
(Solved)Having Trouble Getting Rid Of Some Spyware


This topic is locked
18 replies to this topic

#1 Enkili

Enkili

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:44 AM

Posted 06 August 2007 - 07:19 PM

Hi guys,

I am new to the forum and I am having a really hard time getting rid of some spyware. I followed the preparation guide to use before posting.

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:49 PM, on 8/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\E_S00RP1.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\WINDOWS\lezshnyA.exe
C:\WINDOWS\g4356cbvy63.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ECURIT~1\mshta.exe
C:\Documents and Settings\Johnny Ondara\Application Data\A?pPatch\j?vaw.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Win2000Launcher] C:\Documents and Settings\Johnny Ondara\Desktop\Stuff\Games\redistLauncher\Launcher.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [\\TORRIS9999\EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P39 "\\TORRIS9999\EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Auto EPSON Stylus CX4200 Series on DAVID-PC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P43 "Auto EPSON Stylus CX4200 Series on DAVID-PC" /O37 "\\DAVID-PC\EPSON Stylus CX4200 Series" /M "Stylus CX4200"
O4 - HKLM\..\Run: [lezshnyA] C:\WINDOWS\lezshnyA.exe
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINDOWS\g4356cbvy63
O4 - HKLM\..\Run: [WinCore32.exe] C:\WINDOWS\system32\WinCore32.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\vtbdgfdh.dll",forkonce
O4 - HKCU\..\Run: [\\TORRIS9999\EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P39 "\\TORRIS9999\EPSON Stylus CX4200 Series" /M "Stylus CX4200" /EF "HKCU"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Eoan] "C:\WINDOWS\system32\ECURIT~1\mshta.exe" -vt yazb
O4 - HKCU\..\Run: [Yca] "C:\Documents and Settings\Johnny Ondara\Application Data\A?pPatch\j?vaw.exe"
O4 - HKUS\S-1-5-19\..\Run: [WinCore32.exe] C:\WINDOWS\system32\WinCore32.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WinCore32.exe] C:\WINDOWS\system32\WinCore32.exe (User 'NETWORK SERVICE')
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...090/mcfscan.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\win_5m2.dll c:\windows\system32\ldcore.dll
O21 - SSODL: MuqnUJuB - {1C59787F-B6F3-D2D5-C5BF-D62E57C2BF11} - C:\WINDOWS\system32\qcap.dll
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\xuve.html

--
End of file - 6453 bytes
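The O4 lines in the log above are the Run-key autostarts that a helper reads first when triaging a HijackThis log. The script below is an added example for this thread, not code from HijackThis, ComboFix or either poster: it parses O4 Run lines in exactly the shape shown above and applies a few defender-side red-flag heuristics (executable in the Windows root or a profile directory, a `?` where HijackThis could not render a character in the path, a system-binary name living outside the system directories, Run entries under the LOCAL SERVICE / NETWORK SERVICE hives, and random-looking file names). The sample entries are copied from the first log in this thread; the heuristics, the thresholds and the `SYSTEM_BINARIES` shortlist are this example's own assumptions, and the output is a review queue rather than a verdict.

```python
"""Triage the O4 (Run-key autostart) lines of a HijackThis log.

Added example for this thread; not part of HijackThis or ComboFix.
The heuristics are this example's own and produce a review queue,
not a verdict (expect false positives such as vendor utilities with
terse names).
"""
import re
from dataclasses import dataclass

# Shape of an O4 Run entry: "O4 - <hive>\..\Run: [name] command"
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\S-[\d-]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# An unquoted drive path up to its extension, stopping at a space, comma or end of line.
PATH_WITH_EXT = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|com|scr|bat|cmd|pif))(?=[\s,]|$)", re.I)
# Assumed shortlist of Windows binaries that only belong in the system directories.
SYSTEM_BINARIES = {"mshta.exe", "svchost.exe", "rundll32.exe", "lsass.exe", "winlogon.exe"}
# Directories where a legitimate autostart executable is unusual.
ODD_DIRS = ("\\application data\\", "\\temp\\", "\\local settings\\")


@dataclass
class Entry:
    hive: str
    name: str
    target: str
    flags: list


def target_of(cmd: str) -> str:
    """Pull the file that actually runs out of an O4 command string."""
    cmd = re.sub(r"\s+\(User '[^']*'\)$", "", cmd)  # HJT appends the hive owner on HKUS lines
    hosted = re.match(r"rundll32(?:\.exe)?\s+(.*)", cmd, re.I)
    if hosted:                                       # rundll32 is only the host; the DLL is the payload
        cmd = hosted.group(1)
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = PATH_WITH_EXT.match(cmd)
    if m:
        return m.group(1)
    parts = cmd.split(",")[0].split()
    return parts[0] if parts else cmd


def looks_random(stem: str) -> bool:
    """Heuristic: many digits mixed with letters, or a long consonant-only run."""
    letters = sum(c.isalpha() for c in stem)
    digits = sum(c.isdigit() for c in stem)
    runs = re.findall(r"[bcdfghjklmnpqrstvwxz]+", stem.lower())
    longest = max((len(r) for r in runs), default=0)
    return (digits >= 3 and letters >= 3) or longest >= 6


def flags_for(hive: str, target: str) -> list:
    low = target.lower()
    directory, _, filename = low.rpartition("\\")
    stem = filename.rsplit(".", 1)[0]
    flags = []
    if directory == "c:\\windows" or any(d in low for d in ODD_DIRS):
        flags.append("odd-location")          # dropped in %WINDIR% root or a profile directory
    if "?" in target:
        flags.append("unrenderable-char")     # HJT prints '?' for a character it cannot display
    if filename in SYSTEM_BINARIES and directory and directory not in ("c:\\windows\\system32", "c:\\windows"):
        flags.append("masquerade")            # system-binary name outside the system directories
    if hive.startswith("HKUS\\S-1-5-19") or hive.startswith("HKUS\\S-1-5-20"):
        flags.append("service-account-hive")  # LOCAL/NETWORK SERVICE rarely have legitimate Run entries
    if looks_random(stem):
        flags.append("random-name")
    return flags


def triage(log_text: str) -> list:
    """Return the O4 Run entries that raise at least one flag, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue                          # Startup-folder O4 lines and other sections are skipped
        target = target_of(m.group("cmd"))
        flags = flags_for(m.group("hive"), target)
        if flags:
            findings.append(Entry(m.group("hive"), m.group("name"), target, flags))
    return findings


# Sample lines copied from the HijackThis log in the first post of this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [lezshnyA] C:\WINDOWS\lezshnyA.exe
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINDOWS\g4356cbvy63
O4 - HKLM\..\Run: [WinCore32.exe] C:\WINDOWS\system32\WinCore32.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\vtbdgfdh.dll",forkonce
O4 - HKCU\..\Run: [Eoan] "C:\WINDOWS\system32\ECURIT~1\mshta.exe" -vt yazb
O4 - HKCU\..\Run: [Yca] "C:\Documents and Settings\Johnny Ondara\Application Data\A?pPatch\j?vaw.exe"
O4 - HKUS\S-1-5-19\..\Run: [WinCore32.exe] C:\WINDOWS\system32\WinCore32.exe (User 'LOCAL SERVICE')
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.hive:<16} [{e.name}] {e.target}  <- {', '.join(e.flags)}")
```

Run it with the full O4 section of a log as `SAMPLE_LOG` and note what the heuristics miss: the HKLM copy of `WinCore32.exe` raises no flag on its own and only shows up through its twin under the service-account hive, which is why a helper reads the whole log rather than trusting any single rule.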



#2 Trevuren

Trevuren

  • Malware Response Team
  • 1,006 posts
  • OFFLINE
  • Gender:Male
  • Location:Ontario, Canada
  • Local time:02:44 AM

Posted 06 August 2007 - 08:16 PM

Hi Enkili and welcome to Bleeping Computer Forums.

My name is Trevuren and I will be helping you with your problem.


Please download this file - combofix.exe by sUBs and place it on your Desktop.

Now go to START, then RUN, and copy/paste the entire content of the following quote box into the run box:

"%userprofile%\Desktop\ComboFix.exe /KillAll"



This will start ComboFix. When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.

Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. I recommend that you reboot your system after having posted the logs in question because many of your programs that should start automatically will not because they have temporarily been disabled.


Regards,

Trevuren

Microsoft MVP - Consumer Security 2008 - 2009


#3 Enkili

Enkili
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:44 AM

Posted 06 August 2007 - 09:48 PM

Thank you for the welcome and the fast reply.

I copy/pasted what was in the quote box, but I kept getting an error message about it not being able to find the path and/or filename, so I just double-clicked on the ComboFix icon itself. I am not sure if I could have done it that way, but it seemed to be the only way to get ComboFix to work.

Here is the log for ComboFix:

ComboFix 07-08-07.2 - "Johnny Ondara" 2007-08-06 21:32:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1571 [GMT -5:00]

ADS removed - svchost.exe: deleted 58880 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\JOHNNY~1\APPLIC~1.\appatc~1
C:\DOCUME~1\JOHNNY~1\APPLIC~1.\appatc~1\j?vaw.exe
C:\DOCUME~1\JOHNNY~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\BFEJ8FMP\www.broadcaster.com
C:\DOCUME~1\JOHNNY~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\JOHNNY~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\DOCUME~1\LOCALS~1\APPLIC~1\install.dat
C:\DOCUME~1\NETWOR~1\APPLIC~1\install.dat
C:\Documents and Settings\All Users.\documents\settings
C:\Program Files\Internet Explorer\xuve.html
C:\Program Files\NetMeeting\qubojyry2.dll
C:\Program Files\NetMeeting\qubojyry4444.dll
C:\Program Files\NetMeeting\qubojyry5555.dll
C:\Program Files\NetMeeting\qubojyry83122.dll
C:\Program Files\outerinfo
C:\Program Files\Windows Media Player\qubojyry4444.dll
C:\temp\tn3
C:\WINDOWS\b122.exe
C:\WINDOWS\DOWNLO~1\UWA7P_0001_N91M0809NetInstaller.exe
C:\WINDOWS\g32.txt
C:\WINDOWS\pppatc~1
C:\WINDOWS\pppatc~1\??erinit.exe
C:\WINDOWS\system32\2142651541.dll
C:\WINDOWS\system32\2142670341.dll
C:\WINDOWS\system32\babxcbrg.dll
C:\WINDOWS\system32\byxxyab.dll
C:\WINDOWS\system32\config\system~1\applic~1\install.dat
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\drivers\ApiMon.sys
C:\WINDOWS\system32\ecurit~1
C:\WINDOWS\system32\F2
C:\WINDOWS\system32\F3
C:\WINDOWS\system32\fnevseax.exe
C:\WINDOWS\system32\hekbkeje.exe
C:\WINDOWS\system32\hjkmp.bak1
C:\WINDOWS\system32\hjkmp.bak2
C:\WINDOWS\system32\hjkmp.ini
C:\WINDOWS\system32\hjkmp.ini2
C:\WINDOWS\system32\hjkmp.tmp
C:\WINDOWS\system32\hxeguxqr.exe
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\reginig_sc.exe
C:\WINDOWS\system32\reginix86g.exe
C:\WINDOWS\system32\ssttt.dll
C:\WINDOWS\system32\tttss.bak1
C:\WINDOWS\system32\tttss.bak2
C:\WINDOWS\system32\tttss.ini
C:\WINDOWS\TTC-4444.exe
C:\WINDOWS\uninst1014.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS


((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


2007-08-06 21:32 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-06 19:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
2007-08-06 19:16 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-06 18:59 125,504 --a------ C:\WINDOWS\system32\vtbdgfdh.dll
2007-08-06 00:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-05 23:41 0 --a------ C:\WINDOWS\nsreg.dat
2007-08-05 22:01 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-08-05 22:01 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-08-05 22:01 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-08-05 22:01 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-08-05 22:01 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-08-05 22:01 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-08-05 22:01 <DIR> d-------- C:\DOCUME~1\JOHNNY~1\APPLIC~1\PC Tools
2007-08-05 22:00 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-08-05 21:16 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-08-05 21:06 <DIR> d-------- C:\DOCUME~1\JOHNNY~1\.housecall6.6
2007-08-05 16:04 51,200 --a------ C:\WINDOWS\system32\rasterx.dll
2007-08-05 16:04 51,200 --a------ C:\WINDOWS\system32\fertbuk.dll
2007-08-05 16:02 968,952 --a------ C:\WINDOWS\system32\Outerinfo-1832.exe
2007-08-05 16:02 86,056 --a------ C:\WINDOWS\system32\install.exe
2007-08-05 16:02 53,248 --a------ C:\WINDOWS\system32\ie_ban.exe
2007-08-05 16:02 224,654 --a------ C:\WINDOWS\system32\Setup155.exe
2007-08-05 16:02 192,624 --a------ C:\WINDOWS\system32\kwinoqdt.exe
2007-08-05 16:02 169,147 --a------ C:\WINDOWS\TTC-5555.exe
2007-08-05 16:02 <DIR> d-------- C:\WINDOWS\system32\f06WtR
2007-08-05 15:42 4,096 --a------ C:\WINDOWS\system32\drivers\ohciusb.sys
2007-08-05 15:42 236,352 -r-hs---- C:\WINDOWS\lezshnyA.exe
2007-08-05 15:42 <DIR> d--h----- C:\Program Files\BHO
2007-08-05 15:42 <DIR> d-------- C:\WINDOWS\system32\f02WtR
2007-08-05 15:42 <DIR> d-------- C:\WINDOWS\system32\configs
2007-08-05 15:42 <DIR> d-------- C:\Temp\fse
2007-08-05 15:42 <DIR> d-------- C:\Temp\1cb
2007-08-05 15:42 <DIR> d-------- C:\Temp
2007-07-18 21:17 <DIR> d-------- C:\DOCUME~1\JOHNNY~1\APPLIC~1\U3
2007-07-14 13:46 <DIR> d-------- C:\Program Files\Dota Keys
2007-07-06 14:40 192,512 --a------ C:\WINDOWS\g4356cbvy63.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-05 22:53 --------- d-------- C:\Program Files\DAEMON Tools
2007-08-05 22:36 --------- d-------- C:\Program Files\Trillian
2007-08-05 20:46 --------- d-------- C:\Program Files\QuickTime
2007-08-05 20:43 --------- d-------- C:\DOCUME~1\JOHNNY~1\APPLIC~1\GetRightToGo
2007-08-05 20:40 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-05 16:04 14336 --a--c--- C:\WINDOWS\system32\dllcache\svchost.exe
2007-08-05 16:04 14336 --a------ C:\WINDOWS\system32\svchost.exe
2007-08-01 21:02 --------- d-------- C:\Program Files\Starcraft
2007-07-29 21:24 108144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-07-16 21:29 --------- d-------- C:\Program Files\MySpace
2007-07-15 12:20 --------- d-------- C:\Program Files\Magic Workstation
2007-07-14 23:06 --------- d-------- C:\Program Files\Zoom Player
2007-07-13 21:20 --------- d-------- C:\DOCUME~1\JOHNNY~1\APPLIC~1\Skype
2007-07-04 01:07 --------- d-------- C:\DOCUME~1\JOHNNY~1\APPLIC~1\MySpace
2007-07-03 19:11 967 --a------ C:\WINDOWS\ScUnin.pif
2007-07-03 19:11 94208 --a------ C:\WINDOWS\ScUnin.exe
2007-07-03 19:11 35382 --a------ C:\WINDOWS\scunin.dat
2007-06-18 20:33 22584 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-06-18 20:32 99904 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-06-13 23:02 --------- d-------- C:\DOCUME~1\JOHNNY~1\APPLIC~1\Apple Computer
2007-05-18 22:43 63040 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-05-18 19:00 21840 --a--c-t- C:\WINDOWS\system32\SIntfNT.dll
2007-05-18 19:00 17212 --a--c-t- C:\WINDOWS\system32\SIntf32.dll
2007-05-18 19:00 12067 --a--c-t- C:\WINDOWS\system32\SIntf16.dll
2006-02-20 01:35 19936 --a--c--- C:\DOCUME~1\JOHNNY~1\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0EEDB1E5-5765-4a2a-9D72-CB5213D756C0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46DA8EC4-3D0A-1BF9-2F74-3DB60D41F1E9}]
C:\WINDOWS\system32\fvpk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7295B7A9-96DE-4C94-B02E-39EB9C97E6B5}]
2007-08-06 21:39 0 d-------- C:\Program Files\NetMeeting\

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{991EF04C-93CF-469b-A2BE-CC1B3347566F}]
C:\Program Files\BHO\plugin.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F54F73BC-E0E8-49E7-B69E-7C7732B28B34}]
C:\Program Files\Outlook Express\tema.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-09-04 14:59 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-11-07 19:53]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 17:12]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-17 20:46]
"Win2000Launcher"="C:\Documents and Settings\Johnny Ondara\Desktop\Stuff\Games\redistLauncher\Launcher.exe" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22]
"nwiz"="nwiz.exe" [2006-10-22 13:22 C:\WINDOWS\system32\nwiz.exe]
"\\TORRIS9999\EPSON Stylus CX4200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.exe" [2005-03-07 22:00]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" []
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22]
"Auto EPSON Stylus CX4200 Series on DAVID-PC"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.exe" [2005-03-07 22:00]
"lezshnyA"="C:\WINDOWS\lezshnyA.exe" [1989-12-12 10:10]
"g4356cbvy63"="C:\WINDOWS\g4356cbvy63" []
"WinCore32.exe"="C:\WINDOWS\system32\WinCore32.exe" []
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\TORRIS9999\EPSON Stylus CX4200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.exe" [2005-03-07 22:00]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 17:29]
"Eoan"="C:\WINDOWS\system32\ECURIT~1\mshta.exe" []
"Yca"="C:\Documents and Settings\Johnny Ondara\Application Data\A?pPatch\j?vaw.exe" []

C:\Documents and Settings\Johnny Ondara\Start Menu\Programs\Startup\
Trillian.lnk - C:\Program Files\Trillian\trillian.exe [2007-07-19]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2005-09-03 17:04:31]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Internet Explorer\xuve.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"MuqnUJuB"= {1C59787F-B6F3-D2D5-C5BF-D62E57C2BF11} - C:\WINDOWS\system32\qcap.dll [2004-08-04 00:56 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnnmkk]
nnnnmkk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkjh]
C:\WINDOWS\system32\pmkjh.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SATARAID5.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SATARAID5.lnk
backup=C:\WINDOWS\pss\SATARAID5.lnkCommon Startup

R0 Si3114r5;SiI-3114 SoftRaid 5 Controller;C:\WINDOWS\system32\DRIVERS\Si3114r5.sys
R0 SiFilter;SATALink driver accelerator;C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys
R1 AmdK8;AMD Processor Driver;C:\WINDOWS\system32\DRIVERS\AmdK8.sys
R1 aslm75;aslm75;\??\C:\WINDOWS\system32\drivers\aslm75.sys
R1 avgio;avgio;\??\C:\Program Files\AntiVir PersonalEdition Classic\avgio.sys
R1 avipbb;avipbb;C:\WINDOWS\system32\DRIVERS\avipbb.sys
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R1 ssmdrv;ssmdrv;C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
R2 ohciusb;Open Host Controller Miniport USB Driver;\??\C:\WINDOWS\system32\drivers\ohciusb.sys
R2 SVKP;SVKP;\??\C:\WINDOWS\system32\SVKP.sys
R3 avgntflt;avgntflt;\??\C:\Program Files\AntiVir PersonalEdition Classic\avgntflt.sys
R3 L8042Kbd;Logitech SetPoint Keyboard Driver;C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys
R3 L8042mou;Logitech SetPoint PS/2 Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\L8042mou.Sys
R3 LMouKE;Logitech SetPoint Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINDOWS\system32\drivers\msmpu401.sys
R3 MTsensor;ATK0110 ACPI UTILITY;C:\WINDOWS\system32\DRIVERS\ASACPI.sys
R3 nvax;Service for NVIDIA® nForce™ Audio Enumerator;C:\WINDOWS\system32\drivers\nvax.sys
R3 nvnforce;Service for NVIDIA® nForce™ Audio;C:\WINDOWS\system32\drivers\nvapu.sys
S0 AmdAcpi;AmdAcpi Bus Filter Driver;C:\WINDOWS\system32\DRIVERS\AmdAcpi.sys
S1 amdtools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\amdtools.sys
S3 bcgame;Nostromo HID Device Minidriver;C:\WINDOWS\system32\drivers\bcgame.sys
S3 IKFileFlt;File Filter Driver;C:\WINDOWS\system32\drivers\ikfileflt.sys
S3 IKFileSec;File Security Driver;C:\WINDOWS\system32\drivers\ikfilesec.sys
S3 IkSysFlt;System Filter Driver;C:\WINDOWS\system32\drivers\iksysflt.sys
S3 IKSysSec;System Security Driver;C:\WINDOWS\system32\drivers\iksyssec.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\autoplay.exe


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-06 21:41:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\\\TORRIS9999\\EPSON Stylus CX4200 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAEA.EXE /P39 \"\\\\TORRIS9999\\EPSON Stylus CX4200 Series\" /O6 \"USB001\" /M \"Stylus CX4200\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\\\TORRIS9999\\EPSON Stylus CX4200 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAEA.EXE /P39 \"\\\\TORRIS9999\\EPSON Stylus CX4200 Series\" /M \"Stylus CX4200\" /EF \"HKCU\""

Completion time: 2007-08-06 21:43:10 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-06 21:43

--- E O F ---




And here is the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:48 PM, on 8/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\WINDOWS\lezshnyA.exe
C:\WINDOWS\g4356cbvy63.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Editor plugin - {0EEDB1E5-5765-4a2a-9D72-CB5213D756C0} - rasterx.dll (file missing)
O2 - BHO: (no name) - {46DA8EC4-3D0A-1BF9-2F74-3DB60D41F1E9} - C:\WINDOWS\system32\fvpk.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7295B7A9-96DE-4C94-B02E-39EB9C97E6B5} - C:\Program Files\NetMeeting\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: support - {991EF04C-93CF-469b-A2BE-CC1B3347566F} - C:\Program Files\BHO\plugin.dll (file missing)
O2 - BHO: 0 - {F54F73BC-E0E8-49E7-B69E-7C7732B28B34} - C:\Program Files\Outlook Express\tema.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Win2000Launcher] C:\Documents and Settings\Johnny Ondara\Desktop\Stuff\Games\redistLauncher\Launcher.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [\\TORRIS9999\EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P39 "\\TORRIS9999\EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [Adobe Phot

#4 Trevuren

Trevuren

  • Malware Response Team
  • 1,006 posts
  • OFFLINE
  • Gender:Male
  • Location:Ontario, Canada
  • Local time:02:44 AM

Posted 06 August 2007 - 10:28 PM

Please post your entire HijackThis log. The bottom half is missing from your post.

Thanks,

Trevuren
Microsoft MVP - Consumer Security 2008 - 2009


#5 Enkili

Enkili
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:44 AM

Posted 06 August 2007 - 10:35 PM

Oops, sorry, here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:20 PM, on 8/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\WINDOWS\lezshnyA.exe
C:\WINDOWS\g4356cbvy63.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Dota Keys\source\DotaKeys.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Editor plugin - {0EEDB1E5-5765-4a2a-9D72-CB5213D756C0} - rasterx.dll (file missing)
O2 - BHO: (no name) - {46DA8EC4-3D0A-1BF9-2F74-3DB60D41F1E9} - C:\WINDOWS\system32\fvpk.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7295B7A9-96DE-4C94-B02E-39EB9C97E6B5} - C:\Program Files\NetMeeting\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: support - {991EF04C-93CF-469b-A2BE-CC1B3347566F} - C:\Program Files\BHO\plugin.dll (file missing)
O2 - BHO: 0 - {F54F73BC-E0E8-49E7-B69E-7C7732B28B34} - C:\Program Files\Outlook Express\tema.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Win2000Launcher] C:\Documents and Settings\Johnny Ondara\Desktop\Stuff\Games\redistLauncher\Launcher.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [\\TORRIS9999\EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P39 "\\TORRIS9999\EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Auto EPSON Stylus CX4200 Series on DAVID-PC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P43 "Auto EPSON Stylus CX4200 Series on DAVID-PC" /O37 "\\DAVID-PC\EPSON Stylus CX4200 Series" /M "Stylus CX4200"
O4 - HKLM\..\Run: [lezshnyA] C:\WINDOWS\lezshnyA.exe
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINDOWS\g4356cbvy63
O4 - HKLM\..\Run: [WinCore32.exe] C:\WINDOWS\system32\WinCore32.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [\\TORRIS9999\EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P39 "\\TORRIS9999\EPSON Stylus CX4200 Series" /M "Stylus CX4200" /EF "HKCU"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Eoan] "C:\WINDOWS\system32\ECURIT~1\mshta.exe" -vt yazb
O4 - HKCU\..\Run: [Yca] "C:\Documents and Settings\Johnny Ondara\Application Data\A?pPatch\j?vaw.exe"
O4 - HKUS\S-1-5-19\..\Run: [WinCore32.exe] C:\WINDOWS\system32\WinCore32.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WinCore32.exe] C:\WINDOWS\system32\WinCore32.exe (User 'NETWORK SERVICE')
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...090/mcfscan.cab
O20 - Winlogon Notify: nnnnmkk - nnnnmkk.dll (file missing)
O20 - Winlogon Notify: pmkjh - C:\WINDOWS\system32\pmkjh.dll (file missing)
O21 - SSODL: MuqnUJuB - {1C59787F-B6F3-D2D5-C5BF-D62E57C2BF11} - C:\WINDOWS\system32\qcap.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\xuve.html

--
End of file - 7888 bytes

#6 Trevuren

Trevuren

  • Malware Response Team
  • 1,006 posts
  • Gender:Male
  • Location:Ontario, Canada
  • Local time:02:44 AM

Posted 06 August 2007 - 11:02 PM

A. Please Disable Spyware Doctor for it may interfere with our fix

1. From within Spyware Doctor, click the "OnGuard" button on the left side.
2. Uncheck "Activate OnGuard"
3. Please remember to re-enable it once we have finished our work.



B. Please RUN HijackThis
  • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: Editor plugin - {0EEDB1E5-5765-4a2a-9D72-CB5213D756C0} - rasterx.dll (file missing)
    O2 - BHO: (no name) - {46DA8EC4-3D0A-1BF9-2F74-3DB60D41F1E9} - C:\WINDOWS\system32\fvpk.dll (file missing)
    O2 - BHO: (no name) - {7295B7A9-96DE-4C94-B02E-39EB9C97E6B5} - C:\Program Files\NetMeeting\
    O2 - BHO: support - {991EF04C-93CF-469b-A2BE-CC1B3347566F} - C:\Program Files\BHO\plugin.dll (file missing)
    O2 - BHO: 0 - {F54F73BC-E0E8-49E7-B69E-7C7732B28B34} - C:\Program Files\Outlook Express\tema.dll (file missing)
    O4 - HKLM\..\Run: [lezshnyA] C:\WINDOWS\lezshnyA.exe
    O4 - HKLM\..\Run: [g4356cbvy63] C:\WINDOWS\g4356cbvy63
    O4 - HKLM\..\Run: [WinCore32.exe] C:\WINDOWS\system32\WinCore32.exe
    O4 - HKCU\..\Run: [Eoan] "C:\WINDOWS\system32\ECURIT~1\mshta.exe" -vt yazb
    O4 - HKCU\..\Run: [Yca] "C:\Documents and Settings\Johnny Ondara\Application Data\A?pPatch\j?vaw.exe"
    O4 - HKUS\S-1-5-19\..\Run: [WinCore32.exe] C:\WINDOWS\system32\WinCore32.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [WinCore32.exe] C:\WINDOWS\system32\WinCore32.exe (User 'NETWORK SERVICE')
    O20 - Winlogon Notify: nnnnmkk - nnnnmkk.dll (file missing)
    O20 - Winlogon Notify: pmkjh - C:\WINDOWS\system32\pmkjh.dll (file missing)
    O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\xuve.html


  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.


C. 1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:


Collect::
C:\WINDOWS\system32\vtbdgfdh.dll
C:\WINDOWS\system32\rasterx.dll
C:\WINDOWS\system32\fertbuk.dll
C:\WINDOWS\system32\Outerinfo-1832.exe
C:\WINDOWS\system32\ie_ban.exe
C:\WINDOWS\system32\Setup155.exe
C:\WINDOWS\system32\kwinoqdt.exe
C:\WINDOWS\system32\SIntfNT.dll
C:\WINDOWS\system32\SIntf32.dll
C:\WINDOWS\system32\SIntf16.dll
C:\WINDOWS\g4356cbvy63.exe
C:\WINDOWS\lezshnyA.exe
C:\WINDOWS\system32\drivers\ohciusb.sys

File::
C:\WINDOWS\system32\install.exe
C:\Windows\system32\nnnnmkk.dll
C:\WINDOWS\system32\pmkjh.dll 
C:\Program Files\Internet Explorer\xuve.html
C:\WINDOWS\TTC-5555.exe

Folder::
C:\Temp
C:\WINDOWS\system32\f02WtR
C:\Program Files\BHO
C:\WINDOWS\system32\f06WtR


Driver::
SVKP

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. Additionally, ComboFix will generate the following files on your desktop:
  • A zipped file on your desktop called Submit [Date Time].zip
  • And another file named - CF-Submit.htm
6. ComboFix may need to reboot to finish its work. Let it.

7. When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

8. Next, a window will popup prompting you to "Submit Files for further analysis". Click "OK"

9. Your system's browser will automatically respond by loading the CF-Submit.htm file and open a window:
  • Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
  • Click on the file to Select it.
  • Submit the file by clicking "OK"
10. Once the file has been submitted, you may DELETE both files on your desktop.

11. Post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Microsoft MVP - Consumer Security 2008 - 2009


#7 Enkili

Enkili
  • Topic Starter

  • Members
  • 9 posts
  • Local time:01:44 AM

Posted 07 August 2007 - 10:10 PM

Here is my Combofix.txt

ComboFix 07-08-07.2 - "Johnny Ondara" 2007-08-07 22:02:00.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1634 [GMT -5:00]
Command switches used :: C:\Documents and Settings\Johnny Ondara\Desktop\CFScript.txt

FILE::
C:\WINDOWS\system32\install.exe
C:\Windows\system32\nnnnmkk.dll
C:\WINDOWS\system32\pmkjh.dll
C:\Program Files\Internet Explorer\xuve.html
C:\WINDOWS\TTC-5555.exe


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\BHO
C:\Temp
C:\Temp\1cb\syscheck.log
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\g4356cbvy63.exe
C:\WINDOWS\lezshnyA.exe
C:\WINDOWS\system32\drivers\ohciusb.sys
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f02WtR\f02WtR1065.exe
C:\WINDOWS\system32\f06WtR
C:\WINDOWS\system32\f06WtR\f06WtR1083.exe
C:\WINDOWS\system32\fertbuk.dll
C:\WINDOWS\system32\ie_ban.exe
C:\WINDOWS\system32\install.exe
C:\WINDOWS\system32\kwinoqdt.exe
C:\WINDOWS\system32\Outerinfo-1832.exe
C:\WINDOWS\system32\rasterx.dll
C:\WINDOWS\system32\Setup155.exe
C:\WINDOWS\system32\SIntf16.dll
C:\WINDOWS\system32\SIntf32.dll
C:\WINDOWS\system32\SIntfNT.dll
C:\WINDOWS\system32\vtbdgfdh.dll
C:\WINDOWS\TTC-5555.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_SVKP
-------\SVKP


((((((((((((((((((((((((( Files Created from 2007-07-08 to 2007-08-08 )))))))))))))))))))))))))))))))


2007-08-06 21:32 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-06 19:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
2007-08-06 19:16 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-06 00:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-05 23:41 0 --a------ C:\WINDOWS\nsreg.dat
2007-08-05 22:01 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-08-05 22:01 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-08-05 22:01 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-08-05 22:01 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-08-05 22:01 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-08-05 22:01 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-08-05 22:01 <DIR> d-------- C:\DOCUME~1\JOHNNY~1\APPLIC~1\PC Tools
2007-08-05 22:00 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-08-05 21:16 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-08-05 21:06 <DIR> d-------- C:\DOCUME~1\JOHNNY~1\.housecall6.6
2007-08-05 15:42 <DIR> d-------- C:\WINDOWS\system32\configs
2007-07-18 21:17 <DIR> d-------- C:\DOCUME~1\JOHNNY~1\APPLIC~1\U3
2007-07-14 13:46 <DIR> d-------- C:\Program Files\Dota Keys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-07 21:59 --------- d-------- C:\Program Files\Trillian
2007-08-05 22:53 --------- d-------- C:\Program Files\DAEMON Tools
2007-08-05 20:46 --------- d-------- C:\Program Files\QuickTime
2007-08-05 20:43 --------- d-------- C:\DOCUME~1\JOHNNY~1\APPLIC~1\GetRightToGo
2007-08-05 20:40 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-05 16:04 14336 --a--c--- C:\WINDOWS\system32\dllcache\svchost.exe
2007-08-05 16:04 14336 --a------ C:\WINDOWS\system32\svchost.exe
2007-08-01 21:02 --------- d-------- C:\Program Files\Starcraft
2007-07-29 21:24 108144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-07-16 21:29 --------- d-------- C:\Program Files\MySpace
2007-07-15 12:20 --------- d-------- C:\Program Files\Magic Workstation
2007-07-14 23:06 --------- d-------- C:\Program Files\Zoom Player
2007-07-13 21:20 --------- d-------- C:\DOCUME~1\JOHNNY~1\APPLIC~1\Skype
2007-07-04 01:07 --------- d-------- C:\DOCUME~1\JOHNNY~1\APPLIC~1\MySpace
2007-07-03 19:11 967 --a------ C:\WINDOWS\ScUnin.pif
2007-07-03 19:11 94208 --a------ C:\WINDOWS\ScUnin.exe
2007-07-03 19:11 35382 --a------ C:\WINDOWS\scunin.dat
2007-06-18 20:33 22584 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-06-18 20:32 99904 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-06-13 23:02 --------- d-------- C:\DOCUME~1\JOHNNY~1\APPLIC~1\Apple Computer
2007-05-18 22:43 63040 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2006-02-20 01:35 19936 --a--c--- C:\DOCUME~1\JOHNNY~1\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-09-04 14:59 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-11-07 19:53]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 17:12]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-17 20:46]
"Win2000Launcher"="C:\Documents and Settings\Johnny Ondara\Desktop\Stuff\Games\redistLauncher\Launcher.exe" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22]
"nwiz"="nwiz.exe" [2006-10-22 13:22 C:\WINDOWS\system32\nwiz.exe]
"\\TORRIS9999\EPSON Stylus CX4200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.exe" [2005-03-07 22:00]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" []
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22]
"Auto EPSON Stylus CX4200 Series on DAVID-PC"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.exe" [2005-03-07 22:00]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-06-27 13:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\TORRIS9999\EPSON Stylus CX4200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.exe" [2005-03-07 22:00]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 17:29]

C:\Documents and Settings\Johnny Ondara\Start Menu\Programs\Startup\
Trillian.lnk - C:\Program Files\Trillian\trillian.exe [2007-07-19]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2005-09-03 17:04:31]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"MuqnUJuB"= {1C59787F-B6F3-D2D5-C5BF-D62E57C2BF11} - C:\WINDOWS\system32\qcap.dll [2004-08-04 00:56 192512]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SATARAID5.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SATARAID5.lnk
backup=C:\WINDOWS\pss\SATARAID5.lnkCommon Startup

R0 Si3114r5;SiI-3114 SoftRaid 5 Controller;C:\WINDOWS\system32\DRIVERS\Si3114r5.sys
R0 SiFilter;SATALink driver accelerator;C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys
R1 AmdK8;AMD Processor Driver;C:\WINDOWS\system32\DRIVERS\AmdK8.sys
R1 aslm75;aslm75;\??\C:\WINDOWS\system32\drivers\aslm75.sys
R1 avgio;avgio;\??\C:\Program Files\AntiVir PersonalEdition Classic\avgio.sys
R1 avipbb;avipbb;C:\WINDOWS\system32\DRIVERS\avipbb.sys
R1 IKFileFlt;File Filter Driver;C:\WINDOWS\system32\drivers\ikfileflt.sys
R1 IKFileSec;File Security Driver;C:\WINDOWS\system32\drivers\ikfilesec.sys
R1 IkSysFlt;System Filter Driver;C:\WINDOWS\system32\drivers\iksysflt.sys
R1 IKSysSec;System Security Driver;C:\WINDOWS\system32\drivers\iksyssec.sys
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R1 ssmdrv;ssmdrv;C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
R3 avgntflt;avgntflt;\??\C:\Program Files\AntiVir PersonalEdition Classic\avgntflt.sys
R3 L8042Kbd;Logitech SetPoint Keyboard Driver;C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys
R3 L8042mou;Logitech SetPoint PS/2 Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\L8042mou.Sys
R3 LMouKE;Logitech SetPoint Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINDOWS\system32\drivers\msmpu401.sys
R3 MTsensor;ATK0110 ACPI UTILITY;C:\WINDOWS\system32\DRIVERS\ASACPI.sys
R3 nvax;Service for NVIDIA® nForce™ Audio Enumerator;C:\WINDOWS\system32\drivers\nvax.sys
R3 nvnforce;Service for NVIDIA® nForce™ Audio;C:\WINDOWS\system32\drivers\nvapu.sys
S0 AmdAcpi;AmdAcpi Bus Filter Driver;C:\WINDOWS\system32\DRIVERS\AmdAcpi.sys
S1 amdtools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\amdtools.sys
S2 ohciusb;Open Host Controller Miniport USB Driver;\??\C:\WINDOWS\system32\drivers\ohciusb.sys
S3 bcgame;Nostromo HID Device Minidriver;C:\WINDOWS\system32\drivers\bcgame.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\autoplay.exe


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-07 22:04:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\\\TORRIS9999\\EPSON Stylus CX4200 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAEA.EXE /P39 \"\\\\TORRIS9999\\EPSON Stylus CX4200 Series\" /O6 \"USB001\" /M \"Stylus CX4200\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\\\TORRIS9999\\EPSON Stylus CX4200 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAEA.EXE /P39 \"\\\\TORRIS9999\\EPSON Stylus CX4200 Series\" /M \"Stylus CX4200\" /EF \"HKCU\""

Completion time: 2007-08-07 22:06:01 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-07 22:05
C:\ComboFix2.txt ... 2007-08-06 21:43

--- E O F ---


Here is my New Hijackthis log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:54 PM, on 8/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Win2000Launcher] C:\Documents and Settings\Johnny Ondara\Desktop\Stuff\Games\redistLauncher\Launcher.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [\\TORRIS9999\EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P39 "\\TORRIS9999\EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Auto EPSON Stylus CX4200 Series on DAVID-PC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P43 "Auto EPSON Stylus CX4200 Series on DAVID-PC" /O37 "\\DAVID-PC\EPSON Stylus CX4200 Series" /M "Stylus CX4200"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [\\TORRIS9999\EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P39 "\\TORRIS9999\EPSON Stylus CX4200 Series" /M "Stylus CX4200" /EF "HKCU"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...090/mcfscan.cab
O21 - SSODL: MuqnUJuB - {1C59787F-B6F3-D2D5-C5BF-D62E57C2BF11} - C:\WINDOWS\system32\qcap.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 6984 bytes
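
The fix list in post #6 can be checked mechanically against the new log above. The following Python is an added example, not code from the thread or from HijackThis: it parses HijackThis entries, lists what disappeared between the two logs, reports which fix-list items are still present verbatim (here the about:blank start page, which the next reply asks to fix again), and applies review flags modelled on the helper's selections (missing files, O20/O24 entries, Run values under the service-account hives). The log excerpts are constructed from a few lines of the thread's logs.

```python
"""Verify a HijackThis fix list against a fresh HijackThis log (added example)."""
import re

# Constructed excerpts of the two HijackThis logs in this thread (a few lines each).
OLD_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:49 PM, on 8/6/2007

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: support - {991EF04C-93CF-469b-A2BE-CC1B3347566F} - C:\Program Files\BHO\plugin.dll (file missing)
O4 - HKLM\..\Run: [lezshnyA] C:\WINDOWS\lezshnyA.exe
O4 - HKUS\S-1-5-19\..\Run: [WinCore32.exe] C:\WINDOWS\system32\WinCore32.exe (User 'LOCAL SERVICE')
O20 - Winlogon Notify: pmkjh - C:\WINDOWS\system32\pmkjh.dll (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\xuve.html
"""

NEW_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:54 PM, on 8/7/2007

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""

# Items the helper asked to have fixed (a subset of the list in post #6).
FIX_LIST = r"""R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: support - {991EF04C-93CF-469b-A2BE-CC1B3347566F} - C:\Program Files\BHO\plugin.dll (file missing)
O4 - HKLM\..\Run: [lezshnyA] C:\WINDOWS\lezshnyA.exe
O4 - HKUS\S-1-5-19\..\Run: [WinCore32.exe] C:\WINDOWS\system32\WinCore32.exe (User 'LOCAL SERVICE')
O20 - Winlogon Notify: pmkjh - C:\WINDOWS\system32\pmkjh.dll (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\xuve.html
"""

# A HijackThis entry starts with its section code (R0, O2, O4, O20, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - .+$")
# Run values under the LOCAL SERVICE (S-1-5-19) / NETWORK SERVICE (S-1-5-20) hives.
SERVICE_HIVE_RE = re.compile(r"HKUS\\S-1-5-(19|20)\\")

# Sections the helper cleared wholesale in this thread: Winlogon Notify and Active Desktop.
REVIEW_SECTIONS = {"O20": "Winlogon Notify DLL", "O24": "Active Desktop component"}


def parse_entries(log_text):
    """Return (section, line) pairs; header lines and the process list are skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), line))
    return entries


def removed_entries(old_log, new_log):
    """Entries present in the old log but gone from the new one."""
    still_there = {line for _, line in parse_entries(new_log)}
    return [line for _, line in parse_entries(old_log) if line not in still_there]


def remaining_fix_items(fix_list, new_log):
    """Fix-list items the new log still shows verbatim (the fix did not stick)."""
    still_there = {line for _, line in parse_entries(new_log)}
    return [line for _, line in parse_entries(fix_list) if line in still_there]


def triage(log_text):
    """Review flags modelled on what the helper selected: dangling references to
    missing files, every O20/O24 entry, and Run values under the service-account
    hives. A flag means 'look at this', not 'this is malware'."""
    flags = []
    for section, line in parse_entries(log_text):
        reasons = []
        if "(file missing)" in line:
            reasons.append("referenced file is missing")
        if section in REVIEW_SECTIONS:
            reasons.append(REVIEW_SECTIONS[section])
        if SERVICE_HIVE_RE.search(line):
            reasons.append("Run entry under a service-account hive")
        if reasons:
            flags.append((line, reasons))
    return flags


if __name__ == "__main__":
    for line in removed_entries(OLD_LOG, NEW_LOG):
        print("removed:", line)
    for line in remaining_fix_items(FIX_LIST, NEW_LOG):
        print("STILL PRESENT:", line)
    for line, reasons in triage(OLD_LOG):
        print("review:", line, "->", "; ".join(reasons))
```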

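The CFScript from post #6 and the ComboFix log above can be cross-checked the same way: each Collect::/File::/Folder:: entry should appear under "Other Deletions" and each Driver:: entry under "Drivers/Services". This Python is an added example, not ComboFix's own code, and uses constructed excerpts of the script and log; it reports the two File:: entries (nnnnmkk.dll and pmkjh.dll) that the log never confirms as deleted, which matches HijackThis having already shown both as "(file missing)".

```python
"""Cross-check a ComboFix CFScript against the ComboFix log it produced (added example)."""
import re

# Constructed excerpt of the CFScript from post #6 (the same directives, fewer entries).
CFSCRIPT = r"""Collect::
C:\WINDOWS\system32\rasterx.dll
C:\WINDOWS\lezshnyA.exe

File::
C:\WINDOWS\system32\install.exe
C:\Windows\system32\nnnnmkk.dll
C:\WINDOWS\system32\pmkjh.dll

Folder::
C:\Temp
C:\Program Files\BHO

Driver::
SVKP
"""

# Constructed excerpt of the ComboFix log from post #7, keeping its banner layout.
COMBOFIX_LOG = r"""ComboFix 07-08-07.2 - "Johnny Ondara" 2007-08-07 22:02:00.2 - NTFSx86

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\BHO
C:\Temp
C:\Temp\1cb\syscheck.log
C:\WINDOWS\lezshnyA.exe
C:\WINDOWS\system32\install.exe
C:\WINDOWS\system32\rasterx.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_SVKP
-------\SVKP


((((((((((((((((((((((((( Files Created from 2007-07-08 to 2007-08-08 )))))))))))))))))))))))))))))))
"""

DIRECTIVE_RE = re.compile(r"^(\w+)::$")          # e.g. "File::"
BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")   # e.g. "(((( Other Deletions ))))"


def parse_cfscript(text):
    """Map each directive (Collect, File, Folder, Driver, ...) to its entries.
    Stray whitespace is stripped (the thread's pmkjh.dll line carries a trailing space)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_blocks(text):
    """Split a ComboFix log into its banner-delimited blocks, keyed by banner title."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = BANNER_RE.match(line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line and current is not None:
            blocks[current].append(line)
    return blocks


def verify_cfscript(script_text, log_text):
    """Return {directive: {entry: confirmed}}. A path entry is confirmed when it is
    listed under 'Other Deletions'; a Driver entry when '-------\\NAME' is listed
    under 'Drivers/Services', as in the thread's log. Paths compare case-insensitively."""
    script = parse_cfscript(script_text)
    blocks = parse_combofix_blocks(log_text)
    deleted = {p.lower() for p in blocks.get("Other Deletions", [])}
    services = {s.lower() for s in blocks.get("Drivers/Services", [])}
    result = {}
    for directive, entries in script.items():
        result[directive] = {}
        for entry in entries:
            if directive == "Driver":
                confirmed = ("-------\\" + entry).lower() in services
            else:
                confirmed = entry.lower() in deleted
            result[directive][entry] = confirmed
    return result


def unconfirmed(script_text, log_text):
    """(directive, entry) pairs the script asked for that the log never shows as removed."""
    return [(d, e) for d, m in verify_cfscript(script_text, log_text).items()
            for e, ok in m.items() if not ok]


if __name__ == "__main__":
    for directive, entry in unconfirmed(CFSCRIPT, COMBOFIX_LOG):
        print(f"not confirmed in log: {directive}:: {entry}")
```
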
#8 Trevuren

Trevuren

  • Malware Response Team
  • 1,006 posts
  • Gender:Male
  • Location:Ontario, Canada
  • Local time:02:44 AM

Posted 08 August 2007 - 11:40 AM

A. Open notepad and copy/paste the text in the quotebox below into it:

@echo off
rem Work from the Windows directory, which holds catchme.exe.
cd /d "%Windir%"
rem Run catchme against the configs folder and append its report to C:\Files.txt.
catchme.exe -a -d -f "C:\WINDOWS\system32\configs" >>C:\Files.txt
rem Open the report, then delete this batch file by its own full path.
notepad C:\Files.txt
del "%~f0"

Save this as peek.bat. Choose "Save type as - All Files".
It should look like this: Posted Image
Double click on peek.bat and allow it to run.

Please include the results in your reply.


B. Please RUN HijackThis
  • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

  • Reboot Your System


  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in this thread so we can check how everything looks now. In addition, please tell me if there are any more malware problems that you are aware of.
Regards,

Trevuren

Microsoft MVP - Consumer Security 2008 - 2009


#9 Enkili

Enkili
  • Topic Starter

  • Members
  • 9 posts
  • Local time:01:44 AM

Posted 11 August 2007 - 04:38 PM

Sorry I have been away.
Here is the newest Hijack this log.

My computer is running pretty smooth. Every so often at start up I will get one popup but after that I don't get anymore.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:37:48 PM, on 8/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Win2000Launcher] C:\Documents and Settings\Johnny Ondara\Desktop\Stuff\Games\redistLauncher\Launcher.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [\\TORRIS9999\EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P39 "\\TORRIS9999\EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Auto EPSON Stylus CX4200 Series on DAVID-PC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P43 "Auto EPSON Stylus CX4200 Series on DAVID-PC" /O37 "\\DAVID-PC\EPSON Stylus CX4200 Series" /M "Stylus CX4200"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [\\TORRIS9999\EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P39 "\\TORRIS9999\EPSON Stylus CX4200 Series" /M "Stylus CX4200" /EF "HKCU"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...090/mcfscan.cab
O21 - SSODL: MuqnUJuB - {1C59787F-B6F3-D2D5-C5BF-D62E57C2BF11} - C:\WINDOWS\system32\qcap.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 6373 bytes

#10 Trevuren
  • Malware Response Team
  • 1,006 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 11 August 2007 - 08:23 PM

A. Please perform the following test and post the results as requested in my last post:

Open notepad and copy/paste the text in the quotebox below into it:

@echo off
rem catchme.exe is placed in the Windows directory by ComboFix; change there first
cd /d %Windir%
rem list the suspect folder and append the result to C:\Files.txt
catchme.exe -a -d -f "C:\WINDOWS\system32\configs" >>C:\Files.txt
Notepad C:\files.txt
rem remove this batch file using its own full path, wherever it was saved
del "%~f0"

Save this as peek.bat. Choose "Save as type - All Files".
Double click on peek.bat & allow it to run

Please include the results in your reply.


B. Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner
Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply, along with a fresh HijackThis log
Microsoft MVP - Consumer Security 2008 - 2009


#11 Enkili
  • Topic Starter
  • Members
  • 9 posts

Posted 12 August 2007 - 10:14 AM

Here is the Peek.bat log:

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-09 21:35:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning files ...

C:\WINDOWS\system32\configs\kmhp83122.exe
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-09 21:39:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning files ...

C:\WINDOWS\system32\configs\kmhp83122.exe
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-12 09:15:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning files ...

C:\WINDOWS\system32\configs\kmhp83122.exe
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-12 10:12:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning files ...

C:\WINDOWS\system32\configs\kmhp83122.exe
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-12 10:13:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning files ...

C:\WINDOWS\system32\configs\kmhp83122.exe



Here is the Kaspersky Scan Log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, August 12, 2007 10:12:34 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 12/08/2007
Kaspersky Anti-Virus database records: 378979
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 42245
Number of viruses found: 13
Number of infected objects: 31
Number of suspicious objects: 2
Duration of the scan process: 00:42:26

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip/Yazzle1281OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Johnny Ondara\Application Data\Mozilla\Firefox\Profiles\e9wxa0ow.default\cert8.db Object is locked skipped
C:\Documents and Settings\Johnny Ondara\Application Data\Mozilla\Firefox\Profiles\e9wxa0ow.default\history.dat Object is locked skipped
C:\Documents and Settings\Johnny Ondara\Application Data\Mozilla\Firefox\Profiles\e9wxa0ow.default\key3.db Object is locked skipped
C:\Documents and Settings\Johnny Ondara\Application Data\Mozilla\Firefox\Profiles\e9wxa0ow.default\parent.lock Object is locked skipped
C:\Documents and Settings\Johnny Ondara\Application Data\Mozilla\Firefox\Profiles\e9wxa0ow.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Johnny Ondara\Application Data\Mozilla\Firefox\Profiles\e9wxa0ow.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Johnny Ondara\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Johnny Ondara\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Johnny Ondara\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Johnny Ondara\Local Settings\Application Data\Mozilla\Firefox\Profiles\e9wxa0ow.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Johnny Ondara\Local Settings\Application Data\Mozilla\Firefox\Profiles\e9wxa0ow.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Johnny Ondara\Local Settings\Application Data\Mozilla\Firefox\Profiles\e9wxa0ow.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Johnny Ondara\Local Settings\Application Data\Mozilla\Firefox\Profiles\e9wxa0ow.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Johnny Ondara\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Johnny Ondara\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Johnny Ondara\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Johnny Ondara\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MLSDCNCR\winud[1].exe Infected: Backdoor.Win32.Agent.aju skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\45IVW9AN\Outerinfo-1832[1].exe/data0004/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\45IVW9AN\Outerinfo-1832[1].exe/data0004 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\45IVW9AN\Outerinfo-1832[1].exe NSIS: infected - 2 skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CDQ3SH67\TTC-5555[1].exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CDQ3SH67\TTC-5555[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\SLIV49MZ\winud[1].exe Infected: Backdoor.Win32.Agent.aju skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WLMNOD23\ie_ban[1].exe Infected: Trojan-Clicker.Win32.VB.po skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WLMNOD23\is67718[1].exe Infected: not-a-virus:AdWare.Win32.Virtumonde.ks skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\NetMeeting\qubojyry2.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\QooBox\Quarantine\C\Program Files\NetMeeting\qubojyry4444.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\QooBox\Quarantine\C\Program Files\NetMeeting\qubojyry5555.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\QooBox\Quarantine\C\Program Files\NetMeeting\qubojyry83122.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.b skipped
C:\QooBox\Quarantine\C\Program Files\Windows Media Player\qubojyry4444.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\QooBox\Quarantine\C\WINDOWS\DOWNLO~1\UWA7P_0001_N91M0809NetInstaller.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\f02WtR\f02WtR1065.exe.vir Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\f06WtR\f06WtR1083.exe.vir Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fnevseax.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hekbkeje.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hxeguxqr.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\install.exe.vir Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\QooBox\Quarantine\C\WINDOWS\TTC-4444.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\QooBox\Quarantine\C\WINDOWS\TTC-4444.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\TTC-5555.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\QooBox\Quarantine\C\WINDOWS\TTC-5555.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\catchme2007-08-06_214137.09.zip/byxxyab.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\catchme2007-08-06_214137.09.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\aspimgr.exe_ Infected: Backdoor.Win32.Agent.aju skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\configs\kmhp83122.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.b skipped
C:\WINDOWS\system32\configs\kmhp83122.exe NSIS: infected - 1 skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.


Here is a new Hijackthis Log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:21 AM, on 8/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Win2000Launcher] C:\Documents and Settings\Johnny Ondara\Desktop\Stuff\Games\redistLauncher\Launcher.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [\\TORRIS9999\EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P39 "\\TORRIS9999\EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Auto EPSON Stylus CX4200 Series on DAVID-PC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P43 "Auto EPSON Stylus CX4200 Series on DAVID-PC" /O37 "\\DAVID-PC\EPSON Stylus CX4200 Series" /M "Stylus CX4200"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [\\TORRIS9999\EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P39 "\\TORRIS9999\EPSON Stylus CX4200 Series" /M "Stylus CX4200" /EF "HKCU"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...090/mcfscan.cab
O21 - SSODL: MuqnUJuB - {1C59787F-B6F3-D2D5-C5BF-D62E57C2BF11} - C:\WINDOWS\system32\qcap.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 6520 bytes

#12 Trevuren
  • Malware Response Team
  • 1,006 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 12 August 2007 - 02:18 PM

A. 1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MLSDCNCR\winud[1].exe
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\45IVW9AN\Outerinfo-1832[1].exe
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CDQ3SH67\TTC-5555[1].exe
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\SLIV49MZ\winud[1].exe
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WLMNOD23\ie_ban[1].exe
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WLMNOD23\is67718[1].exe
C:\WINDOWS\system32\aspimgr.exe_
C:\WINDOWS\system32\configs\kmhp83122.exe



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
6. Also, please tell me how the system is running. If all seems well, just give me the OK and we will start the final cleanup procedures.


Trevuren

Edited by Trevuren, 12 August 2007 - 03:31 PM.

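Added example, not code from this thread, ComboFix or Kaspersky: a small Python script that does what the helper did by hand in the post above, turning a Kaspersky Online Scanner report into the File:: block of a CFScript. It assumes the line format shown in the report above (verdict lines ending in "skipped", archive members written as "<file>/data0004"), and that anything under C:\QooBox\Quarantine\ is already neutralised; the function names are my own.

```python
"""Triage helper: Kaspersky Online Scanner 5 report -> ComboFix File:: block.

Assumptions (from the report format posted in this thread):
  <path> Infected: <detection> skipped
  <path>/data0002 Infected: <detection> skipped     (member of an NSIS installer)
  <path> NSIS: infected - 1 skipped                  (the installer itself)
  <path>.zip/<member>.exe Suspicious: <reason> skipped
  <path> Object is locked skipped                    (noise, never a hit)
"""
import re
from typing import Dict, List

# One verdict line; "Object is locked" lines do not match any alternative.
_VERDICT = re.compile(
    r"^(?P<path>[A-Z]:\\.*?)\s+"
    r"(?:Infected:\s+(?P<name>\S+)"
    r"|Suspicious:\s+(?P<reason>.+?)"
    r"|(?P<arc>[A-Z]+):\s+(?:infected|suspicious)\s+-\s+\d+)"
    r"\s+skipped$"
)
# Members inside an archive/installer are appended with "/"; the file on disk
# that a removal tool can act on is the outer one.
_MEMBER = re.compile(r"(?:/[^/]+)+$")
# ComboFix's own quarantine: already out of the way, so not listed by default.
_QUARANTINE = "C:\\QooBox\\Quarantine\\"


def parse_report(report: str) -> Dict[str, List[str]]:
    """Map each on-disk file to the detections reported for it or its members."""
    hits: Dict[str, List[str]] = {}
    for line in report.splitlines():
        m = _VERDICT.match(line.strip())
        if not m:
            continue  # header, statistics, locked objects
        outer = _MEMBER.sub("", m.group("path"))
        names = hits.setdefault(outer, [])  # keeps report order
        name = m.group("name") or m.group("reason")
        if name and name not in names:
            names.append(name)
    return hits


def by_detection(hits: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Invert the mapping: detection name -> files carrying it, for prioritising."""
    out: Dict[str, List[str]] = {}
    for path, names in hits.items():
        for n in names:
            out.setdefault(n, []).append(path)
    return out


def cfscript_file_block(hits: Dict[str, List[str]], include_quarantine: bool = False) -> str:
    """Render the File:: block, one full path per line, in report order."""
    paths = [p for p in hits if include_quarantine or not p.startswith(_QUARANTINE)]
    return "File::\n" + "\n".join(paths) + "\n"


# Constructed sample: a handful of lines taken from the report in this thread,
# covering locked objects, installer members, a zip member and a quarantined file.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip/Yazzle1281OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Johnny Ondara\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\45IVW9AN\Outerinfo-1832[1].exe/data0004/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\45IVW9AN\Outerinfo-1832[1].exe/data0004 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\45IVW9AN\Outerinfo-1832[1].exe NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\install.exe.vir Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\WINDOWS\system32\aspimgr.exe_ Infected: Backdoor.Win32.Agent.aju skipped
C:\WINDOWS\system32\configs\kmhp83122.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.b skipped
C:\WINDOWS\system32\configs\kmhp83122.exe NSIS: infected - 1 skipped
"""

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for name, paths in by_detection(found).items():
        print(f"{name}: {len(paths)} file(s)")
    print(cfscript_file_block(found))
```

Run against the full report in the post above, the block it prints is the same nine paths the helper listed in the CFScript.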

#13 Enkili
  • Topic Starter
  • Members
  • 9 posts

Posted 12 August 2007 - 02:48 PM

ComboFix 07-08-07.2 - "Johnny Ondara" 2007-08-12 14:45:45.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1582 [GMT -5:00]
Command switches used :: C:\Documents and Settings\Johnny Ondara\Desktop\CFScript.txt


((((((((((((((((((((((((( Files Created from 2007-07-12 to 2007-08-12 )))))))))))))))))))))))))))))))


2007-08-12 09:21 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-12 09:21 <DIR> d-------- C:\WINDOWS\LastGood
2007-08-12 09:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-06 21:32 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-06 19:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
2007-08-06 19:16 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-06 00:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-05 23:41 0 --a------ C:\WINDOWS\nsreg.dat
2007-08-05 22:01 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-08-05 22:01 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-08-05 22:01 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-08-05 22:01 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-08-05 22:01 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-08-05 22:01 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-08-05 22:01 <DIR> d-------- C:\DOCUME~1\JOHNNY~1\APPLIC~1\PC Tools
2007-08-05 22:00 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-08-05 21:16 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-08-05 21:06 <DIR> d-------- C:\DOCUME~1\JOHNNY~1\.housecall6.6
2007-08-05 15:42 <DIR> d-------- C:\WINDOWS\system32\configs
2007-07-18 21:17 <DIR> d-------- C:\DOCUME~1\JOHNNY~1\APPLIC~1\U3
2007-07-14 13:46 <DIR> d-------- C:\Program Files\Dota Keys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-09 21:43 --------- d-------- C:\Program Files\Trillian
2007-08-05 22:53 --------- d-------- C:\Program Files\DAEMON Tools
2007-08-05 20:46 --------- d-------- C:\Program Files\QuickTime
2007-08-05 20:43 --------- d-------- C:\DOCUME~1\JOHNNY~1\APPLIC~1\GetRightToGo
2007-08-05 20:40 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-05 16:04 14336 --a--c--- C:\WINDOWS\system32\dllcache\svchost.exe
2007-08-05 16:04 14336 --a------ C:\WINDOWS\system32\svchost.exe
2007-08-01 21:02 --------- d-------- C:\Program Files\Starcraft
2007-07-29 21:24 108144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-07-16 21:29 --------- d-------- C:\Program Files\MySpace
2007-07-15 12:20 --------- d-------- C:\Program Files\Magic Workstation
2007-07-14 23:06 --------- d-------- C:\Program Files\Zoom Player
2007-07-13 21:20 --------- d-------- C:\DOCUME~1\JOHNNY~1\APPLIC~1\Skype
2007-07-04 01:07 --------- d-------- C:\DOCUME~1\JOHNNY~1\APPLIC~1\MySpace
2007-07-03 19:11 967 --a------ C:\WINDOWS\ScUnin.pif
2007-07-03 19:11 94208 --a------ C:\WINDOWS\ScUnin.exe
2007-07-03 19:11 35382 --a------ C:\WINDOWS\scunin.dat
2007-06-18 20:33 22584 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-06-18 20:32 99904 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-06-13 23:02 --------- d-------- C:\DOCUME~1\JOHNNY~1\APPLIC~1\Apple Computer
2007-05-18 22:43 63040 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2006-02-20 01:35 19936 --a--c--- C:\DOCUME~1\JOHNNY~1\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-09-04 14:59 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-11-07 19:53]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 17:12]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-17 20:46]
"Win2000Launcher"="C:\Documents and Settings\Johnny Ondara\Desktop\Stuff\Games\redistLauncher\Launcher.exe" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22]
"nwiz"="nwiz.exe" [2006-10-22 13:22 C:\WINDOWS\system32\nwiz.exe]
"\\TORRIS9999\EPSON Stylus CX4200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.exe" [2005-03-07 22:00]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" []
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22]
"Auto EPSON Stylus CX4200 Series on DAVID-PC"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.exe" [2005-03-07 22:00]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\TORRIS9999\EPSON Stylus CX4200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.exe" [2005-03-07 22:00]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 17:29]

C:\Documents and Settings\Johnny Ondara\Start Menu\Programs\Startup\
Trillian.lnk - C:\Program Files\Trillian\trillian.exe [2007-07-19]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2005-09-03 17:04:31]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"MuqnUJuB"= {1C59787F-B6F3-D2D5-C5BF-D62E57C2BF11} - C:\WINDOWS\system32\qcap.dll [2004-08-04 00:56 192512]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SATARAID5.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SATARAID5.lnk
backup=C:\WINDOWS\pss\SATARAID5.lnkCommon Startup

R0 Si3114r5;SiI-3114 SoftRaid 5 Controller;C:\WINDOWS\system32\DRIVERS\Si3114r5.sys
R0 SiFilter;SATALink driver accelerator;C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys
R1 AmdK8;AMD Processor Driver;C:\WINDOWS\system32\DRIVERS\AmdK8.sys
R1 aslm75;aslm75;\??\C:\WINDOWS\system32\drivers\aslm75.sys
R1 avgio;avgio;\??\C:\Program Files\AntiVir PersonalEdition Classic\avgio.sys
R1 avipbb;avipbb;C:\WINDOWS\system32\DRIVERS\avipbb.sys
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R1 ssmdrv;ssmdrv;C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
R3 avgntflt;avgntflt;\??\C:\Program Files\AntiVir PersonalEdition Classic\avgntflt.sys
R3 L8042Kbd;Logitech SetPoint Keyboard Driver;C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys
R3 L8042mou;Logitech SetPoint PS/2 Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\L8042mou.Sys
R3 LMouKE;Logitech SetPoint Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINDOWS\system32\drivers\msmpu401.sys
R3 MTsensor;ATK0110 ACPI UTILITY;C:\WINDOWS\system32\DRIVERS\ASACPI.sys
R3 nvax;Service for NVIDIA® nForce™ Audio Enumerator;C:\WINDOWS\system32\drivers\nvax.sys
R3 nvnforce;Service for NVIDIA® nForce™ Audio;C:\WINDOWS\system32\drivers\nvapu.sys
S0 AmdAcpi;AmdAcpi Bus Filter Driver;C:\WINDOWS\system32\DRIVERS\AmdAcpi.sys
S1 amdtools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\amdtools.sys
S2 ohciusb;Open Host Controller Miniport USB Driver;\??\C:\WINDOWS\system32\drivers\ohciusb.sys
S3 bcgame;Nostromo HID Device Minidriver;C:\WINDOWS\system32\drivers\bcgame.sys
S3 IKFileFlt;File Filter Driver;C:\WINDOWS\system32\drivers\ikfileflt.sys
S3 IKFileSec;File Security Driver;C:\WINDOWS\system32\drivers\ikfilesec.sys
S3 IkSysFlt;System Filter Driver;C:\WINDOWS\system32\drivers\iksysflt.sys
S3 IKSysSec;System Security Driver;C:\WINDOWS\system32\drivers\iksyssec.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\autoplay.exe


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-12 14:46:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\\\TORRIS9999\\EPSON Stylus CX4200 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAEA.EXE /P39 \"\\\\TORRIS9999\\EPSON Stylus CX4200 Series\" /O6 \"USB001\" /M \"Stylus CX4200\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\\\TORRIS9999\\EPSON Stylus CX4200 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAEA.EXE /P39 \"\\\\TORRIS9999\\EPSON Stylus CX4200 Series\" /M \"Stylus CX4200\" /EF \"HKCU\""

Completion time: 2007-08-12 14:46:59
C:\ComboFix-quarantined-files.txt ... 2007-08-12 14:46
C:\ComboFix2.txt ... 2007-08-07 22:06
C:\ComboFix3.txt ... 2007-08-06 21:43

--- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:48:15 PM, on 8/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dota Keys\source\DotaKeys.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Win2000Launcher] C:\Documents and Settings\Johnny Ondara\Desktop\Stuff\Games\redistLauncher\Launcher.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [\\TORRIS9999\EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P39 "\\TORRIS9999\EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Auto EPSON Stylus CX4200 Series on DAVID-PC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P43 "Auto EPSON Stylus CX4200 Series on DAVID-PC" /O37 "\\DAVID-PC\EPSON Stylus CX4200 Series" /M "Stylus CX4200"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [\\TORRIS9999\EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P39 "\\TORRIS9999\EPSON Stylus CX4200 Series" /M "Stylus CX4200" /EF "HKCU"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...090/mcfscan.cab
O21 - SSODL: MuqnUJuB - {1C59787F-B6F3-D2D5-C5BF-D62E57C2BF11} - C:\WINDOWS\system32\qcap.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 6645 bytes



My system seems to be running well. Thank you for the help.

#14 Trevuren

  • Malware Response Team
  • 1,006 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 12 August 2007 - 03:34 PM

I am sorry but the script I gave you to run contained a small error which prevented it from running properly. I put an "s" at the end of the word File::. I have since edited my post to correct the error. Now it will run as it should. Sorry, but I must ask you to run the corrected script and post the results as those infected files are still on your system.

Trevuren
Microsoft MVP - Consumer Security 2008 - 2009


#15 Enkili

  • Topic Starter
  • Members
  • 9 posts

Posted 12 August 2007 - 03:49 PM

ComboFix 07-08-07.2 - "Johnny Ondara" 2007-08-12 15:48:34.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1582 [GMT -5:00]
Command switches used :: C:\Documents and Settings\Johnny Ondara\Desktop\CFScript.txt

FILE::
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MLSDCNCR\winud[1].exe
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\45IVW9AN\Outerinfo-1832[1].exe
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CDQ3SH67\TTC-5555[1].exe
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\SLIV49MZ\winud[1].exe
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WLMNOD23\ie_ban[1].exe
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WLMNOD23\is67718[1].exe
C:\WINDOWS\system32\aspimgr.exe_
C:\WINDOWS\system32\configs\kmhp83122.exe


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MLSDCNCR\winud[1].exe
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\45IVW9AN\Outerinfo-1832[1].exe
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CDQ3SH67\TTC-5555[1].exe
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\SLIV49MZ\winud[1].exe
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WLMNOD23\ie_ban[1].exe
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WLMNOD23\is67718[1].exe
C:\WINDOWS\system32\aspimgr.exe_
C:\WINDOWS\system32\configs\kmhp83122.exe


((((((((((((((((((((((((( Files Created from 2007-07-12 to 2007-08-12 )))))))))))))))))))))))))))))))


2007-08-12 09:21 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-12 09:21 <DIR> d-------- C:\WINDOWS\LastGood
2007-08-12 09:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-06 21:32 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-06 19:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
2007-08-06 19:16 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-06 00:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-05 23:41 0 --a------ C:\WINDOWS\nsreg.dat
2007-08-05 22:01 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-08-05 22:01 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-08-05 22:01 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-08-05 22:01 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-08-05 22:01 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-08-05 22:01 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-08-05 22:01 <DIR> d-------- C:\DOCUME~1\JOHNNY~1\APPLIC~1\PC Tools
2007-08-05 22:00 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-08-05 21:16 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-08-05 21:06 <DIR> d-------- C:\DOCUME~1\JOHNNY~1\.housecall6.6
2007-08-05 15:42 <DIR> d-------- C:\WINDOWS\system32\configs
2007-07-18 21:17 <DIR> d-------- C:\DOCUME~1\JOHNNY~1\APPLIC~1\U3
2007-07-14 13:46 <DIR> d-------- C:\Program Files\Dota Keys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-09 21:43 --------- d-------- C:\Program Files\Trillian
2007-08-05 22:53 --------- d-------- C:\Program Files\DAEMON Tools
2007-08-05 20:46 --------- d-------- C:\Program Files\QuickTime
2007-08-05 20:43 --------- d-------- C:\DOCUME~1\JOHNNY~1\APPLIC~1\GetRightToGo
2007-08-05 20:40 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-05 16:04 14336 --a--c--- C:\WINDOWS\system32\dllcache\svchost.exe
2007-08-05 16:04 14336 --a------ C:\WINDOWS\system32\svchost.exe
2007-08-01 21:02 --------- d-------- C:\Program Files\Starcraft
2007-07-29 21:24 108144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-07-16 21:29 --------- d-------- C:\Program Files\MySpace
2007-07-15 12:20 --------- d-------- C:\Program Files\Magic Workstation
2007-07-14 23:06 --------- d-------- C:\Program Files\Zoom Player
2007-07-13 21:20 --------- d-------- C:\DOCUME~1\JOHNNY~1\APPLIC~1\Skype
2007-07-04 01:07 --------- d-------- C:\DOCUME~1\JOHNNY~1\APPLIC~1\MySpace
2007-07-03 19:11 967 --a------ C:\WINDOWS\ScUnin.pif
2007-07-03 19:11 94208 --a------ C:\WINDOWS\ScUnin.exe
2007-07-03 19:11 35382 --a------ C:\WINDOWS\scunin.dat
2007-06-18 20:33 22584 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-06-18 20:32 99904 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-06-13 23:02 --------- d-------- C:\DOCUME~1\JOHNNY~1\APPLIC~1\Apple Computer
2007-05-18 22:43 63040 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2006-02-20 01:35 19936 --a--c--- C:\DOCUME~1\JOHNNY~1\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-09-04 14:59 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-11-07 19:53]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 17:12]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-17 20:46]
"Win2000Launcher"="C:\Documents and Settings\Johnny Ondara\Desktop\Stuff\Games\redistLauncher\Launcher.exe" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22]
"nwiz"="nwiz.exe" [2006-10-22 13:22 C:\WINDOWS\system32\nwiz.exe]
"\\TORRIS9999\EPSON Stylus CX4200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.exe" [2005-03-07 22:00]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" []
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22]
"Auto EPSON Stylus CX4200 Series on DAVID-PC"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.exe" [2005-03-07 22:00]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\TORRIS9999\EPSON Stylus CX4200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.exe" [2005-03-07 22:00]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 17:29]

C:\Documents and Settings\Johnny Ondara\Start Menu\Programs\Startup\
Trillian.lnk - C:\Program Files\Trillian\trillian.exe [2007-07-19]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2005-09-03 17:04:31]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"MuqnUJuB"= {1C59787F-B6F3-D2D5-C5BF-D62E57C2BF11} - C:\WINDOWS\system32\qcap.dll [2004-08-04 00:56 192512]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SATARAID5.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SATARAID5.lnk
backup=C:\WINDOWS\pss\SATARAID5.lnkCommon Startup

R0 Si3114r5;SiI-3114 SoftRaid 5 Controller;C:\WINDOWS\system32\DRIVERS\Si3114r5.sys
R0 SiFilter;SATALink driver accelerator;C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys
R1 AmdK8;AMD Processor Driver;C:\WINDOWS\system32\DRIVERS\AmdK8.sys
R1 aslm75;aslm75;\??\C:\WINDOWS\system32\drivers\aslm75.sys
R1 avgio;avgio;\??\C:\Program Files\AntiVir PersonalEdition Classic\avgio.sys
R1 avipbb;avipbb;C:\WINDOWS\system32\DRIVERS\avipbb.sys
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R1 ssmdrv;ssmdrv;C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
R3 avgntflt;avgntflt;\??\C:\Program Files\AntiVir PersonalEdition Classic\avgntflt.sys
R3 L8042Kbd;Logitech SetPoint Keyboard Driver;C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys
R3 L8042mou;Logitech SetPoint PS/2 Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\L8042mou.Sys
R3 LMouKE;Logitech SetPoint Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINDOWS\system32\drivers\msmpu401.sys
R3 MTsensor;ATK0110 ACPI UTILITY;C:\WINDOWS\system32\DRIVERS\ASACPI.sys
R3 nvax;Service for NVIDIA® nForce™ Audio Enumerator;C:\WINDOWS\system32\drivers\nvax.sys
R3 nvnforce;Service for NVIDIA® nForce™ Audio;C:\WINDOWS\system32\drivers\nvapu.sys
S0 AmdAcpi;AmdAcpi Bus Filter Driver;C:\WINDOWS\system32\DRIVERS\AmdAcpi.sys
S1 amdtools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\amdtools.sys
S2 ohciusb;Open Host Controller Miniport USB Driver;\??\C:\WINDOWS\system32\drivers\ohciusb.sys
S3 bcgame;Nostromo HID Device Minidriver;C:\WINDOWS\system32\drivers\bcgame.sys
S3 IKFileFlt;File Filter Driver;C:\WINDOWS\system32\drivers\ikfileflt.sys
S3 IKFileSec;File Security Driver;C:\WINDOWS\system32\drivers\ikfilesec.sys
S3 IkSysFlt;System Filter Driver;C:\WINDOWS\system32\drivers\iksysflt.sys
S3 IKSysSec;System Security Driver;C:\WINDOWS\system32\drivers\iksyssec.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\autoplay.exe


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-12 15:48:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\\\TORRIS9999\\EPSON Stylus CX4200 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAEA.EXE /P39 \"\\\\TORRIS9999\\EPSON Stylus CX4200 Series\" /O6 \"USB001\" /M \"Stylus CX4200\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\\\TORRIS9999\\EPSON Stylus CX4200 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAEA.EXE /P39 \"\\\\TORRIS9999\\EPSON Stylus CX4200 Series\" /M \"Stylus CX4200\" /EF \"HKCU\""

Completion time: 2007-08-12 15:49:13
C:\ComboFix-quarantined-files.txt ... 2007-08-12 15:49
C:\ComboFix2.txt ... 2007-08-12 14:46
C:\ComboFix3.txt ... 2007-08-07 22:06

--- E O F ---





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:49:44 PM, on 8/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dota Keys\source\DotaKeys.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Win2000Launcher] C:\Documents and Settings\Johnny Ondara\Desktop\Stuff\Games\redistLauncher\Launcher.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [\\TORRIS9999\EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P39 "\\TORRIS9999\EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Auto EPSON Stylus CX4200 Series on DAVID-PC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P43 "Auto EPSON Stylus CX4200 Series on DAVID-PC" /O37 "\\DAVID-PC\EPSON Stylus CX4200 Series" /M "Stylus CX4200"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [\\TORRIS9999\EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P39 "\\TORRIS9999\EPSON Stylus CX4200 Series" /M "Stylus CX4200" /EF "HKCU"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...090/mcfscan.cab
O21 - SSODL: MuqnUJuB - {1C59787F-B6F3-D2D5-C5BF-D62E57C2BF11} - C:\WINDOWS\system32\qcap.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 6611 bytes
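The HijackThis logs above are read by eye in this thread: the helper looks at each O2/O4/O21/O23 line and decides whether it needs a closer look. As an added example (not code from the thread and not a tool either poster used), the script below parses those four line formats and applies the kind of review heuristics a responder applies by hand: an SSODL value whose name is not one of XP's stock entries, a Run value that launches from a user-writable path or has no directory at all, a service whose binary carries no company name, and a BHO registered with "(no name)". The list of stock XP SSODL names and the heuristics themselves are my assumptions, and the sample lines are constructed from the line formats in the posted log; every flag means "verify this", never "this is malware".

```python
"""Triage of HijackThis-style log lines.

Added example: not code from the thread and not a tool either poster used.
It parses the O2/O4/O21/O23 line formats that appear in the logs above and
flags the entries a responder would look at by hand.  Every flag means
"verify this", never "this is malware": the heuristics and the list of stock
XP SSODL names are assumptions, not anything the thread states.
"""
import re
from typing import NamedTuple

# Constructed sample: line formats copied from the posted HijackThis log.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Win2000Launcher] C:\Documents and Settings\Johnny Ondara\Desktop\Stuff\Games\redistLauncher\Launcher.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O21 - SSODL: MuqnUJuB - {1C59787F-B6F3-D2D5-C5BF-D62E57C2BF11} - C:\WINDOWS\system32\qcap.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O21_RE = re.compile(r"^O21 - SSODL: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
PARSERS = (("O2", O2_RE), ("O4", O4_RE), ("O21", O21_RE), ("O23", O23_RE))

# Assumption: the ShellServiceObjectDelayLoad values a stock Windows XP SP2 install carries.
XP_DEFAULT_SSODL = {"PostBootReminder", "CDBurn", "WebCheck", "SysTray"}
# Lower-cased path fragments for locations an ordinary user can write to.
USER_WRITABLE = ("\\documents and settings\\", "\\docume~1\\", "\\temp\\",
                 "\\temporary internet files\\")


class Finding(NamedTuple):
    section: str
    name: str
    reason: str


def parse_line(line):
    """Return (section, fields) for a recognised HijackThis line, else None."""
    for section, rx in PARSERS:
        m = rx.match(line.strip())
        if m:
            return section, m.groupdict()
    return None


def executable_of(cmd):
    """Pull the program out of a Run value: quoted path, or first whitespace token."""
    if cmd.startswith('"'):
        return cmd.split('"')[1]
    return cmd.split(" ")[0]


def review(section, f):
    """Yield the reasons, if any, that an entry deserves a manual look."""
    if section == "O2" and f["name"] == "(no name)":
        yield "BHO registered without a display name; identify the DLL by CLSID"
    elif section == "O4":
        exe = executable_of(f["cmd"])
        if "\\" not in exe:
            yield ("no directory in the command: Windows resolves it via the "
                   "search path at logon, confirm which file actually runs")
        if any(marker in f["cmd"].lower() for marker in USER_WRITABLE):
            yield "Run entry starts a program from a user-writable location"
    elif section == "O21" and f["name"] not in XP_DEFAULT_SSODL:
        yield ("SSODL value %r is not a stock XP entry; a system32 DLL path "
               "does not clear it, check the file's hash and signature" % f["name"])
    elif section == "O23" and f["owner"] == "Unknown owner":
        yield "service binary carries no company name; verify its signature and origin"


def triage(log_text):
    """Run every recognised line through the review heuristics."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, fields = parsed
        for reason in review(section, fields):
            findings.append(Finding(section, fields["name"], reason))
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print("%-4s %-18s %s" % (hit.section, hit.name, hit.reason))
```

Run against the sample it flags SoundMan (bare filename), Win2000Launcher (launched from the Desktop), MuqnUJuB (non-stock SSODL name) and PnkBstrA (no company name) and leaves the Java BHO, DAEMON Tools and the NVIDIA service alone. The point of the SSODL rule is that the DLL path by itself proves nothing: the value name is the thing a stock XP install never has, so the file it points at is what gets hashed and checked next.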



