
Trojans Virtumonde, Generic5, Clicker, Yazzle



#1 harryp

Posted 20 August 2007 - 10:32 AM

Hello

Never had this happen before, so I'm not sure what to do. I've been having some pop-ups and various programmes trying to scan my computer. I have ZoneAlarm, Spybot, AVG, ComboFix, HijackThis and Ad-Aware working to try and solve the problem, but it still isn't resolved yet. I was recommended these programmes, so I hope they are good ones to use.


My HijackThis report:

Scan saved at 16:27, on 2007-08-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\ASUS DH Remote\AsRc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\ASUS\ASUS DH Remote\AsDhRemote.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJackThis_v2.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\System32\svchost.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {803BC0E7-779C-4520-8367-491DC99CD861} - C:\WINDOWS\system32\pmnnk.dll
O2 - BHO: (no name) - {8DC13F33-719B-46C9-A590-6FA097E0570F} - C:\WINDOWS\system32\hggfcdd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - C:\WINDOWS\system32\opnnnmm.dll (file missing)
O2 - BHO: (no name) - {CF350603-0DEA-40F4-9B0D-A5F1A00289B1} - C:\WINDOWS\system32\vtsqq.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [Ai Quicker Help] "C:\Program Files\ASUS\ASUS DH Remote\AsRc.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: hggfcdd - C:\WINDOWS\SYSTEM32\hggfcdd.dll
O20 - Winlogon Notify: opnnnmm - opnnnmm.dll (file missing)
O20 - Winlogon Notify: pmnnk - C:\WINDOWS\system32\pmnnk.dll
O20 - Winlogon Notify: vtsqq - C:\WINDOWS\system32\vtsqq.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Wireless Adapter Configurator - Unknown owner - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe

My ComboFix log. It seems to have picked up on Yazzle, but I'm not sure if it's completely gone yet.


Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1519 [GMT 1:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\WINDOWS\system32\winopn32.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\npf


((((((((((((((((((((((((( Files Created from 2007-07-20 to 2007-08-20 )))))))))))))))))))))))))))))))


2007-08-20 15:00 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-20 15:00 1,424,812 --a------ C:\Program Files\ComboFix.exe
2007-08-20 14:19 94,720 --a------ C:\WINDOWS\system32\drvhuj.dll
2007-08-20 14:19 43,542 --a------ C:\WINDOWS\system32\hggfcdd.dll
2007-08-20 14:19 15,360 --a------ C:\WINDOWS\system32\drvhujr.dll
2007-08-20 13:43 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-08-19 12:52 94,720 --a------ C:\WINDOWS\system32\drvval.dll
2007-08-19 12:52 43,542 --a------ C:\WINDOWS\system32\urqqooo.dll
2007-08-19 12:52 15,360 --a------ C:\WINDOWS\system32\drvvalr.dll
2007-08-19 12:50 <DIR> d-------- C:\DOCUME~1\Rebecca\APPLIC~1\Google
2007-08-19 12:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-08-19 12:49 878,224 --a------ C:\Program Files\Google Updater.exe
2007-08-19 12:49 <DIR> d-------- C:\Program Files\Google
2007-08-19 12:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-08-19 12:42 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-08-19 12:35 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-08-19 12:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-08-19 12:05 111,616 --a------ C:\VundoFix.exe
2007-08-19 12:05 <DIR> d-------- C:\VundoFix Backups
2007-08-19 11:21 94,720 --a------ C:\WINDOWS\system32\drvjiv.dll
2007-08-19 11:21 15,360 --a------ C:\WINDOWS\system32\drvjivr.dll
2007-08-19 11:20 43,542 --a------ C:\WINDOWS\system32\byxyvvt.dll
2007-08-19 00:48 15,360 --a------ C:\WINDOWS\system32\drvlewr.dll
2007-08-19 00:47 43,542 --a------ C:\WINDOWS\system32\nnnmnml.dll
2007-08-18 13:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-16 22:19 2,720,456 --a------ C:\Program Files\ccsetup141.exe
2007-08-16 18:35 <DIR> d-------- C:\DOCUME~1\Rebecca\APPLIC~1\Jasc
2007-08-12 22:46 <DIR> d-------- C:\DOCUME~1\Rebecca\APPLIC~1\TSO
2007-08-12 19:21 <DIR> d-------- C:\Program Files\DSA Theory Test
2007-08-08 15:12 <DIR> d-------- C:\DOCUME~1\Rebecca\APPLIC~1\OpenOffice.org2
2007-08-08 15:11 <DIR> d-------- C:\Program Files\OpenOffice.org 2.2
2007-08-08 15:10 <DIR> d-------- C:\Program Files\OpenOffice.org 2.2 Installation Files
2007-08-08 14:52 114,006,347 --a------ C:\Program Files\OOo_2.2.1_Win32Intel_install_wJRE_en-US.exe
2007-08-04 15:01 192,512 --a------ C:\WINDOWS\InZU31.exe
2007-08-04 15:01 15,172 --a------ C:\WINDOWS\system32\drivers\PzWDM.sys
2007-08-04 15:01 <DIR> d-------- C:\Program Files\ONES Trial (E)
2007-08-04 14:00 43 --a------ C:\RUNME.bat
2007-08-04 13:41 <DIR> d-------- C:\Program Files\AskTBar
2007-08-04 12:21 <DIR> d-------- C:\New Folder
2007-08-04 10:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-08-04 10:39 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-08-04 10:32 5,248 --a------ C:\WINDOWS\system32\drivers\Vax347s.sys
2007-08-04 10:32 159,616 --a------ C:\WINDOWS\system32\drivers\Vax347b.sys
2007-08-04 10:32 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-07-27 00:06 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-27 00:06 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-27 00:06 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-27 00:06 144,704 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-07-27 00:06 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-27 00:03 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-27 00:03 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-27 00:03 81,920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-27 00:03 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-27 00:03 740,442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-27 00:03 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-27 00:03 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-27 00:03 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-27 00:03 344,064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-27 00:03 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-27 00:03 294,912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-27 00:03 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-27 00:03 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-20 14:58 7787 --a------ C:\Program Files\hijackthis.log
2007-08-20 14:14 8704 --ahs---- C:\Program Files\Thumbs.db
2007-08-16 22:47 --------- d-------- C:\Program Files\Google Toolbar
2007-08-12 19:23 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-09 11:20 --------- d-------- C:\Program Files\SpeedFan
2007-08-09 01:19 --------- d-------- C:\DOCUME~1\Rebecca\APPLIC~1\uTorrent
2007-08-04 14:41 --------- d-------- C:\Program Files\u
2007-07-31 00:17 --------- d-------- C:\Program Files\DivX
2007-07-30 17:16 224048 --a------ C:\Program Files\utorrent.exe
2007-07-27 00:06 43528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-07-27 00:06 129784 --a------ C:\WINDOWS\system32\pxafs.dll
2007-07-27 00:06 120056 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2007-07-27 00:06 118520 --a------ C:\WINDOWS\system32\pxinsi64.exe
2007-07-18 22:30 --------- d-------- C:\DOCUME~1\Rebecca\APPLIC~1\MetaProducts
2007-07-14 01:33 --------- d-------- C:\Program Files\Last.fm
2007-07-03 11:35 --------- d-------- C:\Program Files\Winamp
2007-07-03 06:38 22186192 --a------ C:\Program Files\DivXInstaller.exe
2007-07-02 22:06 4363872 --a------ C:\Program Files\DivXWebPlayerInstaller.exe
2007-07-02 20:41 2560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-06-26 13:01 --------- d-------- C:\DOCUME~1\Rebecca\APPLIC~1\SlySoft
2007-06-26 07:06 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-23 15:13 1781784 --a------ C:\Program Files\SetupAnyDVD6165.exe
2007-06-22 14:54 99904 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-06-20 22:08 93128 --a------ C:\WINDOWS\system32\ElbyCDIO.dll
2007-06-19 14:37 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-17 18:27 5087768 --a------ C:\Program Files\icsetup.exe
2007-06-13 12:26 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 10:48 882489 --a------ C:\Program Files\pg2-050918-nt.exe
2007-06-13 10:48 1119484 --a------ C:\Program Files\pg2-050918-x64.exe
2007-06-10 14:31 2719216 --a------ C:\Program Files\ccsetup140.exe
2007-06-04 12:56 1163592 --a------ C:\Program Files\install_flash_player.exe
2007-05-14 22:17 20006472 --a------ C:\Program Files\QuickTimeInstaller.exe
2007-05-13 13:05 2714784 --a------ C:\Program Files\ccsetup139.exe
2007-04-24 21:15 760708 --a------ C:\Program Files\ac3filter_1_11.exe
2007-04-24 13:19 4322304 --a------ C:\Program Files\aawsepersonal.exe
2007-04-20 13:12 6448349 --a------ C:\Program Files\realalt152.exe
2007-04-05 12:04 719240 --a------ C:\Program Files\WindowsXP-KB935448-x86-ENU.exe
2007-04-04 19:40 184168776 --a------ C:\Program Files\Nero-7.8.5.0_eng_trial.exe
2007-04-02 16:17 2685104 --a------ C:\Program Files\ccsetup138.exe
2007-04-01 22:21 83043496 --a------ C:\Program Files\PowerDVD_Trial.exe
2007-03-30 21:27 2126396 --a------ C:\Program Files\ac3filter_1_30b.zip
2007-03-30 20:23 19169009 --a------ C:\Program Files\Cole2k.Media.-.Codec.Pack.V6.0.9.-Advanced-.32Bit.Setup.exe
2007-03-30 20:18 80020 --a------ C:\Program Files\ac3file_0_4b.exe
2007-03-30 12:00 40738456 --a------ C:\Program Files\zlsSetup_70_337_000_en.exe
2007-03-27 13:15 2139213 --a------ C:\Program Files\ac3filter_1_30b.exe
2007-03-25 16:08 2951802 --a------ C:\Program Files\EClea2_0.exe
2007-03-18 01:54 1988088 --a------ C:\Program Files\GPassInstall.exe
2007-03-11 21:16 110592 --a------ C:\Program Files\fe.exe
2007-03-08 10:03 1308216 --a------ C:\Program Files\HiJackThis_v2.exe
2007-03-02 21:24 72950 --a------ C:\Program Files\installer.exe
2007-03-02 20:21 6718976 --a------ C:\Program Files\winamp533_full_emusic-7plus.exe
2007-02-17 23:39 9895199 --a------ C:\Program Files\VeohSetup-3.1.0.1067.exe
2007-02-14 13:49 21822168 --a------ C:\Program Files\AdbeRdr80_en_US.exe
2007-02-14 13:48 7050552 --a------ C:\Program Files\psa30se_en_us.exe
2007-02-03 13:05 3782589 --a------ C:\Program Files\LastFM_Win_1.1.3.0.exe
2007-01-31 00:10 3161845 --a------ C:\Program Files\mp3-to-mp3.exe
2007-01-03 00:48 38201 --a------ C:\Program Files\uninstall.exe
2006-12-27 18:11 2599088 --a------ C:\Program Files\Shockwave_Installer_Slim.exe
2006-12-23 14:23 13714856 --a------ C:\Program Files\zlsSetup_65_737_000_en.exe
2006-12-23 13:57 13707688 --a------ C:\Program Files\zlsSetup_65_722_000_en.exe
2006-12-23 13:43 12252367 --a------ C:\Program Files\AVG7QT.DAT
2006-12-23 13:38 17674296 --a------ C:\Program Files\avg75free_432a861.exe
2006-12-22 02:36 23510720 --a------ C:\Program Files\dotnetfx.exe
2006-12-22 02:32 36321776 --a------ C:\Program Files\278.exe
2006-12-04 21:58 5900416 --a------ C:\Program Files\Firefox Setup 2.0.exe
2006-11-23 21:49 6653000 --a------ C:\Program Files\winamp532_full_emusic-7plus.exe
2006-10-31 21:03 3195563 --a------ C:\Program Files\LastFM_Win_1.0.7_en.exe
2006-10-21 02:00 2838528 --a------ C:\Program Files\fraps.exe
2006-10-21 02:00 110592 --a------ C:\Program Files\fraps.dll
2006-10-21 01:59 122880 --a------ C:\Program Files\frapslcd.dll
2006-10-21 01:56 56320 --a------ C:\Program Files\fraps64.dll
2006-10-21 01:56 293376 --a------ C:\Program Files\fraps64.dat
2006-10-21 01:26 1859 --a------ C:\Program Files\README.HTM
2006-10-20 15:32 10765 --a------ C:\Program Files\changes.txt
2006-05-04 19:43 38379746 --a------ C:\Program Files\powerdvd-7_Multi.exe
2006-04-29 20:46 179 --a------ C:\Program Files\Free-Codecs.txt
2006-01-16 16:48 28 --a------ C:\Program Files\Studio 8 Serial.txt
2005-11-10 12:15 5790379 --a------ C:\Program Files\ac3decoder_install.exe
2005-10-31 16:56 700416 --a------ C:\Program Files\StubInstaller.exe
2005-10-26 13:48 777 --a------ C:\Program Files\trial_setup.ini
2002-06-29 22:12 8244 --a------ C:\Program Files\LICENSE.TXT
2002-06-29 22:11 272 --a------ C:\Program Files\FILE_ID.DIZ
2004-07-13 04:05:58 2,282 --sha-w C:\WINDOWS\system32\Dap\Secure.bat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8DC13F33-719B-46C9-A590-6FA097E0570F}]
2007-08-20 14:19 43542 --a------ C:\WINDOWS\system32\hggfcdd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C84D8A0A-E708-42B6-90CA-9C30956A87C6}]
C:\WINDOWS\system32\opnnnmm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF350603-0DEA-40F4-9B0D-A5F1A00289B1}]
C:\WINDOWS\system32\vtsqq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 08:34 C:\WINDOWS\RTHDCPL.exe]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-06-29 03:07]
"Ai Quicker Help"="C:\Program Files\ASUS\ASUS DH Remote\AsRc.exe" [2006-07-19 10:52]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 10:12]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-08-16 23:21]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-08-08 15:10]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-06-23 12:13]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-19 12:49]

C:\Documents and Settings\Rebecca\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 17:54:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ASUS WiFi-AP Solo.lnk - C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe [2006-12-22 01:08:00]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-08-19 12:49:50]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-07-01 21:11:38]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C84D8A0A-E708-42B6-90CA-9C30956A87C6}"= C:\WINDOWS\system32\opnnnmm.dll [ ]
"{8DC13F33-719B-46C9-A590-6FA097E0570F}"= C:\WINDOWS\system32\hggfcdd.dll [2007-08-20 14:19 43542]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggfcdd]
hggfcdd.dll 2007-08-20 14:19 43542 C:\WINDOWS\system32\hggfcdd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnnmm]
opnnnmm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsqq]
C:\WINDOWS\system32\vtsqq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Rebecca^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Rebecca\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
"C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Valve\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

R0 JGOGO;JMicron Hot-Plug Driver;C:\WINDOWS\system32\DRIVERS\JGOGO.sys
R0 JRAID;JRAID;C:\WINDOWS\system32\DRIVERS\jraid.sys
R0 PzWDM;PzWDM;C:\WINDOWS\system32\Drivers\PzWDM.sys
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187.sys
R3 SjyPkt;SjyPkt;\??\C:\WINDOWS\System32\Drivers\SjyPkt.sys
S3 ASPI;Advanced SCSI Programming Interface Driver;\??\C:\WINDOWS\System32\DRIVERS\ASPI32.sys


Contents of the 'Scheduled Tasks' folder
2007-08-17 09:55:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


Hope all that helps. I don't really know the significance of any of it. :thumbsup:

Thanks


#2 RichieUK

  • Malware Response Team

Posted 20 August 2007 - 06:44 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, harryp :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Copy and paste ALL the following blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\system32\drvhuj.dll
C:\WINDOWS\system32\hggfcdd.dll
C:\WINDOWS\system32\drvhujr.dll
C:\WINDOWS\system32\drvval.dll
C:\WINDOWS\system32\urqqooo.dll
C:\WINDOWS\system32\drvvalr.dll
C:\WINDOWS\system32\drvjiv.dll
C:\WINDOWS\system32\drvjivr.dll
C:\WINDOWS\system32\byxyvvt.dll
C:\WINDOWS\system32\drvlewr.dll
C:\WINDOWS\system32\nnnmnml.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8DC13F33-719B-46C9-A590-6FA097E0570F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C84D8A0A-E708-42B6-90CA-9C30956A87C6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF350603-0DEA-40F4-9B0D-A5F1A00289B1}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C84D8A0A-E708-42B6-90CA-9C30956A87C6}"=-
"{8DC13F33-719B-46C9-A590-6FA097E0570F}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggfcdd]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnnmm]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsqq]

Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.
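The two logs above and the CFScript that Richie built from them show the whole Vundo/Virtumonde pattern: the same DLL registered as a nameless BHO (O2), a Winlogon Notify package (O20) and a ShellExecuteHook, plus the same three byte sizes (94,720 / 43,542 / 15,360) re-dropped under random names in system32 every day. The script below is an added example, not code from either poster or from HijackThis or ComboFix: it parses those log lines (the samples are constructed from the logs above), flags DLLs that are hooked into more than one autostart class, clusters the created files by size, and drafts the `File::` / `Registry::` CFScript in the format used in this thread. The two heuristics and the regexes are this example's own assumptions, not the tools' logic.

```python
"""Triage HijackThis / ComboFix logs for Vundo-style persistence and draft a CFScript.
Added example for this thread, not the posters' or the tools' own code. HJT_SAMPLE and
CF_SAMPLE are constructed from the logs above; the heuristics are this example's own."""
import re
from collections import defaultdict

HJT_SAMPLE = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {803BC0E7-779C-4520-8367-491DC99CD861} - C:\WINDOWS\system32\pmnnk.dll
O2 - BHO: (no name) - {8DC13F33-719B-46C9-A590-6FA097E0570F} - C:\WINDOWS\system32\hggfcdd.dll
O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - C:\WINDOWS\system32\opnnnmm.dll (file missing)
O2 - BHO: (no name) - {CF350603-0DEA-40F4-9B0D-A5F1A00289B1} - C:\WINDOWS\system32\vtsqq.dll (file missing)
O20 - Winlogon Notify: hggfcdd - C:\WINDOWS\SYSTEM32\hggfcdd.dll
O20 - Winlogon Notify: opnnnmm - opnnnmm.dll (file missing)
O20 - Winlogon Notify: pmnnk - C:\WINDOWS\system32\pmnnk.dll
O20 - Winlogon Notify: vtsqq - C:\WINDOWS\system32\vtsqq.dll (file missing)
"""
CF_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C84D8A0A-E708-42B6-90CA-9C30956A87C6}"= C:\WINDOWS\system32\opnnnmm.dll [ ]
"{8DC13F33-719B-46C9-A590-6FA097E0570F}"= C:\WINDOWS\system32\hggfcdd.dll [2007-08-20 14:19 43542]
2007-08-20 15:16 298,080 --a------ C:\WINDOWS\system32\pmnnk.dll
2007-08-20 14:19 94,720 --a------ C:\WINDOWS\system32\drvhuj.dll
2007-08-20 14:19 43,542 --a------ C:\WINDOWS\system32\hggfcdd.dll
2007-08-20 14:19 15,360 --a------ C:\WINDOWS\system32\drvhujr.dll
2007-08-19 12:52 94,720 --a------ C:\WINDOWS\system32\drvval.dll
2007-08-19 12:52 43,542 --a------ C:\WINDOWS\system32\urqqooo.dll
2007-08-19 12:52 15,360 --a------ C:\WINDOWS\system32\drvvalr.dll
2007-08-19 11:21 94,720 --a------ C:\WINDOWS\system32\drvjiv.dll
2007-08-19 11:21 15,360 --a------ C:\WINDOWS\system32\drvjivr.dll
2007-08-19 11:20 43,542 --a------ C:\WINDOWS\system32\byxyvvt.dll
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
HOOK_RE = re.compile(r'^"(?P<clsid>\{[0-9A-Fa-f-]+\})"= (?P<path>\S+)')
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d (?P<size>[\d,]+) \S+ (?P<path>.+)$")

def dll_name(path):
    """Lower-cased base name; HijackThis prints bare names for missing files."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def collect_autostarts(hjt_text, cf_text):
    """Index BHO, Winlogon Notify and ShellExecuteHook registrations by DLL name."""
    entries = defaultdict(lambda: {"classes": set(), "clsids": set(), "hook_clsids": set(),
                                   "notify_keys": set(), "paths": set(), "missing": False, "named": False})
    def note(cls, m, **extra):
        e = entries[dll_name(m["path"])]
        e["classes"].add(cls)
        e["paths"].add(m["path"])
        e["missing"] |= bool(m.groupdict().get("missing"))
        e["named"] |= m.groupdict().get("name", "(no name)") != "(no name)"
        for field, value in extra.items():
            e[field].add(value)
    for line in hjt_text.splitlines():
        if m := BHO_RE.match(line):
            note("BHO", m, clsids=m["clsid"])
        elif m := NOTIFY_RE.match(line):
            note("WinlogonNotify", m, notify_keys=m["key"])
    for line in cf_text.splitlines():
        if m := HOOK_RE.match(line):
            note("ShellExecuteHook", m, hook_clsids=m["clsid"])
    return entries

def flag_suspicious(entries):
    """Nameless DLL hooked into two or more autostart classes: the Vundo pattern seen above.
    Spybot's SDHelper.dll is also a '(no name)' BHO, but is registered nowhere else."""
    return {d: e for d, e in entries.items() if not e["named"] and len(e["classes"]) >= 2}

def repeated_drops(cf_text, min_count=3):
    """Group system32 'Files Created' entries by byte size: one size under several
    random names is the same payload re-dropped (94,720 / 43,542 / 15,360 above)."""
    by_size = defaultdict(list)
    for m in filter(None, map(FILE_RE.match, cf_text.splitlines())):
        if "system32" in m["path"].lower():
            by_size[int(m["size"].replace(",", ""))].append(m["path"])
    return {size: paths for size, paths in by_size.items() if len(paths) >= min_count}

def build_cfscript(flagged, drops):
    """Draft the CFScript format used above: File:: paths to delete; under Registry::,
    [-key] deletes a key and "value"=- deletes a value. Review it before running it."""
    files = {p.lower(): p for ps in drops.values() for p in ps}
    for e in flagged.values():
        if not e["missing"]:                   # '(file missing)': nothing on disk to delete
            files.update({p.lower(): p for p in e["paths"] if "\\" in p})
    out = ["File::", *sorted(files.values(), key=str.lower), "Registry::"]
    bho = "[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\%s]"
    notify = "[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\%s]"
    out += [bho % c for d in sorted(flagged) for c in sorted(flagged[d]["clsids"])]
    hooks = sorted(c for e in flagged.values() for c in e["hook_clsids"])
    if hooks:
        out.append("[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks]")
        out += ['"%s"=-' % c for c in hooks]
    out += [notify % k for d in sorted(flagged) for k in sorted(flagged[d]["notify_keys"])]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    flagged = flag_suspicious(collect_autostarts(HJT_SAMPLE, CF_SAMPLE))
    print(build_cfscript(flagged, repeated_drops(CF_SAMPLE)))
```

Run against these samples the draft reproduces Richie's script (the eleven size-clustered drops, the three BHO keys, the two ShellExecuteHooks values and the four Winlogon Notify keys) and adds one file he could not see: `pmnnk.dll`, which the second ComboFix log shows was created at 15:16, after the first ComboFix run and before the HijackThis scan, alongside `knnmp.bak1` (its own name spelled backwards). That is the practical point of the cross-check: a `(file missing)` entry is a stale registration to delete, but a DLL that is present in HijackThis and absent from the ComboFix you ran an hour earlier is a fresh re-drop, so a fix script built from a single old log will miss it. The output is a draft for a human to review, not something to drop onto ComboFix unread.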

#3 harryp


Posted 20 August 2007 - 08:00 PM

Hi Richie

Thanks for the help.

ComboFix log:

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1553 [GMT 1:00]
Command switches used :: C:\Documents and Settings\Rebecca\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\drvhuj.dll
C:\WINDOWS\system32\hggfcdd.dll
C:\WINDOWS\system32\drvhujr.dll
C:\WINDOWS\system32\drvval.dll
C:\WINDOWS\system32\urqqooo.dll
C:\WINDOWS\system32\drvvalr.dll
C:\WINDOWS\system32\drvjiv.dll
C:\WINDOWS\system32\drvjivr.dll
C:\WINDOWS\system32\byxyvvt.dll
C:\WINDOWS\system32\drvlewr.dll
C:\WINDOWS\system32\nnnmnml.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\byxyvvt.dll
C:\WINDOWS\system32\drvhuj.dll
C:\WINDOWS\system32\drvhujr.dll
C:\WINDOWS\system32\drvjiv.dll
C:\WINDOWS\system32\drvjivr.dll
C:\WINDOWS\system32\drvlewr.dll
C:\WINDOWS\system32\drvval.dll
C:\WINDOWS\system32\drvvalr.dll
C:\WINDOWS\system32\hggfcdd.dll
C:\WINDOWS\system32\nnnmnml.dll
C:\WINDOWS\system32\urqqooo.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\npf


((((((((((((((((((((((((( Files Created from 2007-07-21 to 2007-08-21 )))))))))))))))))))))))))))))))


2007-08-20 15:16 6,513 --ahs---- C:\WINDOWS\system32\knnmp.bak1
2007-08-20 15:16 298,080 --a------ C:\WINDOWS\system32\pmnnk.dll
2007-08-20 15:00 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-20 15:00 1,424,812 --a------ C:\Program Files\ComboFix.exe
2007-08-20 13:43 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-08-19 12:50 <DIR> d-------- C:\DOCUME~1\Rebecca\APPLIC~1\Google
2007-08-19 12:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-08-19 12:49 878,224 --a------ C:\Program Files\Google Updater.exe
2007-08-19 12:49 <DIR> d-------- C:\Program Files\Google
2007-08-19 12:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-08-19 12:42 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-08-19 12:35 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-08-19 12:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-08-19 12:05 111,616 --a------ C:\VundoFix.exe
2007-08-19 12:05 <DIR> d-------- C:\VundoFix Backups
2007-08-18 13:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-16 22:19 2,720,456 --a------ C:\Program Files\ccsetup141.exe
2007-08-16 18:35 <DIR> d-------- C:\DOCUME~1\Rebecca\APPLIC~1\Jasc
2007-08-12 22:46 <DIR> d-------- C:\DOCUME~1\Rebecca\APPLIC~1\TSO
2007-08-12 19:21 <DIR> d-------- C:\Program Files\DSA Theory Test
2007-08-08 15:12 <DIR> d-------- C:\DOCUME~1\Rebecca\APPLIC~1\OpenOffice.org2
2007-08-08 15:11 <DIR> d-------- C:\Program Files\OpenOffice.org 2.2
2007-08-08 15:10 <DIR> d-------- C:\Program Files\OpenOffice.org 2.2 Installation Files
2007-08-08 14:52 114,006,347 --a------ C:\Program Files\OOo_2.2.1_Win32Intel_install_wJRE_en-US.exe
2007-08-04 15:01 192,512 --a------ C:\WINDOWS\InZU31.exe
2007-08-04 15:01 15,172 --a------ C:\WINDOWS\system32\drivers\PzWDM.sys
2007-08-04 15:01 <DIR> d-------- C:\Program Files\ONES Trial (E)
2007-08-04 14:00 43 --a------ C:\RUNME.bat
2007-08-04 13:41 <DIR> d-------- C:\Program Files\AskTBar
2007-08-04 12:21 <DIR> d-------- C:\New Folder
2007-08-04 10:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-08-04 10:39 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-08-04 10:32 5,248 --a------ C:\WINDOWS\system32\drivers\Vax347s.sys
2007-08-04 10:32 159,616 --a------ C:\WINDOWS\system32\drivers\Vax347b.sys
2007-08-04 10:32 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-07-27 00:06 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-27 00:06 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-27 00:06 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-27 00:06 144,704 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-07-27 00:06 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-27 00:03 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-27 00:03 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-27 00:03 81,920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-27 00:03 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-27 00:03 740,442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-27 00:03 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-27 00:03 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-27 00:03 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-27 00:03 344,064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-27 00:03 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-27 00:03 294,912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-27 00:03 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-27 00:03 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-20 16:27 7763 --a------ C:\Program Files\hijackthis.log
2007-08-20 15:29 8704 --ahs---- C:\Program Files\Thumbs.db
2007-08-16 22:47 --------- d-------- C:\Program Files\Google Toolbar
2007-08-12 19:23 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-09 11:20 --------- d-------- C:\Program Files\SpeedFan
2007-08-04 14:41 --------- d-------- C:\Program Files\u
2007-07-31 00:17 --------- d-------- C:\Program Files\DivX
2007-07-30 17:16 224048 --a------ C:\Program Files\utorrent.exe
2007-07-27 00:06 43528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-07-27 00:06 129784 --a------ C:\WINDOWS\system32\pxafs.dll
2007-07-27 00:06 120056 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2007-07-27 00:06 118520 --a------ C:\WINDOWS\system32\pxinsi64.exe
2007-07-18 22:30 --------- d-------- C:\DOCUME~1\Rebecca\APPLIC~1\MetaProducts
2007-07-14 01:33 --------- d-------- C:\Program Files\Last.fm
2007-07-03 11:35 --------- d-------- C:\Program Files\Winamp
2007-07-03 06:38 22186192 --a------ C:\Program Files\DivXInstaller.exe
2007-07-02 22:06 4363872 --a------ C:\Program Files\DivXWebPlayerInstaller.exe
2007-07-02 20:41 2560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-06-26 13:01 --------- d-------- C:\DOCUME~1\Rebecca\APPLIC~1\SlySoft
2007-06-26 07:06 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-23 15:13 1781784 --a------ C:\Program Files\SetupAnyDVD6165.exe
2007-06-22 14:54 99904 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-06-20 22:08 93128 --a------ C:\WINDOWS\system32\ElbyCDIO.dll
2007-06-19 14:37 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-17 18:27 5087768 --a------ C:\Program Files\icsetup.exe
2007-06-13 12:26 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 10:48 882489 --a------ C:\Program Files\pg2-050918-nt.exe
2007-06-13 10:48 1119484 --a------ C:\Program Files\pg2-050918-x64.exe
2007-06-10 14:31 2719216 --a------ C:\Program Files\ccsetup140.exe
2007-06-04 12:56 1163592 --a------ C:\Program Files\install_flash_player.exe
2007-05-14 22:17 20006472 --a------ C:\Program Files\QuickTimeInstaller.exe
2007-05-13 13:05 2714784 --a------ C:\Program Files\ccsetup139.exe
2007-04-24 21:15 760708 --a------ C:\Program Files\ac3filter_1_11.exe
2007-04-24 13:19 4322304 --a------ C:\Program Files\aawsepersonal.exe
2007-04-20 13:12 6448349 --a------ C:\Program Files\realalt152.exe
2007-04-08 19:40 359112 --a------ C:\Program Files\LimeWireWin.exe
2007-04-05 12:04 719240 --a------ C:\Program Files\WindowsXP-KB935448-x86-ENU.exe
2007-04-04 19:40 184168776 --a------ C:\Program Files\Nero-7.8.5.0_eng_trial.exe
2007-04-02 16:17 2685104 --a------ C:\Program Files\ccsetup138.exe
2007-04-01 22:21 83043496 --a------ C:\Program Files\PowerDVD_Trial.exe
2007-03-30 21:27 2126396 --a------ C:\Program Files\ac3filter_1_30b.zip
2007-03-30 20:23 19169009 --a------ C:\Program Files\Cole2k.Media.-.Codec.Pack.V6.0.9.-Advanced-.32Bit.Setup.exe
2007-03-30 20:18 80020 --a------ C:\Program Files\ac3file_0_4b.exe
2007-03-30 12:00 40738456 --a------ C:\Program Files\zlsSetup_70_337_000_en.exe
2007-03-27 13:15 2139213 --a------ C:\Program Files\ac3filter_1_30b.exe
2007-03-25 16:08 2951802 --a------ C:\Program Files\EClea2_0.exe
2007-03-18 01:54 1988088 --a------ C:\Program Files\GPassInstall.exe
2007-03-11 21:16 110592 --a------ C:\Program Files\fe.exe
2007-03-08 10:03 1308216 --a------ C:\Program Files\HiJackThis_v2.exe
2007-03-02 21:24 72950 --a------ C:\Program Files\installer.exe
2007-03-02 20:21 6718976 --a------ C:\Program Files\winamp533_full_emusic-7plus.exe
2007-02-17 23:39 9895199 --a------ C:\Program Files\VeohSetup-3.1.0.1067.exe
2007-02-14 13:49 21822168 --a------ C:\Program Files\AdbeRdr80_en_US.exe
2007-02-14 13:48 7050552 --a------ C:\Program Files\psa30se_en_us.exe
2007-02-03 13:05 3782589 --a------ C:\Program Files\LastFM_Win_1.1.3.0.exe
2007-01-31 00:10 3161845 --a------ C:\Program Files\mp3-to-mp3.exe
2007-01-03 00:48 38201 --a------ C:\Program Files\uninstall.exe
2006-12-27 18:11 2599088 --a------ C:\Program Files\Shockwave_Installer_Slim.exe
2006-12-23 14:23 13714856 --a------ C:\Program Files\zlsSetup_65_737_000_en.exe
2006-12-23 13:57 13707688 --a------ C:\Program Files\zlsSetup_65_722_000_en.exe
2006-12-23 13:43 12252367 --a------ C:\Program Files\AVG7QT.DAT
2006-12-23 13:38 17674296 --a------ C:\Program Files\avg75free_432a861.exe
2006-12-22 02:36 23510720 --a------ C:\Program Files\dotnetfx.exe
2006-12-22 02:32 36321776 --a------ C:\Program Files\278.exe
2006-12-04 21:58 5900416 --a------ C:\Program Files\Firefox Setup 2.0.exe
2006-11-23 21:49 6653000 --a------ C:\Program Files\winamp532_full_emusic-7plus.exe
2006-10-31 21:03 3195563 --a------ C:\Program Files\LastFM_Win_1.0.7_en.exe
2006-10-21 02:00 2838528 --a------ C:\Program Files\fraps.exe
2006-10-21 02:00 110592 --a------ C:\Program Files\fraps.dll
2006-10-21 01:59 122880 --a------ C:\Program Files\frapslcd.dll
2006-10-21 01:56 56320 --a------ C:\Program Files\fraps64.dll
2006-10-21 01:56 293376 --a------ C:\Program Files\fraps64.dat
2006-10-21 01:26 1859 --a------ C:\Program Files\README.HTM
2006-10-20 15:32 10765 --a------ C:\Program Files\changes.txt
2006-05-04 19:43 38379746 --a------ C:\Program Files\powerdvd-7_Multi.exe
2006-04-29 20:46 179 --a------ C:\Program Files\Free-Codecs.txt
2006-01-16 16:48 28 --a------ C:\Program Files\Studio 8 Serial.txt
2005-11-10 12:15 5790379 --a------ C:\Program Files\ac3decoder_install.exe
2005-10-31 16:56 700416 --a------ C:\Program Files\StubInstaller.exe
2005-10-26 13:48 777 --a------ C:\Program Files\trial_setup.ini
2002-06-29 22:12 8244 --a------ C:\Program Files\LICENSE.TXT
2002-06-29 22:11 272 --a------ C:\Program Files\FILE_ID.DIZ
2004-07-13 04:05:58 2,282 --sha-w C:\WINDOWS\system32\Dap\Secure.bat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{427B1275-E8C8-437B-B507-A9D3B92E1517}]
2007-08-20 15:16 298080 --a------ C:\WINDOWS\system32\pmnnk.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 08:34 C:\WINDOWS\RTHDCPL.exe]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-06-29 03:07]
"Ai Quicker Help"="C:\Program Files\ASUS\ASUS DH Remote\AsRc.exe" [2006-07-19 10:52]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 10:12]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-08-16 23:21]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-08-08 15:10]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-06-23 12:13]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-19 12:49]

C:\Documents and Settings\Rebecca\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 17:54:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ASUS WiFi-AP Solo.lnk - C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe [2006-12-22 01:08:00]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-08-19 12:49:50]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-07-01 21:11:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnk]
C:\WINDOWS\system32\pmnnk.dll 2007-08-20 15:16 298080 C:\WINDOWS\system32\pmnnk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Rebecca^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Rebecca\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Rebecca^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Rebecca\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
"C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Valve\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

R0 JGOGO;JMicron Hot-Plug Driver;C:\WINDOWS\system32\DRIVERS\JGOGO.sys
R0 JRAID;JRAID;C:\WINDOWS\system32\DRIVERS\jraid.sys
R0 PzWDM;PzWDM;C:\WINDOWS\system32\Drivers\PzWDM.sys
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187.sys
R3 SjyPkt;SjyPkt;\??\C:\WINDOWS\System32\Drivers\SjyPkt.sys
S3 ASPI;Advanced SCSI Programming Interface Driver;\??\C:\WINDOWS\System32\DRIVERS\ASPI32.sys


Contents of the 'Scheduled Tasks' folder
2007-08-17 09:55:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-21 01:37:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-21 1:40:35 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-21 01:40

--- E O F ---


Hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:59:32, on 21/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\ASUS DH Remote\AsRc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\ASUS\ASUS DH Remote\AsDhRemote.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [Ai Quicker Help] "C:\Program Files\ASUS\ASUS DH Remote\AsRc.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Wireless Adapter Configurator - Unknown owner - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe

--
End of file - 6241 bytes

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:10:08 PM

Posted 20 August 2007 - 08:14 PM

Copy and paste ALL the following blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\system32\knnmp.bak1
C:\WINDOWS\system32\pmnnk.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{427B1275-E8C8-437B-B507-A9D3B92E1517}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnk]

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Now go to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', then rename it to abc.bat.
Double click on abc.bat (which is still Hijackthis.exe) and post that log into your next reply please.

#5 harryp

harryp
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:04:08 PM

Posted 20 August 2007 - 08:32 PM

Alright, here it is:



Combo log

ComboFix 07-08-17.2 - "Rebecca" 2007-08-21 2:18:47.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1544 [GMT 1:00]
Command switches used :: C:\Documents and Settings\Rebecca\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\knnmp.bak1
C:\WINDOWS\system32\pmnnk.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\knnmp.bak1
C:\WINDOWS\system32\pmnnk.dll


((((((((((((((((((((((((( Files Created from 2007-07-21 to 2007-08-21 )))))))))))))))))))))))))))))))


2007-08-21 01:59 401,720 --a------ C:\Program Files\HiJackThis.exe
2007-08-20 15:00 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-20 15:00 1,424,812 --a------ C:\Program Files\ComboFix.exe
2007-08-20 13:43 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-08-19 12:50 <DIR> d-------- C:\DOCUME~1\Rebecca\APPLIC~1\Google
2007-08-19 12:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-08-19 12:49 878,224 --a------ C:\Program Files\Google Updater.exe
2007-08-19 12:49 <DIR> d-------- C:\Program Files\Google
2007-08-19 12:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-08-19 12:42 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-08-19 12:35 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-08-19 12:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-08-19 12:05 111,616 --a------ C:\VundoFix.exe
2007-08-19 12:05 <DIR> d-------- C:\VundoFix Backups
2007-08-18 13:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-16 22:19 2,720,456 --a------ C:\Program Files\ccsetup141.exe
2007-08-16 18:35 <DIR> d-------- C:\DOCUME~1\Rebecca\APPLIC~1\Jasc
2007-08-12 22:46 <DIR> d-------- C:\DOCUME~1\Rebecca\APPLIC~1\TSO
2007-08-12 19:21 <DIR> d-------- C:\Program Files\DSA Theory Test
2007-08-08 15:12 <DIR> d-------- C:\DOCUME~1\Rebecca\APPLIC~1\OpenOffice.org2
2007-08-08 15:11 <DIR> d-------- C:\Program Files\OpenOffice.org 2.2
2007-08-08 15:10 <DIR> d-------- C:\Program Files\OpenOffice.org 2.2 Installation Files
2007-08-08 14:52 114,006,347 --a------ C:\Program Files\OOo_2.2.1_Win32Intel_install_wJRE_en-US.exe
2007-08-04 15:01 192,512 --a------ C:\WINDOWS\InZU31.exe
2007-08-04 15:01 15,172 --a------ C:\WINDOWS\system32\drivers\PzWDM.sys
2007-08-04 15:01 <DIR> d-------- C:\Program Files\ONES Trial (E)
2007-08-04 14:00 43 --a------ C:\RUNME.bat
2007-08-04 13:41 <DIR> d-------- C:\Program Files\AskTBar
2007-08-04 12:21 <DIR> d-------- C:\New Folder
2007-08-04 10:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-08-04 10:39 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-08-04 10:32 5,248 --a------ C:\WINDOWS\system32\drivers\Vax347s.sys
2007-08-04 10:32 159,616 --a------ C:\WINDOWS\system32\drivers\Vax347b.sys
2007-08-04 10:32 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-07-27 00:06 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-27 00:06 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-27 00:06 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-27 00:06 144,704 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-07-27 00:06 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-27 00:03 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-27 00:03 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-27 00:03 81,920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-27 00:03 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-27 00:03 740,442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-27 00:03 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-27 00:03 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-27 00:03 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-27 00:03 344,064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-27 00:03 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-27 00:03 294,912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-27 00:03 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-27 00:03 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-21 02:17 8704 --ahs---- C:\Program Files\Thumbs.db
2007-08-21 01:59 6242 --a------ C:\Program Files\hijackthis.log
2007-08-16 22:47 --------- d-------- C:\Program Files\Google Toolbar
2007-08-12 19:23 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-09 11:20 --------- d-------- C:\Program Files\SpeedFan
2007-08-09 01:19 --------- d-------- C:\DOCUME~1\Rebecca\APPLIC~1\uTorrent
2007-08-04 14:41 --------- d-------- C:\Program Files\u
2007-07-31 00:17 --------- d-------- C:\Program Files\DivX
2007-07-30 17:16 224048 --a------ C:\Program Files\utorrent.exe
2007-07-27 00:06 43528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-07-27 00:06 129784 --a------ C:\WINDOWS\system32\pxafs.dll
2007-07-27 00:06 120056 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2007-07-27 00:06 118520 --a------ C:\WINDOWS\system32\pxinsi64.exe
2007-07-18 22:30 --------- d-------- C:\DOCUME~1\Rebecca\APPLIC~1\MetaProducts
2007-07-14 01:33 --------- d-------- C:\Program Files\Last.fm
2007-07-03 11:35 --------- d-------- C:\Program Files\Winamp
2007-07-03 06:38 22186192 --a------ C:\Program Files\DivXInstaller.exe
2007-07-02 22:06 4363872 --a------ C:\Program Files\DivXWebPlayerInstaller.exe
2007-07-02 20:41 2560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-06-26 13:01 --------- d-------- C:\DOCUME~1\Rebecca\APPLIC~1\SlySoft
2007-06-26 07:06 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-23 15:13 1781784 --a------ C:\Program Files\SetupAnyDVD6165.exe
2007-06-22 14:54 99904 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-06-20 22:08 93128 --a------ C:\WINDOWS\system32\ElbyCDIO.dll
2007-06-19 14:37 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-17 18:27 5087768 --a------ C:\Program Files\icsetup.exe
2007-06-13 12:26 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 10:48 882489 --a------ C:\Program Files\pg2-050918-nt.exe
2007-06-13 10:48 1119484 --a------ C:\Program Files\pg2-050918-x64.exe
2007-06-10 14:31 2719216 --a------ C:\Program Files\ccsetup140.exe
2007-06-04 12:56 1163592 --a------ C:\Program Files\install_flash_player.exe
2007-05-14 22:17 20006472 --a------ C:\Program Files\QuickTimeInstaller.exe
2007-05-13 13:05 2714784 --a------ C:\Program Files\ccsetup139.exe
2007-04-24 21:15 760708 --a------ C:\Program Files\ac3filter_1_11.exe
2007-04-24 13:19 4322304 --a------ C:\Program Files\aawsepersonal.exe
2007-04-20 13:12 6448349 --a------ C:\Program Files\realalt152.exe
2007-04-08 19:40 359112 --a------ C:\Program Files\LimeWireWin.exe
2007-04-05 12:04 719240 --a------ C:\Program Files\WindowsXP-KB935448-x86-ENU.exe
2007-04-04 19:40 184168776 --a------ C:\Program Files\Nero-7.8.5.0_eng_trial.exe
2007-04-02 16:17 2685104 --a------ C:\Program Files\ccsetup138.exe
2007-04-01 22:21 83043496 --a------ C:\Program Files\PowerDVD_Trial.exe
2007-03-30 21:27 2126396 --a------ C:\Program Files\ac3filter_1_30b.zip
2007-03-30 20:23 19169009 --a------ C:\Program Files\Cole2k.Media.-.Codec.Pack.V6.0.9.-Advanced-.32Bit.Setup.exe
2007-03-30 20:18 80020 --a------ C:\Program Files\ac3file_0_4b.exe
2007-03-30 12:00 40738456 --a------ C:\Program Files\zlsSetup_70_337_000_en.exe
2007-03-27 13:15 2139213 --a------ C:\Program Files\ac3filter_1_30b.exe
2007-03-25 16:08 2951802 --a------ C:\Program Files\EClea2_0.exe
2007-03-18 01:54 1988088 --a------ C:\Program Files\GPassInstall.exe
2007-03-11 21:16 110592 --a------ C:\Program Files\fe.exe
2007-03-02 21:24 72950 --a------ C:\Program Files\installer.exe
2007-03-02 20:21 6718976 --a------ C:\Program Files\winamp533_full_emusic-7plus.exe
2007-02-17 23:39 9895199 --a------ C:\Program Files\VeohSetup-3.1.0.1067.exe
2007-02-14 13:49 21822168 --a------ C:\Program Files\AdbeRdr80_en_US.exe
2007-02-14 13:48 7050552 --a------ C:\Program Files\psa30se_en_us.exe
2007-02-03 13:05 3782589 --a------ C:\Program Files\LastFM_Win_1.1.3.0.exe
2007-01-31 00:10 3161845 --a------ C:\Program Files\mp3-to-mp3.exe
2007-01-03 00:48 38201 --a------ C:\Program Files\uninstall.exe
2006-12-27 18:11 2599088 --a------ C:\Program Files\Shockwave_Installer_Slim.exe
2006-12-23 14:23 13714856 --a------ C:\Program Files\zlsSetup_65_737_000_en.exe
2006-12-23 13:57 13707688 --a------ C:\Program Files\zlsSetup_65_722_000_en.exe
2006-12-23 13:43 12252367 --a------ C:\Program Files\AVG7QT.DAT
2006-12-23 13:38 17674296 --a------ C:\Program Files\avg75free_432a861.exe
2006-12-22 02:36 23510720 --a------ C:\Program Files\dotnetfx.exe
2006-12-22 02:32 36321776 --a------ C:\Program Files\278.exe
2006-12-04 21:58 5900416 --a------ C:\Program Files\Firefox Setup 2.0.exe
2006-11-23 21:49 6653000 --a------ C:\Program Files\winamp532_full_emusic-7plus.exe
2006-10-31 21:03 3195563 --a------ C:\Program Files\LastFM_Win_1.0.7_en.exe
2006-10-21 02:00 2838528 --a------ C:\Program Files\fraps.exe
2006-10-21 02:00 110592 --a------ C:\Program Files\fraps.dll
2006-10-21 01:59 122880 --a------ C:\Program Files\frapslcd.dll
2006-10-21 01:56 56320 --a------ C:\Program Files\fraps64.dll
2006-10-21 01:56 293376 --a------ C:\Program Files\fraps64.dat
2006-10-21 01:26 1859 --a------ C:\Program Files\README.HTM
2006-10-20 15:32 10765 --a------ C:\Program Files\changes.txt
2006-05-04 19:43 38379746 --a------ C:\Program Files\powerdvd-7_Multi.exe
2006-04-29 20:46 179 --a------ C:\Program Files\Free-Codecs.txt
2006-01-16 16:48 28 --a------ C:\Program Files\Studio 8 Serial.txt
2005-11-10 12:15 5790379 --a------ C:\Program Files\ac3decoder_install.exe
2005-10-31 16:56 700416 --a------ C:\Program Files\StubInstaller.exe
2005-10-26 13:48 777 --a------ C:\Program Files\trial_setup.ini
2002-06-29 22:12 8244 --a------ C:\Program Files\LICENSE.TXT
2002-06-29 22:11 272 --a------ C:\Program Files\FILE_ID.DIZ
2004-07-13 04:05:58 2,282 --sha-w C:\WINDOWS\system32\Dap\Secure.bat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 08:34 C:\WINDOWS\RTHDCPL.exe]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-06-29 03:07]
"Ai Quicker Help"="C:\Program Files\ASUS\ASUS DH Remote\AsRc.exe" [2006-07-19 10:52]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 10:12]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-08-16 23:21]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-08-08 15:10]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-06-23 12:13]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-19 12:49]

C:\Documents and Settings\Rebecca\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 17:54:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ASUS WiFi-AP Solo.lnk - C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe [2006-12-22 01:08:00]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-08-19 12:49:50]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-07-01 21:11:38]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Rebecca^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Rebecca\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Rebecca^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Rebecca\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
"C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Valve\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

R0 JGOGO;JMicron Hot-Plug Driver;C:\WINDOWS\system32\DRIVERS\JGOGO.sys
R0 JRAID;JRAID;C:\WINDOWS\system32\DRIVERS\jraid.sys
R0 PzWDM;PzWDM;C:\WINDOWS\system32\Drivers\PzWDM.sys
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187.sys
R3 SjyPkt;SjyPkt;\??\C:\WINDOWS\System32\Drivers\SjyPkt.sys
S3 ASPI;Advanced SCSI Programming Interface Driver;\??\C:\WINDOWS\System32\DRIVERS\ASPI32.sys

*Newly Created Service* - SJYPKT

Contents of the 'Scheduled Tasks' folder
2007-08-17 09:55:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-21 02:23:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-21 2:25:51 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-21 02:25
C:\ComboFix2.txt ... 2007-08-21 01:40

--- E O F ---


Hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:28:13, on 21/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\ASUS DH Remote\AsRc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\ASUS\ASUS DH Remote\AsDhRemote.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\abc.bat.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [Ai Quicker Help] "C:\Program Files\ASUS\ASUS DH Remote\AsRc.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Wireless Adapter Configurator - Unknown owner - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe

--
End of file - 6737 bytes

#6 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 21 August 2007 - 01:50 AM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser windows and all Windows Explorer windows are closed before fixing:
O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.


Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u2'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.


Download the trial version of Spy Sweeper:
http://www.webroot.com/shoppingcart/tryme....&vcode=DT14

Install it using the Standard Install option.
You will be asked for your e-mail address; it's safe to give it.
If you receive alerts from your firewall, allow all activities for Spy Sweeper.

You will be prompted to check for updated definitions; please do so. This may take several minutes, so please be patient.

Once the updates have been installed, click on 'Options' and check/enable 'Full Sweep [Recommended]'.
Click on 'Sweep', then 'Start Full Sweep' and allow it to fully scan your system.

When the sweep has finished, click 'Select All' and then click 'Quarantine Selected'.
Under the 'Summary' tab, select 'View Session Log'.
Click 'Save to File' and save the log to your desktop.

Exit Spy Sweeper.
Restart your PC, then copy and paste the Spy Sweeper log into your next reply.

Run 'BitDefender Online Scanner' using Internet Explorer:
http://www.bitdefender.com/scan8/ie.html
Read the 'END USER SOFTWARE LICENSE AGREEMENT' then click 'I agree'.
You'll be prompted to install the ActiveX control; please do so.
Once installed, disable your current antivirus program, then click the 'Click here to scan' button.
The virus signatures will then load.
Once loaded the scan will start.
The scan will take quite some time so please be patient.
Once the scan has finished select the 'Detected Problems' tab.
Click on 'Click here to export scan'.
Save the file as an HTML file to your desktop.
Then click on the saved file and allow it to open with your browser.
Go to 'Edit'/'Select All' then copy and paste that log into your next reply.
*Note*
Don't forget to re-enable your antivirus program.

Also post a new Hijackthis log.
Let me know how your pc is running now please.

Edited by RichieUK, 21 August 2007 - 01:51 AM.


#7 harryp

  • Topic Starter
  • Members
  • 4 posts

Posted 21 August 2007 - 08:36 AM

Hi again, Richie

Have changed the Hijack This entry and the other things.

Surprisingly, Spy Sweeper seemed to come back with nothing; here's the log.

12:17: | Start of Session, 21 August 2007 |
12:17: Spy Sweeper 5.5.7.48 started
12:17: Spy Sweeper 5.5.7.48 started
12:18: Spyware Definitions: 972
12:18: License Check Status (0): Success
12:18: Shield States
IE Tracking Cookies Shield: Off
IE Hijack Shield: On
System Services Shield: On
Execution Shield: On
File System Shield: On
IE Favorites Shield: On
Windows Messenger Service Shield: On
ActiveX Shield: On
Internet Communication Shield: On
Hosts File Shield: On
Common Ad Sites: Off
Startup Shield: On
Alternate Data Stream (ADS) Execution Shield: On
IE Security Shield: On
BHO Shield: On
12:18: Informational: ShieldEmail: Start monitoring port 110 for mail activities
E-mail Attachment: On
12:18: Informational: ShieldEmail: Start monitoring port 25 for mail activities
Keylogger: Off
12:19: Tamper Detection
Source: C:\DOCUME~1\REBECCA\LOCALS~1\TEMP\IS-EFD7B.TMP\IS-F27JS.TMP
Target:
Operation: File Access
12:33: Warning: no filename sent to VerifyFileSignature
12:33: BHO Shield: found: -- BHO installation allowed at user request
12:44: ApplicationMinimized - ENTER
12:44: ApplicationMinimized - EXIT
12:44: Sweep initiated using definitions version 972
12:44: Start Full Sweep
12:44: Starting Memory Sweep
12:47: Memory Sweep Complete, Elapsed Time: 00:02:30
12:47: Starting Registry Sweep
12:47: Registry Sweep Complete, Elapsed Time:00:00:04
12:47: Starting Cookie Sweep
12:47: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:47: Starting File Sweep
12:47: Warning: SweepDirectories: Cannot find directory "a:". This directory was not added to the list of paths to be scanned.
12:48: ApplicationMinimized - ENTER
12:48: ApplicationMinimized - EXIT
12:58: ApplicationMinimized - ENTER
12:58: ApplicationMinimized - EXIT
13:02: ApplicationMinimized - ENTER
13:02: ApplicationMinimized - EXIT
13:05: Warning: Failed to open file "c:\documents and settings\rebecca\application data\mozilla\firefox\profiles\p3re5vtc.default\parent.lock". The operation completed successfully
13:05: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms729d8cf1-f804-4742-bdf6-0276be43f930.tmp". The operation completed successfully
13:05: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms039eb39d-26c9-4387-9e78-52362f8ec9c4.tmp". The operation completed successfully
13:05: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms2d2d5421-757a-499c-900b-033c78644487.tmp". The operation completed successfully
13:05: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms90e4145b-5e04-4971-867e-d5eeb5e0157b.tmp". The operation completed successfully
13:05: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms8409725c-4f5b-4e38-b2e3-e2006f16eaf6.tmp". The operation completed successfully
13:05: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms60ba6eb8-0507-4570-93e8-befa1d3edc2e.tmp". The operation completed successfully
13:05: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms18637286-ad37-4686-9e29-80079c910592.tmp". The operation completed successfully
13:05: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsa7acfeb4-9441-48eb-bc5d-69454672b8ed.tmp". The operation completed successfully
13:05: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsb4e58115-d8f1-418b-bd9e-eab238e73525.tmp". The operation completed successfully
13:05: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms95d9da18-5783-454e-bb93-de3dae77756d.tmp". The operation completed successfully
13:05: Warning: Failed to open file "c:\documents and settings\rebecca\cookies\rebecca@elliman[2].txt". The operation completed successfully
13:06: Warning: SweepDirectories: Cannot find directory "d:". This directory was not added to the list of paths to be scanned.
13:06: Warning: SweepDirectories: Cannot find directory "e:". This directory was not added to the list of paths to be scanned.
13:06: Warning: SweepDirectories: Cannot find directory "f:". This directory was not added to the list of paths to be scanned.
13:07: File Sweep Complete, Elapsed Time: 00:20:10
13:07: Full Sweep has completed. Elapsed time 00:23:03
13:07: Traces Found: 0
13:07: None



BitDefender Online results

BitDefender Online Scanner

Scan report generated at: Tue, Aug 21, 2007 - 14:05:29
Scan path: A:\;C:\;D:\;E:\;F:\;

Statistics
Time: 00:51:58
Files: 304423
Folders: 6406
Boot Sectors: 2
Archives: 7555
Packed Files: 8761

Results
Identified Viruses: 8
Infected Files: 13
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 13

Engines Info
Virus Definitions: 749408
Engine build: AVCORE v1.0 (build 2411) (i386) (Jul 9 2007 12:10:22)
Scan plugins: 14
Archive plugins: 37
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status

C:\QooBox\Quarantine\C\WINDOWS\system32\winopn32.dll.vir
    Infected with: Trojan.Mezzia.AU
    Deleted

C:\QooBox\Quarantine\catchme2007-08-21_ 22316.21.zip=>pmnnk.dll
    Infected with: DeepScan:Generic.Virtumonde.1.521AED21
    Disinfection failed
    Deleted

C:\QooBox\Quarantine\catchme2007-08-21_ 22316.21.zip
    Updated

C:\RUNME.bat
    Infected with: Trojan.ConHook.X
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{5B205E5C-F2A6-4C98-A9E6-4729F536F62F}\RP154\A0087780.bat
    Infected with: Trojan.ConHook.X
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{5B205E5C-F2A6-4C98-A9E6-4729F536F62F}\RP159\A0089964.exe
    Infected with: Trojan.Fotomoto.A
    Deleted

C:\System Volume Information\_restore{5B205E5C-F2A6-4C98-A9E6-4729F536F62F}\RP159\A0089988.exe=>(NSIS o)=>lzma_solid_nsis0006
    Detected with: Adware.Softomate.DU
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{5B205E5C-F2A6-4C98-A9E6-4729F536F62F}\RP159\A0089988.exe=>(NSIS o)
    Update failed

C:\System Volume Information\_restore{5B205E5C-F2A6-4C98-A9E6-4729F536F62F}\RP161\A0091591.dll
    Infected with: DeepScan:Generic.Virtumonde.1.07CA9543
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{5B205E5C-F2A6-4C98-A9E6-4729F536F62F}\RP163\A0092699.dll
    Infected with: Trojan.Mezzia.AU
    Deleted

C:\System Volume Information\_restore{5B205E5C-F2A6-4C98-A9E6-4729F536F62F}\RP165\A0094048.dll
    Infected with: DeepScan:Generic.Virtumonde.1.521AED21
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{5B205E5C-F2A6-4C98-A9E6-4729F536F62F}\RP171\A0094620.bat
    Infected with: Trojan.ConHook.X
    Disinfection failed
    Deleted

C:\WINDOWS\system32\Dap\mssvchost.exe
    Detected with: Application.Firedaemon.O
    Disinfection failed
    Deleted

C:\WINDOWS\system32\Dap\WindowsUpdate.exe
    Detected with: Application.Servu.Daemon.CF
    Disinfection failed
    Deleted

C:\WINDOWS\system32\mi1.exe=>(NSIS o)=>bzip2_nsis0009=>(NSIS o)=>lzma_solid_nsis0006
    Detected with: Adware.Softomate.DU
    Disinfection failed
    Deleted

C:\WINDOWS\system32\mi1.exe=>(NSIS o)=>bzip2_nsis0009=>(NSIS o)
    Update failed

Hijackthis results

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:29:25, on 21/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\ASUS DH Remote\AsRc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\ASUS\ASUS DH Remote\AsDhRemote.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\abc.bat.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [JMB36X Configure] "C:\WINDOWS\system32\JMRaidTool.exe" boot
O4 - HKLM\..\Run: [Ai Quicker Help] "C:\Program Files\ASUS\ASUS DH Remote\AsRc.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Wireless Adapter Configurator - Unknown owner - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe

--
End of file - 7165 bytes



As far as computer performance goes, it's been fine for a while; I haven't had a pop-up for a bit. I haven't had any warnings from AVG for a while, although I see BitDefender Online Scanner picked up on some. I guess it's still infected, but performance has improved!
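As an added example that is not part of this thread, here is a small Python triage helper for the HijackThis log format posted above: it parses the R/O entries and flags the things a responder checks by eye (orphaned "(no file)" entries, services with no vendor string, autostarts launched from a temp folder). The sample log text is constructed for the example: three lines copied from the log above plus one invented temp-path entry.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HJT_LINE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.*)$")  # "O23 - ..." entry prefix
@dataclass
class HjtEntry:
    code: str
    body: str
    path: Optional[str] = None
    flags: List[str] = field(default_factory=list)

def parse_entry(line: str) -> Optional[HjtEntry]:
    # One HijackThis "Rx/Oxx - ..." line becomes a record; any other line yields None.
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    e = HjtEntry(m.group("code"), m.group("body"))
    if e.code == "O4" and "] " in e.body:
        # O4 run keys: the command follows "]", optionally quoted, then its arguments.
        cmd = e.body.split("] ", 1)[1].strip()
        e.path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    elif " - " in e.body:
        # O2/O3/O9/O23 entries: the last " - " field is the file the entry points at.
        last = e.body.rsplit(" - ", 1)[-1]
        e.path = None if last == "(no file)" else last
    # Hygiene checks a responder makes by eye; each is a flag to review, not a verdict.
    if "(no file)" in e.body:
        e.flags.append("orphan")         # registry entry whose file is gone
    if e.code == "O23" and "Unknown owner" in e.body:
        e.flags.append("unknown-owner")  # service with no vendor string: verify the binary
    if e.path and "\\temp\\" in e.path.lower():
        e.flags.append("temp-path")      # autostart launched from a temp folder
    return e

def triage(log_text: str) -> Dict[str, List[HjtEntry]]:
    # Group flagged entries by flag so each class can be reviewed together.
    out: Dict[str, List[HjtEntry]] = {}
    for line in log_text.splitlines():
        e = parse_entry(line)
        for f in (e.flags if e else []):
            out.setdefault(f, []).append(e)
    return out

# Constructed sample: three lines copied from the log above plus one made-up temp-path entry.
SAMPLE = r"""R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O4 - HKLM\..\Run: [example] "C:\DOCUME~1\user\LOCALS~1\Temp\example.exe" /silent
"""
```

Run `triage(SAMPLE)` to get the flagged entries grouped by flag; an unflagged entry such as the vsmon service simply does not appear.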

#8 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 21 August 2007 - 08:45 AM

Your log is clean :thumbsup:
If all's ok, please do the following.

Find and delete:
ComboFix.exe
C:\Qoobox
C:\VundoFix Backups

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.


Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html