
Aftermath Analysis!


  • This topic is locked
9 replies to this topic

#1 noshmirror

noshmirror

  • Members
  • 7 posts

Posted 07 August 2007 - 03:03 AM

Hi guys, good site you got here.
I got a massive virus invasion and got most of it cleaned up with Spyware Doctor; WinHound was still hanging around, so I used noahd's program to remove it. Worked beautifully, thank you noahd!

This is my log, posted to be checked for any bad guys still hanging around.

Thank you guys in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:56:18 AM, on 8/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\HPHipm11.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings...vzTCPConfig.CAB
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...IOS/tgctlcm.cab
O16 - DPF: {06D59DC6-5304-432D-A1CE-67E531410F9F} (CHListFactory Object) - http://solomon-web/BusinessPortal/UI/Resul...ebBehaviors.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - http://192.168.3.193/kxhcm10.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1184225370140
O16 - DPF: {737D14F8-4090-11D4-AE0E-0010830243BD} (SysVerChk Control) - http://pointa.autodesk.com/portal/lang/neutral/SysVerChk.ocx
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - http://pointa.autodesk.com/portal/lang/enu/InstBanr.Ocx
O16 - DPF: {BA11E984-66D3-11D3-9196-006008105FA5} (SDClientHelper Class) - http://solomon-sql/solweb/SDClientTools.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - http://pointa.autodesk.com/portal/lang/enu/InstFred.Ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: awtqqro - awtqqro.dll (file missing)
O20 - Winlogon Notify: hggdcyw - hggdcyw.dll (file missing)
O20 - Winlogon Notify: jkklk - C:\WINDOWS\
O20 - Winlogon Notify: urqpooo - urqpooo.dll (file missing)
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SolidWorks SolidNetWork License Manager - Unknown owner - C:\Program Files\SolidWorks SolidNetWork License Manager\lmgrd.exe (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Sweep for Windows NT Network (SWEEPNET) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: Sweep for Windows NT Update (SWEEPUPDATE) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12487 bytes
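A triage helper for a HijackThis log like the one above, added here as an example; it is not part of this thread, of HijackThis or of ComboFix. It parses the `R`/`F`/`O` entry lines and pulls out, for manual review, entries whose target file is not on disk, every O20 Winlogon Notify package, and O16 DPF controls sourced from `file://` or a private or intranet address. The function names (`parse_entries`, `url_is_local`, `triage`, `Finding`) and the three heuristics are assumptions of this example, not features of HijackThis; the sample lines are copied from the log above.

```python
import re
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - http://192.168.3.193/kxhcm10.ocx
O20 - Winlogon Notify: awtqqro - awtqqro.dll (file missing)
O20 - Winlogon Notify: jkklk - C:\WINDOWS\
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Every HijackThis entry starts with a section code (R0..R3, F0..F3, O1..O24) and " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d{1,2}) - (?P<body>.+)$")

# HijackThis appends these markers when the referenced file is not on disk.
MISSING_MARKERS = ("(file missing)", "(no file)")


@dataclass
class Finding:
    kind: str    # section code, e.g. "O20"
    body: str    # the entry text after "Oxx - "
    reason: str  # why it was pulled out for review


def parse_entries(log_text: str) -> List[Tuple[str, str]]:
    """Return (kind, body) for every entry line; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def url_is_local(url: str) -> bool:
    """True for file:// URLs, private IP addresses and single-label intranet hostnames."""
    parsed = urlparse(url)
    if parsed.scheme == "file":
        return True
    host = parsed.hostname
    if not host:
        return False
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        # Not an IP literal: a hostname without a dot is an intranet name.
        return "." not in host


def triage(log_text: str) -> List[Finding]:
    """Apply the three review heuristics to each parsed entry, in log order."""
    findings = []
    for kind, body in parse_entries(log_text):
        lowered = body.lower()
        if any(marker in lowered for marker in MISSING_MARKERS):
            findings.append(Finding(kind, body, "references a file that is not on disk"))
        elif kind == "O20":
            findings.append(Finding(kind, body,
                "Winlogon Notify package: loaded into winlogon.exe at logon, confirm the DLL and its vendor"))
        elif kind == "O16" and body.startswith("DPF:"):
            source = body.rsplit(" - ", 1)[-1]   # the download location is the last " - " field
            if url_is_local(source):
                findings.append(Finding(kind, body,
                    "ActiveX control sourced from file:// or a private/intranet address"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.reason}\n    {f.body}")
```

Run against the full log, the helper lists the four O20 Winlogon Notify entries, the missing-file O9 and O23 entries, and the O16 controls served from `192.168.3.193`, `file://` paths and the `solomon-web`/`solomon-sql` intranet hosts; the rest of the log is left for the analyst. It is a first-pass filter only: an entry it flags still has to be judged by hand, as RichieUK does in the replies.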


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 07 August 2007 - 08:16 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum noshmirror :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Viewpoint Manager is considered foistware instead of malware, since it is installed without the user's approval but doesn't spy or do anything "bad".
This will change from what we knew in 2006; read this article:
http://www.clickz.com/news/article.php/3561546

You are well advised to remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present:

Viewpoint
Viewpoint Manager
Viewpoint Media Player


--------------------------------------------

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new Hijackthis log.

#3 noshmirror

noshmirror
  • Topic Starter

  • Members
  • 7 posts

Posted 07 August 2007 - 10:40 AM

hey thanks richie
no more "view" stuff

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 07 August 2007 - 12:17 PM

Carry on with the Combofix instructions please.

#5 noshmirror

noshmirror
  • Topic Starter

  • Members
  • 7 posts

Posted 16 August 2007 - 04:19 PM

NO!




jk


ComboFix 07-08-16.3 - "Don" 2007-08-16 14:06:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1508 [GMT -7:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\Casino.ico
C:\WINDOWS\Free Online Dating.ico
C:\WINDOWS\Spyware Remover.ico
C:\WINDOWS\system32\cbxwttu.dll
C:\WINDOWS\system32\dgogppna.exe
C:\WINDOWS\system32\hlpsrv.exe
C:\WINDOWS\system32\iifghfe.dll
C:\WINDOWS\SYSTEM32\klkkj.bak1
C:\WINDOWS\SYSTEM32\klkkj.bak2
C:\WINDOWS\SYSTEM32\klkkj.ini
C:\WINDOWS\SYSTEM32\klkkj.ini2
C:\WINDOWS\SYSTEM32\klkkj.tmp
C:\WINDOWS\system32\ojchorex.exe
C:\WINDOWS\wnsxs~1
C:\WINDOWS\wnsxs~1\W?nSxS\


((((((((((((((((((((((((( Files Created from 2007-07-16 to 2007-08-16 )))))))))))))))))))))))))))))))


2007-08-16 14:05 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-10 21:08 <DIR> d-------- C:\DOCUME~1\Don\APPLIC~1\Elaborate Bytes
2007-08-06 23:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-06 20:14 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Share-to-Web Upload Folder
2007-08-06 20:10 <DIR> d-------- C:\WINDOWS\pss
2007-08-05 17:28 <DIR> d-------- C:\DOCUME~1\Don\APPLIC~1\Real
2007-08-05 13:20 83,024 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2007-08-05 13:20 57,424 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2007-08-05 13:20 53,840 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2007-08-05 13:20 39,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfileflt.sys
2007-08-05 13:20 29,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2007-08-05 12:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-08-05 06:47 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-08-05 02:01 626,688 --a------ C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-08-05 02:01 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-08-05 02:01 <DIR> d-------- C:\DOCUME~1\Don\APPLIC~1\PC Tools
2007-08-05 01:59 <DIR> d-------- C:\Program Files\Google
2007-08-05 01:09 70,252 --a------ C:\Program Files\setup.exe
2007-08-04 12:44 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-04 11:20 138,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sp_rsdrv2.sys
2007-08-04 11:18 <DIR> d-------- C:\DOCUME~1\Don\APPLIC~1\Spyware Terminator
2007-08-04 11:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spyware Terminator
2007-08-04 10:33 6,466 --ahs---- C:\WINDOWS\SYSTEM32\rtutv.bak1
2007-08-04 10:29 <DIR> d-------- C:\Program Files\Crawler
2007-08-04 10:28 31,254 --a------ C:\WINDOWS\SYSTEM32\urqpooo.dll.ren
2007-08-04 01:40 1,729,712 --ahs---- C:\WINDOWS\SYSTEM32\ehhkj.bak2
2007-08-03 22:51 <DIR> d-------- C:\Program Files\Spyware Terminator
2007-08-03 13:16 6,467 --ahs---- C:\WINDOWS\SYSTEM32\ehhkj.bak1
2007-08-03 00:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ATI
2007-08-03 00:02 <DIR> d-------- C:\Program Files\ATI Technologies
2007-08-02 22:44 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-31 10:51 <DIR> d-------- C:\Program Files\NCSoft
2007-07-30 13:22 <DIR> d-------- C:\DOCUME~1\Don\APPLIC~1\SecondLife
2007-07-24 12:13 <DIR> dr-h----- C:\DOCUME~1\Don\APPLIC~1\SecuROM
2007-07-24 10:47 <DIR> d-------- C:\DOCUME~1\Don\APPLIC~1\acccore
2007-07-24 09:01 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-07-24 01:15 <DIR> d-------- C:\Program Files\MSXML 6.0


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-16 14:14 --------- d-------- C:\Program Files\Sophos SWEEP for NT
2007-08-12 22:47 96256 --a------ C:\WINDOWS\system32\drivers\sptd1341.sys
2007-08-07 08:41 --------- d-------- C:\Program Files\Viewpoint
2007-08-05 17:30 --------- d-------- C:\Program Files\Common Files\Real
2007-08-04 14:12 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-04 00:28 --------- d-------- C:\Program Files\DAEMON Tools
2007-08-03 13:30 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-03 00:27 --------- d-------- C:\DOCUME~1\Don\APPLIC~1\SolidWorks
2007-07-28 22:19 --------- dr-h----- C:\DOCUME~1\Don\APPLIC~1\yahoo!
2007-07-24 12:13 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-07-24 01:15 --------- d-------- C:\DOCUME~1\Don\APPLIC~1\Skype
2007-07-12 15:40 --------- d-------- C:\Program Files\iPod
2007-07-12 15:34 --------- d-------- C:\Program Files\QuickTime
2007-07-12 15:30 --------- d-------- C:\Program Files\Common Files\Apple
2007-07-12 15:30 --------- d-------- C:\Program Files\Apple Software Update
2007-07-12 01:03 --------- d-------- C:\Program Files\MTV Networks
2007-07-12 00:56 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-07-08 09:59 --------- d-------- C:\Program Files\MSXML 4.0
2007-07-08 09:26 --------- d--h----- C:\Program Files\WindowsUpdate
2007-07-07 20:54 --------- d-------- C:\Program Files\Yahoo!
2007-07-07 12:20 --------- d-------- C:\Program Files\Verizon
2007-07-07 12:20 --------- d-------- C:\Program Files\Common Files\SupportSoft
2007-07-06 11:28 --------- d-------- C:\Program Files\Sony
2007-07-06 11:27 --------- d-------- C:\Program Files\Hewlett-Packard
2007-07-06 11:26 --------- d-------- C:\Program Files\Canon
2007-07-04 23:51 --------- d-------- C:\Program Files\Common Files\AOL
2007-07-04 23:44 --------- d-------- C:\DOCUME~1\Don\APPLIC~1\AOL
2007-06-26 19:27 44240 --a------ C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-06-26 18:59 344064 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2007-06-26 18:58 269312 --a------ C:\WINDOWS\system32\dllcache\ati2dvag.dll
2007-06-26 18:58 269312 --a------ C:\WINDOWS\system32\ati2dvag.dll
2007-06-26 18:58 2303488 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-06-26 18:58 2303488 --a------ C:\WINDOWS\system32\dllcache\ati2mtag.sys
2007-06-26 18:56 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2007-06-26 18:51 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe
2007-06-26 18:51 143360 --a------ C:\WINDOWS\system32\atipdlxx.dll
2007-06-26 18:51 122880 --a------ C:\WINDOWS\system32\Oemdspif.dll
2007-06-26 18:50 43520 --a------ C:\WINDOWS\system32\ati2edxx.dll
2007-06-26 18:50 118784 --a------ C:\WINDOWS\system32\ati2evxx.dll
2007-06-26 18:49 483328 --a------ C:\WINDOWS\system32\ati2evxx.exe
2007-06-26 18:48 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL
2007-06-26 18:44 8232960 --a------ C:\WINDOWS\system32\atioglx2.dll
2007-06-26 18:41 2940992 --a------ C:\WINDOWS\system32\dllcache\ati3duag.dll
2007-06-26 18:41 2940992 --a------ C:\WINDOWS\system32\ati3duag.dll
2007-06-26 18:31 1519744 --a------ C:\WINDOWS\system32\dllcache\ativvaxx.dll
2007-06-26 18:31 1519744 --a------ C:\WINDOWS\system32\ativvaxx.dll
2007-06-26 18:19 5435392 --a------ C:\WINDOWS\system32\atioglxx.dll
2007-06-26 18:17 266240 --a------ C:\WINDOWS\system32\atikvmag.dll
2007-06-26 18:16 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
2007-06-26 18:15 49152 --a------ C:\WINDOWS\system32\drivers\ati2erec.dll
2007-06-26 18:14 176128 --a------ C:\WINDOWS\system32\atiok3x2.dll
2007-06-26 18:10 376832 --a------ C:\WINDOWS\system32\dllcache\ati2cqag.dll
2007-06-26 18:10 376832 --a------ C:\WINDOWS\system32\ati2cqag.dll
2007-06-20 05:38 --------- d-------- C:\Program Files\Creative
2007-06-19 22:02 --------- d-------- C:\Program Files\TI Education
2007-06-19 22:02 --------- d-------- C:\Program Files\Common Files\TI Shared
2007-06-19 14:15 --------- d-------- C:\DOCUME~1\Don\APPLIC~1\Lionhead Studios
2007-06-18 05:32 98304 --a------ C:\WINDOWS\system32CmdLineExt.dll
2007-05-16 08:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 08:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 08:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 08:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 08:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 08:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
2005-01-05 21:43 11701 --a--c--- C:\Program Files\SolidWorksswxJRNL.BAK


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 17:22]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 C:\WINDOWS\LOGI_MWX.EXE]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2005-10-26 16:01]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2006-05-02 09:31]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 01:56]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 07:57]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-17 15:27]
"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" [2002-11-22 12:48]
"HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-11-22 12:50]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 10:42]
"AGEIA PhysX SysTray"="C:\Program Files\AGEIA Technologies\TrayIcon.exe" [2006-03-20 12:43]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
"AdobeVersionCue"="C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2003-10-13 16:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-08-04 11:20]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-06-12 13:19]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2006-03-01 19:43]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-05 12:59]

C:\Documents and Settings\Don\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 12:36:04]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-14 17:44:34]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-08-05 12:59:13]
InterCheck Monitor.LNK - C:\Program Files\Sophos SWEEP for NT\ICMON.EXE [2006-02-15 06:38:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqqro]
awtqqro.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggdcyw]
hggdcyw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkklk]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqpooo]
urqpooo.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe
R2 NetAlrt;NetAlrt;\??\C:\WINDOWS\System32\drivers\NetAlrt.sys
R2 PlatAlrt;PlatAlrt;\??\C:\WINDOWS\System32\drivers\PlatAlrt.sys
R3 Dot4 HPH11;Dot4 HPH11;C:\WINDOWS\system32\DRIVERS\hphid411.sys
R3 Dot4Print HPH11;Print Class Driver for IEEE-1284.4 HPH11;C:\WINDOWS\system32\DRIVERS\hphipr11.sys
R3 Dot4Storage HPH11;Storage Class Driver for IEEE-1284.4 (HPH11);C:\WINDOWS\system32\Drivers\hphs2k11.sys
R3 Dot4Usb HPH11;Dot4Usb HPH11;C:\WINDOWS\system32\drivers\hphius11.sys
R3 InterCheck Control;InterCheck Control;\??\C:\Program Files\Sophos SWEEP for NT\icntdrv5.sys
R3 InterCheck Filter;InterCheck Filter;\??\C:\Program Files\Sophos SWEEP for NT\icntflt5.sys
R3 InterCheck Support 01;InterCheck Support 01;\??\C:\Program Files\Sophos SWEEP for NT\icntst01.sys
R3 InterCheck Support 02;InterCheck Support 02;\??\C:\Program Files\Sophos SWEEP for NT\icntst02.sys
R3 InterCheck Support 03;InterCheck Support 03;\??\C:\Program Files\Sophos SWEEP for NT\icntst03.sys
R3 InterCheck Support 04;InterCheck Support 04;\??\C:\Program Files\Sophos SWEEP for NT\icntst04.sys
R3 InterCheck Support 05;InterCheck Support 05;\??\C:\Program Files\Sophos SWEEP for NT\icntst05.sys
R3 InterCheck Support 06;InterCheck Support 06;\??\C:\Program Files\Sophos SWEEP for NT\icntst06.sys
R3 InterCheck Support 07;InterCheck Support 07;\??\C:\Program Files\Sophos SWEEP for NT\icntst07.sys
R3 InterCheck Support 08;InterCheck Support 08;\??\C:\Program Files\Sophos SWEEP for NT\icntst08.sys
R3 InterCheck Support 09;InterCheck Support 09;\??\C:\Program Files\Sophos SWEEP for NT\icntst09.sys
R3 InterCheck Support 10;InterCheck Support 10;\??\C:\Program Files\Sophos SWEEP for NT\icntst10.sys
R3 InterCheck Support 11;InterCheck Support 11;\??\C:\Program Files\Sophos SWEEP for NT\icntst11.sys
R3 InterCheck Support 12;InterCheck Support 12;\??\C:\Program Files\Sophos SWEEP for NT\icntst12.sys
S2 SolidWorks SolidNetWork License Manager;SolidWorks SolidNetWork License Manager;C:\Program Files\SolidWorks SolidNetWork License Manager\lmgrd.exe
S2 SWEEPNET;Sweep for Windows NT Network;"C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE"
S2 SWEEPUPDATE;Sweep for Windows NT Update;"C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE"
S3 CtUsbMs;Creative HID USB Filter Driver;C:\WINDOWS\system32\DRIVERS\CtUsbMs.Sys
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys
S3 jswmidin;jswmidin;\??\C:\DOCUME~1\Don\LOCALS~1\Temp\jswmidin.sys
S3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\system32\drivers\NMSCFG.SYS
S3 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM
S3 TIEHDUSB;TIEHDUSB;C:\WINDOWS\system32\drivers\tiehdusb.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04228dcf-e997-11d9-87d9-000d56c66eb9}]
AutoRun\command- M:\setupSNK.exe


Contents of the 'Scheduled Tasks' folder
2007-07-28 15:59:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-16 14:13:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-16 14:16:53 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-16 14:16

--- E O F ---

Can I delete the program?

#6 noshmirror

noshmirror
  • Topic Starter

  • Members
  • 7 posts

Posted 16 August 2007 - 04:23 PM

What the heck? I can't delete it. You guys trick me or somethin'?

#7 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 16 August 2007 - 06:21 PM

Copy and paste ALL the following blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\SYSTEM32\rtutv.bak1
C:\WINDOWS\SYSTEM32\urqpooo.dll.ren
C:\WINDOWS\SYSTEM32\ehhkj.bak2
C:\WINDOWS\SYSTEM32\ehhkj.bak1
Folder::
C:\Program Files\Viewpoint
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqqro]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggdcyw]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkklk]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqpooo]

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.

#8 noshmirror

noshmirror
  • Topic Starter

  • Members
  • 7 posts

Posted 16 August 2007 - 06:48 PM

I refuse to do this! I have Kaspersky... 8 billion times better than some ComboFix... why do you keep insisting on ComboFix?

#9 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 16 August 2007 - 06:52 PM

Please follow my instructions or I'm afraid I'll have no option but to close this topic, sorry.

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 17 August 2007 - 03:54 AM

*This topic is closed*