
It Started With Spy Doctor


This topic is locked
12 replies to this topic

#1 bidkev

bidkev

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:39 AM

Posted 18 August 2007 - 02:03 AM

Hi, my first post but I've been here a few times via google :thumbsup:

I'm running CA anti virus and currently a trial version of their spyware when previously I had used ad aware and Xsoft spy se. I'm also running Zone alarm but despite these measures I managed to pick up the dreaded spy doctor.

Somehow, by way of google and sites such as this, I managed to remove it without having to resort to sending a log for the perusal of others. However, shortly after its removal, CA started informing me of infections such as win 32/vundolgeneric although vundofix consistently failed to find these. After a while, CA was finding other files with other names such as System 32\geeba.dll and was no longer alerting me to the vundolgeneric files. It invariably found 3 files, 2 that it stated it had deleted and the other infected. Eventually, my computer went to a crawl with the inevitable crashes.

I went into safe mode and reloaded windows and now, although the programmes seem to be running ok, browsing is slow and there is a lot of activity via the modem when I am not browsing.

Also, on reloading windows, it dropped all the updates and is now telling me that there are 77 updates, which for some reason, it cannot load.

Sorry this is so long, but I'm trying to give you as much info as possible in the hope that you can help me out. I'm a self-taught old fart who would greatly appreciate any help you can offer.

Cheers

kev


My log is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:42:16 PM, on 8/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.EXE
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: (no name) - {6D55F78D-57E0-7A56-9975-02E12506D1B4} - C:\Program Files\Ccwfullt\ktwuwjer.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - C:\WINDOWS\system32\nnnollk.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus Photo RX510] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.EXE" /P24 "EPSON Stylus Photo RX510" /O6 "USB001" /M "Stylus Photo RX510"
O4 - HKLM\..\Run: [USB2Check] "RUNDLL32.EXE" "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (Adobe Form Control) - http://www.ato.gov.au/formflow/codebase/FormCtl.cab
O16 - DPF: {224F7DEA-B7C1-11D3-AB40-00902712A5C9} (PLSAddin Class) - http://www.ato.gov.au/formflow/codebase/plsspeller.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1159256529781
O16 - DPF: {CDDCFBB3-4D93-11D2-B1A9-00A0C9B742BE} (Adobe Script Object) - http://www.ato.gov.au/formflow/codebase/scriptobject.cab
O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (Adobe Soft Font Installer) - http://www.ato.gov.au/formflow/codebase/fontinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{073880C3-E854-4A74-B4A9-C14A97D23EE4}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{57B5BB50-5FF2-45F7-BABD-3964B61C2B67}: NameServer = 85.255.114.89,85.255.112.82
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C619AE8-940B-4836-821B-C994BEEA596B}: NameServer = 85.255.114.89,85.255.112.82
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9EE5B2C-755C-4B02-B4E4-FF070E9DA691}: NameServer = 85.255.114.89,85.255.112.82
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{073880C3-E854-4A74-B4A9-C14A97D23EE4}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{073880C3-E854-4A74-B4A9-C14A97D23EE4}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: nnnollk - C:\WINDOWS\SYSTEM32\nnnollk.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7642 bytes
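
An added triage script (not part of this thread, and not HijackThis code) that picks out the entries in the log above that matter for this case: O17 NameServer values pointing anywhere other than the resolvers the owner configured, O2 BHOs with no name, O20 Winlogon Notify hooks, and the same DLL registered both as a BHO and as a Notify package. The trusted-resolver allowlist is an assumption for illustration, and the sample lines are constructed from entries quoted in the log.

```python
"""Triage a HijackThis v2 log for the indicators seen in this thread.

Added example, not part of the original thread or of HijackThis itself.
"""
import re
from collections import defaultdict

# Resolvers the owner actually configured (assumption for this example:
# the two OpenDNS addresses that appear alongside the unexpected ones).
TRUSTED_RESOLVERS = {"208.67.220.220", "208.67.222.222"}

# Constructed sample: lines lifted from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {6D55F78D-57E0-7A56-9975-02E12506D1B4} - C:\Program Files\Ccwfullt\ktwuwjer.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - C:\WINDOWS\system32\nnnollk.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{073880C3-E854-4A74-B4A9-C14A97D23EE4}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{57B5BB50-5FF2-45F7-BABD-3964B61C2B67}: NameServer = 85.255.114.89,85.255.112.82
O20 - Winlogon Notify: nnnollk - C:\WINDOWS\SYSTEM32\nnnollk.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HijackThis entry starts with a section tag such as R1, O2, O17.
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O17_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


def parse_log(text):
    """Yield (section, body) for each entry line; headers and process lists are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def triage(text, trusted_resolvers=TRUSTED_RESOLVERS):
    """Return a list of (severity, reason, evidence) findings for one log."""
    findings = []
    # lower-cased DLL path -> set of sections it is loaded from
    dll_sightings = defaultdict(set)
    for section, body in parse_log(text):
        if section == "O2":
            m = BHO_RE.match(body)
            if not m:
                continue
            dll_sightings[m.group("path").lower()].add("O2")
            if m.group("name") == "(no name)":
                findings.append(("medium", "BHO with no name", body))
        elif section == "O17":
            m = O17_RE.search(body)
            if not m:
                continue
            rogue = [ip for ip in m.group("servers").split(",")
                     if ip not in trusted_resolvers]
            if rogue:
                findings.append(("high",
                                 "NameServer not in trusted set: " + ",".join(rogue),
                                 body))
        elif section == "O20":
            m = O20_RE.match(body)
            if not m:
                continue
            dll_sightings[m.group("path").lower()].add("O20")
            findings.append(("high", "Winlogon Notify DLL loaded by winlogon.exe", body))
    # One DLL registered both as a BHO and as a Winlogon Notify package is the
    # layout the log above shows for nnnollk.dll: the Notify hook runs at logon,
    # outside the browser, which is why removing only the BHO does not stick.
    for path, sections in dll_sightings.items():
        if {"O2", "O20"} <= sections:
            findings.append(("critical", "same DLL in O2 and O20", path))
    return findings


if __name__ == "__main__":
    for severity, reason, evidence in triage(SAMPLE_LOG):
        print(f"[{severity:8}] {reason}\n           {evidence}")
```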



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:04:39 PM

Posted 18 August 2007 - 07:18 AM

Hi,

You are dealing with several different infections...

Go to this page.
Enter the url of this thread in the first field.
Where it says "browse to the file that you want to submit", click the Browse button next to it and browse to the following file:

C:\Program Files\Ccwfullt\ktwuwjer.dll

Select it and click ok:
Then click the Send File button below.

Then, please download FixwareOut from the following site:
http://download.bleepingcomputer.com/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads, it will open a log with the name report.txt
I need that log later.

Then, download Combofix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new HijackThis log.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 bidkev

bidkev
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:39 AM

Posted 18 August 2007 - 06:55 PM

Hi miekiemoes :thumbsup:

Here is my combofix log and hijackthis log as requested. Thanks for your help thus far.

kev



ComboFix 07-08-17.2 - "kevin" 2007-08-19 9:16:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.558 [GMT 10:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\d.exe
C:\DOCUME~1\USER\APPLIC~1\AntiSpywareBot
C:\DOCUME~1\USER\APPLIC~1\AntiSpywareBot\Log\log_2007_08_12_09_08_35.log
C:\DOCUME~1\USER\APPLIC~1\AntiSpywareBot\Log\log_2007_08_12_09_08_39.log
C:\DOCUME~1\USER\APPLIC~1\AntiSpywareBot\Settings\CustomScan.stg
C:\DOCUME~1\USER\APPLIC~1\AntiSpywareBot\Settings\IgnoreList.stg
C:\DOCUME~1\USER\APPLIC~1\AntiSpywareBot\Settings\ScanInfo.stg
C:\DOCUME~1\USER\APPLIC~1\AntiSpywareBot\Settings\ScanResults.stg
C:\DOCUME~1\USER\APPLIC~1\AntiSpywareBot\Settings\SelectedFolders.stg
C:\DOCUME~1\USER\APPLIC~1\AntiSpywareBot\Settings\Settings.stg
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe~
C:\WINDOWS\system32\xpdx.sys
C:\WINDOWS\Tasks.\AntiSpywareBot Scheduled Scan.job


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_ASC3550U
-------\LEGACY_NTMLSVC
-------\LEGACY_NWSAPAGENT
-------\nm
-------\NwSapAgent
-------\xpdx


((((((((((((((((((((((((( Files Created from 2007-07-18 to 2007-08-18 )))))))))))))))))))))))))))))))


2007-08-19 09:12 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-19 09:01 8,755 --a------ C:\dnsbak.reg
2007-08-18 16:23 <DIR> d-------- C:\WINDOWS\LastGood
2007-08-18 15:33 <DIR> d-------- C:\DOCUME~1\kevin\APPLIC~1\MailWasherPro
2007-08-18 14:49 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-08-18 14:48 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-08-18 13:06 <DIR> d-------- C:\DOCUME~1\kevin\APPLIC~1\wsInspector
2007-08-18 09:28 1,310,720 --ah----- C:\DOCUME~1\kevin\NTUSER.DAT
2007-08-18 09:26 <DIR> d-------- C:\WINDOWS\Prefetch
2007-08-18 09:15 69,632 --a------ C:\WINDOWS\ALCMTR.EXE
2007-08-18 09:06 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-08-18 09:06 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-08-17 17:33 <DIR> d-------- C:\WINDOWS\pss
2007-08-16 09:35 <DIR> d-------- C:\Program Files\RegScrubXP
2007-08-15 17:33 43,542 --a------ C:\WINDOWS\system32\nnnollk.dll
2007-08-14 20:29 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-08-14 15:17 77,312 --a------ C:\WINDOWS\ua2.dll
2007-08-12 19:08 <DIR> d-------- C:\Program Files\XoftSpySE
2007-08-12 15:54 20,480 --a------ C:\WINDOWS\system32\winbjt32.dll
2007-08-12 15:54 1,536 --a------ C:\lhxfu.exe
2007-08-12 14:40 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-08-12 14:40 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-08-12 14:40 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2007-08-12 14:40 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-08-12 14:40 153,088 --a------ C:\WINDOWS\system32\unrar3.dll
2007-08-12 14:40 <DIR> d-------- C:\DOCUME~1\USER\APPLIC~1\Simply Super Software
2007-08-12 14:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Simply Super Software
2007-08-12 10:58 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-12 10:29 <DIR> d-------- C:\Program Files\Artweaver 0.4
2007-08-12 10:29 <DIR> d-------- C:\DOCUME~1\USER\APPLIC~1\Artweaver
2007-08-12 09:26 164 --a------ C:\install.dat
2007-08-12 09:18 <DIR> d-------- C:\DOCUME~1\USER\APPLIC~1\GetRightToGo
2007-08-12 08:52 <DIR> d-------- C:\ROCHE0410
2007-08-11 17:18 3,966 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-11 17:17 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-11 17:17 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-11 11:25 <DIR> d-------- C:\VundoFix Backups
2007-08-11 07:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-11 07:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-11 07:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-10 22:11 <DIR> d-------- C:\Program Files\InterMute
2007-08-10 22:04 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-10 19:38 <DIR> d-------- C:\WINDOWS\system32\iieldknh
2007-08-10 19:37 <DIR> d-------- C:\Program Files\Ccwfullt
2007-08-10 07:25 <DIR> d-------- C:\Program Files\pwhibevq
2007-08-09 20:16 <DIR> d-------- C:\DOCUME~1\USER\APPLIC~1\Inkscape
2007-08-09 20:15 <DIR> d-------- C:\Program Files\Inkscape
2007-08-04 09:36 <DIR> d--h----- C:\CWDS2Temp
2007-07-31 06:43 <DIR> d-------- C:\Program Files\Veoh Networks
2007-07-28 11:09 <DIR> d-------- C:\DOCUME~1\USER\APPLIC~1\Ulead Systems
2007-07-28 10:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
2007-07-28 10:21 49,152 --a------ C:\WINDOWS\system32\INETWH32.dll
2007-07-28 10:21 1,056,768 --a------ C:\WINDOWS\system32\ROBOEX32.DLL
2007-07-28 10:21 <DIR> d-------- C:\Program Files\Ulead Systems
2007-07-28 10:21 <DIR> d-------- C:\Program Files\Common Files\Ulead Systems
2007-07-28 10:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ulead Systems
2007-07-28 10:14 <DIR> d-------- C:\Program Files\Free Notes & Office Ink
2007-07-28 10:13 93,856 --a------ C:\WINDOWS\RmTablet.exe
2007-07-28 10:13 77,824 --a------ C:\WINDOWS\system32\WINTAB32.DLL
2007-07-28 10:13 77,472 --a------ C:\WINDOWS\system32\Tblfunc.dll
2007-07-28 10:13 73,376 --a------ C:\WINDOWS\system32\Funckey.dll
2007-07-28 10:13 65,184 --a------ C:\WINDOWS\system32\TBLMOUSE.EXE
2007-07-28 10:13 49,152 --a------ C:\WINDOWS\system32\ATWinLog.dll
2007-07-28 10:13 36,864 --a------ C:\WINDOWS\system32\UTBLFILT.DLL
2007-07-28 10:13 22,528 --a------ C:\WINDOWS\system32\drivers\aiptektp.sys
2007-07-28 10:13 1,753,088 --a------ C:\WINDOWS\system32\TblRes.dll
2007-07-28 10:13 <DIR> d-------- C:\WINDOWS\udtablet
2007-07-28 10:13 <DIR> d-------- C:\WINDOWS\calib_da
2007-07-28 10:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tablet
2007-07-28 08:42 <DIR> d-------- C:\DOCUME~1\USER\APPLIC~1\EPSON
2007-07-24 07:48 879,832 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2007-07-24 07:48 108,360 --a------ C:\WINDOWS\system32\drivers\veteboot.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-19 09:29 --------- d-------- C:\Program Files\lg_fwupdate
2007-08-18 15:33 --------- d-------- C:\Program Files\MailWasher
2007-08-17 15:21 --------- d-------- C:\Program Files\Startup Inspector for Windows
2007-08-14 20:29 --------- d-------- C:\Program Files\CA
2007-08-14 15:18 --------- d-------- C:\Program Files\Online Services
2007-08-14 07:45 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-12 20:23 --------- d-------- C:\Program Files\EPSON
2007-08-12 20:19 --------- d-------- C:\Program Files\Ahead
2007-08-12 20:18 --------- d-------- C:\Program Files\ArcSoft
2007-08-12 07:52 --------- d-------- C:\Program Files\CCleaner
2007-08-11 07:20 --------- d-------- C:\Program Files\Lavasoft
2007-08-07 18:21 69632 --a------ C:\WINDOWS\system32\realbap1.dll
2007-08-07 18:21 45568 --a------ C:\WINDOWS\system32\realbsf1.dll
2007-08-06 07:25 --------- d-------- C:\Program Files\Join ME
2007-07-28 10:20 --------- d-------- C:\Program Files\Common Files\InstallShield
2006-12-01 21:20 535 --a------ C:\Program Files\Shortcut to OUTLOOK.EXE.lnk
2004-10-01 15:00 40960 --a------ C:\Program Files\Uninstall_CDS.exe
2001-04-04 18:11 1499904 -ra------ C:\Program Files\INSTMSIW.EXE
2001-04-04 18:11 1489152 -ra------ C:\Program Files\INSTMSI.EXE
2001-03-02 00:38 3485184 -ra------ C:\Program Files\PROPLUS.MSI
2001-03-02 00:35 306688 -ra------ C:\Program Files\OWC10.MSI
2001-03-01 15:35 224771818 -rah----- C:\Program Files\OFFICE1.CAB
2001-02-17 23:35 46496 --a------ C:\Program Files\OUTLOOK.EXE


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D55F78D-57E0-7A56-9975-02E12506D1B4}]
2007-08-10 19:37 106496 --a------ C:\Program Files\Ccwfullt\ktwuwjer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C84D8A0A-E708-42B6-90CA-9C30956A87C6}]
2007-08-15 17:33 43542 --a------ C:\WINDOWS\system32\nnnollk.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 20:04 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-18 12:49]
"EPSON Stylus Photo RX510"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.exe" [2003-09-12 13:00]
"USB2Check"="RUNDLL32.exe" [2006-02-28 22:00 C:\WINDOWS\system32\rundll32.exe]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-14 20:43]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-05-03 07:06]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-04-07 15:34]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 15:40]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2006-02-28 22:00]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2006-02-28 22:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 22:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-02-28 22:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-02-28 22:00]
"nwiz"="nwiz.exe" [2006-07-18 12:49 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-07-18 12:49 C:\WINDOWS\system32\nvmctray.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-18 16:27 C:\WINDOWS\RTHDCPL.EXE]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-08-23 23:38]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 22:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-02 08:20:17]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C84D8A0A-E708-42B6-90CA-9C30956A87C6}"= C:\WINDOWS\system32\nnnollk.dll [2007-08-15 17:33 43542]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnollk]
nnnollk.dll 2007-08-15 17:33 43542 C:\WINDOWS\system32\nnnollk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
"C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN

S1 aiptektp;Pen Pad;C:\WINDOWS\system32\DRIVERS\aiptektp.sys
S3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe"
S3 qcusbser;ZTE USB Device for Legacy Serial Communication;C:\WINDOWS\system32\DRIVERS\ZTEusbser.sys


Contents of the 'Scheduled Tasks' folder
2007-08-14 12:37:21 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as USER at 8 29 PM.job - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
2007-08-18 23:30:35 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe
2007-08-12 07:29:38 C:\WINDOWS\Tasks\XoftSpy.job - C:\Program Files\XoftSpy\XoftSpy.exe
2007-08-18 23:27:42 C:\WINDOWS\Tasks\XoftSpySE 2.job - C:\Program Files\XoftSpySE\XoftSpy.exe
2007-08-12 09:08:40 C:\WINDOWS\Tasks\XoftSpySE.job - C:\Program Files\XoftSpySE\XoftSpy.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-19 09:29:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-19 9:42:48 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-19 09:42

--- E O F ---

..............................................................................................................................................................................
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:43 AM, on 8/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.EXE
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: (no name) - {6D55F78D-57E0-7A56-9975-02E12506D1B4} - C:\Program Files\Ccwfullt\ktwuwjer.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - C:\WINDOWS\system32\nnnollk.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus Photo RX510] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.EXE" /P24 "EPSON Stylus Photo RX510" /O6 "USB001" /M "Stylus Photo RX510"
O4 - HKLM\..\Run: [USB2Check] "RUNDLL32.EXE" "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (Adobe Form Control) - http://www.ato.gov.au/formflow/codebase/FormCtl.cab
O16 - DPF: {224F7DEA-B7C1-11D3-AB40-00902712A5C9} (PLSAddin Class) - http://www.ato.gov.au/formflow/codebase/plsspeller.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1159256529781
O16 - DPF: {CDDCFBB3-4D93-11D2-B1A9-00A0C9B742BE} (Adobe Script Object) - http://www.ato.gov.au/formflow/codebase/scriptobject.cab
O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (Adobe Soft Font Installer) - http://www.ato.gov.au/formflow/codebase/fontinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{073880C3-E854-4A74-B4A9-C14A97D23EE4}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{073880C3-E854-4A74-B4A9-C14A97D23EE4}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{073880C3-E854-4A74-B4A9-C14A97D23EE4}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: nnnollk - C:\WINDOWS\SYSTEM32\nnnollk.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7135 bytes

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:04:39 PM

Posted 19 August 2007 - 01:26 AM

Hi,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\nnnollk.dll
C:\WINDOWS\system32\winbjt32.dll
C:\lhxfu.exe

Folder::
C:\VundoFix Backups
C:\WINDOWS\system32\iieldknh
C:\Program Files\Ccwfullt
C:\Program Files\pwhibevq

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D55F78D-57E0-7A56-9975-02E12506D1B4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C84D8A0A-E708-42B6-90CA-9C30956A87C6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C84D8A0A-E708-42B6-90CA-9C30956A87C6}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnollk]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
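The CFScript above is a small declarative format: a File:: and a Folder:: section list paths to remove, and a Registry:: section uses .reg syntax, where [-key] deletes a whole key and a "name"=- line under a [key] header deletes one value. As an added example (not code from this thread, from ComboFix or from HijackThis), the Python below parses a script in that format and cross-checks it against HijackThis-style entries. The script text is the one posted above; the HijackThis lines are constructed from the O2, O4 and O20 entries and the ComboFix "Reg Loading Points" output in this thread, so the block runs offline. Matching is case-insensitive, as Windows paths are.

```python
"""Parse a ComboFix CFScript and cross-check it against HijackThis entries.

Added example, not code from the thread or from ComboFix/HijackThis.
CFSCRIPT is the script posted in the thread; HJT_LINES are constructed
from entries shown in the thread's logs.
"""
import re

CFSCRIPT = r"""
File::
C:\WINDOWS\system32\nnnollk.dll
C:\WINDOWS\system32\winbjt32.dll
C:\lhxfu.exe

Folder::
C:\VundoFix Backups
C:\WINDOWS\system32\iieldknh
C:\Program Files\Ccwfullt
C:\Program Files\pwhibevq

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D55F78D-57E0-7A56-9975-02E12506D1B4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C84D8A0A-E708-42B6-90CA-9C30956A87C6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C84D8A0A-E708-42B6-90CA-9C30956A87C6}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnollk]
"""

# Constructed HijackThis-style lines (sample input, not a real log dump).
HJT_LINES = [
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll",
    r"O2 - BHO: (no name) - {6D55F78D-57E0-7A56-9975-02E12506D1B4} - C:\Program Files\Ccwfullt\ktwuwjer.dll",
    r"O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - C:\WINDOWS\system32\nnnollk.dll",
    r"O20 - Winlogon Notify: nnnollk - C:\WINDOWS\SYSTEM32\nnnollk.dll",
    r'O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"',
]

CLSID_RE = re.compile(r"\{[0-9A-F-]{36}\}", re.I)


def parse_cfscript(text):
    """Split a CFScript into its sections.

    Returns {"files": [...], "folders": [...], "registry": [...]}; each
    registry action is ("delete_key", key, None), ("delete_value", key, name)
    or ("set_value", key, name).  Sections other than the three handled
    here are ignored.
    """
    result = {"files": [], "folders": [], "registry": []}
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):              # section header, e.g. "File::"
            section = line[:-2].lower()
            current_key = None
            continue
        if section == "file":
            result["files"].append(line)
        elif section == "folder":
            result["folders"].append(line)
        elif section == "registry":
            if line.startswith("[-") and line.endswith("]"):
                result["registry"].append(("delete_key", line[2:-1], None))
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]     # following "name"= lines apply here
            else:
                m = re.match(r'"([^"]+)"=(.*)$', line)
                if m and current_key:
                    op = "delete_value" if m.group(2) == "-" else "set_value"
                    result["registry"].append((op, current_key, m.group(1)))
    return result


def script_indicators(script):
    """Collect the file paths, folder prefixes and CLSIDs the script targets."""
    paths = {p.lower() for p in script["files"]}
    folders = {f.lower().rstrip("\\") + "\\" for f in script["folders"]}
    clsids = set()
    for _op, key, name in script["registry"]:
        for field in (key, name or ""):
            clsids.update(c.upper() for c in CLSID_RE.findall(field))
    return paths, folders, clsids


def covered_entries(script, hjt_lines):
    """Return (hjt_line, reason) for every HijackThis entry the script touches."""
    paths, folders, clsids = script_indicators(script)
    hits = []
    for line in hjt_lines:
        low = line.lower()
        reason = next(("file removed: " + p for p in paths if p in low), None)
        if reason is None:
            reason = next(("folder removed: " + f for f in folders if f in low), None)
        if reason is None:
            reason = next(("registry key/value removed: " + c.upper()
                           for c in CLSID_RE.findall(line) if c.upper() in clsids), None)
        if reason:
            hits.append((line, reason))
    return hits


if __name__ == "__main__":
    parsed = parse_cfscript(CFSCRIPT)
    for op, key, name in parsed["registry"]:
        print(op, key, name or "")
    for entry, why in covered_entries(parsed, HJT_LINES):
        print(why, "<-", entry[:60])
```

Running it lists the four registry actions the script performs and the three HijackThis entries (two BHOs and the Winlogon Notify hook) that point at files or folders the script removes; the Java BHO and the CA tray entry are untouched, which is the quick sanity check a helper wants before handing such a script to a user.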

#5 bidkev
  • Topic Starter

  • Members
  • 6 posts

Posted 19 August 2007 - 07:47 AM

Hi again,

The logs as requested

kev



ComboFix 07-08-17.2 - "kevin" 2007-08-19 9:16:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.558 [GMT 10:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\d.exe
C:\DOCUME~1\USER\APPLIC~1\AntiSpywareBot
C:\DOCUME~1\USER\APPLIC~1\AntiSpywareBot\Log\log_2007_08_12_09_08_35.log
C:\DOCUME~1\USER\APPLIC~1\AntiSpywareBot\Log\log_2007_08_12_09_08_39.log
C:\DOCUME~1\USER\APPLIC~1\AntiSpywareBot\Settings\CustomScan.stg
C:\DOCUME~1\USER\APPLIC~1\AntiSpywareBot\Settings\IgnoreList.stg
C:\DOCUME~1\USER\APPLIC~1\AntiSpywareBot\Settings\ScanInfo.stg
C:\DOCUME~1\USER\APPLIC~1\AntiSpywareBot\Settings\ScanResults.stg
C:\DOCUME~1\USER\APPLIC~1\AntiSpywareBot\Settings\SelectedFolders.stg
C:\DOCUME~1\USER\APPLIC~1\AntiSpywareBot\Settings\Settings.stg
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe~
C:\WINDOWS\system32\xpdx.sys
C:\WINDOWS\Tasks.\AntiSpywareBot Scheduled Scan.job


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_ASC3550U
-------\LEGACY_NTMLSVC
-------\LEGACY_NWSAPAGENT
-------\nm
-------\NwSapAgent
-------\xpdx


((((((((((((((((((((((((( Files Created from 2007-07-18 to 2007-08-18 )))))))))))))))))))))))))))))))


2007-08-19 09:12 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-19 09:01 8,755 --a------ C:\dnsbak.reg
2007-08-18 16:23 <DIR> d-------- C:\WINDOWS\LastGood
2007-08-18 15:33 <DIR> d-------- C:\DOCUME~1\kevin\APPLIC~1\MailWasherPro
2007-08-18 14:49 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-08-18 14:48 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-08-18 13:06 <DIR> d-------- C:\DOCUME~1\kevin\APPLIC~1\wsInspector
2007-08-18 09:28 1,310,720 --ah----- C:\DOCUME~1\kevin\NTUSER.DAT
2007-08-18 09:26 <DIR> d-------- C:\WINDOWS\Prefetch
2007-08-18 09:15 69,632 --a------ C:\WINDOWS\ALCMTR.EXE
2007-08-18 09:06 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-08-18 09:06 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-08-17 17:33 <DIR> d-------- C:\WINDOWS\pss
2007-08-16 09:35 <DIR> d-------- C:\Program Files\RegScrubXP
2007-08-15 17:33 43,542 --a------ C:\WINDOWS\system32\nnnollk.dll
2007-08-14 20:29 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-08-14 15:17 77,312 --a------ C:\WINDOWS\ua2.dll
2007-08-12 19:08 <DIR> d-------- C:\Program Files\XoftSpySE
2007-08-12 15:54 20,480 --a------ C:\WINDOWS\system32\winbjt32.dll
2007-08-12 15:54 1,536 --a------ C:\lhxfu.exe
2007-08-12 14:40 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-08-12 14:40 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-08-12 14:40 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2007-08-12 14:40 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-08-12 14:40 153,088 --a------ C:\WINDOWS\system32\unrar3.dll
2007-08-12 14:40 <DIR> d-------- C:\DOCUME~1\USER\APPLIC~1\Simply Super Software
2007-08-12 14:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Simply Super Software
2007-08-12 10:58 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-12 10:29 <DIR> d-------- C:\Program Files\Artweaver 0.4
2007-08-12 10:29 <DIR> d-------- C:\DOCUME~1\USER\APPLIC~1\Artweaver
2007-08-12 09:26 164 --a------ C:\install.dat
2007-08-12 09:18 <DIR> d-------- C:\DOCUME~1\USER\APPLIC~1\GetRightToGo
2007-08-12 08:52 <DIR> d-------- C:\ROCHE0410
2007-08-11 17:18 3,966 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-11 17:17 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-11 17:17 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-11 11:25 <DIR> d-------- C:\VundoFix Backups
2007-08-11 07:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-11 07:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-11 07:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-10 22:11 <DIR> d-------- C:\Program Files\InterMute
2007-08-10 22:04 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-10 19:38 <DIR> d-------- C:\WINDOWS\system32\iieldknh
2007-08-10 19:37 <DIR> d-------- C:\Program Files\Ccwfullt
2007-08-10 07:25 <DIR> d-------- C:\Program Files\pwhibevq
2007-08-09 20:16 <DIR> d-------- C:\DOCUME~1\USER\APPLIC~1\Inkscape
2007-08-09 20:15 <DIR> d-------- C:\Program Files\Inkscape
2007-08-04 09:36 <DIR> d--h----- C:\CWDS2Temp
2007-07-31 06:43 <DIR> d-------- C:\Program Files\Veoh Networks
2007-07-28 11:09 <DIR> d-------- C:\DOCUME~1\USER\APPLIC~1\Ulead Systems
2007-07-28 10:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
2007-07-28 10:21 49,152 --a------ C:\WINDOWS\system32\INETWH32.dll
2007-07-28 10:21 1,056,768 --a------ C:\WINDOWS\system32\ROBOEX32.DLL
2007-07-28 10:21 <DIR> d-------- C:\Program Files\Ulead Systems
2007-07-28 10:21 <DIR> d-------- C:\Program Files\Common Files\Ulead Systems
2007-07-28 10:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ulead Systems
2007-07-28 10:14 <DIR> d-------- C:\Program Files\Free Notes & Office Ink
2007-07-28 10:13 93,856 --a------ C:\WINDOWS\RmTablet.exe
2007-07-28 10:13 77,824 --a------ C:\WINDOWS\system32\WINTAB32.DLL
2007-07-28 10:13 77,472 --a------ C:\WINDOWS\system32\Tblfunc.dll
2007-07-28 10:13 73,376 --a------ C:\WINDOWS\system32\Funckey.dll
2007-07-28 10:13 65,184 --a------ C:\WINDOWS\system32\TBLMOUSE.EXE
2007-07-28 10:13 49,152 --a------ C:\WINDOWS\system32\ATWinLog.dll
2007-07-28 10:13 36,864 --a------ C:\WINDOWS\system32\UTBLFILT.DLL
2007-07-28 10:13 22,528 --a------ C:\WINDOWS\system32\drivers\aiptektp.sys
2007-07-28 10:13 1,753,088 --a------ C:\WINDOWS\system32\TblRes.dll
2007-07-28 10:13 <DIR> d-------- C:\WINDOWS\udtablet
2007-07-28 10:13 <DIR> d-------- C:\WINDOWS\calib_da
2007-07-28 10:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tablet
2007-07-28 08:42 <DIR> d-------- C:\DOCUME~1\USER\APPLIC~1\EPSON
2007-07-24 07:48 879,832 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2007-07-24 07:48 108,360 --a------ C:\WINDOWS\system32\drivers\veteboot.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-19 09:29 --------- d-------- C:\Program Files\lg_fwupdate
2007-08-18 15:33 --------- d-------- C:\Program Files\MailWasher
2007-08-17 15:21 --------- d-------- C:\Program Files\Startup Inspector for Windows
2007-08-14 20:29 --------- d-------- C:\Program Files\CA
2007-08-14 15:18 --------- d-------- C:\Program Files\Online Services
2007-08-14 07:45 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-12 20:23 --------- d-------- C:\Program Files\EPSON
2007-08-12 20:19 --------- d-------- C:\Program Files\Ahead
2007-08-12 20:18 --------- d-------- C:\Program Files\ArcSoft
2007-08-12 07:52 --------- d-------- C:\Program Files\CCleaner
2007-08-11 07:20 --------- d-------- C:\Program Files\Lavasoft
2007-08-07 18:21 69632 --a------ C:\WINDOWS\system32\realbap1.dll
2007-08-07 18:21 45568 --a------ C:\WINDOWS\system32\realbsf1.dll
2007-08-06 07:25 --------- d-------- C:\Program Files\Join ME
2007-07-28 10:20 --------- d-------- C:\Program Files\Common Files\InstallShield
2006-12-01 21:20 535 --a------ C:\Program Files\Shortcut to OUTLOOK.EXE.lnk
2004-10-01 15:00 40960 --a------ C:\Program Files\Uninstall_CDS.exe
2001-04-04 18:11 1499904 -ra------ C:\Program Files\INSTMSIW.EXE
2001-04-04 18:11 1489152 -ra------ C:\Program Files\INSTMSI.EXE
2001-03-02 00:38 3485184 -ra------ C:\Program Files\PROPLUS.MSI
2001-03-02 00:35 306688 -ra------ C:\Program Files\OWC10.MSI
2001-03-01 15:35 224771818 -rah----- C:\Program Files\OFFICE1.CAB
2001-02-17 23:35 46496 --a------ C:\Program Files\OUTLOOK.EXE


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D55F78D-57E0-7A56-9975-02E12506D1B4}]
2007-08-10 19:37 106496 --a------ C:\Program Files\Ccwfullt\ktwuwjer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C84D8A0A-E708-42B6-90CA-9C30956A87C6}]
2007-08-15 17:33 43542 --a------ C:\WINDOWS\system32\nnnollk.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 20:04 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-18 12:49]
"EPSON Stylus Photo RX510"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.exe" [2003-09-12 13:00]
"USB2Check"="RUNDLL32.exe" [2006-02-28 22:00 C:\WINDOWS\system32\rundll32.exe]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-14 20:43]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-05-03 07:06]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-04-07 15:34]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 15:40]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2006-02-28 22:00]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2006-02-28 22:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 22:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-02-28 22:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-02-28 22:00]
"nwiz"="nwiz.exe" [2006-07-18 12:49 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-07-18 12:49 C:\WINDOWS\system32\nvmctray.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-18 16:27 C:\WINDOWS\RTHDCPL.EXE]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-08-23 23:38]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 22:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-02 08:20:17]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C84D8A0A-E708-42B6-90CA-9C30956A87C6}"= C:\WINDOWS\system32\nnnollk.dll [2007-08-15 17:33 43542]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnollk]
nnnollk.dll 2007-08-15 17:33 43542 C:\WINDOWS\system32\nnnollk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
"C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN

S1 aiptektp;Pen Pad;C:\WINDOWS\system32\DRIVERS\aiptektp.sys
S3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe"
S3 qcusbser;ZTE USB Device for Legacy Serial Communication;C:\WINDOWS\system32\DRIVERS\ZTEusbser.sys


Contents of the 'Scheduled Tasks' folder
2007-08-14 12:37:21 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as USER at 8 29 PM.job - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
2007-08-18 23:30:35 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe
2007-08-12 07:29:38 C:\WINDOWS\Tasks\XoftSpy.job - C:\Program Files\XoftSpy\XoftSpy.exe
2007-08-18 23:27:42 C:\WINDOWS\Tasks\XoftSpySE 2.job - C:\Program Files\XoftSpySE\XoftSpy.exe
2007-08-12 09:08:40 C:\WINDOWS\Tasks\XoftSpySE.job - C:\Program Files\XoftSpySE\XoftSpy.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-19 09:29:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-19 9:42:48 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-19 09:42

--- E O F ---
................................................................................................................................................................................


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46:09 PM, on 8/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus Photo RX510] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.EXE" /P24 "EPSON Stylus Photo RX510" /O6 "USB001" /M "Stylus Photo RX510"
O4 - HKLM\..\Run: [USB2Check] "RUNDLL32.EXE" "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (Adobe Form Control) - http://www.ato.gov.au/formflow/codebase/FormCtl.cab
O16 - DPF: {224F7DEA-B7C1-11D3-AB40-00902712A5C9} (PLSAddin Class) - http://www.ato.gov.au/formflow/codebase/plsspeller.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1159256529781
O16 - DPF: {CDDCFBB3-4D93-11D2-B1A9-00A0C9B742BE} (Adobe Script Object) - http://www.ato.gov.au/formflow/codebase/scriptobject.cab
O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (Adobe Soft Font Installer) - http://www.ato.gov.au/formflow/codebase/fontinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{073880C3-E854-4A74-B4A9-C14A97D23EE4}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{073880C3-E854-4A74-B4A9-C14A97D23EE4}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{073880C3-E854-4A74-B4A9-C14A97D23EE4}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7015 bytes

#6 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 19 August 2007 - 11:08 AM

Hi,

You posted the same log from Combofix as before. I really need the contents of C:\combofix.txt, not any other combofix text file present there, because they are the previous logs.

#7 bidkev
  • Topic Starter

  • Members
  • 6 posts

Posted 19 August 2007 - 03:58 PM

Oops, sorry about that :thumbsup:

Hope this is the one.

kev



ComboFix 07-08-17.2 - "kevin" 2007-08-19 21:58:06.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.559 [GMT 10:00]
Command switches used :: C:\Documents and Settings\kevin\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\nnnollk.dll
C:\WINDOWS\system32\winbjt32.dll
C:\lhxfu.exe


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\lhxfu.exe
C:\Program Files\Ccwfullt
C:\Program Files\Ccwfullt\ktwuwjer.dll
C:\Program Files\pwhibevq
C:\Program Files\pwhibevq\hypmrwnk.dll
C:\VundoFix Backups
C:\WINDOWS\system32\iieldknh
C:\WINDOWS\system32\iieldknh\bg1.gif
C:\WINDOWS\system32\iieldknh\bgtop.gif
C:\WINDOWS\system32\iieldknh\bottom1.gif
C:\WINDOWS\system32\iieldknh\essentials.gif
C:\WINDOWS\system32\iieldknh\icon1.ico
C:\WINDOWS\system32\iieldknh\install1.gif
C:\WINDOWS\system32\iieldknh\left1.gif
C:\WINDOWS\system32\iieldknh\li.gif
C:\WINDOWS\system32\iieldknh\logo.gif
C:\WINDOWS\system32\iieldknh\main.htm
C:\WINDOWS\system32\iieldknh\mainframe.htm
C:\WINDOWS\system32\iieldknh\reinstall1.gif
C:\WINDOWS\system32\iieldknh\right1.gif
C:\WINDOWS\system32\iieldknh\s1.htm
C:\WINDOWS\system32\iieldknh\s2.htm
C:\WINDOWS\system32\iieldknh\s3.htm
C:\WINDOWS\system32\iieldknh\SMTop1.gif
C:\WINDOWS\system32\iieldknh\SMTop2.gif
C:\WINDOWS\system32\iieldknh\SMTop3.gif
C:\WINDOWS\system32\iieldknh\SMTop4.gif
C:\WINDOWS\system32\iieldknh\soft1_off.gif
C:\WINDOWS\system32\iieldknh\soft1_off_ext.gif
C:\WINDOWS\system32\iieldknh\soft1_on.gif
C:\WINDOWS\system32\iieldknh\soft1_on_ext.gif
C:\WINDOWS\system32\iieldknh\soft2_off.gif
C:\WINDOWS\system32\iieldknh\soft2_off_ext.gif
C:\WINDOWS\system32\iieldknh\soft2_on.gif
C:\WINDOWS\system32\iieldknh\soft2_on_ext.gif
C:\WINDOWS\system32\iieldknh\soft3_off.gif
C:\WINDOWS\system32\iieldknh\soft3_off_ext.gif
C:\WINDOWS\system32\iieldknh\soft3_on.gif
C:\WINDOWS\system32\iieldknh\soft3_on_ext.gif
C:\WINDOWS\system32\iieldknh\softbottom_off.gif
C:\WINDOWS\system32\iieldknh\softbottom_on.gif
C:\WINDOWS\system32\iieldknh\softleft_off.gif
C:\WINDOWS\system32\iieldknh\softleft_on.gif
C:\WINDOWS\system32\iieldknh\top1.gif
C:\WINDOWS\system32\iieldknh\top2.gif
C:\WINDOWS\system32\iieldknh\turnoff1.gif
C:\WINDOWS\system32\iieldknh\turnon1.gif
C:\WINDOWS\system32\nnnollk.dll
C:\WINDOWS\system32\winbjt32.dll


((((((((((((((((((((((((( Files Created from 2007-07-19 to 2007-08-19 )))))))))))))))))))))))))))))))


2007-08-19 17:36 <DIR> d-------- C:\DOCUME~1\kevin\APPLIC~1\ArcSoft
2007-08-19 17:26 <DIR> d-------- C:\DOCUME~1\kevin\APPLIC~1\EPSON
2007-08-19 17:24 <DIR> d-------- C:\DOCUME~1\kevin\APPLIC~1\Smart Panel
2007-08-19 09:12 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-19 09:01 8,755 --a------ C:\dnsbak.reg
2007-08-18 15:33 <DIR> d-------- C:\DOCUME~1\kevin\APPLIC~1\MailWasherPro
2007-08-18 14:49 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-08-18 14:48 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-08-18 13:06 <DIR> d-------- C:\DOCUME~1\kevin\APPLIC~1\wsInspector
2007-08-18 09:28 1,310,720 --ah----- C:\DOCUME~1\kevin\NTUSER.DAT
2007-08-18 09:26 <DIR> d-------- C:\WINDOWS\Prefetch
2007-08-18 09:15 69,632 --a------ C:\WINDOWS\ALCMTR.EXE
2007-08-18 09:06 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-08-18 09:06 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-08-17 17:33 <DIR> d-------- C:\WINDOWS\pss
2007-08-16 09:35 <DIR> d-------- C:\Program Files\RegScrubXP
2007-08-14 20:29 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-08-14 15:17 77,312 --a------ C:\WINDOWS\ua2.dll
2007-08-12 19:08 <DIR> d-------- C:\Program Files\XoftSpySE
2007-08-12 14:40 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-08-12 14:40 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-08-12 14:40 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2007-08-12 14:40 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-08-12 14:40 153,088 --a------ C:\WINDOWS\system32\unrar3.dll
2007-08-12 14:40 <DIR> d-------- C:\DOCUME~1\USER\APPLIC~1\Simply Super Software
2007-08-12 14:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Simply Super Software
2007-08-12 10:58 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-12 10:29 <DIR> d-------- C:\Program Files\Artweaver 0.4
2007-08-12 10:29 <DIR> d-------- C:\DOCUME~1\USER\APPLIC~1\Artweaver
2007-08-12 09:26 164 --a------ C:\install.dat
2007-08-12 09:18 <DIR> d-------- C:\DOCUME~1\USER\APPLIC~1\GetRightToGo
2007-08-12 08:52 <DIR> d-------- C:\ROCHE0410
2007-08-11 17:18 3,966 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-11 17:17 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-11 17:17 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-11 07:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-11 07:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-11 07:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-10 22:11 <DIR> d-------- C:\Program Files\InterMute
2007-08-10 22:04 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-09 20:16 <DIR> d-------- C:\DOCUME~1\USER\APPLIC~1\Inkscape
2007-08-09 20:15 <DIR> d-------- C:\Program Files\Inkscape
2007-08-04 09:36 <DIR> d--h----- C:\CWDS2Temp
2007-07-31 06:43 <DIR> d-------- C:\Program Files\Veoh Networks
2007-07-28 11:09 <DIR> d-------- C:\DOCUME~1\USER\APPLIC~1\Ulead Systems
2007-07-28 10:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
2007-07-28 10:21 49,152 --a------ C:\WINDOWS\system32\INETWH32.dll
2007-07-28 10:21 1,056,768 --a------ C:\WINDOWS\system32\ROBOEX32.DLL
2007-07-28 10:21 <DIR> d-------- C:\Program Files\Ulead Systems
2007-07-28 10:21 <DIR> d-------- C:\Program Files\Common Files\Ulead Systems
2007-07-28 10:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ulead Systems
2007-07-28 10:14 <DIR> d-------- C:\Program Files\Free Notes & Office Ink
2007-07-28 10:13 93,856 --a------ C:\WINDOWS\RmTablet.exe
2007-07-28 10:13 77,824 --a------ C:\WINDOWS\system32\WINTAB32.DLL
2007-07-28 10:13 77,472 --a------ C:\WINDOWS\system32\Tblfunc.dll
2007-07-28 10:13 73,376 --a------ C:\WINDOWS\system32\Funckey.dll
2007-07-28 10:13 65,184 --a------ C:\WINDOWS\system32\TBLMOUSE.EXE
2007-07-28 10:13 49,152 --a------ C:\WINDOWS\system32\ATWinLog.dll
2007-07-28 10:13 36,864 --a------ C:\WINDOWS\system32\UTBLFILT.DLL
2007-07-28 10:13 22,528 --a------ C:\WINDOWS\system32\drivers\aiptektp.sys
2007-07-28 10:13 1,753,088 --a------ C:\WINDOWS\system32\TblRes.dll
2007-07-28 10:13 <DIR> d-------- C:\WINDOWS\udtablet
2007-07-28 10:13 <DIR> d-------- C:\WINDOWS\calib_da
2007-07-28 10:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tablet
2007-07-28 08:42 <DIR> d-------- C:\DOCUME~1\USER\APPLIC~1\EPSON
2007-07-24 07:48 879,832 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2007-07-24 07:48 108,360 --a------ C:\WINDOWS\system32\drivers\veteboot.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-19 22:17 --------- d-------- C:\Program Files\lg_fwupdate
2007-08-19 17:26 --------- d-------- C:\Program Files\Smart Panel
2007-08-18 15:33 --------- d-------- C:\Program Files\MailWasher
2007-08-17 15:21 --------- d-------- C:\Program Files\Startup Inspector for Windows
2007-08-14 20:29 --------- d-------- C:\Program Files\CA
2007-08-14 15:18 --------- d-------- C:\Program Files\Online Services
2007-08-14 07:45 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-12 20:23 --------- d-------- C:\Program Files\EPSON
2007-08-12 20:19 --------- d-------- C:\Program Files\Ahead
2007-08-12 20:18 --------- d-------- C:\Program Files\ArcSoft
2007-08-12 07:52 --------- d-------- C:\Program Files\CCleaner
2007-08-11 07:20 --------- d-------- C:\Program Files\Lavasoft
2007-08-07 18:21 69632 --a------ C:\WINDOWS\system32\realbap1.dll
2007-08-07 18:21 45568 --a------ C:\WINDOWS\system32\realbsf1.dll
2007-08-06 07:25 --------- d-------- C:\Program Files\Join ME
2007-07-28 10:20 --------- d-------- C:\Program Files\Common Files\InstallShield
2006-12-01 21:20 535 --a------ C:\Program Files\Shortcut to OUTLOOK.EXE.lnk
2004-10-01 15:00 40960 --a------ C:\Program Files\Uninstall_CDS.exe
2001-04-04 18:11 1499904 -ra------ C:\Program Files\INSTMSIW.EXE
2001-04-04 18:11 1489152 -ra------ C:\Program Files\INSTMSI.EXE
2001-03-02 00:38 3485184 -ra------ C:\Program Files\PROPLUS.MSI
2001-03-02 00:35 306688 -ra------ C:\Program Files\OWC10.MSI
2001-03-01 15:35 224771818 -rah----- C:\Program Files\OFFICE1.CAB
2001-02-17 23:35 46496 --a------ C:\Program Files\OUTLOOK.EXE


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 20:04 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-18 12:49]
"EPSON Stylus Photo RX510"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.exe" [2003-09-12 13:00]
"USB2Check"="RUNDLL32.exe" [2006-02-28 22:00 C:\WINDOWS\system32\rundll32.exe]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-14 20:43]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-05-03 07:06]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-04-07 15:34]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 15:40]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2006-02-28 22:00]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2006-02-28 22:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 22:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-02-28 22:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-02-28 22:00]
"nwiz"="nwiz.exe" [2006-07-18 12:49 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-07-18 12:49 C:\WINDOWS\system32\nvmctray.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-18 16:27 C:\WINDOWS\RTHDCPL.EXE]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-08-23 23:38]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 22:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-02 08:20:17]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
"C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN

S1 aiptektp;Pen Pad;C:\WINDOWS\system32\DRIVERS\aiptektp.sys
S3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe"
S3 qcusbser;ZTE USB Device for Legacy Serial Communication;C:\WINDOWS\system32\DRIVERS\ZTEusbser.sys


Contents of the 'Scheduled Tasks' folder
2007-08-14 12:37:21 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as USER at 8 29 PM.job - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
2007-08-19 12:15:47 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe
2007-08-12 07:29:38 C:\WINDOWS\Tasks\XoftSpy.job - C:\Program Files\XoftSpy\XoftSpy.exe
2007-08-19 12:16:04 C:\WINDOWS\Tasks\XoftSpySE 2.job - C:\Program Files\XoftSpySE\XoftSpy.exe
2007-08-12 09:08:40 C:\WINDOWS\Tasks\XoftSpySE.job - C:\Program Files\XoftSpySE\XoftSpy.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-19 22:17:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-19 22:30:41 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-19 22:30
C:\ComboFix2.txt ... 2007-08-19 09:42

--- E O F ---

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:04:39 PM

Posted 19 August 2007 - 11:29 PM

Hi,

Delete the C:\Qoobox folder...

Your logs look clean again.
Let me know in your next reply how things are now...
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 bidkev

bidkev
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:39 AM

Posted 21 August 2007 - 04:23 AM

Hi,

Delete the C:\Qoobox folder...

Your logs look clean again.
Let me know in your next reply how things are now...


Things seem back to normal now, thank you very much, although it still won't allow the Windows updates that disappeared when I reloaded Windows. They are still on my task bar but won't load into Windows.

kev

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:04:39 PM

Posted 21 August 2007 - 06:16 AM

Hi,

Just go to the Windows update site and download the updates from there..
To do this, go to start > all programs > Windows Updates.
This will open the Windows updates pages. Download and install all updates from there.
Then reboot afterwards.

Also make sure your firewall isn't interfering with the updates.

#11 bidkev

bidkev
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:39 AM

Posted 21 August 2007 - 07:15 AM

Hi,

Just go to the Windows update site and download the updates from there..
To do this, go to start > all programs > Windows Updates.
This will open the Windows updates pages. Download and install all updates from there.
Then reboot afterwards.

Also make sure your firewall isn't interfering with the updates.


Hi,

It's done. :thumbsup: Once again, thanks for your help.

kev

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:04:39 PM

Posted 21 August 2007 - 08:01 AM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!

#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:04:39 PM

Posted 22 August 2007 - 05:22 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.