
Infected With Win Antispyware And Virtumonde Plus Others


  • This topic is locked
9 replies to this topic

#1 hatdog

hatdog

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:54 PM

Posted 06 August 2007 - 09:17 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:40 PM, on 8/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\WINNT\svhost.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\ScsiAccess.EXE
C:\Program Files\SBC LightSpeed Self Support Tool\bin\mpbtn.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINNT\system32\fccawtr.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O2 - BHO: (no name) - {B3928513-EE09-44B8-AE48-075B652A736F} - C:\WINNT\system32\awvvs.dll (file missing)
O2 - BHO: H - {B61C6CA3-77BF-4299-AB70-5019FCD4AF09} - park31.dll (file missing)
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINNT\system32\frlkyrvt.dll (file missing)
O2 - BHO: (no name) - {D512DB84-E23F-420E-B21C-C5322DD48651} - \
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [{ZN}] C:\WINNT\TISKY009.exe SKY009
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINNT\system32\fmhxpoky.dll",sitypnow
O4 - HKLM\..\Run: [svhost] "C:\WINNT\svhost.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Policies\Explorer\Run: [vxdkq.exe] C:\WINNT\system\vxdkq.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update Time] wuam.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update Time] wuam.exe (User 'Default user')
O4 - Startup: TA_Start.lnk = C:\WINNT\TISKY009.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC LightSpeed Self Support Tool\bin\matcli.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099097392297
O16 - DPF: {AE6C4705-0F11-4ACB-BDD4-37F138BEF289} (Image Uploader Control) - http://meijer.lifepics.com/net/Uploader/LPUploader41.cab
O20 - Winlogon Notify: awvvs - C:\WINNT\system32\awvvs.dll (file missing)
O20 - Winlogon Notify: fccawtr - fccawtr.dll (file missing)
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\System32\ScsiAccess.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINNT\system32\YPCSER~1.EXE

--
End of file - 12196 bytes
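A defender reading a log like the one above looks for a handful of recurring patterns: loading points whose file no longer exists, Winlogon Notify packages, a service with no publisher pointing at a svchost.exe outside system32, names such as svhost.exe that imitate a system binary, and executables dropped straight into the Windows root. The script below is an added example, not part of this thread or of HijackThis itself; it applies those heuristics to a few lines copied from the log above. The rule set, the lookalike threshold and the Finding structure are my own assumptions, and the output is a review queue for a human, not a verdict.

```python
import re
from dataclasses import dataclass

# Core Windows binaries whose names, or one-character variations of them,
# malware borrows (svhost.exe, or a svchost.exe outside system32).
CORE_BINARIES = {"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe",
                 "csrss.exe", "smss.exe", "explorer.exe", "spoolsv.exe"}

# Sections whose entries carry a file reference that HijackThis tags when absent.
FILE_REF_SECTIONS = {"R3", "O2", "O3", "O20", "O23"}

# First .exe in a command: a drive path (possibly quoted) or a bare file name.
EXE_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.exe|[\w~.-]+\.exe)"?', re.IGNORECASE)

# Lines copied from the HijackThis log above; the QuickTime and Ad-Aware
# entries are kept as benign controls.
SAMPLE_LINES = [
    r"O2 - BHO: (no name) - {B3928513-EE09-44B8-AE48-075B652A736F} - C:\WINNT\system32\awvvs.dll (file missing)",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [{ZN}] C:\WINNT\TISKY009.exe SKY009",
    r'O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINNT\system32\fmhxpoky.dll",sitypnow',
    r'O4 - HKLM\..\Run: [svhost] "C:\WINNT\svhost.exe"',
    r"O4 - HKCU\..\Policies\Explorer\Run: [vxdkq.exe] C:\WINNT\system\vxdkq.exe",
    r"O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update Time] wuam.exe (User 'SYSTEM')",
    r"O20 - Winlogon Notify: awvvs - C:\WINNT\system32\awvvs.dll (file missing)",
    r"O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINNT\svchost.exe (file missing)",
    r"O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe",
]


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(lines):
    """Walk HijackThis lines and return the entries a human should look at."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = re.match(r"([RO]\d+) - (.*)", line)
        if not m:
            continue
        section, body = m.groups()

        def flag(reason, section=section, line=line):
            findings.append(Finding(section, reason, line))

        if section in FILE_REF_SECTIONS and ("(file missing)" in body or "(no file)" in body):
            flag("loading point references a missing file")
        if section == "O20":
            flag("Winlogon Notify package; a persistence point worth verifying")
        if section == "O23" and "Unknown owner" in body:
            flag("service without publisher information")

        # Executable-level checks apply to autostart entries (O4) and services (O23).
        if section == "O4":
            cmd = re.search(r"\] (.*)$", body) or re.search(r" = (.*)$", body)
            target = cmd.group(1) if cmd else ""
            if "rundll32" in target.lower():
                flag("rundll32 invoking a DLL export at logon")
            if r"\policies\explorer\run" in body.lower():
                flag("Run entry under Policies\\Explorer, an uncommon persistence location")
        elif section == "O23":
            target = body.rsplit(" - ", 1)[-1]
        else:
            continue

        exe_m = EXE_RE.search(target)
        if not exe_m:
            continue
        exe = exe_m.group(1)
        parts = exe.replace("\\", "/").lower().rsplit("/", 1)
        name = parts[-1]
        folder = parts[0] if len(parts) == 2 else ""
        if name in CORE_BINARIES and "/system32/" not in folder + "/":
            flag(f"{name} running outside system32")
        elif name not in CORE_BINARIES and any(edit_distance(name, c) == 1 for c in CORE_BINARIES):
            flag(f"{name} imitates a Windows system binary name")
        if section == "O4" and body.upper().startswith("HKUS\\") and "\\" not in exe:
            flag("bare filename in a SYSTEM/Default-user Run key, resolved via PATH")
        if re.search(r"/(winnt|windows)(/system)?$", folder):
            flag("executable in the Windows root or legacy system folder")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Every entry in the queue still needs a human decision: a Gateway modem helper living in C:\WINNT will trip the Windows-root rule just as the dropper does, and a legitimate driver vendor may show as "Unknown owner". The value of the script is that it removes the legitimate bulk of the log (the Yahoo!, Kodak and BitDefender entries) from what has to be read by eye.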


#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:10:54 PM

Posted 07 August 2007 - 04:59 AM

Hello and welcome aboard :thumbsup:

Please download Combofix to your desktop:
  • Double-click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Hi there, stranger!

#3 hatdog

hatdog
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:54 PM

Posted 07 August 2007 - 05:52 PM

Here is the log from combofix!

ComboFix 07-08-07.6 - "Owner" 2007-08-07 17:26:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.43 [GMT -4:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Owner\APPLIC~1\..\err.log
C:\DOCUME~1\Owner\Desktop.\internet explorer.lnk
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\poolsv\k11u72.exe
C:\Program Files\poolsv\svhost.exe
C:\Program Files\poolsv\YazzleBundle-1549.exe
C:\Program Files\svhost
C:\temp\0c2
C:\temp\0c2\tmpFF.log
C:\temp\brr
C:\temp\brr\tmpZTF.log
C:\WINNT\b122.exe
C:\WINNT\system32\b02FdUe
C:\WINNT\system32\b10FdUe
C:\WINNT\system32\boa.dat
C:\WINNT\system32\drivers\fopn.sys
C:\WINNT\system32\G1
C:\WINNT\system32\G11
C:\WINNT\system32\G3
C:\WINNT\system32\G7
C:\WINNT\system32\win
C:\WINNT\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_FOPN


((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


2007-08-07 17:24 51,200 --a------ C:\WINNT\nircmd.exe
2007-08-07 17:10 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\PCToolsFirewallPlus
2007-08-06 22:09 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-06 22:02 55,904 --a------ C:\WINNT\system32\drivers\pctfw.sys
2007-08-06 22:02 100,448 --a------ C:\WINNT\system32\drivers\pctfw1.sys
2007-08-06 22:02 <DIR> d-------- C:\Program Files\PC Tools Firewall Plus
2007-08-05 16:33 <DIR> d-------- C:\WINNT\CAVTemp
2007-08-05 16:23 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Bitdefender
2007-08-05 15:50 81,984 --a------ C:\WINNT\system32\bdod.bin
2007-08-05 15:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BitDefender
2007-07-30 10:11 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-30 10:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-30 10:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-30 09:59 1 --a------ C:\WINNT\system32\ps.dat
2007-07-30 09:13 49,152 --a------ C:\WINNT\system32\park31.dll
2007-07-30 08:45 <DIR> d-------- C:\qrnt
2007-07-30 08:31 1,737,953 --ahs---- C:\WINNT\system32\svvwa.ini2
2007-07-28 18:48 1,735,099 --ahs---- C:\WINNT\system32\svvwa.bak1
2007-07-22 22:27 26,787 --a------ C:\WINNT\system32\drivers\vetmonnt.sys
2007-07-22 22:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CA
2007-07-22 22:25 95,344 --a------ C:\WINNT\system32\ISafeIf.dll
2007-07-22 22:25 879,832 --a------ C:\WINNT\system32\drivers\VetEFile.sys
2007-07-22 22:25 74,864 --a------ C:\WINNT\system32\VetRedir.dll
2007-07-22 22:25 74,864 --a------ C:\WINNT\system32\iSafProd.dll
2007-07-22 22:25 243,824 --a------ C:\WINNT\unicows.dll
2007-07-22 22:25 21,031 --a------ C:\WINNT\system32\drivers\Vet-Filt.sys
2007-07-22 22:25 15,735 --a------ C:\WINNT\system32\drivers\VetFDDNT.sys
2007-07-22 22:25 15,478 --a------ C:\WINNT\system32\drivers\Vet-Rec.sys
2007-07-22 22:25 115,824 --a------ C:\WINNT\UnVet32.exe
2007-07-22 22:25 111,728 --a------ C:\WINNT\AVShlExt.dll
2007-07-22 22:25 108,360 --a------ C:\WINNT\system32\drivers\VetEBoot.sys
2007-07-22 22:24 86,016 --a------ C:\WINNT\system32\YPcservice.exe
2007-07-22 22:24 131,072 --a------ C:\WINNT\system32\ypclsp.dll
2007-07-22 21:59 <DIR> d---s---- C:\DOCUME~1\NETWOR~1\UserData
2007-07-22 21:58 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Yahoo!


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-22 22:25 --------- d-------- C:\Program Files\Yahoo!
2007-07-22 22:15 --------- d-------- C:\Program Files\Symantec
2007-07-22 22:15 --------- d-------- C:\Program Files\Norton AntiVirus
2007-07-22 22:15 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-22 22:15 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Symantec
2007-06-07 21:51 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Viewpoint
2007-05-16 11:12 86528 --------- C:\WINNT\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 --------- C:\WINNT\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a------ C:\WINNT\system32\inetcomm.dll
2007-05-16 11:12 683520 --------- C:\WINNT\system32\dllcache\inetcomm.dll
2007-05-16 11:12 510976 --------- C:\WINNT\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 --------- C:\WINNT\system32\dllcache\msoe.dll
2005-02-11 23:43 57096 --a------ C:\DOCUME~1\Owner\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FB8EB3-183B-4598-924D-86F0E5E37085}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3928513-EE09-44B8-AE48-075B652A736F}]
C:\WINNT\system32\awvvs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B61C6CA3-77BF-4299-AB70-5019FCD4AF09}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D512DB84-E23F-420E-B21C-C5322DD48651}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GWMDMMSG"="GWMDMMSG.exe" [2002-08-06 17:24 C:\WINNT\GWMDMMSG.exe]
"Keyboard Preload Check"="C:\OEMDRVRS\KEYB\Preload.exe" []
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 22:21]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-14 18:26]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19]
"Motive SmartBridge"="C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe" [2003-12-10 04:52]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2007-07-22 22:25]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2007-07-22 22:25]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-07-21 10:43]
"BDMCon"="C:\Program Files\Softwin\BitDefender10\bdmcon.exe" [2007-08-05 16:48]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49]
"00PCTFW"="C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" [2007-04-28 08:13]
"HotKeysCmds"="C:\WINNT\System32\hkcmd.exe" [2002-05-14 22:20]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-10-03 20:50]
"HPDJ Taskbar Utility"="C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-18 07:00]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-02-10 18:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 13:00]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-01 18:11]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Microsoft Update Time"=wuam.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2003-06-25 07:25:38]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2002-12-18 12:58:03]
SBC Self Support Tool.lnk - C:\Program Files\SBC LightSpeed Self Support Tool\bin\matcli.exe [2007-04-10 21:50:58]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2006-10-03 14:04:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"vxdkq.exe"=C:\WINNT\system\vxdkq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvvs]
C:\WINNT\system32\awvvs.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccawtr]
fccawtr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

R1 Cdr4_xp;Cdr4_xp;C:\WINNT\system32\drivers\Cdr4_xp.sys
R1 cdudf_xp;cdudf_xp;C:\WINNT\system32\drivers\cdudf_xp.sys
R1 DcCam;Kodak Camera Proxy;C:\WINNT\system32\DRIVERS\DcCam.sys
R1 pwd_2k;pwd_2k;C:\WINNT\system32\drivers\pwd_2k.sys
R1 Sk9920nt;PS/2 Keyboard Filter Driver for NT 4.0;C:\WINNT\system32\DRIVERS\Sk9920nt.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINNT\system32\drivers\UdfReadr_xp.sys
R2 DCFS2K;Kodak DCFS2K Driver;C:\WINNT\system32\drivers\dcfs2k.sys
R2 NMSSvc;Intel® NMS;C:\WINNT\System32\NMSSvc.exe
R2 RioPNP;RioPNP;C:\WINNT\system32\drivers\RioPNP.sys
R3 GTWModem;GTW V.92 Voicemodem;C:\WINNT\system32\DRIVERS\GWMDM.sys
R3 mmc_2K;mmc_2K;C:\WINNT\system32\drivers\mmc_2K.sys
R3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINNT\system32\drivers\NMSCFG.SYS
R3 Sk99202k;PS/2 Keyboard Filter Driver for Win2000;C:\WINNT\system32\DRIVERS\Sk99202k.sys
R3 wanatw;WAN Miniport (ATW);C:\WINNT\system32\DRIVERS\wanatw4.sys
S1 Exportit;Exportit;C:\WINNT\system32\DRIVERS\exportit.sys
S2 .NET Connection Service;.NET Framework Service;C:\WINNT\svchost.exe
S3 BCMModem;BCM V.90 56K Modem;C:\WINNT\system32\DRIVERS\BCMDM.sys
S3 DcFpoint;DcFpoint;C:\WINNT\system32\DRIVERS\DcFpoint.sys
S3 DcLps;Legacy Polling Service;C:\WINNT\system32\DRIVERS\DcLps.sys
S3 DcPTP;dcptp;C:\WINNT\system32\DRIVERS\DcPTP.sys
S3 dvd_2K;dvd_2K;C:\WINNT\system32\drivers\dvd_2K.sys
S3 PalmUSBD;PalmUSBD;C:\WINNT\system32\drivers\PalmUSBD.sys
S3 PCDRDRV;Pcdr Helper Driver;\??\C:\Atf\Qctest\PCDoc\PCDRDRV.sys
S3 PcdrNt;PcdrNt;C:\WINNT\system32\drivers\PcdrNt.sys

*Newly Created Service* - NMSCFG
*Newly Created Service* - NMSSVC

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-07 18:18:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-07 18:36:20 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-07 18:35

--- E O F ---

#4 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:10:54 PM

Posted 08 August 2007 - 01:02 AM

Hi again :thumbsup:

Please copy the following text in the quotebox below to a blank notepad file. Make sure the filetype is set to "All Files" and save it as Removeservice.bat to your desktop.

@echo off
rem sc takes the service key name (the name in parentheses in the HijackThis
rem O23 line, ".NET Connection Service"), not the display name, for both commands.
sc stop ".NET Connection Service"
sc delete ".NET Connection Service"
exit


Double-click on Removeservice.bat, a window will pop up and close. This is normal.

======

Next, open Notepad again and copy/paste the text in the quotebox into it.

Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Microsoft Update Time"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"vxdkq.exe"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvvs]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccawtr]

File::
C:\WINNT\system\vxdkq.exe
C:\WINNT\system32\awvvs.dll
C:\WINNT\system32\fccawtr.dll
C:\WINNT\system32\bdod.bin
C:\WINNT\system32\park31.dll
C:\WINNT\system32\svvwa.ini2
C:\WINNT\system32\svvwa.bak1
C:\WINNT\svchost.exe

Folder::
C:\qrnt


Save it as CFScript.txt on your desktop.

[Image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Hi there, stranger!
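The batch file in the post above depends on a distinction that is easy to get wrong: sc stop and sc delete take the service key name, which HijackThis prints in parentheses in an O23 line and ComboFix prints as the first semicolon-separated field, not the display name that both tools show more prominently. The Python below is an added example, not code from this thread, from ComboFix or from HijackThis; it parses both line formats using lines copied from the logs above, resolves either name to the key name sc needs, and emits the stop/delete batch text. The two regular expressions and the cross_check helper are my own assumptions about the tools' output formats.

```python
import re

# HijackThis O23 line: "O23 - Service: <display> (<key name>) - <owner> - <path>".
# The parenthesised key name is omitted when it equals the display name.
HJT_O23 = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)
# ComboFix service line: "<state> <key name>;<display>;<path>" (R = running, S = stopped).
CF_SVC = re.compile(r"^(?P<state>[RS][0-9]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+)$")

# Lines copied from the logs above.
HJT_SAMPLE = [
    r"O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINNT\svchost.exe (file missing)",
    r"O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe",
    r"O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe",
]
CF_SAMPLE = [
    r"S2 .NET Connection Service;.NET Framework Service;C:\WINNT\svchost.exe",
    r"R2 NMSSvc;Intel® NMS;C:\WINNT\System32\NMSSvc.exe",
]


def parse_hijackthis_services(lines):
    """Map service key name -> details from HijackThis O23 lines."""
    services = {}
    for raw in lines:
        m = HJT_O23.match(raw.strip())
        if not m:
            continue
        path = m.group("path")
        services[m.group("name") or m.group("display")] = {
            "display": m.group("display"),
            "owner": m.group("owner"),
            "path": path.replace(" (file missing)", ""),
            "file_missing": path.endswith("(file missing)"),
        }
    return services


def parse_combofix_services(lines):
    """Map service key name -> details from ComboFix's driver/service list."""
    services = {}
    for raw in lines:
        m = CF_SVC.match(raw.strip())
        if m:
            services[m.group("name")] = {"display": m.group("display"),
                                         "path": m.group("path"), "state": m.group("state")}
    return services


def resolve_key_name(services, label):
    """Accept a key name or a display name and return the key name sc needs."""
    if label in services:
        return label
    for name, info in services.items():
        if info["display"] == label:
            return name
    raise KeyError(f"no service with key or display name {label!r}")


def removal_batch(services, label):
    """Build the stop/delete batch for one service, always using its key name."""
    key = resolve_key_name(services, label)
    return "\n".join(["@echo off", f'sc stop "{key}"', f'sc delete "{key}"', "exit"])


def cross_check(hjt, combofix):
    """Return (key, hjt value, combofix value) where the two tools disagree."""
    mismatches = []
    for name, info in hjt.items():
        other = combofix.get(name)
        if other is None:
            continue
        if other["display"] != info["display"]:
            mismatches.append((name, info["display"], other["display"]))
        if other["path"].lower() != info["path"].lower():
            mismatches.append((name, info["path"], other["path"]))
    return mismatches


if __name__ == "__main__":
    hjt = parse_hijackthis_services(HJT_SAMPLE)
    print(removal_batch(hjt, ".NET Framework Service"))
    print("mismatches:", cross_check(hjt, parse_combofix_services(CF_SAMPLE)))
```

Resolving ".NET Framework Service" yields the key name ".NET Connection Service", which is the name both sc commands must use; a display name passed to sc stop simply reports that the service does not exist. Checking the HijackThis and ComboFix views against each other is a cheap way to confirm the identity of a service before deleting it, since a missing binary (file_missing) under a system-looking name in the Windows root is exactly the pattern the thread is dealing with.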

#5 hatdog

hatdog
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:54 PM

Posted 09 August 2007 - 12:47 PM

Hello! Here is the log. Thanks for your help so far. Keep up the good work!!!

ComboFix 07-08-07.6 - "Owner" 2007-08-09 12:41:25.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.43 [GMT -4:00]
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt

FILE::
C:\WINNT\system\vxdkq.exe
C:\WINNT\system32\awvvs.dll
C:\WINNT\system32\fccawtr.dll
C:\WINNT\system32\bdod.bin
C:\WINNT\system32\park31.dll
C:\WINNT\system32\svvwa.ini2
C:\WINNT\system32\svvwa.bak1
C:\WINNT\svchost.exe


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\qrnt
C:\WINNT\system32\bdod.bin
C:\WINNT\system32\park31.dll
C:\WINNT\system32\svvwa.bak1
C:\WINNT\system32\svvwa.ini2


((((((((((((((((((((((((( Files Created from 2007-07-09 to 2007-08-09 )))))))))))))))))))))))))))))))


2007-08-09 12:53 81,984 --a------ C:\WINNT\system32\bdod.bin
2007-08-07 17:24 51,200 --a------ C:\WINNT\nircmd.exe
2007-08-07 17:10 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\PCToolsFirewallPlus
2007-08-06 22:09 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-06 22:02 55,904 --a------ C:\WINNT\system32\drivers\pctfw.sys
2007-08-06 22:02 100,448 --a------ C:\WINNT\system32\drivers\pctfw1.sys
2007-08-06 22:02 <DIR> d-------- C:\Program Files\PC Tools Firewall Plus
2007-08-05 16:33 <DIR> d-------- C:\WINNT\CAVTemp
2007-08-05 16:23 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Bitdefender
2007-08-05 15:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BitDefender
2007-07-30 10:11 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-30 10:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-30 10:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-30 09:59 1 --a------ C:\WINNT\system32\ps.dat
2007-07-22 22:27 26,787 --a------ C:\WINNT\system32\drivers\vetmonnt.sys
2007-07-22 22:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CA
2007-07-22 22:25 95,344 --a------ C:\WINNT\system32\ISafeIf.dll
2007-07-22 22:25 879,832 --a------ C:\WINNT\system32\drivers\VetEFile.sys
2007-07-22 22:25 74,864 --a------ C:\WINNT\system32\VetRedir.dll
2007-07-22 22:25 74,864 --a------ C:\WINNT\system32\iSafProd.dll
2007-07-22 22:25 243,824 --a------ C:\WINNT\unicows.dll
2007-07-22 22:25 21,031 --a------ C:\WINNT\system32\drivers\Vet-Filt.sys
2007-07-22 22:25 15,735 --a------ C:\WINNT\system32\drivers\VetFDDNT.sys
2007-07-22 22:25 15,478 --a------ C:\WINNT\system32\drivers\Vet-Rec.sys
2007-07-22 22:25 115,824 --a------ C:\WINNT\UnVet32.exe
2007-07-22 22:25 111,728 --a------ C:\WINNT\AVShlExt.dll
2007-07-22 22:25 108,360 --a------ C:\WINNT\system32\drivers\VetEBoot.sys
2007-07-22 22:24 86,016 --a------ C:\WINNT\system32\YPcservice.exe
2007-07-22 22:24 131,072 --a------ C:\WINNT\system32\ypclsp.dll
2007-07-22 21:59 <DIR> d---s---- C:\DOCUME~1\NETWOR~1\UserData
2007-07-22 21:58 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Yahoo!


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-22 22:25 --------- d-------- C:\Program Files\Yahoo!
2007-07-22 22:15 --------- d-------- C:\Program Files\Symantec
2007-07-22 22:15 --------- d-------- C:\Program Files\Norton AntiVirus
2007-07-22 22:15 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-22 22:15 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Symantec
2007-05-16 11:12 86528 --------- C:\WINNT\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 --------- C:\WINNT\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a------ C:\WINNT\system32\inetcomm.dll
2007-05-16 11:12 683520 --------- C:\WINNT\system32\dllcache\inetcomm.dll
2007-05-16 11:12 510976 --------- C:\WINNT\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 --------- C:\WINNT\system32\dllcache\msoe.dll
2005-02-11 23:43 57096 --a------ C:\DOCUME~1\Owner\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FB8EB3-183B-4598-924D-86F0E5E37085}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3928513-EE09-44B8-AE48-075B652A736F}]
C:\WINNT\system32\awvvs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B61C6CA3-77BF-4299-AB70-5019FCD4AF09}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D512DB84-E23F-420E-B21C-C5322DD48651}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GWMDMMSG"="GWMDMMSG.exe" [2002-08-06 17:24 C:\WINNT\GWMDMMSG.exe]
"Keyboard Preload Check"="C:\OEMDRVRS\KEYB\Preload.exe" []
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 22:21]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-14 18:26]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19]
"Motive SmartBridge"="C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe" [2003-12-10 04:52]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2007-07-22 22:25]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2007-07-22 22:25]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-07-21 10:43]
"BDMCon"="C:\Program Files\Softwin\BitDefender10\bdmcon.exe" [2007-08-05 16:48]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49]
"00PCTFW"="C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" [2007-04-28 08:13]
"HotKeysCmds"="C:\WINNT\System32\hkcmd.exe" [2002-05-14 22:20]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-10-03 20:50]
"HPDJ Taskbar Utility"="C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-18 07:00]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-02-10 18:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 13:00]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-01 18:11]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2003-06-25 07:25:38]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2002-12-18 12:58:03]
SBC Self Support Tool.lnk - C:\Program Files\SBC LightSpeed Self Support Tool\bin\matcli.exe [2007-04-10 21:50:58]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2006-10-03 14:04:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

R1 Cdr4_xp;Cdr4_xp;C:\WINNT\system32\drivers\Cdr4_xp.sys
R1 cdudf_xp;cdudf_xp;C:\WINNT\system32\drivers\cdudf_xp.sys
R1 DcCam;Kodak Camera Proxy;C:\WINNT\system32\DRIVERS\DcCam.sys
R1 pwd_2k;pwd_2k;C:\WINNT\system32\drivers\pwd_2k.sys
R1 Sk9920nt;PS/2 Keyboard Filter Driver for NT 4.0;C:\WINNT\system32\DRIVERS\Sk9920nt.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINNT\system32\drivers\UdfReadr_xp.sys
R2 DCFS2K;Kodak DCFS2K Driver;C:\WINNT\system32\drivers\dcfs2k.sys
R2 NMSSvc;Intel® NMS;C:\WINNT\System32\NMSSvc.exe
R2 RioPNP;RioPNP;C:\WINNT\system32\drivers\RioPNP.sys
R3 GTWModem;GTW V.92 Voicemodem;C:\WINNT\system32\DRIVERS\GWMDM.sys
R3 mmc_2K;mmc_2K;C:\WINNT\system32\drivers\mmc_2K.sys
R3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINNT\system32\drivers\NMSCFG.SYS
R3 Sk99202k;PS/2 Keyboard Filter Driver for Win2000;C:\WINNT\system32\DRIVERS\Sk99202k.sys
R3 wanatw;WAN Miniport (ATW);C:\WINNT\system32\DRIVERS\wanatw4.sys
S1 Exportit;Exportit;C:\WINNT\system32\DRIVERS\exportit.sys
S3 BCMModem;BCM V.90 56K Modem;C:\WINNT\system32\DRIVERS\BCMDM.sys
S3 DcFpoint;DcFpoint;C:\WINNT\system32\DRIVERS\DcFpoint.sys
S3 DcLps;Legacy Polling Service;C:\WINNT\system32\DRIVERS\DcLps.sys
S3 DcPTP;dcptp;C:\WINNT\system32\DRIVERS\DcPTP.sys
S3 dvd_2K;dvd_2K;C:\WINNT\system32\drivers\dvd_2K.sys
S3 PalmUSBD;PalmUSBD;C:\WINNT\system32\drivers\PalmUSBD.sys
S3 PCDRDRV;Pcdr Helper Driver;\??\C:\Atf\Qctest\PCDoc\PCDRDRV.sys
S3 PcdrNt;PcdrNt;C:\WINNT\system32\drivers\PcdrNt.sys

*Newly Created Service* - NMSCFG
*Newly Created Service* - NMSSVC

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-09 12:55:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-09 13:10:58 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-09 13:10
C:\ComboFix2.txt ... 2007-08-07 18:36

--- E O F ---

#6 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 09 August 2007 - 12:50 PM

Please post a fresh HijackThis log. How is the system running now? Still having issues? :thumbsup:
Hi there, stranger!

#7 hatdog

hatdog
  • Topic Starter

  • Members
  • 5 posts

Posted 09 August 2007 - 08:19 PM

Hello again,
Here is the HijackThis log. The computer seems to be running faster, and I am not getting all the pop-ups. The pop-up asking me if I want to run, save or cancel the WinAntiSpyware has completely stopped. But the computer will not sleep. It is constantly running unless I shut it down. Any suggestions? Thank you!!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:15:27 PM, on 8/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\ScsiAccess.EXE
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\SBC LightSpeed Self Support Tool\bin\mpbtn.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O2 - BHO: (no name) - {B3928513-EE09-44B8-AE48-075B652A736F} - C:\WINNT\system32\awvvs.dll (file missing)
O2 - BHO: H - {B61C6CA3-77BF-4299-AB70-5019FCD4AF09} - park31.dll (file missing)
O2 - BHO: (no name) - {D512DB84-E23F-420E-B21C-C5322DD48651} - \
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC LightSpeed Self Support Tool\bin\matcli.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099097392297
O16 - DPF: {AE6C4705-0F11-4ACB-BDD4-37F138BEF289} (Image Uploader Control) - http://meijer.lifepics.com/net/Uploader/LPUploader41.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\System32\ScsiAccess.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINNT\system32\YPCSER~1.EXE

--
End of file - 10564 bytes

#8 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 10 August 2007 - 03:11 AM

Do you mean standby mode? If that's what you mean, you should be able to change it as follows:

Right-click somewhere on your desktop and go to Properties.
Go to the Screensaver tab, and click on Power saving (or something similar; trying to translate from Finnish, not sure if it's exactly named like that).
On the first tab, you should be able to set the time limits (e.g. how many minutes it takes for the computer to shut down the screen when unused).
Then on the last tab, you should be able to check the box next to sleep/standby/whatevermode.

If this wasn't what you mean maybe this helps: http://www.swan.ac.uk/university/TheCampus...wehelp/PCusage/

Let's finish the cleaning :thumbsup:

Please run a scan with HijackThis and check the following objects for removal:

O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O2 - BHO: (no name) - {B3928513-EE09-44B8-AE48-075B652A736F} - C:\WINNT\system32\awvvs.dll (file missing)
O2 - BHO: H - {B61C6CA3-77BF-4299-AB70-5019FCD4AF09} - park31.dll (file missing)
O2 - BHO: (no name) - {D512DB84-E23F-420E-B21C-C5322DD48651} - \


Hit FIX CHECKED. Exit HijackThis and reboot.

===

Your log is clean.

Please read here how to clear old restore points and create a new one.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here are some tips for the future to prevent spyware:

Prevention Programs:
  • Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Other necessary Programs:
  • Firewall <= A firewall is definitely a must have. Two good free versions are Kerio Personal Firewall and ZoneLabs. (Note: only use one at a time)
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice:
So how did I get infected in the first place?
Hi there, stranger!
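The four O2 entries Rawe asks to fix share a pattern: no name, no DLL on disk, or a path that is empty or a bare filename. As an added example that is not part of this thread, the Python below parses O2 lines in the HijackThis 2.0.2 format and flags entries showing those signs; the sample lines are constructed from the shapes seen in this thread, and the flag rules are an assumption for illustration (a legitimate BHO such as Spybot's SDHelper also reports "(no name)", so that signal alone is only a prompt to verify the file).

```python
import re
from dataclasses import dataclass, field
from typing import List

# HijackThis O2 line shape: "O2 - BHO: <name> - {<CLSID>} - <path>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
MISSING = "(file missing)"

# Constructed sample in HijackThis format (O2 entries plus one O3 line to be skipped).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O2 - BHO: (no name) - {B3928513-EE09-44B8-AE48-075B652A736F} - C:\WINNT\system32\awvvs.dll (file missing)
O2 - BHO: H - {B61C6CA3-77BF-4299-AB70-5019FCD4AF09} - park31.dll (file missing)
O2 - BHO: (no name) - {D512DB84-E23F-420E-B21C-C5322DD48651} - \
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
"""

@dataclass
class BhoFinding:
    clsid: str
    name: str
    path: str
    reasons: List[str] = field(default_factory=list)

    @property
    def orphaned(self) -> bool:
        # "unnamed" alone is weak evidence; any other reason means the registration points nowhere
        return any(r != "unnamed BHO" for r in self.reasons)

def triage_o2(log_text: str) -> List[BhoFinding]:
    """Return the O2 (BHO) entries that warrant review, with the reason for each (illustrative rules)."""
    findings = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if not m:
            continue  # not an O2 line; other HijackThis sections are out of scope here
        name, clsid, path = m.group("name"), m.group("clsid"), m.group("path").strip()
        reasons = []
        if name == "(no name)":
            reasons.append("unnamed BHO")
        if path == "(no file)":
            reasons.append("no DLL registered for this CLSID")
        else:
            if path.endswith(MISSING):
                reasons.append("registered DLL is absent on disk")
            bare = path[:-len(MISSING)].strip() if path.endswith(MISSING) else path
            if bare in ("", "\\"):
                reasons.append("empty path")
            elif "\\" not in bare:
                reasons.append("bare filename, loaded via the DLL search path")
        if reasons:
            findings.append(BhoFinding(clsid, name, path, reasons))
    return findings
```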

#9 hatdog

hatdog
  • Topic Starter

  • Members
  • 5 posts

Posted 11 August 2007 - 09:45 PM

Thank you so much for your help!! You all do a great service helping people like me! Keep up the good work.

#10 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 12 August 2007 - 03:21 AM

Since this issue appears to be resolved, this Topic has been closed. Should you need this Topic reopened, please PM a Staff member. :thumbsup:
Hi there, stranger!