
Infected With Winfixer/Virtumonde (Popups of Antivirus Software and Online Poker)


8 replies to this topic

#1 shawnb1

  • Members
  • 6 posts

Posted 12 August 2007 - 01:32 PM

A few days back the Virtumonde worm got into my system. I have Spyware Doctor running on my PC and it immediately detected the worm. I ran a scan and deleted the infections, but I was still bombarded with pop-ups about antivirus software and online poker.
Next, I downloaded the Virtumonde fixer/removal tool and ran it. It detected 4 instances of the worm within DLL files and removed them. I then ran AVG Anti-Virus AND Lavasoft Ad-Aware.
However, I am STILL receiving these popups. Every time I run Spyware Doctor it detects a single infection. It's strange because Spyware Doctor used to alert me specifically about the Virtumonde worm, but ever since I ran the removal tool those alerts have stopped. Yet I still get the same popups I did when Spyware Doctor detected the worm.
I'm extremely desperate now since nothing seems to be working.

I have posted the HijackThis log below. Please advise me on what I should do next. I GREATLY appreciate any help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:14:49, on 12/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Farooq\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179439193953
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O20 - Winlogon Notify: geedb - C:\WINDOWS\system32\geedb.dll (file missing)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8932 bytes
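As an added example (not code from this thread, from HijackThis or from any of the tools mentioned), the following Python parses HijackThis v2 entry lines of the kind posted above and triages them the way a helper reading the log would: orphaned entries such as the O20 Winlogon Notify line for geedb.dll (file missing), BHOs with no name or no file, and Run entries that load a DLL through rundll32 are flagged for review. The sample log is constructed from entries in this thread, and the rules and severities are my own heuristics, not HijackThis's.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on HijackThis v2.0.2 entries quoted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O20 - Winlogon Notify: geedb - C:\WINDOWS\system32\geedb.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# Every HijackThis entry has the shape "<section> - <body>", e.g. "O20 - Winlogon Notify: ...".
# Process-list lines and the header do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")

# Markers HijackThis prints when the registry still points at a file that is gone.
ORPHAN_MARKERS = ("(file missing)", "(no file)")


@dataclass
class Finding:
    section: str
    severity: str   # "high" or "review" (heuristic labels chosen for this example)
    reason: str
    entry: str


def parse_entries(log_text):
    """Return (section, body, raw_line) for every entry line in a HijackThis log."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body"), line))
    return entries


def triage_entry(section, body, raw):
    """Apply the triage rules to one entry; return a Finding or None if it looks benign."""
    orphaned = any(marker in body for marker in ORPHAN_MARKERS)

    if section == "O20" and body.startswith("Winlogon Notify:"):
        # Notify DLLs are loaded into winlogon.exe at logon, before the desktop
        # appears, which is why the Vundo/Virtumonde family used this key and
        # why a leftover entry keeps coming back after user-mode cleanups.
        name = body.split(":", 1)[1].split(" - ", 1)[0].strip()
        if orphaned:
            return Finding(section, "high",
                           f"Winlogon Notify '{name}' points at a missing DLL "
                           "(typical leftover of a Virtumonde-style infection)", raw)
        return Finding(section, "review",
                       f"Winlogon Notify '{name}' is non-default; verify the DLL's publisher", raw)

    if section == "O2" and ("(no name)" in body or orphaned):
        return Finding(section, "review", "BHO with no name or no file backing it", raw)

    if orphaned:
        return Finding(section, "review", "entry references a file that no longer exists", raw)

    if section == "O4" and "rundll32" in body.lower():
        # Legitimate drivers use this too (the Ptipbmf entry in this thread is one),
        # so it is a prompt to verify the DLL, not a verdict.
        return Finding(section, "review", "Run entry loads a DLL via rundll32; verify the DLL", raw)

    return None


def triage(log_text):
    """Run every entry of a HijackThis log through the rules and collect the findings."""
    findings = []
    for section, body, raw in parse_entries(log_text):
        finding = triage_entry(section, body, raw)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.entry}")
```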

#2 shawnb1

  • Topic Starter
  • Members
  • 6 posts

Posted 12 August 2007 - 01:38 PM

By the way, that infection which keeps on replicating itself every time I scan with Spyware Doctor is titled "Dialer.Instant_Access".

#3 __RiP_ChAiN_

  • Members
  • 1,592 posts
  • Gender:Male
  • Location:Omaha, Nebraska U.S.A

Posted 15 August 2007 - 01:59 AM

Hello shawnb1,

Please download Combofix to your desktop.
Double-click combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

#4 shawnb1

  • Topic Starter
  • Members
  • 6 posts

Posted 04 September 2007 - 04:04 PM

Many apologies for the late reply. Was out of town on business.

Here is the ComboFix log as you asked:


((((((((((((((((((((((((( Files Created from 2007-08-04 to 2007-09-04 )))))))))))))))))))))))))))))))


2007-09-02 21:50 <DIR> d-------- C:\DOCUME~1\I4573~1.HAM\APPLIC~1\Genie-Soft
2007-09-02 21:49 <DIR> d-------- C:\Program Files\Genie-Soft
2007-09-02 18:48 4,245,008 --a------ C:\WINDOWS\system32\qtp-mt334.dll
2007-09-02 18:48 38,448 --a------ C:\WINDOWS\system32\drivers\hotcore3.sys
2007-09-02 18:48 247,824 --a------ C:\WINDOWS\system32\prgiso.dll
2007-09-02 18:48 13,840 --a------ C:\WINDOWS\system32\wnaspi32.dll
2007-09-02 18:48 <DIR> d-------- C:\Program Files\Paragon Software
2007-09-01 12:33 <DIR> d-------- C:\DOCUME~1\I4573~1.HAM\APPLIC~1\InterVideo
2007-09-01 12:31 <DIR> d-------- C:\Program Files\InterVideo Information Service
2007-09-01 12:31 <DIR> d-------- C:\Program Files\Common Files\Ulead
2007-09-01 12:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
2007-09-01 12:28 <DIR> d-------- C:\Program Files\Common Files\InterVideo
2007-09-01 12:27 <DIR> d-------- C:\Program Files\InterVideo
2007-09-01 12:24 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-09-01 12:24 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2007-09-01 12:24 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2007-09-01 12:24 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-09-01 12:24 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2007-09-01 12:24 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-09-01 12:24 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-09-01 12:24 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2007-09-01 12:24 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2007-09-01 12:24 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2007-09-01 12:24 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-09-01 12:24 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-09-01 12:24 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2007-09-01 12:24 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2007-09-01 12:24 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2007-09-01 12:24 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-09-01 12:23 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-09-01 12:23 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-09-01 12:23 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-09-01 12:23 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-09-01 12:23 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-09-01 12:23 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-09-01 12:23 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-09-01 12:14 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-08-28 21:18 <DIR> d-------- C:\DOCUME~1\I4573~1.HAM\hob_jportal
2007-08-28 21:18 <DIR> d-------- C:\DOCUME~1\I4573~1.HAM\hob
2007-08-28 21:18 <DIR> d-------- C:\DOCUME~1\I4573~1.HAM\APPLIC~1\Juniper Networks
2007-08-26 11:05 15,360 --a------ C:\WINDOWS\system32\drivers\NetMotCM.sys
2007-08-21 19:58 0 --a------ C:\WINDOWS\nsreg.dat
2007-08-21 19:58 <DIR> d-------- C:\DOCUME~1\I4573~1.HAM\APPLIC~1\Talkback
2007-08-21 19:50 <DIR> d-------- C:\DOCUME~1\I4573~1.HAM\APPLIC~1\MSN6
2007-08-21 19:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MSN6
2007-08-20 19:56 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-08-20 19:53 <DIR> d-------- C:\DOCUME~1\I4573~1.HAM\.SunDownloadManager
2007-08-19 18:38 108,144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-08-16 19:15 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-15 18:39 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-15 18:39 <DIR> d-------- C:\DOCUME~1\I4573~1.HAM\APPLIC~1\SUPERAntiSpyware.com
2007-08-15 18:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-15 18:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-12 18:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-12 18:04 <DIR> d-------- C:\WINDOWS\CSC
2007-08-12 00:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Tools
2007-08-11 22:16 <DIR> d-------- C:\VundoFix Backups
2007-08-10 18:27 63,488 --a------ C:\WINDOWS\system32\unam4ie.exe
2007-08-10 18:27 4,608 --a------ C:\WINDOWS\system32\w95inf32.dll
2007-08-10 18:27 38,160 --a------ C:\WINDOWS\system32\LMRTREND.dll
2007-08-10 18:27 285 --a------ C:\WINDOWS\EReg072.dat
2007-08-10 18:27 2,272 --a------ C:\WINDOWS\system32\w95inf16.dll
2007-08-10 18:27 194,320 --a------ C:\WINDOWS\system32\qcut.dll
2007-08-10 18:27 182,032 --a------ C:\WINDOWS\system32\dxtmsft3.dll
2007-08-10 18:27 10,240 --a------ C:\WINDOWS\system32\vidx16.dll
2007-08-10 18:25 <DIR> d-------- C:\Sshock2
2007-08-10 18:01 <DIR> d-------- C:\Program Files\PowerISO
2007-08-09 08:23 <DIR> d-------- C:\SAVE
2007-08-09 08:16 <DIR> d-------- C:\Sierra
2007-08-08 23:53 <DIR> d--h----- C:\Program Files\uTorrent
2007-08-08 23:53 <DIR> d-------- C:\DOCUME~1\I4573~1.HAM\APPLIC~1\uTorrent
2007-08-07 23:59 314,368 --a------ C:\WINDOWS\uninst.exe
2007-08-07 23:56 <DIR> d-------- C:\DOCUME~1\I4573~1.HAM\WINDOWS
2007-08-07 19:22 510 --a------ C:\WINDOWS\eReg.dat
2007-08-07 19:08 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-06 20:19 <DIR> d-------- C:\Program Files\MagicISO
2007-08-06 19:53 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-08-06 19:39 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-08-06 19:28 682,232 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-08-05 20:30 <DIR> d--h----- C:\WINDOWS\PIF
2007-08-04 22:31 <DIR> d-------- C:\Program Files\EA GAMES
2007-08-04 09:51 <DIR> d-------- C:\DOCUME~1\I4573~1.HAM\APPLIC~1\.BitTornado


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-04 11:58 --------- d-------- C:\Program Files\Spyware Doctor
2007-09-02 18:48 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-01 12:27 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-08-31 00:01 --------- d-------- C:\Program Files\HP
2007-08-27 14:46 --------- d-------- C:\DOCUME~1\I4573~1.HAM\APPLIC~1\AdobeUM
2007-08-07 19:23 28400 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-08-04 09:51 --------- d-------- C:\DOCUME~1\I4573~1.HAM\APPLIC~1\.BitTornado
2007-08-04 00:10 --------- d-------- C:\Program Files\Azureus
2007-08-04 00:10 --------- d-------- C:\DOCUME~1\I4573~1.HAM\APPLIC~1\Azureus
2007-07-30 19:19 92504 --a--c--- C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a--c--- C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a--c--- C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a--c--- C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a--c--- C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a--c--- C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a--c--- C:\WINDOWS\system32\dllcache\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-19 07:59 3583488 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-15 11:18 --------- d-------- C:\DOCUME~1\I4573~1.HAM\APPLIC~1\DivX
2007-07-15 11:17 --------- d-------- C:\Program Files\DivX
2007-07-13 00:31 765952 --a--c--- C:\WINDOWS\system32\dllcache\vgx.dll
2007-07-07 19:26 --------- d-------- C:\DOCUME~1\I4573~1.HAM\APPLIC~1\LimeWire
2007-07-07 18:02 --------- d-------- C:\DOCUME~1\I4573~1.HAM\APPLIC~1\Real
2007-07-07 17:00 --------- d-------- C:\DOCUME~1\I4573~1.HAM\APPLIC~1\Help
2007-07-05 13:06 --------- d-------- C:\Program Files\AC3Filter
2007-07-02 20:41 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-02 20:41 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-02 20:41 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-02 20:41 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-07-02 20:41 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-07-02 20:41 116472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-07-02 20:41 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-02 20:37 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-02 20:37 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-02 20:37 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-02 20:37 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-02 20:37 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-02 20:37 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-02 20:37 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-02 20:37 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-02 20:37 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-02 20:37 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-02 20:37 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-02 20:37 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-02 20:36 124472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-07-02 20:36 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-06-27 15:34 823808 --a--c--- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 15:34 671232 --a--c--- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 15:34 6058496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 15:34 52224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 15:34 477696 --a--c--- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 15:34 459264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 15:34 44544 -----c--- C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 15:34 384512 -----c--- C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 15:34 383488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 15:34 27648 --a--c--- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 15:34 267776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 15:34 232960 -----c--- C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 15:34 230400 -----c--- C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 15:34 193024 --a--c--- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 15:34 153088 -----c--- C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 15:34 132608 --a--c--- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 15:34 124928 -----c--- C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 15:34 1152000 --a--c--- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 15:34 105984 -----c--- C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 15:34 102400 -----c--- C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 09:27 63488 -----c--- C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 09:27 625152 -----c--- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 09:27 13824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 08:00 161792 --a--c--- C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-26 09:27 363520 -----c--- C:\WINDOWS\system32\dllcache\w3svc.dll
2007-06-26 07:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 07:08 1104896 -----c--- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 14:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 14:31 282112 -----c--- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-13 11:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 11:23 1033216 -----c--- C:\WINDOWS\system32\dllcache\explorer.exe
2005-05-11 23:36 12288 --------- C:\WINDOWS\Fonts.\RandFont.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-04 00:56]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-03-03 16:12]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 16:06 C:\WINDOWS\system32\ptipbmf.dll]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2003-11-10 16:06]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-06-27 13:54]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-18 10:19]
"HPHUPD08"="C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 18:35]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 17:34]
"GBMLite7Agent"="C:\Program Files\Genie-Soft\GBMLite7\GBMAgent.exe" [2007-02-27 09:09]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"InstantTray"="C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe" [2004-05-06 15:14]
"IW_Drop_Icon"="C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe" [2004-07-30 15:10]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-04 12:03]
"GBMLite7Agent"="C:\Program Files\Genie-Soft\GBMLite7\GBMAgent.exe" [2007-02-27 09:09]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-06-04 12:03:45]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-05-19 01:32:40]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2007-05-19 01:32:40]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys
R0 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys
R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;C:\WINDOWS\system32\DRIVERS\SI3112r.sys
R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys
R0 VOBID;VOBID;C:\WINDOWS\system32\DRIVERS\vobid.sys
R1 vobcom;vobcom;C:\WINDOWS\system32\drivers\vobcom.sys
R1 vobiw;vobiw;C:\WINDOWS\system32\drivers\vobiw.sys
R2 GDI23880;Genesis Video Capture;C:\WINDOWS\system32\drivers\gdi2vid.sys
R2 GDI2BTS;Genesis BDA Transport Capture;C:\WINDOWS\system32\drivers\gdi2bts.sys
R2 GDI2IR;Genesis InfraRed;C:\WINDOWS\system32\drivers\gdi2ir.sys
R2 GDI2XBAR;Genesis Crossbar;C:\WINDOWS\system32\drivers\gdi2xbr.sys
R3 cdrdrv;Cdrdrv;C:\WINDOWS\system32\Drivers\Cdrdrv.sys
R3 GDI2BDA;Black Gold Signature BDA DVB Tuner/Demod;C:\WINDOWS\system32\drivers\gdi2bda.sys
S2 GDI323880;Black Gold Video Capture;C:\WINDOWS\system32\drivers\gdi2vbb.sys
S2 GDI3XBR;Black Gold Signature Crossbar;C:\WINDOWS\system32\drivers\gdi2xbb.sys
S2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c78640e1-fe1e-11db-9e99-806d6172696f}]
AutoRun\command- D:\Launch.exe


Contents of the 'Scheduled Tasks' folder
2007-07-03 14:29:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-04 21:59:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-04 22:00:11
C:\ComboFix-quarantined-files.txt ... 2007-09-04 22:00
C:\ComboFix2.txt ... 2007-08-16 19:26
C:\ComboFix3.txt ... 2007-08-16 19:20

--- E O F ---


And here's the log from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:03:44, on 04/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Genie-Soft\GBMLite7\GBMAgent.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\ehome\ehRec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\Farooq\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [GBMLite7Agent] C:\Program Files\Genie-Soft\GBMLite7\GBMAgent.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [GBMLite7Agent] C:\Program Files\Genie-Soft\GBMLite7\GBMAgent.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179439193953
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9249 bytes



Thanks for any help you can offer.

#5 __RiP_ChAiN_

__RiP_ChAiN_

    Eh, whatever goes here.


  • Members
  • 1,592 posts
  • OFFLINE
  • Gender:Male
  • Location:Omaha, Nebraska U.S.A
  • Local time:08:18 PM

Posted 05 September 2007 - 11:01 AM

Hello shawnb1,

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

Now close all windows other than HiJackThis, then click Fix Checked. Close HijackThis.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


#6 shawnb1

shawnb1
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:18 PM

Posted 08 September 2007 - 08:48 AM

Here's the Activescan report:



Incident Status Location

Spyware:Cookie/888 Not disinfected C:\Documents and Settings\I.Hameed\Cookies\i.hameed@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\I.Hameed\Cookies\i.hameed@888[2].txt
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\I.Hameed\Cookies\i.hameed@cdfreaks[1].txt
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\I.Hameed\Cookies\i.hameed@club.cdfreaks[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\I.Hameed\Cookies\i.hameed@gamearena.com[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\I.Hameed\Cookies\i.hameed@searchportal.information[2].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\I.Hameed\Cookies\i.hameed@toplist[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\I.Hameed\Cookies\i.hameed@uol.com[1].txt
Spyware:Cookie/ademails Not disinfected C:\Documents and Settings\I.Hameed\Cookies\i.hameed@www.ademails[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Farooq\ComboFix.exe[nircmd.exe]
Spyware:Spyware/Virtumonde Not disinfected C:\Farooq\Magic ISO Maker 5.4 + Serial\Magic ISO Maker 5.4 Build 239.exe
Adware:Adware/eZula Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\qknbrust.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\awtqoll.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\vtstt.dll.bad
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe

Hopefully this stuff can be purged since it seems to be able to replicate itself.
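The ActiveScan report above mixes three quite different kinds of hit: tracking cookies, copies already parked in removal-tool quarantine folders (QooBox, VundoFix Backups), and files still live on disk such as the cracked installer and the stray nircmd.exe. The Python script below is an added example for this thread, not a Panda tool and not something either participant posted. It parses report lines of that shape and sorts them by location so that only the live hits are treated as needing action. The quarantine prefixes, the status words it recognises and the "+ Serial"/keygen markers are assumptions made for the example; the sample lines are copied from the report above.

```python
"""Sort Panda ActiveScan report lines by where each detection lives.

Added example for this thread; not Panda's code. Quarantine prefixes,
status words and crack markers are assumptions made for the example.
"""
import re
from dataclasses import dataclass

# Lines copied from the report posted above (header included as Panda prints it).
SAMPLE_REPORT = r"""
Incident Status Location
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\I.Hameed\Cookies\i.hameed@888[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\I.Hameed\Cookies\i.hameed@searchportal.information[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Farooq\ComboFix.exe[nircmd.exe]
Spyware:Spyware/Virtumonde Not disinfected C:\Farooq\Magic ISO Maker 5.4 + Serial\Magic ISO Maker 5.4 Build 239.exe
Adware:Adware/eZula Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\qknbrust.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\awtqoll.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\vtstt.dll.bad
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
"""

# "<incident> <status> <location>"; the incident may itself contain spaces,
# so match lazily up to a status word (the set of status words is an assumption).
_LINE = re.compile(
    r"^(?P<incident>\S.*?)\s+(?P<status>Not disinfected|Disinfected|Deleted)\s+(?P<location>\S.*)$"
)

# Folders where removal tools park neutralised copies (assumption: these two tools).
QUARANTINE_PREFIXES = (r"c:\qoobox\quarantine", r"c:\vundofix backups")
# Path fragments that mark a warez-style installer (assumption).
CRACK_MARKERS = (" + serial", "keygen", "crack")


@dataclass
class Detection:
    incident: str
    status: str
    location: str
    category: str


def classify(location: str) -> str:
    """Bucket a detection by where the file sits, most benign bucket first."""
    loc = location.lower()
    if "\\cookies\\" in loc:
        return "tracking-cookie"      # browser cookie: clear it, nothing executes
    if loc.startswith(QUARANTINE_PREFIXES):
        return "quarantined"          # inert copy kept by a removal tool
    if re.search(r"\[[^\]]+\]$", location):
        return "embedded"             # member inside another file, e.g. exe[nircmd.exe]
    if any(marker in loc for marker in CRACK_MARKERS):
        return "cracked-installer"    # likely infection vector; delete the folder
    return "live"                     # plain file on disk: investigate and remove


def triage(report_text: str) -> list:
    """Parse every report line that matches the expected shape."""
    detections = []
    for raw in report_text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue  # header or unparseable line: skip rather than guess
        detections.append(Detection(m["incident"], m["status"], m["location"],
                                    classify(m["location"])))
    return detections


def needs_action(detections) -> list:
    """Locations that still hold something runnable and should be removed."""
    return [d.location for d in detections
            if d.category in ("live", "cracked-installer")]


if __name__ == "__main__":
    for d in triage(SAMPLE_REPORT):
        print(f"{d.category:17} {d.incident:45} {d.location}")
    print("needs action:", needs_action(triage(SAMPLE_REPORT)))
```

Run on the sample, only the cracked Magic ISO installer and C:\WINDOWS\nircmd.exe come back as needing action; the three Virtumonde hits in VundoFix Backups and QooBox are copies the earlier tools already pulled out of play, which is why the reply below deletes the two folders rather than treating them as a fresh infection.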

#7 __RiP_ChAiN_

__RiP_ChAiN_

    Eh, whatever goes here.


  • Members
  • 1,592 posts
  • OFFLINE
  • Gender:Male
  • Location:Omaha, Nebraska U.S.A
  • Local time:08:18 PM

Posted 16 September 2007 - 12:41 PM

Hello shawnb1,

For some reason I did not receive a topic notification reply for your topic. I apologize for the delay in getting back to you :thumbsup:

Using Windows Explorer, delete the following folders (if present). (To get into Windows Explorer, right-click the START button and select "Explore.")

C:\Farooq\Magic ISO Maker 5.4 + Serial
C:\QooBox

Please post back with a new HijackThis log and an update on how your computer is running.

#8 shawnb1

shawnb1
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:18 PM

Posted 18 September 2007 - 01:14 PM

It's alright. I've had the same problem where I don't receive an email notification when somebody replies to one of my topics.

I deleted those two folders, and the following is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:10:54, on 18/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehRec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Farooq\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179439193953
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7571 bytes



The system seems relatively stable. I deleted this stuff very recently, so I will have to take a wait-and-see approach.

It is a little slow though. Loading times seem a little too prolonged.

So does the log look alright?
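Whether a HijackThis log "looks alright" comes down to a handful of checks: O2 BHO entries with "(no file)" (an orphan CLSID left behind by a removal), unnamed BHOs loaded from system32, O20 Winlogon Notify DLLs (a classic Vundo persistence spot), O4 Run entries that load a DLL by bare name or from a non-standard folder, O23 services with "Unknown owner", and R0/R1 browser pages that are not on a known-host list. The Python script below is an added example written for this thread, not part of HijackThis and not the helper's own method. It applies those heuristics to a sample drawn from the log above plus one constructed Vundo-style BHO line (its CLSID is made up; the DLL name is taken from the VundoFix Backups entry in the ActiveScan report). The known-host list and the idea of "standard" program folders are assumptions, and a flagged line is a prompt to verify, not a verdict.

```python
"""Heuristic triage of HijackThis log lines.

Added example for this thread; not part of HijackThis. The known-host list,
the "standard" program folders and the wording of each rule are assumptions.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample lines copied from the log above, plus one constructed Vundo-style BHO line
# (fake CLSID; DLL name taken from the VundoFix Backups entry in the ActiveScan report).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {DEADBEEF-0000-0000-0000-000000000000} - C:\WINDOWS\system32\awtqoll.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""


@dataclass
class Finding:
    kind: str
    reason: str
    line: str


# Folders a legitimate autostart normally lives under (assumption for the example).
STANDARD_DIRS = ("c:\\program files", "c:\\progra~1", "c:\\windows")
# Hosts the stock IE pages point at; callers add their own ISP or portal.
DEFAULT_KNOWN_HOSTS = {"go.microsoft.com"}


def _page_flag(value, known_hosts):
    p = urlparse(value)
    if p.scheme in ("http", "https") and p.hostname in known_hosts:
        return None
    return "browser start/search page is not a known host (about:blank or a hijack leftover)"


def _bho_flag(line):
    # "O2 - BHO: <name> - {CLSID} - <path>"
    parts = line.split(" - ")
    name, path = parts[1][len("BHO: "):], parts[-1]
    if path == "(no file)":
        return "BHO CLSID registered but its DLL is gone (orphan left by a removal; fix to clean up)"
    if name == "(no name)" and path.lower().startswith("c:\\windows\\system32\\"):
        return "unnamed BHO loaded from system32, the placement Vundo/Virtumonde used; verify the DLL"
    return None


def _run_flag(line):
    # "[Name] <command>" for registry Run keys, "x.lnk = <path>" for startup folders
    if "] " in line:
        cmd = line.split("] ", 1)[1].strip()
    elif " = " in line:
        cmd = line.split(" = ", 1)[1].strip()
    else:
        return None
    exe = cmd.strip('"').lower()
    if exe.startswith("rundll32"):
        args = cmd.split(None, 1)[1] if " " in cmd else ""
        dll = args.split(",", 1)[0].strip('"')
        if "\\" not in dll:
            return "rundll32 loads a DLL by bare name, resolved via the search path; verify which file wins"
        return None
    if not exe.startswith(STANDARD_DIRS):
        return "autostart points outside Program Files / Windows"
    return None


def triage_hjt(log_text, known_hosts=()):
    """Return one Finding per line that a reviewer should look at more closely."""
    hosts = DEFAULT_KNOWN_HOSTS | set(known_hosts)
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]
        reason = None
        if kind in ("R0", "R1") and " = " in line:
            reason = _page_flag(line.split(" = ", 1)[1].strip(), hosts)
        elif kind == "O2":
            reason = _bho_flag(line)
        elif kind == "O4":
            reason = _run_flag(line)
        elif kind == "O20":
            reason = "Winlogon Notify DLL runs inside winlogon.exe at every logon; confirm vendor and path"
        elif kind == "O23" and "Unknown owner" in line:
            reason = "service binary carries no vendor string; confirm where the file came from"
        if reason:
            findings.append(Finding(kind, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG, known_hosts={"www.virginmedia.co.uk"}):
        print(f"[{f.kind}] {f.reason}\n      {f.line}")
```

With the user's ISP home page added to the known-host list, the sample yields six findings. Only the constructed awtqoll.dll line is Vundo-like; the rest (the orphan CLSID, the about:blank machine-wide start page, the bare-name rundll32 entry, the SUPERAntiSpyware logon hook and the vendor-less ATI service) are the kind of entries the helper would glance at and pass, which matches the "log looks good" verdict in the next reply.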

#9 __RiP_ChAiN_

__RiP_ChAiN_

    Eh, whatever goes here.


  • Members
  • 1,592 posts
  • OFFLINE
  • Gender:Male
  • Location:Omaha, Nebraska U.S.A
  • Local time:08:18 PM

Posted 18 September 2007 - 09:37 PM

Hello shawnb1,

Your log looks good. If you wish, we can disable some non-essential programs from startup to improve performance.