\WINDOWS\system32\dllcache\ipsmsnap.dll
2007-07-28 11:32 334,848 --a------ I:\WINDOWS\system32\ipsecsnp.dll
2007-07-28 11:32 334,848 -----c--- I:\WINDOWS\system32\dllcache\ipsecsnp.dll
2007-07-28 11:32 29,184 --a------ I:\WINDOWS\system32\winipsec.dll
2007-07-28 11:32 29,184 -----c--- I:\WINDOWS\system32\dllcache\winipsec.dll
2007-07-28 11:32 257,536 --a------ I:\WINDOWS\system32\oakley.dll
2007-07-28 11:32 257,536 -----c--- I:\WINDOWS\system32\dllcache\oakley.dll
2007-07-28 11:32 183,808 -----c--- I:\WINDOWS\system32\dllcache\gptext.dll
2007-07-28 11:32 169,984 -----c--- I:\WINDOWS\system32\dllcache\rasmans.dll
2007-07-28 11:32 159,744 --a------ I:\WINDOWS\system32\ipsecsvc.dll
2007-07-28 11:32 159,744 -----c--- I:\WINDOWS\system32\dllcache\ipsecsvc.dll
2007-07-28 11:32 1,350,144 -----c--- I:\WINDOWS\system32\dllcache\query.dll
2007-07-28 11:30 991,232 --a------ I:\WINDOWS\system32\esent.dll
2007-07-28 11:30 928,768 -----c--- I:\WINDOWS\system32\dllcache\kernel32.dll
2007-07-28 11:30 64,000 --a------ I:\WINDOWS\system32\webclnt.dll
2007-07-28 11:30 16,384 --a------ I:\WINDOWS\system32\linkinfo.dll
2007-07-28 11:29 53,248 --a------ I:\WINDOWS\system32\spoolsv.exe
2007-07-28 11:29 36,864 --a------ I:\WINDOWS\system32\mf3216.dll
2007-07-28 11:29 285,184 --a------ I:\WINDOWS\system32\kerberos.dll
2007-07-28 11:29 238,592 --a------ I:\WINDOWS\system32\tapisrv.dll
2007-07-28 11:29 199,936 -----c--- I:\WINDOWS\system32\dllcache\rmcast.sys
2007-07-28 11:29 154,624 --a------ I:\WINDOWS\system32\netman.dll
2007-07-28 11:28 974,336 --a------ I:\WINDOWS\system32\msdtctm.dll
2007-07-28 11:28 92,160 --a------ I:\WINDOWS\system32\cscdll.dll
2007-07-28 11:28 92,160 -----c--- I:\WINDOWS\system32\dllcache\cscdll.dll
2007-07-28 11:28 83,456 --a------ I:\WINDOWS\system32\mtxoci.dll
2007-07-28 11:28 64,512 --a------ I:\WINDOWS\system32\mtxclu.dll
2007-07-28 11:28 6,144 -----c--- I:\WINDOWS\system32\dllcache\rasadhlp.dll
2007-07-28 11:28 493,056 --a------ I:\WINDOWS\system32\hypertrm.dll
2007-07-28 11:28 433,152 -----c--- I:\WINDOWS\system32\dllcache\mrxsmb.sys
2007-07-28 11:28 368,640 --a------ I:\WINDOWS\system32\msdtcprx.dll
2007-07-28 11:28 166,656 -----c--- I:\WINDOWS\system32\dllcache\rdbss.sys
2007-07-28 11:28 140,288 -----c--- I:\WINDOWS\system32\dllcache\dnsapi.dll
2007-07-28 11:28 111,104 --a------ I:\WINDOWS\system32\umpnpmgr.dll
2007-07-28 11:28 11,776 --a------ I:\WINDOWS\system32\xolehlp.dll
2007-07-28 11:26 53,760 --a------ I:\WINDOWS\system32\authz.dll
2007-07-28 11:20 7,680 --a------ I:\WINDOWS\system32\bitsprx2.dll
2007-07-28 11:20 7,680 -----c--- I:\WINDOWS\system32\dllcache\bitsprx2.dll
2007-07-28 11:20 7,168 --a------ I:\WINDOWS\system32\bitsprx3.dll
2007-07-28 11:20 7,168 -----c--- I:\WINDOWS\system32\dllcache\bitsprx3.dll
2007-07-28 11:20 331,776 --a------ I:\WINDOWS\system32\winhttp.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-02 22:31 --------- d-------- I:\Program Files\Symantec AntiVirus
2007-08-02 16:37 2916 --a------ I:\DOCUME~1\Tammy\APPLIC~1\wklnhst.dat
2007-08-02 01:27 --------- d-------- I:\Program Files\Common Files\Pictures
2007-08-01 14:06 --------- d-------- I:\DOCUME~1\Tammy\APPLIC~1\LimeWire
2007-08-01 10:30 --------- d-------- I:\Program Files\Messenger
2007-08-01 10:23 --------- d-------- I:\Program Files\Common Files\Movies
2007-07-31 23:13 --------- d-------- I:\Program Files\XoftSpy
2007-07-28 20:55 1392671 --a------ I:\WINDOWS\system32\msvbvm60.dll
2007-07-24 11:40 --------- d-------- I:\Program Files\mIRC
2007-07-16 17:45 --------- d--h----- I:\Program Files\InstallShield Installation Information
2007-07-16 17:24 --------- d-------- I:\Program Files\Linksys Wireless-G USB Wireless Network Monitor
2007-07-16 17:23 --------- d-------- I:\Program Files\MEDIC
2007-07-16 17:21 --------- d-------- I:\Program Files\545 Studios
2007-07-13 20:22 --------- d-------- I:\Program Files\Magic Video Converter
2007-07-09 18:14 43 --a------ I:\WINDOWS\popcinfo.dat
2007-06-24 22:05 --------- d-------- I:\DOCUME~1\Tammy\APPLIC~1\BitTorrent
2007-06-24 15:12 --------- d-------- I:\Program Files\DivX
2007-06-15 15:11 --------- d-------- I:\Program Files\Apple Software Update
2007-06-13 22:59 --------- d-------- I:\Program Files\Common Files\AVSMedia
2007-06-13 18:11 --------- d-------- I:\DOCUME~1\Tammy\APPLIC~1\AVSMedia
2007-06-05 19:26 --------- d-------- I:\Program Files\Movie Maker
2007-06-04 15:18 9344 --a------ I:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8320 --a------ I:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6272 --a------ I:\WINDOWS\system32\drivers\AWRTPD.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3B1D148D-A216-EA88-1814-FE8DBD5085EF}]
I:\WINDOWS\System32\yqnlptmv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6EBB97CE-6426-441D-8584-42EBFE51E5E6}]
I:\WINDOWS\System32\ssqrp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CHotkey"="zHotkey.exe" [2003-06-03 12:01 I:\WINDOWS\zHotkey.exe]
"showicon2k"="I:\Program Files\\eM\Bay Reader\Shwicon2k.exe" [2003-07-03 22:55]
"NvCplDaemon"="I:\WINDOWS\System32\NvCpl.dll" [2003-03-02 21:44]
"nwiz"="nwiz.exe" [2003-03-02 21:44 I:\WINDOWS\system32\nwiz.exe]
"NWEReboot"="" []
"NeroFilterCheck"="I:\WINDOWS\System32\NeroCheck.exe" [2001-07-09 11:50]
"ccApp"="I:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-06-09 21:31]
"vptray"="I:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-10-06 18:56]
"SunJavaUpdateSched"="I:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"UnlockerAssistant"="I:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-03-03 04:39]
"LClock"="I:\Program Files\LClock\LClock.exe" []
"LVCOMSX"="I:\WINDOWS\System32\LVCOMSX.EXE" [2005-07-19 17:32]
"LogitechVideoRepair"="I:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24]
"LogitechVideoTray"="I:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14]
"QuickTime Task"="I:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="I:\Program Files\iTunes\iTunesHelper.exe" [2007-07-09 22:32]
"HP Software Update"="I:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 17:28]
"AVG7_CC"="I:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-02 00:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="I:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-11-10 10:44]
"AIM"="I:\Program Files\AIM\aim.exe" [2006-08-01 16:35]
"BitTorrent"="I:\Program Files\BitTorrent\bittorrent.exe" [2007-03-01 19:11]
"LogitechSoftwareUpdate"="I:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44]
"MSMSGS"="I:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18]
"PopUpStopperFreeEdition"="I:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 11:10]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"NvMediaCenter"=RUNDLL32.EXE I:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

I:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - I:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-03-19 11:03:18]
WinZip Quick Pick.lnk - I:\Program Files\WinZip\WZQKPICK.EXE [2007-03-19 10:50:17]

R3 Mtlmnt5;Mtlmnt5;I:\WINDOWS\System32\DRIVERS\Mtlmnt5.sys
R3 nvax;Service for NVIDIA® nForce™ Audio Enumerator;I:\WINDOWS\System32\drivers\nvax.sys
R3 NVENET;NVIDIA nForce MCP Networking Controller Driver;I:\WINDOWS\System32\DRIVERS\NVENET.sys
R3 nvnforce;Service for NVIDIA® nForce™ Audio;I:\WINDOWS\System32\drivers\nvapu.sys
R3 pepifilter;Volume Adapter;I:\WINDOWS\System32\DRIVERS\lv302af.sys
R3 PID_08A0;QuickCam IM(PID_08A0);I:\WINDOWS\System32\DRIVERS\LV302AV.SYS
R3 Slntamr;SmartLink AMR_PCI Driver;I:\WINDOWS\System32\DRIVERS\slntamr.sys
R3 SlWdmSup;SlWdmSup;I:\WINDOWS\System32\DRIVERS\SlWdmSup.sys
R3 SunkFilt;Alcor Micro Corp - 9360;\??\I:\WINDOWS\System32\Drivers\sunkfilt.sys
S3 Mtlstrm;Mtlstrm;I:\WINDOWS\System32\DRIVERS\Mtlstrm.sys
S3 NtMtlFax;NtMtlFax;I:\WINDOWS\System32\DRIVERS\NtMtlFax.sys
S3 RecAgent;recagent;\??\I:\WINDOWS\System32\DRIVERS\RecAgent.sys
S3 SaiHFF0C;SaiHFF0C;I:\WINDOWS\System32\DRIVERS\SaiHFF0C.sys
S3 SaiUFF0C;SaiUFF0C;I:\WINDOWS\System32\DRIVERS\SaiUFF0C.sys
S3 SlNtHal;SlNtHal;I:\WINDOWS\System32\DRIVERS\Slnthal.sys
S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;I:\WINDOWS\System32\DRIVERS\rt2500usb.sys


Contents of the 'Scheduled Tasks' folder
2007-07-27 16:21:09 I:\WINDOWS\Tasks\AppleSoftwareUpdate.job - I:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-07-08 21:10:41 I:\WINDOWS\Tasks\XoftSpy.job - I:\Program Files\XoftSpy\XoftSpy.exe
2007-08-03 02:32:21 I:\WINDOWS\Tasks\XoftSpySE 2.job - I:\Program Files\XoftSpySE\XoftSpy.exe
2007-08-02 05:13:06 I:\WINDOWS\Tasks\XoftSpySE.job - I:\Program Files\XoftSpySE\XoftSpy.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-02 22:32:31
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-02 22:35:02 - machine was rebooted
I:\ComboFix-quarantined-files.txt ... 2007-08-02 22:34

--- E O F ---


-------------------------------------------------------------------------------------------------------------------



HijackThis Log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:39:28 PM, on 8/2/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\spoolsv.exe
I:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
I:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
I:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
I:\PROGRA~1\Grisoft\AVG7\avgemc.exe
I:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
I:\Program Files\Symantec AntiVirus\DefWatch.exe
I:\WINDOWS\System32\nvsvc32.exe
I:\WINDOWS\System32\svchost.exe
I:\Program Files\Symantec AntiVirus\Rtvscan.exe
I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
I:\WINDOWS\Explorer.EXE
I:\WINDOWS\zHotkey.exe
I:\Program Files\eM\Bay Reader\Shwicon2k.exe
I:\Program Files\Common Files\Symantec Shared\ccApp.exe
I:\PROGRA~1\SYMANT~1\VPTray.exe
I:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
I:\Program Files\Unlocker\UnlockerAssistant.exe
I:\WINDOWS\System32\LVCOMSX.EXE
I:\Program Files\Logitech\Video\LogiTray.exe
I:\Program Files\QuickTime\qttask.exe
I:\Program Files\iTunes\iTunesHelper.exe
I:\Program Files\HP\HP Software Update\HPWuSchd.exe
I:\PROGRA~1\Grisoft\AVG7\avgcc.exe
I:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
I:\Program Files\AIM\aim.exe
I:\Program Files\BitTorrent\bittorrent.exe
I:\Program Files\Messenger\msmsgs.exe
I:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
I:\Program Files\iPod\bin\iPodService.exe
I:\Program Files\WinZip\WZQKPICK.EXE
I:\Program Files\Logitech\Video\FxSvr2.exe
I:\WINDOWS\system32\notepad.exe
I:\Program Files\internet explorer\iexplore.exe
I:\Program Files\Trend Micro\HijackThis\abc.bat.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.70:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {3B1D148D-A216-EA88-1814-FE8DBD5085EF} - I:\WINDOWS\System32\yqnlptmv.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - I:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6EBB97CE-6426-441D-8584-42EBFE51E5E6} - I:\WINDOWS\System32\ssqrp.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - I:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [showicon2k] I:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] I:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "I:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] I:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "I:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "I:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [LClock] I:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [LVCOMSX] I:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] I:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] I:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] "I:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [AVG7_CC] I:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "I:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AIM] I:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [BitTorrent] "I:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "I:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [MSMSGS] "I:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "I:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] I:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] I:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE I:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE I:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = I:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = I:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: ImTranslator - I:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - I:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - I:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - I:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1185635837796
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - I:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - I:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - I:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - I:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - I:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - I:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SmartLinkService (SLService) - - I:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - I:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8412 bytes




:thumbsup:

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:08:16 PM

Posted 03 August 2007 - 04:37 AM

Copy and paste ALL the following blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, saving it to your desktop.

File::
I:\WINDOWS\system32\piakshmn.dll
I:\WINDOWS\system32\rxapxsht.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3B1D148D-A216-EA88-1814-FE8DBD5085EF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6EBB97CE-6426-441D-8584-42EBFE51E5E6}]

Now drag and drop the CFScript file onto ComboFix.exe, as seen in the image below.

Posted Image

This will start ComboFix again.
After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.

#5 phatchauza

phatchauza
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:16 PM

Posted 03 August 2007 - 10:26 AM

ComboFix Log

ComboFix 07-08-03.4 - "Tammy" 2007-08-03 11:22:23.2 [GMT -4:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.True
Command switches used :: I:\Documents and Settings\Tammy\Desktop\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


I:\WINDOWS\system32\piakshmn.dll
I:\WINDOWS\system32\rxapxsht.dll


((((((((((((((((((((((((( Files Created from 2007-07-03 to 2007-08-03 )))))))))))))))))))))))))))))))


2007-08-02 22:07 <DIR> d-------- I:\VundoFix Backups
2007-08-02 18:05 51,200 --a------ I:\WINDOWS\nircmd.exe
2007-08-02 17:59 <DIR> d-------- I:\Program Files\Trend Micro
2007-08-02 01:57 <DIR> d-------- I:\Program Files\Lavasoft
2007-08-02 01:57 <DIR> d-------- I:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-02 01:56 <DIR> d-------- I:\Program Files\Common Files\Wise Installation Wizard
2007-08-02 01:53 <DIR> d-------- I:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-02 01:13 <DIR> d-------- I:\Program Files\XoftSpySE
2007-08-02 01:09 <DIR> d-------- I:\Program Files\Panicware
2007-08-02 00:54 <DIR> d-------- I:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-08-01 10:55 593,408 --a------ I:\WINDOWS\system32\h323msp.dll
2007-08-01 10:55 593,408 -----c--- I:\WINDOWS\system32\dllcache\xpsp2res.dll
2007-08-01 10:55 548,352 --a------ I:\WINDOWS\system32\rtcdll.dll
2007-08-01 10:55 439,808 --a------ I:\WINDOWS\system32\ipnathlp.dll
2007-08-01 10:55 40,960 -----c--- I:\WINDOWS\system32\dllcache\evtgprov.dll
2007-08-01 10:55 26,112 --a------ I:\WINDOWS\system32\xpsp1hfm.exe
2007-07-29 14:47 <DIR> d-------- I:\DOCUME~1\Tammy\APPLIC~1\GTek
2007-07-29 14:47 <DIR> d-------- I:\DOCUME~1\ALLUSE~1\APPLIC~1\Gtek
2007-07-28 11:33 95,232 --a--c--- I:\WINDOWS\system32\dllcache\6to4svc.dll
2007-07-28 11:33 95,232 --a------ I:\WINDOWS\system32\6to4svc.dll
2007-07-28 11:33 83,456 --a--c--- I:\WINDOWS\system32\dllcache\netsh.exe
2007-07-28 11:33 83,456 --a--c--- I:\WINDOWS\system32\dllcache\iphlpapi.dll
2007-07-28 11:33 83,456 --a------ I:\WINDOWS\system32\netsh.exe
2007-07-28 11:33 82,432 -----c--- I:\WINDOWS\system32\dllcache\fldrclnr.dll
2007-07-28 11:33 8,353,280 -----c--- I:\WINDOWS\system32\dllcache\shell32.dll
2007-07-28 11:33 700,928 -----c--- I:\WINDOWS\system32\dllcache\sxs.dll
2007-07-28 11:33 70,656 --a--c--- I:\WINDOWS\system32\dllcache\ws2_32.dll
2007-07-28 11:33 70,656 --a------ I:\WINDOWS\system32\ws2_32.dll
2007-07-28 11:33 595,968 --a------ I:\WINDOWS\system32\xpsp2res.dll
2007-07-28 11:33 561,664 -----c--- I:\WINDOWS\system32\dllcache\comctl32.dll
2007-07-28 11:33 54,272 --a--c--- I:\WINDOWS\system32\dllcache\ipv6mon.dll
2007-07-28 11:33 54,272 --a------ I:\WINDOWS\system32\ipv6mon.dll
2007-07-28 11:33 48,640 --a--c--- I:\WINDOWS\system32\dllcache\ipv6.exe
2007-07-28 11:33 48,640 --a------ I:\WINDOWS\system32\ipv6.exe
2007-07-28 11:33 458,752 -----c--- I:\WINDOWS\system32\dllcache\jscript.dll
2007-07-28 11:33 340,480 -----c--- I:\WINDOWS\system32\dllcache\tcpip.sys
2007-07-28 11:33 321,536 -----c--- I:\WINDOWS\system32\dllcache\srv.sys
2007-07-28 11:33 31,232 --a--c--- I:\WINDOWS\system32\dllcache\inetmib1.dll
2007-07-28 11:33 31,232 --a------ I:\WINDOWS\system32\inetmib1.dll
2007-07-28 11:33 205,120 --a--c--- I:\WINDOWS\system32\dllcache\tcpip6.sys
2007-07-28 11:33 159,232 --a------ I:\WINDOWS\system32\xpob2res.dll
2007-07-28 11:33 13,312 --a--c--- I:\WINDOWS\system32\dllcache\wship6.dll
2007-07-28 11:33 13,312 --a------ I:\WINDOWS\system32\wship6.dll
2007-07-28 11:33 11,776 --a--c--- I:\WINDOWS\system32\dllcache\tunmp.sys
2007-07-28 11:33 11,776 --a------ I:\WINDOWS\system32\drivers\tunmp.sys
2007-07-28 11:33 103,936 -----c--- I:\WINDOWS\system32\dllcache\dhcpcsvc.dll
2007-07-28 11:33 1,351,680 -----c--- I:\WINDOWS\system32\dllcache\shdocvw.dll
2007-07-28 11:33 1,110,528 --a------ I:\WINDOWS\system32\msxml3.dll
2007-07-28 11:33 1,110,528 -----c--- I:\WINDOWS\system32\dllcache\msxml3.dll
2007-07-28 11:33 1,027,072 -----c--- I:\WINDOWS\system32\dllcache\browseui.dll
2007-07-28 11:32 98,304 --a------ I:\WINDOWS\system32\polstore.dll
2007-07-28 11:32 98,304 -----c--- I:\WINDOWS\system32\dllcache\polstore.dll
2007-07-28 11:32 74,368 -----c--- I:\WINDOWS\system32\dllcache\ipsec.sys
2007-07-28 11:32 72,704 -----c--- I:\WINDOWS\system32\dllcache\hlink.dll
2007-07-28 11:32 68,608 --a------ I:\WINDOWS\system32\mscms.dll
2007-07-28 11:32 64,512 -----c--- I:\WINDOWS\system32\dllcache\ciodm.dll
2007-07-28 11:32 364,544 --a------ I:\WINDOWS\system32\ipsmsnap.dll
2007-07-28 11:32 364,544 -----c--- I:\WINDOWS\system32\dllcache\ipsmsnap.dll
2007-07-28 11:32 334,848 --a------ I:\WINDOWS\system32\ipsecsnp.dll
2007-07-28 11:32 334,848 -----c--- I:\WINDOWS\system32\dllcache\ipsecsnp.dll
2007-07-28 11:32 29,184 --a------ I:\WINDOWS\system32\winipsec.dll
2007-07-28 11:32 29,184 -----c--- I:\WINDOWS\system32\dllcache\winipsec.dll
2007-07-28 11:32 257,536 --a------ I:\WINDOWS\system32\oakley.dll
2007-07-28 11:32 257,536 -----c--- I:\WINDOWS\system32\dllcache\oakley.dll
2007-07-28 11:32 183,808 -----c--- I:\WINDOWS\system32\dllcache\gptext.dll
2007-07-28 11:32 169,984 -----c--- I:\WINDOWS\system32\dllcache\rasmans.dll
2007-07-28 11:32 159,744 --a------ I:\WINDOWS\system32\ipsecsvc.dll
2007-07-28 11:32 159,744 -----c--- I:\WINDOWS\system32\dllcache\ipsecsvc.dll
2007-07-28 11:32 1,350,144 -----c--- I:\WINDOWS\system32\dllcache\query.dll
2007-07-28 11:30 991,232 --a------ I:\WINDOWS\system32\esent.dll
2007-07-28 11:30 928,768 -----c--- I:\WINDOWS\system32\dllcache\kernel32.dll
2007-07-28 11:30 64,000 --a------ I:\WINDOWS\system32\webclnt.dll
2007-07-28 11:30 16,384 --a------ I:\WINDOWS\system32\linkinfo.dll
2007-07-28 11:29 53,248 --a------ I:\WINDOWS\system32\spoolsv.exe
2007-07-28 11:29 36,864 --a------ I:\WINDOWS\system32\mf3216.dll
2007-07-28 11:29 285,184 --a------ I:\WINDOWS\system32\kerberos.dll
2007-07-28 11:29 238,592 --a------ I:\WINDOWS\system32\tapisrv.dll
2007-07-28 11:29 199,936 -----c--- I:\WINDOWS\system32\dllcache\rmcast.sys
2007-07-28 11:29 154,624 --a------ I:\WINDOWS\system32\netman.dll
2007-07-28 11:28 974,336 --a------ I:\WINDOWS\system32\msdtctm.dll
2007-07-28 11:28 92,160 --a------ I:\WINDOWS\system32\cscdll.dll
2007-07-28 11:28 92,160 -----c--- I:\WINDOWS\system32\dllcache\cscdll.dll
2007-07-28 11:28 83,456 --a------ I:\WINDOWS\system32\mtxoci.dll
2007-07-28 11:28 64,512 --a------ I:\WINDOWS\system32\mtxclu.dll
2007-07-28 11:28 6,144 -----c--- I:\WINDOWS\system32\dllcache\rasadhlp.dll
2007-07-28 11:28 493,056 --a------ I:\WINDOWS\system32\hypertrm.dll
2007-07-28 11:28 433,152 -----c--- I:\WINDOWS\system32\dllcache\mrxsmb.sys
2007-07-28 11:28 368,640 --a------ I:\WINDOWS\system32\msdtcprx.dll
2007-07-28 11:28 166,656 -----c--- I:\WINDOWS\system32\dllcache\rdbss.sys
2007-07-28 11:28 140,288 -----c--- I:\WINDOWS\system32\dllcache\dnsapi.dll
2007-07-28 11:28 111,104 --a------ I:\WINDOWS\system32\umpnpmgr.dll
2007-07-28 11:28 11,776 --a------ I:\WINDOWS\system32\xolehlp.dll
2007-07-28 11:26 53,760 --a------ I:\WINDOWS\system32\authz.dll
2007-07-28 11:20 7,680 --a------ I:\WINDOWS\system32\bitsprx2.dll
2007-07-28 11:20 7,680 -----c--- I:\WINDOWS\system32\dllcache\bitsprx2.dll
2007-07-28 11:20 7,168 --a------ I:\WINDOWS\system32\bitsprx3.dll
2007-07-28 11:20 7,168 -----c--- I:\WINDOWS\system32\dllcache\bitsprx3.dll
2007-07-28 11:20 331,776 --a------ I:\WINDOWS\system32\winhttp.dll
2007-07-28 11:20 17,408 --a------ I:\WINDOWS\system32\qmgrprxy.dll
2007-07-28 11:20 <DIR> d-------- I:\WINDOWS\system32\bits


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-02 22:31 --------- d-------- I:\Program Files\Symantec AntiVirus
2007-08-02 16:37 2916 --a------ I:\DOCUME~1\Tammy\APPLIC~1\wklnhst.dat
2007-08-02 01:27 --------- d-------- I:\Program Files\Common Files\Pictures
2007-08-01 14:06 --------- d-------- I:\DOCUME~1\Tammy\APPLIC~1\LimeWire
2007-08-01 10:30 --------- d-------- I:\Program Files\Messenger
2007-08-01 10:23 --------- d-------- I:\Program Files\Common Files\Movies
2007-07-31 23:13 --------- d-------- I:\Program Files\XoftSpy
2007-07-28 20:55 1392671 --a------ I:\WINDOWS\system32\msvbvm60.dll
2007-07-24 11:40 --------- d-------- I:\Program Files\mIRC
2007-07-16 17:45 --------- d--h----- I:\Program Files\InstallShield Installation Information
2007-07-16 17:24 --------- d-------- I:\Program Files\Linksys Wireless-G USB Wireless Network Monitor
2007-07-16 17:23 --------- d-------- I:\Program Files\MEDIC
2007-07-16 17:21 --------- d-------- I:\Program Files\545 Studios
2007-07-13 20:22 --------- d-------- I:\Program Files\Magic Video Converter
2007-07-09 18:14 43 --a------ I:\WINDOWS\popcinfo.dat
2007-06-24 22:05 --------- d-------- I:\DOCUME~1\Tammy\APPLIC~1\BitTorrent
2007-06-24 15:12 --------- d-------- I:\Program Files\DivX
2007-06-15 15:11 --------- d-------- I:\Program Files\Apple Software Update
2007-06-13 22:59 --------- d-------- I:\Program Files\Common Files\AVSMedia
2007-06-13 18:11 --------- d-------- I:\DOCUME~1\Tammy\APPLIC~1\AVSMedia
2007-06-05 19:26 --------- d-------- I:\Program Files\Movie Maker
2007-06-04 15:18 9344 --a------ I:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8320 --a------ I:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6272 --a------ I:\WINDOWS\system32\drivers\AWRTPD.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CHotkey"="zHotkey.exe" [2003-06-03 12:01 I:\WINDOWS\zHotkey.exe]
"showicon2k"="I:\Program Files\\eM\Bay Reader\Shwicon2k.exe" [2003-07-03 22:55]
"NvCplDaemon"="I:\WINDOWS\System32\NvCpl.dll" [2003-03-02 21:44]
"nwiz"="nwiz.exe" [2003-03-02 21:44 I:\WINDOWS\system32\nwiz.exe]
"NWEReboot"="" []
"NeroFilterCheck"="I:\WINDOWS\System32\NeroCheck.exe" [2001-07-09 11:50]
"ccApp"="I:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-06-09 21:31]
"vptray"="I:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-10-06 18:56]
"SunJavaUpdateSched"="I:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"UnlockerAssistant"="I:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-03-03 04:39]
"LClock"="I:\Program Files\LClock\LClock.exe" []
"LVCOMSX"="I:\WINDOWS\System32\LVCOMSX.EXE" [2005-07-19 17:32]
"LogitechVideoRepair"="I:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24]
"LogitechVideoTray"="I:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14]
"QuickTime Task"="I:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="I:\Program Files\iTunes\iTunesHelper.exe" [2007-07-09 22:32]
"HP Software Update"="I:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 17:28]
"AVG7_CC"="I:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-02 00:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="I:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-11-10 10:44]
"AIM"="I:\Program Files\AIM\aim.exe" [2006-08-01 16:35]
"BitTorrent"="I:\Program Files\BitTorrent\bittorrent.exe" [2007-03-01 19:11]
"LogitechSoftwareUpdate"="I:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44]
"MSMSGS"="I:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18]
"PopUpStopperFreeEdition"="I:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 11:10]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"NvMediaCenter"=RUNDLL32.EXE I:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

I:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - I:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-03-19 11:03:18]
WinZip Quick Pick.lnk - I:\Program Files\WinZip\WZQKPICK.EXE [2007-03-19 10:50:17]

R3 Mtlmnt5;Mtlmnt5;I:\WINDOWS\System32\DRIVERS\Mtlmnt5.sys
R3 nvax;Service for NVIDIA® nForce™ Audio Enumerator;I:\WINDOWS\System32\drivers\nvax.sys
R3 NVENET;NVIDIA nForce MCP Networking Controller Driver;I:\WINDOWS\System32\DRIVERS\NVENET.sys
R3 nvnforce;Service for NVIDIA® nForce™ Audio;I:\WINDOWS\System32\drivers\nvapu.sys
R3 pepifilter;Volume Adapter;I:\WINDOWS\System32\DRIVERS\lv302af.sys
R3 PID_08A0;QuickCam IM(PID_08A0);I:\WINDOWS\System32\DRIVERS\LV302AV.SYS
R3 Slntamr;SmartLink AMR_PCI Driver;I:\WINDOWS\System32\DRIVERS\slntamr.sys
R3 SlWdmSup;SlWdmSup;I:\WINDOWS\System32\DRIVERS\SlWdmSup.sys
R3 SunkFilt;Alcor Micro Corp - 9360;\??\I:\WINDOWS\System32\Drivers\sunkfilt.sys
S3 Mtlstrm;Mtlstrm;I:\WINDOWS\System32\DRIVERS\Mtlstrm.sys
S3 NtMtlFax;NtMtlFax;I:\WINDOWS\System32\DRIVERS\NtMtlFax.sys
S3 RecAgent;recagent;\??\I:\WINDOWS\System32\DRIVERS\RecAgent.sys
S3 SaiHFF0C;SaiHFF0C;I:\WINDOWS\System32\DRIVERS\SaiHFF0C.sys
S3 SaiUFF0C;SaiUFF0C;I:\WINDOWS\System32\DRIVERS\SaiUFF0C.sys
S3 SlNtHal;SlNtHal;I:\WINDOWS\System32\DRIVERS\Slnthal.sys
S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;I:\WINDOWS\System32\DRIVERS\rt2500usb.sys


Contents of the 'Scheduled Tasks' folder
2007-07-27 16:21:09 I:\WINDOWS\Tasks\AppleSoftwareUpdate.job - I:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-07-08 21:10:41 I:\WINDOWS\Tasks\XoftSpy.job - I:\Program Files\XoftSpy\XoftSpy.exe
2007-08-03 02:32:21 I:\WINDOWS\Tasks\XoftSpySE 2.job - I:\Program Files\XoftSpySE\XoftSpy.exe
2007-08-02 05:13:06 I:\WINDOWS\Tasks\XoftSpySE.job - I:\Program Files\XoftSpySE\XoftSpy.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-03 11:25:06
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-03 11:25:48
I:\ComboFix-quarantined-files.txt ... 2007-08-03 11:25
I:\ComboFix2.txt ... 2007-08-02 22:35

--- E O F ---



-----------------------------------------------------------------



HijackThis Log



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:26:36 AM, on 8/3/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\spoolsv.exe
I:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
I:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
I:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
I:\PROGRA~1\Grisoft\AVG7\avgemc.exe
I:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
I:\Program Files\Symantec AntiVirus\DefWatch.exe
I:\WINDOWS\System32\nvsvc32.exe
I:\WINDOWS\System32\svchost.exe
I:\Program Files\Symantec AntiVirus\Rtvscan.exe
I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
I:\WINDOWS\zHotkey.exe
I:\Program Files\eM\Bay Reader\Shwicon2k.exe
I:\Program Files\Common Files\Symantec Shared\ccApp.exe
I:\PROGRA~1\SYMANT~1\VPTray.exe
I:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
I:\WINDOWS\System32\LVCOMSX.EXE
I:\Program Files\Logitech\Video\LogiTray.exe
I:\Program Files\iTunes\iTunesHelper.exe
I:\Program Files\HP\HP Software Update\HPWuSchd.exe
I:\PROGRA~1\Grisoft\AVG7\avgcc.exe
I:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
I:\Program Files\AIM\aim.exe
I:\Program Files\Messenger\msmsgs.exe
I:\Program Files\iPod\bin\iPodService.exe
I:\Program Files\Logitech\Video\FxSvr2.exe
I:\Program Files\MSN Messenger\msnmsgr.exe
I:\Program Files\MSN Messenger\usnsvc.exe
I:\Program Files\iTunes\iTunes.exe
I:\Program Files\Mozilla Firefox\firefox.exe
I:\WINDOWS\explorer.exe
I:\WINDOWS\system32\notepad.exe
I:\Program Files\Trend Micro\HijackThis\abc.bat.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.70:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - I:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - I:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [showicon2k] I:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] I:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "I:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] I:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "I:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "I:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [LClock] I:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [LVCOMSX] I:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] I:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] I:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] "I:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [AVG7_CC] I:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "I:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AIM] I:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [BitTorrent] "I:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "I:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [MSMSGS] "I:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "I:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] I:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] I:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE I:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE I:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = I:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = I:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: ImTranslator - I:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - I:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - I:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - I:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1185635837796
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - I:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - I:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - I:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - I:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - I:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - I:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SmartLinkService (SLService) - - I:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - I:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8099 bytes

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:08:16 PM

Posted 03 August 2007 - 10:48 AM

You have Symantec AntiVirus and AVG7 Antivirus installed.
It is not a good idea to have more than one antivirus program installed on your computer.
Each program may interpret the actions of the other as viral, therefore giving you false virus warnings about virus-related activities.
It could also lead to system slowdowns and other problems within the operating system, due to the two conflicting with each other.
You should uninstall one or the other as soon as possible, then restart your PC.

If you decide to uninstall Norton and there's no uninstaller available in Add/Remove Programs, then you'll need to download and run the Norton Removal Tool:
http://service1.symantec.com/SUPPORT/tsgen...005033108162039
*Please Note*
The Norton Removal Tool will remove all Norton/Symantec products from your pc.

--------------------------------------------------

Have HijackThis fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Do you recognise the following proxy entry? If you don't recognise it, fix it as well:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.70:8080
--------------------------------------------------

Other than the above, your log is clean :thumbsup:
Find and delete:
VundoFix.exe
Combofix.exe

I:\VundoFix Backups
I:\QOOBOX

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use the Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use the Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

------------------------------------------------

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear; click on OK.
The 'Disk Cleanup for [I:]' box will appear; click on the 'More Options' tab.
At the bottom, in the 'System Restore' section, click on the 'Clean up...' button.
A box will pop up: 'Are you sure you want to delete all but the most recent restore point?' Click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html
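The three calls RichieUK makes above (an O2 BHO entry whose DLL is gone, an R1 ProxyServer value the user never set, and two resident antivirus products) are exactly the kind of checks a helper runs by eye over a HijackThis log. The script below is an added example written for this page, not part of the thread, of HijackThis or of ComboFix: it parses the HijackThis v2.0.2 entry formats shown in the logs above and raises those three findings. The sample log is a constructed excerpt built from entry types on this page (the proxy address 195.175.37.70:8080 is the one from the log); the path markers used to recognise the two antivirus products, the severity labels and the `trusted_proxies` parameter are this example's own assumptions.

```python
"""Triage a HijackThis-style log for the findings discussed in this thread.

Added example, not the forum's or HijackThis's own code. Heuristics:
  * O2 BHO entries whose path is "(no file)"  -> orphaned registration
  * R1 ProxyServer entries that are neither trusted nor local/private
  * O23 services from more than one antivirus vendor
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed excerpt of a HijackThis v2.0.2 log, assembled from entry types
# that appear in this thread. Sample input only, not a complete log.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.70:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - I:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] I:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - I:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\System32\nvsvc32.exe
"""

# Entry formats as printed by HijackThis v2.0.2 (see the logs in the thread).
R1_PROXY_RE = re.compile(r"^R1 - .+,ProxyServer = (?P<proxy>\S+)$")
O2_BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O23_SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.*?) - (?P<path>.+)$")

# Assumed path fragments identifying the two products named in the thread.
# A real triage tool would carry a much longer list.
AV_PATH_MARKERS = {
    "Symantec AntiVirus": "\\symantec antivirus\\",
    "AVG 7": "\\grisoft\\avg7\\",
}


@dataclass
class Finding:
    severity: str   # "low", "medium" or "high" (labels chosen for this example)
    entry: str      # the log line (or section) the finding refers to
    reason: str


def proxy_is_unexpected(proxy: str, trusted: frozenset[str] = frozenset()) -> bool:
    """True when a ProxyServer value is neither trusted nor a local/private address."""
    if proxy in trusted:
        return False
    host = proxy.rsplit(":", 1)[0] if ":" in proxy else proxy
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # a hostname the user did not list: treat as unexpected
    return not (addr.is_private or addr.is_loopback)


def detect_av_vendors(lines) -> set[str]:
    """Collect antivirus vendors from O23 service entries by their binary path."""
    vendors: set[str] = set()
    for line in lines:
        m = O23_SVC_RE.match(line)
        if not m:
            continue
        path = m.group("path").lower()
        for vendor, marker in AV_PATH_MARKERS.items():
            if marker in path:
                vendors.add(vendor)
    return vendors


def triage(log_text: str, trusted_proxies: frozenset[str] = frozenset()) -> list[Finding]:
    """Return findings in log order, with the cross-entry AV check appended last."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    findings: list[Finding] = []
    for line in lines:
        m = O2_BHO_RE.match(line)
        if m and m.group("path") == "(no file)":
            findings.append(Finding("low", line,
                "Orphaned BHO registration: the CLSID points at a DLL that no "
                "longer exists; the registry entry can be removed"))
            continue
        m = R1_PROXY_RE.match(line)
        if m and proxy_is_unexpected(m.group("proxy"), trusted_proxies):
            findings.append(Finding("high", line,
                f"ProxyServer {m.group('proxy')} is a non-local address; unless it "
                "was configured on purpose, browser traffic is being routed through it"))
    vendors = detect_av_vendors(lines)
    if len(vendors) > 1:
        findings.append(Finding("medium", "O23 services",
            "More than one resident antivirus product: " + ", ".join(sorted(vendors))))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.entry}")
```

Run against the constructed excerpt, `triage()` returns the proxy entry as high, the orphaned BHO as low and the Symantec/AVG pair as medium. Passing the proxy in `trusted_proxies` models the question asked above: if the user does recognise the proxy, it is not a finding.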



