Virtumondo


  • This topic is locked
13 replies to this topic

#1 walkerstewart

Posted 21 August 2007 - 01:09 AM

Hi guys,

I have tried like hell to remove the stupid Virtumondo, however SpyBot and Defender continually report that it is still present (even though I continuously remove it).

I have gotten rid of all the annoying popups, but would now like a completely clean system (http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/ was of great help).

The one thing I keep noticing is that there is always an IExplorer process started on restart, plus when running antivirus/spyware/disinfecting tools, my network connection drops in and out.

Any help would be appreciated.

Thanks,

Stewart Walker



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:00:32 PM, on 21/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\SearchIndexer.exe
\?\C:\IISDebugTools\_IISCHAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\TEMP\QT1ED9.EXE
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.byte.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Byte Information Technology
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxyserver:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 216.14.203.20 www.southerncrossnetwork.org.au
O1 - Hosts: 216.14.203.20 southerncrossnetwork.org.au
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: COM+ Service - {2BDEC973-B5AC-4e5b-8AB3-5A0500880DA2} - C:\WINDOWS\system32\winload.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {8DC13F33-719B-46C9-A590-6FA097E0570F} - C:\WINDOWS\system32\awvtutr.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: IE DevToolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Capture Page to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddLinkEntryFromDocument.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ninemsn Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-au\msntb.dll/search.htm
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Capt&ure Target to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentElement.html
O8 - Extra context menu item: Capture &Snippet to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentSelection.html
O8 - Extra context menu item: Capture Ima&ge to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentElement.html
O8 - Extra context menu item: Capture Page and Selected &Links to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddSiteSnippetFromDocumentSelection.html
O8 - Extra context menu item: Capture Selected Ite&ms to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddMultipleEntriesFromDocumentSelection.html
O8 - Extra context menu item: Capture Site to &Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddSiteFromDocument.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-au\msntabres.dll/229?576ddffc36d74536b0655eb68574d051
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-au\msntabres.dll/230?576ddffc36d74536b0655eb68574d051
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://intranet.byte.com.au
O15 - Trusted Zone: http://development.byte.com.au
O15 - Trusted Zone: http://intranet.byte.com.au
O15 - Trusted Zone: http://portal.byte.com.au
O15 - Trusted Zone: http://*.pdmsprod01
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.microsoftvirtuallabs.com/virtua...iveXClient1.cab
O16 - DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} (Photosynth Class) - http://media.labs.live.com/all/ps/_code_/Photosynth.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1179468040664
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1179467964568
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - https://knowledge.opentext.com/knowledgesup...ppro/isetup.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {F53270D3-0E32-48B7-B63B-159E33210F70} (Livelink ActiveX Control) - https://knowledge.opentext.com/knowledgesup...bexp/lledit.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = inside.byte.com.au
O17 - HKLM\Software\..\Telephony: DomainName = inside.byte.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = inside.byte.com.au
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: awvtutr - C:\WINDOWS\SYSTEM32\awvtutr.dll
O20 - Winlogon Notify: winppl32 - C:\WINDOWS\SYSTEM32\winppl32.dll
O22 - SharedTaskScheduler: COM+ Service - {2BDEC973-B5AC-4e5b-8AB3-5A0500880DA2} - C:\WINDOWS\system32\winload.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/stewartw/LOCALS~1/Temp/msohtmlclip1/01/clip_image002.jpg
O24 - Desktop Component 2: (no name) - \\stewartslaptop\DownloadsOrdered
O24 - Desktop Component 3: (no name) - \\stewartslaptop\Resources
O24 - Desktop Component 4: (no name) - c:\Resources

--
End of file - 13120 bytes


#2 RichieUK

  • Malware Response Team

Posted 21 August 2007 - 02:55 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, walkerstewart.
My name is Richie and I'll be helping you to fix your problems.

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new HijackThis log please.

#3 walkerstewart

Posted 21 August 2007 - 03:26 AM

Hi Richie,

Thanks for your fast response.

The results of the ComboFix log are listed below.


Signing Off for the night (6:30 in Australia).

Will await your response.

Thanks and Kind Regards,

Stewart Walker



ComboFix 07-08-17.2 - "stewartw" 2007-08-21 18:04:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1046 [GMT 10:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ddaba.dll
C:\WINDOWS\system32\mt_32.dll
C:\WINDOWS\system32\rrutv.bak1
C:\WINDOWS\system32\rrutv.ini
C:\WINDOWS\system32\vturr.dll
C:\WINDOWS\system32\winload.dll
C:\WINDOWS\system32\winppl32.dll


((((((((((((((((((((((((( Files Created from 2007-07-21 to 2007-08-21 )))))))))))))))))))))))))))))))


2007-08-21 18:03 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-21 16:45 6,473 ---hs---- C:\WINDOWS\system32\ddeeg.bak1
2007-08-21 15:43 93,696 --a------ C:\WINDOWS\system32\drvjow.dll
2007-08-21 15:43 43,542 --a------ C:\WINDOWS\system32\tussqno.dll
2007-08-21 15:43 15,360 --a------ C:\WINDOWS\system32\drvjowr.dll
2007-08-21 13:53 6,473 ---hs---- C:\WINDOWS\system32\sstwa.bak1
2007-08-21 13:48 93,696 --a------ C:\WINDOWS\system32\drvwet.dll
2007-08-21 13:48 43,542 --a------ C:\WINDOWS\system32\awvtutr.dll
2007-08-21 13:48 15,360 --a------ C:\WINDOWS\system32\drvwetr.dll
2007-08-20 13:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-20 11:37 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-20 11:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-20 11:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-20 11:08 <DIR> d-------- C:\DOCUME~1\ADMINI~1.BIT\APPLIC~1\Talkback
2007-08-20 10:29 6,473 ---hs---- C:\WINDOWS\system32\gfhkj.bak1
2007-08-20 09:26 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-08-20 09:00 298,080 --a------ C:\WINDOWS\system32\ddcyy.dll.vir
2007-08-17 17:45 6,473 ---hs---- C:\WINDOWS\system32\kjjlm.bak1
2007-08-17 16:09 6,473 ---hs---- C:\WINDOWS\system32\hhkmp.bak1
2007-08-17 14:57 6,473 ---hs---- C:\WINDOWS\system32\jjkmp.bak1
2007-08-17 13:44 6,513 ---hs---- C:\WINDOWS\system32\jlkkj.bak1
2007-08-17 13:39 95,232 --a------ C:\WINDOWS\system32\drvril.dll
2007-08-17 13:39 15,360 --a------ C:\WINDOWS\system32\drvrilr.dll
2007-08-17 13:38 43,542 --a------ C:\WINDOWS\system32\pmnommj.dll.vir
2007-08-17 10:25 <DIR> d-------- C:\VundoFix Backups
2007-08-17 10:16 <DIR> d-------- C:\DOCUME~1\stewartw\APPLIC~1\Uniblue
2007-08-17 09:16 <DIR> d-------- C:\Temp\Digital.Film.Tools.55mm.v7.5.for.Adobe.Photoshop-SCOTCH
2007-08-17 08:42 <DIR> d-------- C:\DOCUME~1\stewartw\APPLIC~1\RegClean
2007-08-16 17:45 3,046 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-16 17:08 <DIR> d-------- C:\Program Files\Windows Defender
2007-08-16 15:50 <DIR> d-------- C:\Program Files\Bonjour
2007-08-16 15:12 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-08-16 15:02 <DIR> d-------- C:\Temp\Adobe CS3
2007-08-16 15:01 43,542 --a------ C:\WINDOWS\system32\hggdedb.dll
2007-08-06 11:25 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-03 16:48 <DIR> d-------- C:\Program Files\Advanced Batch Converter
2007-07-26 10:18 <DIR> d-------- C:\Temp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-21 15:59 --------- d-------- C:\Program Files\Trend Micro
2007-08-20 11:53 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-20 11:53 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-17 14:23 --------- d-------- C:\DOCUME~1\stewartw\APPLIC~1\Skype
2007-08-15 10:10 --------- d-------- C:\Program Files\Microsoft Virtual PC
2007-07-26 09:46 --------- d-------- C:\DOCUME~1\stewartw\APPLIC~1\nView_Wallpaper
2007-07-13 17:27 --------- d-------- C:\DOCUME~1\stewartw\APPLIC~1\DameWare Development
2007-07-13 17:22 --------- d-------- C:\Program Files\DameWare Development
2007-07-06 08:51 --------- d-------- C:\Program Files\Trial123FileConvert
2007-07-05 11:35 --------- d-------- C:\Program Files\PDF Ripper
2007-07-05 11:23 --------- d-------- C:\Program Files\Universal Document Converter
2007-07-04 10:06 --------- d-------- C:\DOCUME~1\stewartw\APPLIC~1\LinkedIn
2007-07-04 10:05 --------- d-------- C:\Program Files\LinkedIn
2007-07-03 13:13 --------- d-------- C:\DOCUME~1\stewartw\APPLIC~1\Apple Computer
2007-07-03 11:43 --------- d-------- C:\Program Files\iTunes
2007-07-03 11:43 --------- d-------- C:\Program Files\iPod
2007-07-03 11:42 --------- d-------- C:\Program Files\Apple Software Update
2007-07-03 11:41 --------- d-------- C:\Program Files\Common Files\Apple
2007-06-26 16:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-22 17:11 204848 --a------ C:\WINDOWS\system32\gswin32c.exe
2007-06-22 17:11 196608 --a------ C:\WINDOWS\system32\Utility.dll
2007-06-22 17:11 151552 --a------ C:\WINDOWS\system32\scrrun.dll
2007-06-19 23:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 20:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-04-13 17:20 3024 --a------ C:\Program Files\Common Files\cfgbak.tgb
2006-07-05 14:21 880159 --a------ C:\Program Files\ndoc-bin-1.3.1-v15.zip


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8DC13F33-719B-46C9-A590-6FA097E0570F}]
2007-08-21 13:48 43542 --a------ C:\WINDOWS\system32\awvtutr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-12 12:19]
"nwiz"="nwiz.exe" [2006-07-12 12:19 C:\WINDOWS\system32\nwiz.exe]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2007-03-29 08:10]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-06-10 19:21]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2005-12-04 16:38]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\stewartw\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2006-05-31 15:57:25]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-10-19 13:55:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"=1 (0x1)
"ProfileQuotaMessage"=You have exceeded your profile storage space. Before you can log off, you need to move some items from your profile to network or local storage.
"MaxProfileSize"=30000 (0x7530)
"WarnUser"=1 (0x1)
"WarnUserTimeout"=15 (0xf)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\4]
Source= c:\Resources
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]
"{8DC13F33-719B-46C9-A590-6FA097E0570F}"= C:\WINDOWS\system32\awvtutr.dll [2007-08-21 13:48 43542]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvtutr]
awvtutr.dll 2007-08-21 13:48 43542 C:\WINDOWS\system32\awvtutr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^stewartw^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]
path=C:\Documents and Settings\stewartw\Start Menu\Programs\Startup\Microsoft Office Groove.lnk
backup=C:\WINDOWS\pss\Microsoft Office Groove.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\G6FTP Server Tray Monitor]
"C:\Program Files\Gene6 FTP Server\G6FTPTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OnfolioStorage]
"C:\Program Files\Onfolio\onfserv.exe" nosignal

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UDC Integration]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"ufad-p2v"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"IXOS - Document Priority Calculator"=3 (0x3)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"spkrmon"=2 (0x2)

R1 vcdrom;Virtual CD-ROM Device Driver;\??\C:\WINDOWS\system32\drivers\VCdRom.sys
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
R2 SQLBrowser;SQL Server Browser;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe"
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
R2 TmPreFilter;Trend Micro PreFilter;\??\C:\Program Files\Trend Micro\Client Server Security Agent\TmPreFlt.sys
R2 vstor2-p2v30;Vstor2 P2V30 Virtual Storage Driver;\??\C:\Program Files\VMware\VMware Converter\vstor2-p2v30.sys
R3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINDOWS\system32\DRIVERS\point32.sys
S2 ntrtscan;Trend Micro Client/Server Security Agent RealTime Scan;C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
S2 tmlisten;Trend Micro Client/Server Security Agent Listener;C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS
S4 IXOS - Document Priority Calculator;IXOS - Document Priority Calculator;c:\dehworkflowintegration\pdmspriorityupdate\bin\pdmspriorityupdate.exe
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80
S4 ufad-p2v;VMware Converter Service;"C:\Program Files\VMware\VMware Converter\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Converter\\" -s ufad-p2v.xml

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-21 18:16:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-21 18:20:46 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-21 18:20

--- E O F ---

#4 walkerstewart


Posted 21 August 2007 - 03:29 AM

And the next HijackThis log.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:28, on 2007-08-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
\?\C:\IISDebugTools\_IISCHAgent.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\proquota.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.byte.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxyserver:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {8DC13F33-719B-46C9-A590-6FA097E0570F} - C:\WINDOWS\system32\awvtutr.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: IE DevToolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Capture Page to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddLinkEntryFromDocument.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ninemsn Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-au\msntb.dll/search.htm
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Capt&ure Target to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentElement.html
O8 - Extra context menu item: Capture &Snippet to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentSelection.html
O8 - Extra context menu item: Capture Ima&ge to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentElement.html
O8 - Extra context menu item: Capture Page and Selected &Links to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddSiteSnippetFromDocumentSelection.html
O8 - Extra context menu item: Capture Selected Ite&ms to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddMultipleEntriesFromDocumentSelection.html
O8 - Extra context menu item: Capture Site to &Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddSiteFromDocument.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-au\msntabres.dll/229?576ddffc36d74536b0655eb68574d051
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-au\msntabres.dll/230?576ddffc36d74536b0655eb68574d051
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://intranet.byte.com.au
O15 - Trusted Zone: http://development.byte.com.au
O15 - Trusted Zone: http://intranet.byte.com.au
O15 - Trusted Zone: http://portal.byte.com.au
O15 - Trusted Zone: http://*.pdmsprod01
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.microsoftvirtuallabs.com/virtua...iveXClient1.cab
O16 - DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} (Photosynth Class) - http://media.labs.live.com/all/ps/_code_/Photosynth.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1179468040664
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1179467964568
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - https://knowledge.opentext.com/knowledgesup...ppro/isetup.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {F53270D3-0E32-48B7-B63B-159E33210F70} (Livelink ActiveX Control) - https://knowledge.opentext.com/knowledgesup...bexp/lledit.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = inside.byte.com.au
O17 - HKLM\Software\..\Telephony: DomainName = inside.byte.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = inside.byte.com.au
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: awvtutr - C:\WINDOWS\SYSTEM32\awvtutr.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/stewartw/LOCALS~1/Temp/msohtmlclip1/01/clip_image002.jpg
O24 - Desktop Component 2: (no name) - \\stewartslaptop\DownloadsOrdered
O24 - Desktop Component 3: (no name) - \\stewartslaptop\Resources
O24 - Desktop Component 4: (no name) - c:\Resources

--
End of file - 12065 bytes

#5 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 21 August 2007 - 03:37 AM

Copy and paste ALL the following blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\system32\ddeeg.bak1
C:\WINDOWS\system32\drvjow.dll
C:\WINDOWS\system32\tussqno.dll
C:\WINDOWS\system32\drvjowr.dll
C:\WINDOWS\system32\sstwa.bak1
C:\WINDOWS\system32\drvwet.dll
C:\WINDOWS\system32\awvtutr.dll
C:\WINDOWS\system32\drvwetr.dll
C:\WINDOWS\system32\gfhkj.bak1
C:\WINDOWS\system32\ddcyy.dll.vir
C:\WINDOWS\system32\kjjlm.bak1
C:\WINDOWS\system32\hhkmp.bak1
C:\WINDOWS\system32\jjkmp.bak1
C:\WINDOWS\system32\jlkkj.bak1
C:\WINDOWS\system32\drvril.dll
C:\WINDOWS\system32\drvrilr.dll
C:\WINDOWS\system32\pmnommj.dll.vir
C:\WINDOWS\system32\hggdedb.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8DC13F33-719B-46C9-A590-6FA097E0570F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8DC13F33-719B-46C9-A590-6FA097E0570F}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvtutr]

Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.
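
The cross-check behind the script above, as an added example that is not part of this thread: parse HijackThis O2 and O20 lines and flag a system32 DLL that is registered both as a nameless BHO and as a Winlogon Notify handler, then render those hits in the File::/Registry:: layout the CFScript uses. The sample log lines are constructed from the log posted above; the line regexes and the full "Browser Helper Objects" registry path are assumptions, not something HijackThis or ComboFix publishes.

```python
import re

# Constructed sample in HijackThis log format: legitimate entries mixed with
# the two lines that point at the same system32 DLL (pattern from the log above).
SAMPLE_LOG = r"""O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8DC13F33-719B-46C9-A590-6FA097E0570F} - C:\WINDOWS\system32\awvtutr.dll
O20 - Winlogon Notify: awvtutr - C:\WINDOWS\SYSTEM32\awvtutr.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Assumed line shapes for the two HijackThis sections we care about.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")

# Assumed registry locations (standard on XP); the thread's script abbreviates the first one with "~".
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"


def parse_hjt(text):
    """Return (bhos, notifies): dicts for every O2 and O20 line in the log."""
    bhos, notifies = [], []
    for line in text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = O20_RE.match(line)
        if m:
            notifies.append(m.groupdict())
    return bhos, notifies


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def in_system32(path):
    return "\\system32\\" in path.lower()


def find_suspect_dlls(text):
    """Flag DLLs that are a nameless BHO in system32 AND a Winlogon Notify handler.

    Returns {dll_basename: {"clsid", "path", "notify_key", "notify_path"}}.
    A nameless BHO alone is not proof (SDHelper.dll above is benign); the
    Winlogon Notify pairing is what makes the entry worth a closer look.
    """
    bhos, notifies = parse_hjt(text)
    notify_by_base = {basename(n["path"]): n for n in notifies}
    hits = {}
    for b in bhos:
        if b["name"] != "(no name)" or not in_system32(b["path"]):
            continue
        n = notify_by_base.get(basename(b["path"]))
        if n is None:
            continue
        hits[basename(b["path"])] = {
            "clsid": b["clsid"],
            "path": b["path"],
            "notify_key": n["key"],
            "notify_path": n["path"],
        }
    return hits


def build_cfscript(hits):
    """Render hits in the File:: / Registry:: layout used in this thread.

    A leading '-' on a key line asks ComboFix to delete that key. The thread's
    script also clears the CLSID from ShellExecuteHooks; HijackThis does not
    list that key, so it cannot be derived from the log and is omitted here.
    """
    files, regs = [], []
    for info in hits.values():
        files.append(info["path"])
        regs.append(f"[-{BHO_KEY}\\{info['clsid']}]")
        regs.append(f"[-{NOTIFY_KEY}\\{info['notify_key']}]")
    return "File::\n" + "\n".join(files) + "\nRegistry::\n" + "\n".join(regs) + "\n"


if __name__ == "__main__":
    print(build_cfscript(find_suspect_dlls(SAMPLE_LOG)))
```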

#6 walkerstewart
  • Topic Starter

  • Members
  • 8 posts

Posted 21 August 2007 - 07:00 PM

Here we go, the ComboFix report:

ComboFix 07-08-17.2 - "stewartw" 2007-08-22 9:39:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1054 [GMT 10:00]
Command switches used :: C:\Documents and Settings\stewartw\Desktop\CFScript.txt

FILE::
C:\WINDOWS\system32\ddeeg.bak1
C:\WINDOWS\system32\drvjow.dll
C:\WINDOWS\system32\tussqno.dll
C:\WINDOWS\system32\drvjowr.dll
C:\WINDOWS\system32\sstwa.bak1
C:\WINDOWS\system32\drvwet.dll
C:\WINDOWS\system32\awvtutr.dll
C:\WINDOWS\system32\drvwetr.dll
C:\WINDOWS\system32\gfhkj.bak1
C:\WINDOWS\system32\ddcyy.dll.vir
C:\WINDOWS\system32\kjjlm.bak1
C:\WINDOWS\system32\hhkmp.bak1
C:\WINDOWS\system32\jjkmp.bak1
C:\WINDOWS\system32\jlkkj.bak1
C:\WINDOWS\system32\drvril.dll
C:\WINDOWS\system32\drvrilr.dll
C:\WINDOWS\system32\pmnommj.dll.vir
C:\WINDOWS\system32\hggdedb.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\awvtutr.dll
C:\WINDOWS\system32\ddcyy.dll.vir
C:\WINDOWS\system32\ddeeg.bak1
C:\WINDOWS\system32\drvjow.dll
C:\WINDOWS\system32\drvjowr.dll
C:\WINDOWS\system32\drvril.dll
C:\WINDOWS\system32\drvrilr.dll
C:\WINDOWS\system32\drvwet.dll
C:\WINDOWS\system32\drvwetr.dll
C:\WINDOWS\system32\gfhkj.bak1
C:\WINDOWS\system32\hggdedb.dll
C:\WINDOWS\system32\hhkmp.bak1
C:\WINDOWS\system32\jjkmp.bak1
C:\WINDOWS\system32\jlkkj.bak1
C:\WINDOWS\system32\kjjlm.bak1
C:\WINDOWS\system32\mllmm.dll
C:\WINDOWS\system32\mmllm.bak1
C:\WINDOWS\system32\mmllm.ini
C:\WINDOWS\system32\pmnommj.dll.vir
C:\WINDOWS\system32\sstwa.bak1
C:\WINDOWS\system32\tussqno.dll


((((((((((((((((((((((((( Files Created from 2007-07-21 to 2007-08-21 )))))))))))))))))))))))))))))))


2007-08-21 18:03 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-20 13:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-20 11:37 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-20 11:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-20 11:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-20 11:08 <DIR> d-------- C:\DOCUME~1\ADMINI~1.BIT\APPLIC~1\Talkback
2007-08-20 09:26 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-08-17 10:25 <DIR> d-------- C:\VundoFix Backups
2007-08-17 10:16 <DIR> d-------- C:\DOCUME~1\stewartw\APPLIC~1\Uniblue
2007-08-17 09:16 <DIR> d-------- C:\Temp\Digital.Film.Tools.55mm.v7.5.for.Adobe.Photoshop-SCOTCH
2007-08-17 08:42 <DIR> d-------- C:\DOCUME~1\stewartw\APPLIC~1\RegClean
2007-08-16 17:45 3,046 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-16 17:08 <DIR> d-------- C:\Program Files\Windows Defender
2007-08-16 15:50 <DIR> d-------- C:\Program Files\Bonjour
2007-08-16 15:12 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-08-16 15:02 <DIR> d-------- C:\Temp\Adobe CS3
2007-08-06 11:25 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-03 16:48 <DIR> d-------- C:\Program Files\Advanced Batch Converter
2007-07-26 10:18 <DIR> d-------- C:\Temp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-21 15:59 --------- d-------- C:\Program Files\Trend Micro
2007-08-20 11:53 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-20 11:53 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-17 14:23 --------- d-------- C:\DOCUME~1\stewartw\APPLIC~1\Skype
2007-08-15 10:10 --------- d-------- C:\Program Files\Microsoft Virtual PC
2007-07-26 09:46 --------- d-------- C:\DOCUME~1\stewartw\APPLIC~1\nView_Wallpaper
2007-07-13 17:27 --------- d-------- C:\DOCUME~1\stewartw\APPLIC~1\DameWare Development
2007-07-13 17:22 --------- d-------- C:\Program Files\DameWare Development
2007-07-06 08:51 --------- d-------- C:\Program Files\Trial123FileConvert
2007-07-05 11:35 --------- d-------- C:\Program Files\PDF Ripper
2007-07-05 11:23 --------- d-------- C:\Program Files\Universal Document Converter
2007-07-04 10:06 --------- d-------- C:\DOCUME~1\stewartw\APPLIC~1\LinkedIn
2007-07-04 10:05 --------- d-------- C:\Program Files\LinkedIn
2007-07-03 13:13 --------- d-------- C:\DOCUME~1\stewartw\APPLIC~1\Apple Computer
2007-07-03 11:43 --------- d-------- C:\Program Files\iTunes
2007-07-03 11:43 --------- d-------- C:\Program Files\iPod
2007-07-03 11:42 --------- d-------- C:\Program Files\Apple Software Update
2007-07-03 11:41 --------- d-------- C:\Program Files\Common Files\Apple
2007-06-26 16:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-22 17:11 204848 --a------ C:\WINDOWS\system32\gswin32c.exe
2007-06-22 17:11 196608 --a------ C:\WINDOWS\system32\Utility.dll
2007-06-22 17:11 151552 --a------ C:\WINDOWS\system32\scrrun.dll
2007-06-19 23:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 20:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-04-13 17:20 3024 --a------ C:\Program Files\Common Files\cfgbak.tgb
2006-07-05 14:21 880159 --a------ C:\Program Files\ndoc-bin-1.3.1-v15.zip


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-12 12:19]
"nwiz"="nwiz.exe" [2006-07-12 12:19 C:\WINDOWS\system32\nwiz.exe]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2007-03-29 08:10]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-06-10 19:21]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2005-12-04 16:38]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\stewartw\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2006-05-31 15:57:25]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-10-19 13:55:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"=1 (0x1)
"ProfileQuotaMessage"=You have exceeded your profile storage space. Before you can log off, you need to move some items from your profile to network or local storage.
"MaxProfileSize"=30000 (0x7530)
"WarnUser"=1 (0x1)
"WarnUserTimeout"=15 (0xf)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\4]
Source= c:\Resources
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^stewartw^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]
path=C:\Documents and Settings\stewartw\Start Menu\Programs\Startup\Microsoft Office Groove.lnk
backup=C:\WINDOWS\pss\Microsoft Office Groove.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\G6FTP Server Tray Monitor]
"C:\Program Files\Gene6 FTP Server\G6FTPTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OnfolioStorage]
"C:\Program Files\Onfolio\onfserv.exe" nosignal

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UDC Integration]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"ufad-p2v"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"IXOS - Document Priority Calculator"=3 (0x3)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"spkrmon"=2 (0x2)

R1 vcdrom;Virtual CD-ROM Device Driver;\??\C:\WINDOWS\system32\drivers\VCdRom.sys
R2 ntrtscan;Trend Micro Client/Server Security Agent RealTime Scan;C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
R2 SQLBrowser;SQL Server Browser;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe"
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
R2 tmlisten;Trend Micro Client/Server Security Agent Listener;C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
R2 TmPreFilter;Trend Micro PreFilter;\??\C:\Program Files\Trend Micro\Client Server Security Agent\TmPreFlt.sys
R2 vstor2-p2v30;Vstor2 P2V30 Virtual Storage Driver;\??\C:\Program Files\VMware\VMware Converter\vstor2-p2v30.sys
R3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINDOWS\system32\DRIVERS\point32.sys
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS
S4 IXOS - Document Priority Calculator;IXOS - Document Priority Calculator;c:\dehworkflowintegration\pdmspriorityupdate\bin\pdmspriorityupdate.exe
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80
S4 ufad-p2v;VMware Converter Service;"C:\Program Files\VMware\VMware Converter\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Converter\\" -s ufad-p2v.xml

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-22 09:52:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-22 9:55:13 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-22 09:55
C:\ComboFix2.txt ... 2007-08-21 18:20

--- E O F ---


And the HijackThis report:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00, on 2007-08-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\SearchIndexer.exe
\?\C:\IISDebugTools\_IISCHAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\proquota.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\TEMP\KQ14D8.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.byte.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxyserver:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: IE DevToolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Capture Page to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddLinkEntryFromDocument.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ninemsn Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-au\msntb.dll/search.htm
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Capt&ure Target to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentElement.html
O8 - Extra context menu item: Capture &Snippet to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentSelection.html
O8 - Extra context menu item: Capture Ima&ge to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentElement.html
O8 - Extra context menu item: Capture Page and Selected &Links to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddSiteSnippetFromDocumentSelection.html
O8 - Extra context menu item: Capture Selected Ite&ms to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddMultipleEntriesFromDocumentSelection.html
O8 - Extra context menu item: Capture Site to &Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddSiteFromDocument.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-au\msntabres.dll/229?576ddffc36d74536b0655eb68574d051
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-au\msntabres.dll/230?576ddffc36d74536b0655eb68574d051
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://intranet.byte.com.au
O15 - Trusted Zone: http://development.byte.com.au
O15 - Trusted Zone: http://intranet.byte.com.au
O15 - Trusted Zone: http://portal.byte.com.au
O15 - Trusted Zone: http://*.pdmsprod01
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.microsoftvirtuallabs.com/virtua...iveXClient1.cab
O16 - DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} (Photosynth Class) - http://media.labs.live.com/all/ps/_code_/Photosynth.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1179468040664
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1179467964568
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - https://knowledge.opentext.com/knowledgesup...ppro/isetup.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {F53270D3-0E32-48B7-B63B-159E33210F70} (Livelink ActiveX Control) - https://knowledge.opentext.com/knowledgesup...bexp/lledit.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = inside.byte.com.au
O17 - HKLM\Software\..\Telephony: DomainName = inside.byte.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = inside.byte.com.au
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/stewartw/LOCALS~1/Temp/msohtmlclip1/01/clip_image002.jpg
O24 - Desktop Component 2: (no name) - \\stewartslaptop\DownloadsOrdered
O24 - Desktop Component 3: (no name) - \\stewartslaptop\Resources
O24 - Desktop Component 4: (no name) - c:\Resources

--
End of file - 12181 bytes

#7 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 22 August 2007 - 03:42 AM

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u2'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, on the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double-click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your PC is running now.


#8 walkerstewart

  • Topic Starter
  • Members
  • 8 posts

Posted 22 August 2007 - 10:15 PM

OK, I have updated Java and removed the old versions.

My PC seemed to be running much happier after my last post; however, SuperAntiSpyware pretty much only found cookies.

SUPERAntiSpyware Log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/23/2007 at 10:20 AM

Application Version : 3.9.1008

Core Rules Database Version : 3290
Trace Rules Database Version: 1301

Scan type : Complete Scan
Total Scan Time : 01:01:39

Memory items scanned : 606
Memory threats detected : 0
Registry items scanned : 10035
Registry threats detected : 0
File items scanned : 104339
File threats detected : 177

Adware.Tracking Cookie

#9 walkerstewart

  • Topic Starter
  • Members
  • 8 posts

Posted 22 August 2007 - 10:16 PM

And the latest HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:15, on 2007-08-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
\?\C:\IISDebugTools\_IISCHAgent.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\proquota.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\TEMP\JPEDD.EXE
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.byte.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxyserver:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: IE DevToolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Capture Page to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddLinkEntryFromDocument.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ninemsn Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-au\msntb.dll/search.htm
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Capt&ure Target to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentElement.html
O8 - Extra context menu item: Capture &Snippet to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentSelection.html
O8 - Extra context menu item: Capture Ima&ge to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentElement.html
O8 - Extra context menu item: Capture Page and Selected &Links to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddSiteSnippetFromDocumentSelection.html
O8 - Extra context menu item: Capture Selected Ite&ms to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddMultipleEntriesFromDocumentSelection.html
O8 - Extra context menu item: Capture Site to &Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddSiteFromDocument.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-au\msntabres.dll/229?576ddffc36d74536b0655eb68574d051
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-au\msntabres.dll/230?576ddffc36d74536b0655eb68574d051
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://intranet.byte.com.au
O15 - Trusted Zone: http://development.byte.com.au
O15 - Trusted Zone: http://intranet.byte.com.au
O15 - Trusted Zone: http://portal.byte.com.au
O15 - Trusted Zone: http://*.pdmsprod01
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.microsoftvirtuallabs.com/virtua...iveXClient1.cab
O16 - DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} (Photosynth Class) - http://media.labs.live.com/all/ps/_code_/Photosynth.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1179468040664
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1179467964568
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - https://knowledge.opentext.com/knowledgesup...ppro/isetup.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {F53270D3-0E32-48B7-B63B-159E33210F70} (Livelink ActiveX Control) - https://knowledge.opentext.com/knowledgesup...bexp/lledit.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = inside.byte.com.au
O17 - HKLM\Software\..\Telephony: DomainName = inside.byte.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = inside.byte.com.au
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/stewartw/LOCALS~1/Temp/msohtmlclip1/01/clip_image002.jpg
O24 - Desktop Component 2: (no name) - \\stewartslaptop\DownloadsOrdered
O24 - Desktop Component 3: (no name) - \\stewartslaptop\Resources
O24 - Desktop Component 4: (no name) - c:\Resources

--
End of file - 12597 bytes

#10 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 23 August 2007 - 08:23 AM

Have you any idea what this file is? If not, carry on below:
C:\WINDOWS\TEMP\JPEDD.EXE

Go here: http://virusscan.jotti.org/
Using the 'Browse' button, browse to:
C:\WINDOWS\TEMP\JPEDD.EXE
Then press the 'Submit' button.
Wait while the file is scanned.
Post the results into your next reply.

If Jotti's too busy, try here:
http://www.virustotal.com/en/virustotalf.html
Click on the 'Analysis' tab.
Using the 'Browse' button, browse to:
C:\WINDOWS\TEMP\JPEDD.EXE
Then click on 'Send File'.
Post the results into your next reply.

Also post a new HijackThis log.

#11 walkerstewart

  • Topic Starter
  • Members
  • 8 posts

Posted 23 August 2007 - 06:24 PM

Hi Richie,

That file is the running service for the VeriSign CC gateway.

Every time the PC starts, a different exe is created so that the connection from servers cannot be targeted (much as a virus or malware would).

This has been running on my PC since I installed it, and I tend to use it every couple of months (web development).

The exe you mentioned has been removed (since I shut down my PC last night); however, the new exe was scanned and no problems were found.

I have attached the logs as requested below.

I think that my PC is pretty close to clean now, MS Defender and SpyBot haven't reported anything for the last day or so.


Antivirus scan:

A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:22, on 2007-08-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
\?\C:\IISDebugTools\_IISCHAgent.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\proquota.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\TEMP\VYF3C2.EXE
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.byte.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxyserver:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: IE DevToolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Capture Page to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddLinkEntryFromDocument.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ninemsn Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-au\msntb.dll/search.htm
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Capt&ure Target to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentElement.html
O8 - Extra context menu item: Capture &Snippet to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentSelection.html
O8 - Extra context menu item: Capture Ima&ge to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentElement.html
O8 - Extra context menu item: Capture Page and Selected &Links to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddSiteSnippetFromDocumentSelection.html
O8 - Extra context menu item: Capture Selected Ite&ms to Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddMultipleEntriesFromDocumentSelection.html
O8 - Extra context menu item: Capture Site to &Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddSiteFromDocument.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-au\msntabres.dll/229?576ddffc36d74536b0655eb68574d051
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-au\msntabres.dll/230?576ddffc36d74536b0655eb68574d051
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://intranet.byte.com.au
O15 - Trusted Zone: http://development.byte.com.au
O15 - Trusted Zone: http://intranet.byte.com.au
O15 - Trusted Zone: http://portal.byte.com.au
O15 - Trusted Zone: http://*.pdmsprod01
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.microsoftvirtuallabs.com/virtua...iveXClient1.cab
O16 - DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} (Photosynth Class) - http://media.labs.live.com/all/ps/_code_/Photosynth.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1179468040664
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1179467964568
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - https://knowledge.opentext.com/knowledgesup...ppro/isetup.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {F53270D3-0E32-48B7-B63B-159E33210F70} (Livelink ActiveX Control) - https://knowledge.opentext.com/knowledgesup...bexp/lledit.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = inside.byte.com.au
O17 - HKLM\Software\..\Telephony: DomainName = inside.byte.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = inside.byte.com.au
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/stewartw/LOCALS~1/Temp/msohtmlclip1/01/clip_image002.jpg
O24 - Desktop Component 2: (no name) - \\stewartslaptop\DownloadsOrdered
O24 - Desktop Component 3: (no name) - \\stewartslaptop\Resources
O24 - Desktop Component 4: (no name) - c:\Resources

--
End of file - 12541 bytes

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:03:50 AM

Posted 23 August 2007 - 06:56 PM

Your log is clean :thumbsup:
If all's ok, please do the following.

Find and delete:
Combofix.exe
C:\VundoFix Backups
C:\Qoobox

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.


Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

#13 walkerstewart

walkerstewart
  • Topic Starter

  • Members
  • 8 posts
  • Local time:12:50 PM

Posted 23 August 2007 - 07:17 PM

Hi Richie,

Thanks for all your help. I'm not exactly sure how this got on my PC; I tend to be quite careful when adding things.

The other day someone else used my PC so it could be that they dropped Virtumondo on my PC.

Anyway, thanks again.

Kind Regards,

Stewart Walker

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:03:50 AM

Posted 23 August 2007 - 07:54 PM

You're most welcome Stewart :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.