Trojan:win32/virtumonde.o



#1 umee


Posted 21 August 2007 - 02:28 AM

Hello,


My laptop has been infected with the trojan:win32/virtumonde.O virus. I have Windows Defender but it's not able to remove it. I also have Symantec AntiVirus but no luck.
I have joined this forum with great hope that you will help me to remove this virus.

I have run HijackThis and below is the log... please help me.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:51:52, on 8/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\Program Files\ProtectTools\Embedded Security Software\SpTna.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTServs.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\TEMP\win198.tmp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.in
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify2?&.src=ym
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 57.4.130.2 sindas01
O1 - Hosts: 57.250.245.246 sra-lon.sita.aero
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3C96F040-6F8D-4AB2-939C-151758E32BD6} - C:\WINDOWS\system32\awtqo.dll (file missing)
O2 - BHO: (no name) - {449F9C36-E591-4394-B44A-44EDA68F6517} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {862A1415-5062-4626-BFF0-952962CBFDFD} - C:\WINDOWS\system32\mljgg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll
O2 - BHO: (no name) - {E4EEFFED-93CD-4CF0-A0F3-50D139121FEE} - C:\WINDOWS\system32\vturstr.dll
O2 - BHO: (no name) - {EBB9FA49-C3C6-48C8-8CF0-2419C56D3C20} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\AccelerometerSt.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win198.tmp.exe
O4 - HKLM\..\Run: [NI.UWA7P_0001_N91M0809] "C:\Documents and Settings\Administrator\Desktop\WinAntiVirusPro2007FreeInstall.exe" -nag
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [IridiumTimeWizard] C:\D on ADS_UMESH\dektop\iridium.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = sita.int,sita.aero
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = sita.int,sita.aero
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = sita.int,sita.aero
O20 - Winlogon Notify: awtqo - C:\WINDOWS\system32\awtqo.dll (file missing)
O20 - Winlogon Notify: awtss - C:\WINDOWS\system32\awtss.dll (file missing)
O20 - Winlogon Notify: awvtu - C:\WINDOWS\system32\awvtu.dll (file missing)
O20 - Winlogon Notify: mljgg - C:\WINDOWS\system32\mljgg.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O20 - Winlogon Notify: vturstr - C:\WINDOWS\SYSTEM32\vturstr.dll
O20 - Winlogon Notify: wineak32 - C:\WINDOWS\SYSTEM32\wineak32.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 11850 bytes


#2 didom


Posted 21 August 2007 - 06:00 AM

Your system is terribly infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it would be like searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL the problems this malware has already caused.

Go to Start > Control Panel > Software > Add/Remove Programs and uninstall the following if present:

Ipwindows / ipwins
Oin
Outerinfo
Yazzle by Oin
YazzleActiveX By OIN
Purityscan by Oin
MediaTickets by OIN
Snowballwars by Oin
Cowabanga by OIN
or anything similar with Oin in it.


If OIN is not listed, download and run this uninstaller.

Reboot when done! Really important!

-----------------------

Download the HostsXpert 3.7 - Hosts File Manager.
  • Unzip HostsXpert 3.7 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  • Click HostsXpert.exe to run HostsXpert 3.7 - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Microsoft's Hosts file and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
-----------------------

Download Combofix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
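The triage that didom does by eye on the HijackThis log above can be written down as rules. The following Python script is an added example for this thread, not code from the thread, from HijackThis or from ComboFix: it parses the R*/O* entry lines, flags the patterns visible in umee's log (Winlogon Notify packages with short random-looking names loaded from system32, unnamed BHOs, autoruns launched from a temp folder or a Desktop, and one DLL registered both as a BHO and as a Notify package, as mljgg.dll is), and merely lists O1 hosts-file entries for review, since corporate builds carry such entries legitimately. The sample log is a constructed subset of the lines posted above; the name pattern, path markers and severity levels are my own assumptions, not HijackThis conventions.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 log format: a subset of the entries posted above.
SAMPLE_LOG = r"""
O1 - Hosts: 57.4.130.2 sindas01
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3C96F040-6F8D-4AB2-939C-151758E32BD6} - C:\WINDOWS\system32\awtqo.dll (file missing)
O2 - BHO: (no name) - {449F9C36-E591-4394-B44A-44EDA68F6517} - (no file)
O2 - BHO: (no name) - {862A1415-5062-4626-BFF0-952962CBFDFD} - C:\WINDOWS\system32\mljgg.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win198.tmp.exe
O4 - HKLM\..\Run: [NI.UWA7P_0001_N91M0809] "C:\Documents and Settings\Administrator\Desktop\WinAntiVirusPro2007FreeInstall.exe" -nag
O4 - Global Startup: Bluetooth.lnk = ?
O20 - Winlogon Notify: awtqo - C:\WINDOWS\system32\awtqo.dll (file missing)
O20 - Winlogon Notify: mljgg - C:\WINDOWS\system32\mljgg.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info" (assumed scale)
    code: str      # HijackThis section the finding came from, e.g. "O20"
    subject: str   # file, command or hosts entry the finding is about
    reason: str


ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)")
# Assumed heuristic drawn from the log above: Notify subkeys such as awtqo, mljgg or
# vturstr are short runs of lowercase letters, unlike vendor ones like OneCard.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,7}$")
SYSTEM32 = "\\windows\\system32\\"      # all path checks are done on lower-cased text
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")
DESKTOP = "\\desktop\\"
MISSING_MARKERS = ("(file missing)", "(no file)")


def parse_hjt(text):
    """Yield (code, body) for each R*/O* entry; process lists and headers are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def split_missing(field):
    """Strip HijackThis' missing-file markers; return (path, was_missing)."""
    for marker in MISSING_MARKERS:
        if field.endswith(marker):
            return field[: -len(marker)].strip(), True
    return field, False


def last_field(body):
    """The last ' - '-separated field of an O2/O20 line holds the file path (or a marker)."""
    return body.rsplit(" - ", 1)[-1].strip()


def analyze(text):
    """Run the triage rules over a HijackThis log; findings come back in log order."""
    findings, bho_dlls, notify_dlls = [], {}, {}
    for code, body in parse_hjt(text):
        if code == "O1":
            entry = body.split(":", 1)[1].strip()
            findings.append(Finding("info", code, entry, "hosts-file entry; confirm it is intentional"))
        elif code == "O2":
            path, missing = split_missing(last_field(body))
            label = body.split(" - ", 1)[0]  # e.g. "BHO: (no name)"
            if missing:
                findings.append(Finding("medium", code, path or body, "BHO whose file is missing (stale or partly removed)"))
            elif "(no name)" in label and SYSTEM32 in path.lower():
                findings.append(Finding("high", code, path, "unnamed BHO loaded from system32"))
            if path:
                bho_dlls[path.lower()] = path
        elif code == "O4":
            m = RUN_RE.search(body)
            if not m:
                continue  # Global Startup shortcuts have no [name] part
            name, cmd = m.group("name"), m.group("cmd")
            low = cmd.lower()
            if any(t in low for t in TEMP_MARKERS) or ".tmp.exe" in low:
                findings.append(Finding("high", code, cmd, f"autorun '{name}' launches from a temp location"))
            elif DESKTOP in low:
                findings.append(Finding("medium", code, cmd, f"autorun '{name}' launches a file from a Desktop folder"))
        elif code == "O20":
            path, missing = split_missing(last_field(body))
            subkey = body.split(":", 1)[1].split(" - ", 1)[0].strip()
            if missing:
                findings.append(Finding("medium", code, path, f"Winlogon Notify '{subkey}' points at a missing DLL"))
            elif RANDOM_NAME_RE.match(subkey) and SYSTEM32 in path.lower():
                findings.append(Finding("high", code, path, f"Winlogon Notify '{subkey}' has a random-looking name and loads from system32"))
            if path:
                notify_dlls[path.lower()] = path
    # Correlation: a DLL registered as both BHO and Notify package is loaded into the
    # browser and into winlogon.exe, which is what keeps it alive through cleanup attempts.
    for key in sorted(bho_dlls.keys() & notify_dlls.keys()):
        findings.append(Finding("high", "O2+O20", bho_dlls[key], "same DLL registered as BHO and as Winlogon Notify package"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity:<6}] {f.code:<6} {f.subject}  -- {f.reason}")
```

On the sample above the script reports five high findings (the unnamed mljgg.dll BHO, the `avp` autorun from C:\WINDOWS\TEMP, the mljgg Notify package, and the awtqo/mljgg BHO-plus-Notify correlations), four medium ones (the two missing-file registrations, the awtqo Notify entry, and the Desktop installer autorun) and the single hosts entry as information; the Symantec, Adobe and OneCard entries pass untouched. Treat the output as a worklist for a human reviewer, as in this thread, not as a verdict.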

#3 umee


Posted 22 August 2007 - 12:31 AM

Thanks,

I executed oiuninstaller, HostsXpert and ComboFix.

Below is the log of combofix...

ComboFix 07-08-17.2 - "Admin" 2007-08-22 10:54:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.556 [GMT 5.5:30]


((((((((((((((((((((((((( Files Created from 2007-07-22 to 2007-08-22 )))))))))))))))))))))))))))))))


2007-08-21 13:20 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-21 10:03 627,722 --ahs---- C:\WINDOWS\system32\ggjlm.bak2
2007-08-20 17:00 6,473 --ahs---- C:\WINDOWS\system32\ggjlm.bak1
2007-08-20 16:59 298,080 --a------ C:\WINDOWS\system32\mljgg.dll
2007-08-20 15:00 6,473 --ahs---- C:\WINDOWS\system32\utvwa.bak1
2007-08-20 13:44 <DIR> d-------- C:\Program Files\BillP Studios
2007-08-20 13:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\WinPatrol
2007-08-20 13:22 6,473 --ahs---- C:\WINDOWS\system32\oqtwa.bak1
2007-08-20 12:16 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-08-20 12:16 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-08-20 11:08 <DIR> d-------- C:\DOCUME~1\umesh\APPLIC~1\Real
2007-08-20 11:00 786,432 --ah----- C:\DOCUME~1\umesh\NTUSER.DAT
2007-08-20 11:00 <DIR> d-------- C:\DOCUME~1\umesh\APPLIC~1\SampleView
2007-08-20 11:00 <DIR> d-------- C:\DOCUME~1\umesh\APPLIC~1\Infineon
2007-08-17 11:03 43,542 --a------ C:\WINDOWS\system32\mljiffe.dll
2007-08-17 11:03 15,360 --a------ C:\WINDOWS\system32\drvwucr.dll
2007-08-16 10:57 596,332 --ahs---- C:\WINDOWS\system32\sstwa.bak2
2007-08-14 13:29 <DIR> d-------- C:\sita
2007-08-14 12:51 <DIR> d-------- C:\Program Files\System Center Management Packs
2007-08-14 12:01 <DIR> d-------- C:\bak
2007-08-14 11:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-08-14 11:26 6,421 --ahs---- C:\WINDOWS\system32\sstwa.bak1
2007-08-14 09:59 6,421 --ahs---- C:\WINDOWS\system32\xyadd.bak1
2007-08-13 16:59 6,421 --ahs---- C:\WINDOWS\system32\accdd.bak1
2007-08-13 16:18 <DIR> d-------- C:\Program Files\AuthenTec
2007-08-13 15:58 6,461 --ahs---- C:\WINDOWS\system32\wybeg.bak1
2007-08-13 15:54 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DoctorWeb
2007-08-13 15:14 <DIR> d-------- C:\Program Files\Digital Locker Assistant
2007-08-13 14:46 6,461 --ahs---- C:\WINDOWS\system32\ffhkj.bak1
2007-08-13 13:45 6,421 --ahs---- C:\WINDOWS\system32\bbadd.bak1
2007-08-13 12:30 6,461 --ahs---- C:\WINDOWS\system32\qqtss.bak1
2007-08-13 11:21 6,461 --ahs---- C:\WINDOWS\system32\qqstv.bak1
2007-08-13 09:49 6,421 --ahs---- C:\WINDOWS\system32\ehhkj.bak1
2007-08-10 17:15 6,421 --ahs---- C:\WINDOWS\system32\pqtwa.bak1
2007-08-10 16:03 6,421 --ahs---- C:\WINDOWS\system32\jjllm.bak1
2007-08-09 17:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Ahead
2007-08-09 17:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-08-09 17:19 <DIR> d-------- C:\Program Files\Nero
2007-08-09 17:19 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-08-09 17:14 <DIR> d-------- C:\Program Files\AskTBar
2007-08-08 16:56 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-08 16:56 <DIR> d-------- C:\Program Files\SpeedOptimizer
2007-08-08 16:56 <DIR> d-------- C:\Program Files\AskPBar
2007-08-08 16:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SpeedBit
2007-08-08 16:56 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SpeedBit
2007-08-08 16:51 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2007-08-08 16:51 <DIR> d-------- C:\Program Files\DAP
2007-08-06 11:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-08-06 11:02 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-08-01 10:09 <DIR> d-------- C:\photo
2007-07-30 12:17 0 --a------ C:\WINDOWS\nsreg.dat
2007-07-30 12:17 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Talkback
2007-07-30 12:13 3,941 --a------ C:\WINDOWS\mozver.dat
2007-07-30 12:13 <DIR> d-------- C:\Program Files\Real
2007-07-30 12:13 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-07-30 12:13 <DIR> d-------- C:\Program Files\Common Files\Real
2007-07-30 12:12 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Real
2007-07-24 09:56 21,504 --a------ C:\WINDOWS\jestertb.dll
2007-07-23 11:58 <DIR> d-------- C:\Program Files\Common Files\Lotus
2007-07-23 11:55 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-22 10:52 --------- d-------- C:\Program Files\Symantec AntiVirus
2007-08-20 12:28 0 --a------ C:\WINDOWS\system32\drivers\is-G5622.tmp
2007-08-16 10:44 --------- d-------- C:\Program Files\Nortel Networks
2007-08-14 15:07 --------- d-------- C:\Program Files\Microsoft SQL Server
2007-08-14 11:26 --------- d-------- C:\Program Files\Microsoft.NET
2007-08-13 16:12 --------- dr-h----- C:\DOCUME~1\ADMINI~1\APPLIC~1\yahoo!
2007-08-13 16:10 --------- d-------- C:\Program Files\Yahoo!
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-30 12:13 --------- d-------- C:\Program Files\Google
2007-07-23 11:55 --------- d-------- C:\Program Files\lotus
2007-07-16 12:07 --------- d-------- C:\Program Files\Windows Defender
2007-07-13 18:38 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-13 18:33 --------- d-------- C:\Program Files\RSA Security
2007-07-02 15:37 --------- d-------- C:\Program Files\MSXML 6.0
2007-07-02 15:36 --------- d-------- C:\Program Files\MSBuild
2007-07-02 15:33 --------- d-------- C:\Program Files\Reference Assemblies
2007-07-02 15:32 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-07-02 15:31 --------- d-------- C:\Program Files\Windows Media Connect
2007-06-29 10:23 --------- d-------- C:\Program Files\Ac Browser Plus
2007-06-29 10:23 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Konrad Papala
2007-06-27 17:57 --------- d-------- C:\Program Files\Dialer
2007-06-26 20:43 851968 --------- C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 20:05 665600 --------- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 11:38 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 11:38 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 19:01 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 19:01 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-15 13:42 96256 --------- C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-15 13:42 616960 --------- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-15 13:42 55808 --------- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-15 13:42 532480 --------- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-15 13:42 474112 --------- C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-15 13:42 449024 --------- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-15 13:42 39424 --------- C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-15 13:42 357888 --------- C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-15 13:42 3064320 --------- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-15 13:42 251904 --------- C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-15 13:42 205824 --------- C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-15 13:42 16384 --------- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-15 13:42 151040 --------- C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-15 13:42 1498112 --------- C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-15 13:42 146432 --------- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-15 13:42 1054208 --------- C:\WINDOWS\system32\dllcache\danim.dll
2007-06-15 13:42 1022976 --------- C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 16:02 18432 --------- C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 15:53 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 15:53 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-11 23:51 10834944 --a------ C:\WINDOWS\system32\dllcache\wmp.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C96F040-6F8D-4AB2-939C-151758E32BD6}]
C:\WINDOWS\system32\awtqo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{449F9C36-E591-4394-B44A-44EDA68F6517}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{862A1415-5062-4626-BFF0-952962CBFDFD}]
2007-08-20 16:59 298080 --a------ C:\WINDOWS\system32\mljgg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EBB9FA49-C3C6-48C8-8CF0-2419C56D3C20}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-05-06 14:06]
"AccelerometerSysTrayApplet"="C:\WINDOWS\system32\AccelerometerSt.exe" [2006-01-17 10:31]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 22:16]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-03 04:09]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-02-22 08:03]
"Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2005-12-21 04:21]
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2006-03-10 05:08]
"Scheduler"="C:\WINDOWS\SMINST\Scheduler.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-08-02 21:00]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-08-18 12:50]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 13:41]
"PTHOSTTR"="C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.exe" [2006-02-14 11:56]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 17:47]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 17:43]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 17:47]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"CognizanceTS"="C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll" [2003-12-22 23:42]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-08-31 05:20]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 10:49]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2005-11-08 11:59]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-07-30 12:13]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:30]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-18 14:23]
"IridiumTimeWizard"="C:\D on ADS_UMESH\dektop\iridium.exe" []
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-06-11 18:16]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-02-27 17:02:06]
DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2007-05-08 19:12:42]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqo]
C:\WINDOWS\system32\awtqo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtss]
C:\WINDOWS\system32\awtss.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvtu]
C:\WINDOWS\system32\awvtu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
IfxWlxEN.dll 2005-08-19 19:22 389120 C:\WINDOWS\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljgg]
C:\WINDOWS\system32\mljgg.dll 2007-08-20 16:59 298080 C:\WINDOWS\system32\mljgg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll 2005-07-26 00:11 40960 C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli AsWlnPkg

R0 hpdskflt;HP Disk Filter Driver;C:\WINDOWS\system32\DRIVERS\hpdskflt.sys
R1 PersonalSecureDrive;PersonalSecureDrive;C:\WINDOWS\system32\drivers\psd.sys
R2 ASChannel;Local Communication Channel;C:\WINDOWS\System32\svchost.exe -k Cognizance
R2 MSMQ;Message Queuing;C:\WINDOWS\system32\mqsvc.exe
R2 MSMQTriggers;Message Queuing Triggers;C:\WINDOWS\system32\mqtgsvc.exe
R2 SQLBrowser;SQL Server Browser;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe"
R3 Accelerometer;Accelerometer;C:\WINDOWS\system32\DRIVERS\Accelerometer.sys
R3 AEAudioService;AEAudio Service;C:\WINDOWS\system32\drivers\AEAudio.sys
R3 ATSWPDRV;AuthenTec TruePrint USB Driver (AES2500);C:\WINDOWS\system32\DRIVERS\ATSwpDrv.sys
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys
R3 HBtnKey;HBtnKey;C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys
R3 MQAC;Message Queuing access control;\??\C:\WINDOWS\system32\drivers\mqac.sys
R3 RMCAST;Reliable Multicast Protocol driver;\??\C:\WINDOWS\system32\drivers\RMCast.sys
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS\system32\DRIVERS\MSIRCOMM.sys
S3 MSSQL$MYSQL2K5;SQL Server (MYSQL2K5);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMYSQL2K5
S3 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance ASChannel


Contents of the 'Scheduled Tasks' folder
2007-08-22 05:24:19 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-22 10:56:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????d??????(?@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-22 10:56:51
C:\ComboFix-quarantined-files.txt ... 2007-08-22 10:56
C:\ComboFix2.txt ... 2007-08-21 13:28

--- E O F ---

Log of HijackThis....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:59, on 8/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\Program Files\ProtectTools\Embedded Security Software\SpTna.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTServs.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify2?&.src=ym
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3C96F040-6F8D-4AB2-939C-151758E32BD6} - C:\WINDOWS\system32\awtqo.dll (file missing)
O2 - BHO: (no name) - {449F9C36-E591-4394-B44A-44EDA68F6517} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {862A1415-5062-4626-BFF0-952962CBFDFD} - C:\WINDOWS\system32\mljgg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll
O2 - BHO: (no name) - {EBB9FA49-C3C6-48C8-8CF0-2419C56D3C20} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\AccelerometerSt.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [IridiumTimeWizard] C:\D on ADS_UMESH\dektop\iridium.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = sita.int,sita.aero
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = sita.int,sita.aero
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = sita.int,sita.aero
O20 - Winlogon Notify: awtqo - C:\WINDOWS\system32\awtqo.dll (file missing)
O20 - Winlogon Notify: awtss - C:\WINDOWS\system32\awtss.dll (file missing)
O20 - Winlogon Notify: awvtu - C:\WINDOWS\system32\awvtu.dll (file missing)
O20 - Winlogon Notify: mljgg - C:\WINDOWS\system32\mljgg.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 11073 bytes

#4 didom

  • Members
  • 1,389 posts
  • Gender:Male

Posted 22 August 2007 - 04:18 AM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

Scan again with HijackThis and check the following items:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: (no name) - {3C96F040-6F8D-4AB2-939C-151758E32BD6} - C:\WINDOWS\system32\awtqo.dll (file missing)
O2 - BHO: (no name) - {449F9C36-E591-4394-B44A-44EDA68F6517} - (no file)
O2 - BHO: (no name) - {862A1415-5062-4626-BFF0-952962CBFDFD} - C:\WINDOWS\system32\mljgg.dll
O2 - BHO: (no name) - {EBB9FA49-C3C6-48C8-8CF0-2419C56D3C20} - (no file)

O20 - Winlogon Notify: awtqo - C:\WINDOWS\system32\awtqo.dll (file missing)
O20 - Winlogon Notify: awtss - C:\WINDOWS\system32\awtss.dll (file missing)
O20 - Winlogon Notify: awvtu - C:\WINDOWS\system32\awvtu.dll (file missing)
O20 - Winlogon Notify: mljgg - C:\WINDOWS\system32\mljgg.dll

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Step #2

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

File::
C:\WINDOWS\system32\ggjlm.bak2
C:\WINDOWS\system32\ggjlm.bak1
C:\WINDOWS\system32\mljgg.dll
C:\WINDOWS\system32\utvwa.bak1
C:\WINDOWS\system32\oqtwa.bak1
C:\WINDOWS\system32\mljiffe.dll
C:\WINDOWS\system32\drvwucr.dll
C:\WINDOWS\system32\sstwa.bak2
C:\WINDOWS\system32\sstwa.bak1
C:\WINDOWS\system32\xyadd.bak1
C:\WINDOWS\system32\accdd.bak1
C:\WINDOWS\system32\wybeg.bak1
C:\WINDOWS\system32\ffhkj.bak1
C:\WINDOWS\system32\bbadd.bak1
C:\WINDOWS\system32\qqtss.bak1
C:\WINDOWS\system32\qqstv.bak1
C:\WINDOWS\system32\ehhkj.bak1
C:\WINDOWS\system32\pqtwa.bak1
C:\WINDOWS\system32\jjllm.bak1

Folder::
C:\Program Files\Dialer
C:\Program Files\AskTBar


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


[screenshot: CFScript.txt being dragged onto ComboFix.exe]


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Step #3
  • Make sure all hidden files are showing
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
    • C:\WINDOWS\system32\drivers\is-G5622.tmp
  • Click on the submit button
  • Do the same for this file:
    • C:\WINDOWS\jestertb.dll
  • Please post the results in your next reply.
Step #4

Can you also tell me what is inside these folders and if you are familiar with them:

C:\sita
C:\bak
C:\photo

Copy and paste the contents of the ComboFix log in your next reply along with a fresh HijackThis log and the Jotti scan results.




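The entries didom ticks in Step #1 and the files listed in Step #2 are not arbitrary: every suspect O2 (BHO) and O20 (Winlogon Notify) line in umee's log points at a five-lowercase-letter DLL sitting directly in system32 (awtqo, awtss, awvtu, mljgg), the BHOs carry no display name, several are orphaned ("file missing" / "no file"), and the Step #2 File:: list pairs each DLL with backups named from the DLL stem spelled backwards (mljgg -> ggjlm.bak1/.bak2, awtqo -> oqtwa.bak1, awtss -> sstwa.bak1/.bak2, awvtu -> utvwa.bak1). The script below is an added example of mine, not code from the helper, HijackThis or ComboFix: it triages O2/O20 lines from a pasted HijackThis log with exactly those observations as heuristics, lists the lines to tick in HijackThis, and drafts the File:: section of a CFScript in the format shown in Step #2. The sample log is constructed from lines in the post above (benign Adobe, Google and HP entries kept as controls); `triage`, `predicted_companions` and `cfscript` are my own names; the "five lowercase letters" and "reversed-stem .bak" rules are generalised from this one page, not a universal Vundo signature; and an orphaned entry is a cleanup item, not proof of infection. It only reads log text and never touches the registry, so any CFScript it drafts still needs a human check before being dropped on ComboFix.

```python
import re
from dataclasses import dataclass, field

SYS32 = r"C:\WINDOWS\system32"

# Constructed sample: O2/O20 lines copied from the HijackThis log posted above,
# with the benign Adobe, Google and HP ProtectTools entries kept as controls.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3C96F040-6F8D-4AB2-939C-151758E32BD6} - C:\WINDOWS\system32\awtqo.dll (file missing)
O2 - BHO: (no name) - {449F9C36-E591-4394-B44A-44EDA68F6517} - (no file)
O2 - BHO: (no name) - {862A1415-5062-4626-BFF0-952962CBFDFD} - C:\WINDOWS\system32\mljgg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O20 - Winlogon Notify: awtqo - C:\WINDOWS\system32\awtqo.dll (file missing)
O20 - Winlogon Notify: mljgg - C:\WINDOWS\system32\mljgg.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
"""

# HijackThis line shapes for BHOs (O2) and Winlogon Notify packages (O20).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
# Heuristic taken from this thread only: a five-letter lowercase DLL directly in
# system32 (awtqo, awtss, awvtu, mljgg). Not a general-purpose malware signature.
RANDOM_SYS32_DLL = re.compile(r"\\system32\\(?P<stem>[a-z]{5})\.dll\b", re.IGNORECASE)


@dataclass
class Finding:
    kind: str                     # "O2" (BHO) or "O20" (Winlogon Notify)
    name: str
    target: str
    line: str                     # the original log line, for the HijackThis tick list
    reasons: list = field(default_factory=list)
    companions: list = field(default_factory=list)


def predicted_companions(stem):
    """Backup names seen in Step #2: the DLL stem reversed, with .bak1 and .bak2
    (mljgg -> ggjlm.bak1/.bak2, awtqo -> oqtwa.bak1). Assumption drawn from this page."""
    rev = stem[::-1]
    return [SYS32 + "\\" + rev + ".bak1", SYS32 + "\\" + rev + ".bak2"]


def triage(log_text):
    """Return a Finding for every O2/O20 entry that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m, kind = BHO_RE.match(line), "O2"
        if not m:
            m, kind = NOTIFY_RE.match(line), "O20"
        if not m:
            continue
        name, target = m.group("name"), m.group("target")
        reasons = []
        if kind == "O2" and name == "(no name)":
            reasons.append("BHO registered without a display name")
        if "(file missing)" in target or target == "(no file)":
            reasons.append("orphaned entry: the registered file is absent")
        r = RANDOM_SYS32_DLL.search(target)
        if r:
            reasons.append("five-letter random-looking DLL directly in system32")
        if reasons:
            f = Finding(kind, name, target, line, reasons)
            if r:
                f.companions = predicted_companions(r.group("stem").lower())
            findings.append(f)
    return findings


def suspect_dll_stems(findings):
    """Distinct random-looking DLL stems, so one DLL seen as both O2 and O20 counts once."""
    stems = {m.group("stem").lower() for f in findings
             for m in [RANDOM_SYS32_DLL.search(f.target)] if m}
    return sorted(stems)


def hijackthis_fix_list(findings):
    """The log lines to tick before 'Fix checked', as in Step #1."""
    return [f.line for f in findings]


def cfscript(findings):
    """Draft the File:: section of a ComboFix CFScript (Step #2 format): the DLL itself
    when it is still on disk, plus its predicted reversed-name backups. Deduplicated."""
    paths = []
    for f in findings:
        if not f.companions:
            continue
        dll_present = "(file missing)" not in f.target
        dll_path = f.target.split(" (")[0]
        for p in ([dll_path] if dll_present else []) + f.companions:
            if p not in paths:
                paths.append(p)
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f.kind, f.name, "->", f.target, "|", "; ".join(f.reasons))
    print("\nSuspect DLL stems:", suspect_dll_stems(found))
    print("\nDraft CFScript:\n" + cfscript(found))
```

On the sample the script flags five lines (three BHOs, two Winlogon Notify packages) and leaves the Adobe, Google and HP entries alone; the drafted File:: block contains mljgg.dll and the ggjlm/oqtwa .bak pairs but not awtqo.dll, because the log already says that file is missing. The real Step #2 list is longer (sstwa, utvwa, xyadd, accdd and so on) because the helper also saw ComboFix's own file listing, which this log-only triage never sees.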