
Spyware, Viruses And My Hijack Log


23 replies to this topic

#1 jsaklas

  • Members
  • 82 posts

Posted 27 August 2007 - 06:05 PM

I must have a virus/spyware problem.

First, I am running XP Home. Secondly, I run NO games other than MS's minesweeper, solitaire etc.

Symptoms:

1. MS Internet Explorer randomly opens with an error message that the URL for which it is looking is unavailable (It is looking for http://svxela.com, http://89,188.16.10/50/...., and others.). [Note: I am a Mozilla Firefox user and only open IE on the very rare occasion that Firefox can not read some parts of some web pages.] Firefox randomly opens up seeking various anti-spyware web pages.

2. I get an error message that says:

Microsoft Visual C++ Runtime Library
Runtime Error
Program C\Windows\Explorer.exe
Error loading C:\Windows\system32\fdrokhpb.dll
This Application has requested the Runtime to terminate it in an unusual way. Please contact the applications support team for more information

If I do NOT click on it and continue working, all is fine. However, if I click on the OK button, then I lose my Taskbar and all Desktop Icons (My desktop, however, remains.).


3. The machine is unusually slow booting up.

4. I can no longer run or install any 16 bit DOS programs. (This is a big problem for me.)

5. The machine may be a bit slower than usual. It is difficult to measure this.


I run Norton Antivirus from Norton Systemworks weekly. It has caught some viruses, but there is at least one that it reports some error in attempting to delete.

I also run AVG Anti-Spyware 7.5 weekly. It always removes something.

I NEED HELP!

I followed your instructions and ran Ad-Aware SE, Spybot, Housecall, Panda and Bit Defender. I also ran McAfee Stinger and then reran Norton AV. I have not yet installed a firewall.

The problem of losing my Taskbar and desktop icons occurred only after I ran these programs. Obviously, in eliminating a virus, something else was lost.

You know, sometimes I long for DOS and the config.sys and autoexec.bat. Things were so much simpler then.

Thanks for your time.



Below is my HijackThis file:

Logfile of HijackThis v1.99.1
Scan saved at 1:57:10 AM, on 8/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\jdtxktta.dll",forkonce
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.2\webbuying.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159922600968
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homesteadhotels.com/minisite/ac...nd/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B590F5BC-5774-47D8-859E-727E25E017AA} (DriverDetectiveMembers.members) - http://www.drivershq.com/files/cab/member/...Detective-m.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


#2 RichieUK (Malware Assassin)

  • Malware Response Team
  • 13,614 posts

Posted 28 August 2007 - 04:35 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum jsaklas :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Click Start/Control Panel/Add or Remove Programs and remove/uninstall Web Buying if present, then restart your PC.

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Now go to:
C:\HJT\HijackThis.exe
Right click on HijackThis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat (which is still HijackThis.exe), post that log into your next reply please.

#3 jsaklas (Topic Starter)

  • Members
  • 82 posts

Posted 28 August 2007 - 06:45 PM

RichieUK,

Much thanks for the help. The problem is on my home computer so I will be communicating with you at about this time every evening.

I followed your instructions. As you indicated, there was one file (c:\windows\system32\uvjhyyyp.dll) that Vundo could not fix on the first scan, but, indeed, fixed it upon bootup.

Below are the two logs you requested.

-----------------------------


First from VundoFix:


VundoFix V6.1.5

Checking Java version...

Java version is 1.5.0.3

Java version is 1.5.0.6

Scan started at 11:11:20 PM 9/19/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.5.7

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 7:05:28 PM 8/28/2007

Listing files found while scanning....

C:\windows\system32\gilbgwnt.ini
C:\WINDOWS\system32\hjllm.bak1
C:\WINDOWS\system32\hjllm.bak2
C:\WINDOWS\system32\hjllm.ini
C:\WINDOWS\system32\hjllm.ini2
C:\WINDOWS\system32\hjllm.tmp
C:\WINDOWS\system32\mlljh.dll
C:\windows\system32\pyyyhjvu.ini
C:\WINDOWS\system32\swsbpubq.dll
C:\windows\system32\tnwgblig.dll
C:\WINDOWS\system32\uvjhyyyp.dll

Beginning removal...

Attempting to delete C:\windows\system32\gilbgwnt.ini
C:\windows\system32\gilbgwnt.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjllm.bak1
C:\WINDOWS\system32\hjllm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjllm.bak2
C:\WINDOWS\system32\hjllm.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjllm.ini
C:\WINDOWS\system32\hjllm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjllm.ini2
C:\WINDOWS\system32\hjllm.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjllm.tmp
C:\WINDOWS\system32\hjllm.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\mlljh.dll
C:\WINDOWS\system32\mlljh.dll Has been deleted!

Attempting to delete C:\windows\system32\pyyyhjvu.ini
C:\windows\system32\pyyyhjvu.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\swsbpubq.dll
C:\WINDOWS\system32\swsbpubq.dll Has been deleted!

Attempting to delete C:\windows\system32\tnwgblig.dll
C:\windows\system32\tnwgblig.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\uvjhyyyp.dll
C:\WINDOWS\system32\uvjhyyyp.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\uvjhyyyp.dll
C:\WINDOWS\system32\uvjhyyyp.dll Has been deleted!

Performing Repairs to the registry.
Done!

----------------------------------------



and now the Hijack log:


Logfile of HijackThis v1.99.1
Scan saved at 7:37:09 PM, on 8/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Burn4Free Toolbar Helper - {60BF5EE3-0105-4858-AD98-17C19F86B042} - C:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {a98cf055-f7e1-4015-9821-fce34f93e161} - C:\WINDOWS\system32\rngmewb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - C:\WINDOWS\system32\opnkige.dll
O2 - BHO: (no name) - {D9A13134-8671-4C89-BCD9-B759D66C17B1} - C:\WINDOWS\system32\mlljh.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.2\webbuying.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159922600968
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homesteadhotels.com/minisite/ac...nd/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B590F5BC-5774-47D8-859E-727E25E017AA} (DriverDetectiveMembers.members) - http://www.drivershq.com/files/cab/member/...Detective-m.cab
O20 - Winlogon Notify: opnkige - C:\WINDOWS\SYSTEM32\opnkige.dll
O20 - Winlogon Notify: pktdll - C:\WINDOWS\SYSTEM32\pktdll.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\rdtmmctk.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
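The Vundo indicators that RichieUK is reading off the two HijackThis logs above (BHOs with no name, a Winlogon Notify hook and a service pointing at a random-looking 5-8 letter DLL or EXE in system32, and "(file missing)" entries left behind by a partial clean-up) can be pulled out mechanically. The triage script below is an added example, not part of this thread or of HijackThis; its sample lines are copied from the logs above plus three clean entries for contrast, and the random-filename rule is the example's own heuristic, not a HijackThis feature.

```python
import re
from dataclasses import dataclass, field

# Sample input for this example: entries copied from the two HijackThis logs
# in this thread, plus the clean Java, NVIDIA and WgaLogon entries for contrast.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {a98cf055-f7e1-4015-9821-fce34f93e161} - C:\WINDOWS\system32\rngmewb.dll
O2 - BHO: (no name) - {D9A13134-8671-4C89-BCD9-B759D66C17B1} - C:\WINDOWS\system32\mlljh.dll (file missing)
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\jdtxktta.dll",forkonce
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: opnkige - C:\WINDOWS\SYSTEM32\opnkige.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\rdtmmctk.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# "O20 - Winlogon Notify: ..." -> code "O20", body "Winlogon Notify: ..."
LINE_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
# A Windows path up to and including its extension; spaces are allowed inside.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:dll|exe|cpl|ocx|sys)\b', re.IGNORECASE)
SYSTEM32_RE = re.compile(r"\\system32\\", re.IGNORECASE)
# Heuristic (this example's assumption, not a HijackThis rule): Vundo-style
# names are 5-8 lowercase letters with no digits, e.g. rngmewb, opnkige.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}$")
# Sections that give code execution in the browser, at logon or as a service.
AUTOSTART_CODES = {"O2", "O4", "O20", "O21", "O23"}


@dataclass
class Finding:
    code: str
    line: str
    reasons: list = field(default_factory=list)


def basename_stem(path: str) -> str:
    """'C:\\WINDOWS\\system32\\rngmewb.dll' -> 'rngmewb'."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def triage_line(line: str):
    """Return a Finding for a HijackThis entry (reasons empty if it looks clean),
    or None for lines that are not entries (headers, the running-process list)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    code, body = m.group("code"), m.group("body")
    finding = Finding(code, line.strip())
    if code not in AUTOSTART_CODES:
        return finding
    if code == "O2" and "(no name)" in body:
        finding.reasons.append("BHO registered without a name")
    if "(file missing)" in body:
        finding.reasons.append("file is gone but its registry entry remains (clean-up residue)")
    if code == "O23" and "Unknown owner" in body:
        finding.reasons.append("service with no publisher information")
    for path in PATH_RE.findall(body):
        if SYSTEM32_RE.search(path) and RANDOM_NAME_RE.match(basename_stem(path)):
            finding.reasons.append(f"random-looking filename in system32: {path}")
    return finding


def triage_log(text: str) -> list:
    """All entries with at least one reason, in log order."""
    return [f for f in map(triage_line, text.splitlines())
            if f is not None and f.reasons]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.code, f.line)
        for r in f.reasons:
            print("   ->", r)
```

Every flagged line here is one RichieUK later acts on; the three clean entries pass because their filenames have mixed case or digits and their files exist.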

#4 RichieUK (Malware Assassin)

  • Malware Response Team
  • 13,614 posts

Posted 29 August 2007 - 04:21 AM

Download Systemscan and save it to your desktop.
Double-click on Systemscan.exe to run the tool.
A warning box will appear. Please read and click Ok.
When SystemScan opens, click the "Unselect all" button.
Important: under "Make your choice and than click..." check the boxes next to:

PC accounts
Recent files (60 days)
Hidden Objects


Everything else should be unchecked.
Click "Scan Now".
Another warning box will appear. Please follow the instructions and click Ok.
Systemscan will scan your computer and create a folder at C:\suspectfile to save the log files. Please be patient while the scan is in progress.
When the scan is complete, Notepad will automatically open a log file named report.txt.
This log file will show a list of all user accounts, all files/folders created in the last 60 days and any Hidden files that were found.
Copy and paste the contents of report.txt in your next reply.

#5 jsaklas (Topic Starter)

  • Members
  • 82 posts

Posted 29 August 2007 - 05:24 PM

RichieUK,

Here is the Systemscan report file:

SystemScan - www.suspectfile.com - ver. 3.2.0

Running on: Windows XP HOME Edition, Service Pack 2 (2600.5.1)
System directory: C:\WINDOWS

Date: 8/29/2007
Time: 6:07:18 PM

Output limited to:
-Recent files
-PC accounts
-Hidden objects

===================== Accounts on this PC =====================


Users on this computer:
Is Admin? | Username
------------------
Yes | Administrator
Yes | Ariadne Saklas
| Danae Saklas
| Guest (Disabled)
| HelpAssistant (Disabled)
Yes | James Saklas
Yes | Rosalia Saklas
| SUPPORT_388945a0 (Disabled)

### users folders

02/09/2005 01:29:14 (DIR) 0 byte 726 days old -- Danae Saklas
30/08/2005 21:06:24 (DIR) 0 byte 729 days old -- All Users
30/08/2005 21:06:24 (DIR) 0 byte 729 days old -- Default User
30/08/2005 21:19:40 (DIR) 0 byte 729 days old -- NetworkService
30/08/2005 21:19:46 (DIR) 0 byte 729 days old -- LocalService
30/08/2005 21:23:52 (DIR) 0 byte 729 days old -- James Saklas
23/10/2005 13:20:24 (DIR) 0 byte 675 days old -- Ariadne Saklas
23/10/2005 14:26:00 (DIR) 0 byte 675 days old -- Rosalia Saklas
17/10/2006 20:40:46 (DIR) 0 byte 316 days old -- Administrator

===================== Recent files (60 days old)=====================

----- recent files in C:\
02/08/2007 11:45:26 2577 byte 27 days old -- CONFIG.NT
02/08/2007 11:48:02 1688 byte 27 days old -- AUTOEXEC.NT
19/07/2007 03:13:12 384 byte 41 days old -- rootkit.log
19/07/2007 03:13:28 1244 byte 41 days old -- haxlog.txt
26/08/2007 21:06:44 13030 byte 3 days old -- PDOXUSRS.NET
28/08/2007 19:32:48 2575 byte 1 days old -- VundoFix.txt
29/08/2007 17:56:20 (DIR)805306368 byte 0 days old -- pagefile.sys
29/08/2007 18:07:18 (DIR) 0 byte 0 days old -- suspectfile
09/08/2007 18:22:04 (DIR) 0 byte 20 days old -- Media
12/08/2007 08:29:18 (DIR) 0 byte 17 days old -- FOUND.004
12/08/2007 17:26:34 (DIR) 0 byte 17 days old -- QuickTime

----- recent files in C:\WINDOWS\
01/07/2007 12:50:02 787510 byte 59 days old -- leigh.bmp
04/08/2007 13:49:36 787482 byte 25 days old -- lake4.bmp
14/07/2007 01:15:42 787510 byte 46 days old -- lamour2.bmp
19/07/2007 02:46:28 9623 byte 41 days old -- system.ini
19/07/2007 03:36:20 92752 byte 41 days old -- ntbtlog.txt
19/07/2007 03:37:44 267 byte 41 days old -- EXCEL.XLB
21/07/2007 14:23:44 787510 byte 39 days old -- lamarr1.bmp
21/07/2007 14:28:44 787510 byte 39 days old -- LAKE1.bmp
21/07/2007 14:31:06 787510 byte 39 days old -- LAKE2.bmp
21/07/2007 14:36:16 786842 byte 39 days old -- lamarr2.BMP
08/07/2007 11:56:18 787482 byte 52 days old -- lebrock1.bmp
15/08/2007 19:14:28 (DIR) 0 byte 14 days old -- $NtUninstallKB936782_WMP11$
15/08/2007 19:14:36 6101 byte 14 days old -- KB936782.log
15/08/2007 19:14:42 289734 byte 14 days old -- msxml4-KB936181-enu.LOG
15/08/2007 19:14:52 (DIR) 0 byte 14 days old -- $NtUninstallKB937143$
15/08/2007 19:15:00 33647 byte 14 days old -- KB937143.log
15/08/2007 19:15:04 (DIR) 0 byte 14 days old -- $NtUninstallKB938127$
15/08/2007 19:15:08 15307 byte 14 days old -- KB938127.log
15/08/2007 19:16:16 (DIR) 0 byte 14 days old -- $NtUninstallKB938829$
15/08/2007 19:16:20 15532 byte 14 days old -- KB938829.log
15/08/2007 19:16:24 (DIR) 0 byte 14 days old -- $NtUninstallKB921503$
15/08/2007 19:16:28 15740 byte 14 days old -- KB921503.log
15/08/2007 19:16:32 (DIR) 0 byte 14 days old -- $NtUninstallKB938828$
15/08/2007 19:16:36 15593 byte 14 days old -- KB938828.log
15/08/2007 19:16:40 (DIR) 0 byte 14 days old -- $NtUninstallKB936021$
15/08/2007 19:16:42 5059 byte 14 days old -- updspapi.log
15/08/2007 19:16:44 1374 byte 14 days old -- imsins.BAK
15/08/2007 19:16:44 16401 byte 14 days old -- KB936021.log
15/08/2007 19:25:22 922 byte 14 days old -- spupdsvc.log
22/08/2007 00:44:46 1409 byte 7 days old -- QTFont.for
24/08/2007 22:50:28 116 byte 5 days old -- NeroDigital.ini
24/08/2007 22:50:32 1391166 byte 5 days old -- Thumbs.db
26/08/2007 12:59:42 60 byte 3 days old -- setupact.log
26/08/2007 17:11:44 163 byte 3 days old -- wininit.ini
26/08/2007 20:15:22 1242 byte 3 days old -- win.ini
26/08/2007 21:23:10 (DIR) 0 byte 3 days old -- BDOSCAN8
27/08/2007 23:45:20 54156 byte 2 days old -- QTFont.qfn
28/08/2007 01:28:12 7570 byte 1 days old -- wmsetup.log
28/08/2007 18:54:42 277 byte 1 days old -- cookies.ini
29/08/2007 00:52:54 (DIR) 0 byte 0 days old -- $NtUninstallKB933360$
29/08/2007 00:53:02 30667 byte 0 days old -- tsoc.log
29/08/2007 00:53:02 26632 byte 0 days old -- comsetup.log
29/08/2007 00:53:02 22984 byte 0 days old -- KB933360.log
29/08/2007 00:53:02 37908 byte 0 days old -- ocgen.log
29/08/2007 00:53:02 12940 byte 0 days old -- iis6.log
29/08/2007 00:53:02 80379 byte 0 days old -- FaxSetup.log
29/08/2007 00:53:02 122711 byte 0 days old -- setupapi.log
29/08/2007 00:53:02 1374 byte 0 days old -- imsins.log
29/08/2007 00:53:02 4446 byte 0 days old -- ocmsn.log
29/08/2007 00:53:02 16185 byte 0 days old -- ntdtcsetup.log
29/08/2007 00:53:02 4017 byte 0 days old -- msgsocm.log
29/08/2007 17:55:12 49 byte 0 days old -- wiaservc.log
29/08/2007 17:55:14 32564 byte 0 days old -- SchedLgU.Txt
29/08/2007 17:56:22 2048 byte 0 days old -- bootstat.dat
29/08/2007 17:58:06 159 byte 0 days old -- wiadebug.log
29/08/2007 17:59:46 0 byte 0 days old -- 0.log
29/08/2007 18:00:20 1587455 byte 0 days old -- WindowsUpdate.log
10/07/2007 22:14:50 (DIR) 0 byte 50 days old -- $NtUninstallKB936357$
10/07/2007 22:14:54 11849 byte 50 days old -- KB936357.log
11/08/2007 01:20:28 787510 byte 18 days old -- knightley2.bmp
12/08/2007 00:56:40 787510 byte 17 days old -- saklas-pritsos.bmp

----- recent files in C:\WINDOWS\Downloaded Program Files\

----- recent files in C:\WINDOWS\system\

----- recent files in C:\WINDOWS\system32\
03/08/2007 00:34:10 16789464 byte 26 days old -- MRT.exe
04/08/2007 02:07:30 4768 byte 25 days old -- himem.sys
04/08/2007 02:07:36 1688 byte 25 days old -- AUTOEXEC.NT
04/08/2007 02:07:42 2577 byte 25 days old -- CONFIG.NT
18/07/2007 08:42:22 60416 byte 42 days old -- tzchange.exe
19/07/2007 00:11:52 4937 byte 41 days old -- jupdate-1.6.0_02-b06.log
30/07/2007 19:18:14 20312 byte 30 days old -- wuaueng.dll.mui
30/07/2007 19:18:40 33624 byte 30 days old -- wups.dll
30/07/2007 19:18:44 34136 byte 30 days old -- wucltui.dll.mui
30/07/2007 19:19:02 30072 byte 30 days old -- mucltui.dll.mui
30/07/2007 19:19:02 25944 byte 30 days old -- wuapi.dll.mui
30/07/2007 19:19:04 207736 byte 30 days old -- muweb.dll
30/07/2007 19:19:10 271224 byte 30 days old -- mucltui.dll
30/07/2007 19:19:12 43352 byte 30 days old -- wups2.dll
30/07/2007 19:19:16 53080 byte 30 days old -- wuauclt.exe
30/07/2007 19:19:20 92504 byte 30 days old -- cdm.dll
30/07/2007 19:19:28 216408 byte 30 days old -- wuaucpl.cpl
30/07/2007 19:19:28 203096 byte 30 days old -- wuweb.dll
30/07/2007 19:19:32 25944 byte 30 days old -- wuaucpl.cpl.mui
30/07/2007 19:19:32 325976 byte 30 days old -- wucltui.dll
30/07/2007 19:19:36 549720 byte 30 days old -- wuapi.dll
30/07/2007 19:19:42 1712984 byte 30 days old -- wuaueng.dll
08/07/2007 11:55:48 5120 byte 52 days old -- Thumbs.db
23/08/2007 02:00:06 (DIR) 0 byte 6 days old -- f10WtR
23/08/2007 02:00:12 (DIR) 0 byte 6 days old -- IBD4
23/08/2007 02:00:12 (DIR) 0 byte 6 days old -- temps1
23/08/2007 02:00:12 (DIR) 0 byte 6 days old -- cofig32
23/08/2007 02:00:12 (DIR) 0 byte 6 days old -- dllz1
23/08/2007 02:00:18 171520 byte 6 days old -- rngmewb.dll
23/08/2007 02:00:46 43542 byte 6 days old -- opnkige.dll
24/08/2007 22:13:34 1263548 byte 5 days old -- pwqvfuih.ini
25/08/2007 13:24:06 1263729 byte 4 days old -- rpshroew.ini
26/08/2007 11:38:00 1263857 byte 3 days old -- yljahgas.ini
26/08/2007 14:33:54 1263978 byte 3 days old -- hkocwdwq.ini
26/08/2007 17:15:10 1419613 byte 3 days old -- plhosjrf.ini
26/08/2007 17:47:48 1418638 byte 3 days old -- bphkordf.ini
26/08/2007 20:05:32 (DIR) 0 byte 3 days old -- ActiveScan
26/08/2007 20:08:02 30590 byte 3 days old -- pavas.ico
26/08/2007 20:08:50 1406 byte 3 days old -- Help.ico
26/08/2007 20:08:50 2550 byte 3 days old -- Uninstall.ico
26/08/2007 20:22:06 0 byte 3 days old -- asfiles.txt
27/08/2007 01:56:38 0 byte 2 days old -- mcrh.tmp
27/08/2007 17:48:00 1255519 byte 2 days old -- attkxtdj.ini
28/08/2007 17:41:06 1246765 byte 1 days old -- goscaywf.ini
28/08/2007 18:14:34 75328 byte 1 days old -- ugamvvrn.exe
28/08/2007 19:36:38 13646 byte 1 days old -- wpa.dbl
28/08/2007 19:39:38 298080 byte 1 days old -- ssttu.dll
28/08/2007 19:39:46 6488 byte 1 days old -- uttss.bak1
29/08/2007 00:52:54 250464 byte 0 days old -- TZLog.log
29/08/2007 09:06:34 1629115 byte 0 days old -- uttss.bak2
29/08/2007 18:07:12 1639374 byte 0 days old -- uttss.ini
29/08/2007 18:07:20 0 byte 0 days old -- uttss.tmp
12/07/2007 01:22:00 135168 byte 48 days old -- java.exe
12/07/2007 01:22:04 135168 byte 48 days old -- javaw.exe
12/07/2007 02:22:36 69632 byte 48 days old -- javacpl.cpl
12/07/2007 02:22:38 139264 byte 48 days old -- javaws.exe

----- recent files in C:\WINDOWS\system32\drivers\
26/08/2007 14:30:26 8320 byte 3 days old -- AWRTRD.sys
26/08/2007 14:30:28 9344 byte 3 days old -- NSDriver.sys

----- recent files in C:\WINDOWS\temp\
26/08/2007 20:22:06 (DIR) 0 byte 3 days old -- ASHeuristic
28/08/2007 19:36:40 409 byte 1 days old -- WGANotify.settings
29/08/2007 17:56:38 255 byte 0 days old -- WGAErrLog.txt

----- recent files in C:\Program Files\
02/07/2007 22:30:30 (DIR) 0 byte 58 days old -- Apple Software Update
19/07/2007 03:11:46 (DIR) 0 byte 41 days old -- HaxFix
26/08/2007 13:03:22 (DIR) 0 byte 3 days old -- Lavasoft
26/08/2007 15:45:26 (DIR) 0 byte 3 days old -- Spybot - Search & Destroy

----- recent files in C:\Program Files\Common Files\

----- recent files in C:\Documents and Settings\James Saklas\Application Data\

----- recent files in C:\DOCUME~1\JAMESS~1\LOCALS~1\Temp\
23/08/2007 20:49:18 (DIR) 0 byte 6 days old -- FromCamera2952-1-2007-8-24-0-49-16-968
24/08/2007 01:37:26 79 byte 5 days old -- D1B5B4F1.TMP
27/08/2007 18:40:38 (DIR) 0 byte 2 days old -- {AF19F291-F22F-4798-9662-525305AE9E48}_54042
28/08/2007 00:50:12 0 byte 1 days old -- 3nbBE.tmp
28/08/2007 00:50:16 0 byte 1 days old -- 12gBF.tmp
28/08/2007 01:04:14 0 byte 1 days old -- 6m5C0.tmp
28/08/2007 01:05:02 0 byte 1 days old -- m9gC1.tmp
28/08/2007 01:20:52 0 byte 1 days old -- un8C9.tmp
28/08/2007 19:05:24 32768 byte 1 days old -- ~DF76E7.tmp
28/08/2007 19:30:38 32768 byte 1 days old -- ~DF783C.tmp
29/08/2007 17:56:48 (DIR) 0 byte 0 days old -- WPDNSE
29/08/2007 18:01:48 519 byte 0 days old -- jusched.log
29/08/2007 18:05:24 (DIR) 0 byte 0 days old -- nsy2.tmp
29/08/2007 18:05:40 16384 byte 0 days old -- ~DFF6E7.tmp

===================== Hidden Objects =====================

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-29 18:08:22
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


===================== Checking Rustock rootkit =====================



==========================================
Scan completed in 2.1 minutes
End of report

#6 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 29 August 2007 - 05:27 PM

Download ComboFix and save it to your desktop:
Note:
It is important that it is saved directly to your desktop.

Close any open browsers.
Double-click on combofix.exe and follow the prompts.
When it's finished, it will produce a log.
Post the entire contents of C:\ComboFix.txt in your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

#7 jsaklas
  • Topic Starter
  • Members
  • 82 posts

Posted 29 August 2007 - 07:08 PM

RichieUK,

I cannot save ComboFix.exe.

I click on your link and I am prompted with the usual window asking if I want to save the file. I click YES, and then nothing happens.

Jim

#8 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 29 August 2007 - 07:33 PM

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\system32\cofig32
C:\WINDOWS\system32\f10WtR
C:\WINDOWS\system32\rngmewb.dll
C:\WINDOWS\system32\opnkige.dll
C:\WINDOWS\system32\pwqvfuih.ini
C:\WINDOWS\system32\rpshroew.ini
C:\WINDOWS\system32\yljahgas.ini
C:\WINDOWS\system32\hkocwdwq.ini
C:\WINDOWS\system32\plhosjrf.ini
C:\WINDOWS\system32\bphkordf.ini
C:\WINDOWS\system32\attkxtdj.ini
C:\WINDOWS\system32\goscaywf.ini
C:\WINDOWS\system32\ugamvvrn.exe
C:\WINDOWS\system32\ssttu.dll
C:\WINDOWS\system32\uttss.bak1
C:\WINDOWS\system32\uttss.bak2
C:\WINDOWS\system32\uttss.ini
C:\WINDOWS\system32\uttss.tmp


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button Posted Image.

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it on your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

Restart your PC if you were not prompted to restart by OTMoveIt.
Post a new HijackThis log in your next reply.

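The system32 paths listed in the post above share a pattern worth recognising in a SystemScan "recent files" listing: a DLL whose name, read backwards, is the stem of the .ini/.bak/.tmp files next to it (ssttu.dll beside uttss.ini, uttss.bak1, uttss.bak2 and uttss.tmp), and .ini files of well over a megabyte where win.ini is about a kilobyte. As an added example, not part of this thread or of SystemScan, OTMoveIt or HijackThis, the script below parses that line format and flags both patterns; the sample report is a subset of lines copied from the SystemScan output posted earlier in the thread, and the 256 KiB .ini threshold is an assumption.

```python
# Added example (not part of this thread or of SystemScan/HijackThis/OTMoveIt):
# parse SystemScan "recent files" lines and flag two patterns seen in the thread.
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Directory header as SystemScan prints it:  ----- recent files in C:\WINDOWS\system32\
SECTION_RE = re.compile(r"^----- recent files in (?P<path>.+)$")

# Entry line:  28/08/2007 19:39:38 298080 byte 1 days old -- ssttu.dll
# Directories carry "(DIR)", occasionally glued to the size: "(DIR)805306368 byte"
ENTRY_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<dir>\(DIR\))? ?(?P<size>\d+) byte (?P<age>\d+) days old -- (?P<name>.+)$"
)

# Companion extensions seen beside ssttu.dll in the listing (uttss.ini, .bak1, .bak2, .tmp)
PAIRED_SUFFIXES = {".ini", ".ini2", ".bak1", ".bak2", ".tmp"}
INI_SIZE_LIMIT = 256 * 1024  # assumption: no legitimate .ini in system32 is this large


@dataclass(frozen=True)
class Entry:
    directory: str
    name: str
    size: int
    is_dir: bool
    age_days: int


def parse_report(text: str) -> list[Entry]:
    """Turn SystemScan text into Entry records, tracking the current directory section."""
    entries: list[Entry] = []
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            current = section.group("path")
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            entries.append(Entry(
                directory=current,
                name=m.group("name"),
                size=int(m.group("size")),
                is_dir=m.group("dir") is not None,
                age_days=int(m.group("age")),
            ))
    return entries


def reversed_name_pairs(entries: list[Entry]) -> list[tuple[str, str]]:
    """(dll, companion) pairs where the companion's stem is the dll's stem reversed."""
    by_dir: dict[str, list[Entry]] = {}
    for e in entries:
        by_dir.setdefault(e.directory.lower(), []).append(e)
    pairs: list[tuple[str, str]] = []
    for items in by_dir.values():
        companions: dict[str, list[str]] = {}
        for e in items:
            stem, ext = os.path.splitext(e.name)
            if not e.is_dir and ext.lower() in PAIRED_SUFFIXES:
                companions.setdefault(stem.lower(), []).append(e.name)
        for e in items:
            stem, ext = os.path.splitext(e.name)
            if not e.is_dir and ext.lower() == ".dll":
                for companion in companions.get(stem.lower()[::-1], []):
                    pairs.append((e.name, companion))
    return sorted(pairs)


def oversized_ini(entries: list[Entry], limit: int = INI_SIZE_LIMIT) -> list[str]:
    """Names of .ini files larger than the limit."""
    return sorted(e.name for e in entries
                  if not e.is_dir and e.name.lower().endswith(".ini") and e.size > limit)


# Sample input: a subset of lines copied from the SystemScan report posted in the thread.
SAMPLE_REPORT = """\
----- recent files in C:\\WINDOWS\\
26/08/2007 20:15:22 1242 byte 3 days old -- win.ini
29/08/2007 00:52:54 (DIR) 0 byte 0 days old -- $NtUninstallKB933360$

----- recent files in C:\\WINDOWS\\system32\\
30/07/2007 19:19:42 1712984 byte 30 days old -- wuaueng.dll
23/08/2007 02:00:12 (DIR) 0 byte 6 days old -- IBD4
24/08/2007 22:13:34 1263548 byte 5 days old -- pwqvfuih.ini
28/08/2007 19:39:38 298080 byte 1 days old -- ssttu.dll
28/08/2007 19:39:46 6488 byte 1 days old -- uttss.bak1
29/08/2007 18:07:12 1639374 byte 0 days old -- uttss.ini
29/08/2007 18:07:20 0 byte 0 days old -- uttss.tmp
12/07/2007 01:22:00 135168 byte 48 days old -- java.exe
"""

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print("reversed-name pairs:", reversed_name_pairs(found))
    print("oversized .ini files:", oversized_ini(found))
```

Run against a full report.txt, the two lists give a short triage view of the system32 section without reading every line by hand.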
#9 jsaklas
  • Topic Starter
  • Members
  • 82 posts

Posted 29 August 2007 - 10:09 PM

RichieUK,

A few strange things happened. First, as I said in my previous reply, I could not run ComboFix because it could not be saved to the desktop or anywhere else. I did run OTMoveIt as instructed. However, not all files could be moved and I was asked to reboot the machine. I said Yes, but I did not copy to the clipboard the list you requested. Consequently, after rebooting, I again ran OTMoveIt, but this time I did NOT click Yes to the reboot question and was thereby able to copy the log file you requested; I have pasted it below.

The next strange thing was that HijackThis was no longer on my machine. The folder was there, but the executable file was not (the Uninstall executable was there, but no other). I had saved the installation program I downloaded last year, so I reinstalled HJT and ran it; the log is immediately below the OTMoveIt log.

Richie, I am an idiot. I just remembered, after I reloaded and ran HJT, that we changed the name to abc.bat.

I hope this error does not sabotage your efforts. In any case, the HJT log file is below.

-------------------------------------

File/Folder C:\WINDOWS\system32\cofig32 not found.
File/Folder C:\WINDOWS\system32\f10WtR not found.
File/Folder C:\WINDOWS\system32\rngmewb.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\opnkige.dll
C:\WINDOWS\system32\opnkige.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\opnkige.dll scheduled to be moved on reboot.
File/Folder C:\WINDOWS\system32\pwqvfuih.ini not found.
File/Folder C:\WINDOWS\system32\rpshroew.ini not found.
File/Folder C:\WINDOWS\system32\yljahgas.ini not found.
File/Folder C:\WINDOWS\system32\hkocwdwq.ini not found.
File/Folder C:\WINDOWS\system32\plhosjrf.ini not found.
File/Folder C:\WINDOWS\system32\bphkordf.ini not found.
File/Folder C:\WINDOWS\system32\attkxtdj.ini not found.
File/Folder C:\WINDOWS\system32\goscaywf.ini not found.
File/Folder C:\WINDOWS\system32\ugamvvrn.exe not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ssttu.dll
C:\WINDOWS\system32\ssttu.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\ssttu.dll scheduled to be moved on reboot.
File/Folder C:\WINDOWS\system32\uttss.bak1 not found.
File/Folder C:\WINDOWS\system32\uttss.bak2 not found.
C:\WINDOWS\system32\uttss.ini moved successfully.
File/Folder C:\WINDOWS\system32\uttss.tmp not found.


----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:43:06 PM, on 8/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Documents and Settings\James Saklas\Desktop\OTMoveIt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\cqabkmnj.dll",forkonce
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.2\webbuying.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159922600968
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homesteadhotels.com/minisite/ac...nd/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B590F5BC-5774-47D8-859E-727E25E017AA} (DriverDetectiveMembers.members) - http://www.drivershq.com/files/cab/member/...Detective-m.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\rdtmmctk.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Edited by jsaklas, 29 August 2007 - 11:35 PM.


#10 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 30 August 2007 - 04:16 AM

Double-click on Systemscan.exe again to run the tool.
A warning box will appear. Please read and click Ok.
When SystemScan opens, click the "Unselect all" button.
Important: under "Make your choice and than click..." check the boxes next to:

PC accounts
Recent files (60 days)
Hidden Objects

Everything else should be unchecked.
Click "Scan Now".
Another warning box will appear. Please follow the instructions and click Ok.
Systemscan will scan your computer and create a folder at C:\suspectfile to save the log files. Please be patient while the scan is in progress.
When the scan is complete, Notepad will automatically open a log file named report.txt.
This log file will show a list of all user accounts, all files/folders created in the last 60 days and any Hidden files that were found.
Copy and paste the contents of report.txt in your next reply.

Also post a new HijackThis log.

#11 jsaklas
  • Topic Starter
  • Members
  • 82 posts

Posted 30 August 2007 - 07:40 AM

RichieUK,

I am working at home today, so I can respond to you at a much earlier time.

First, when booting up this morning I received a NORTON pop-up that said that its Anti-Virus was turned off. It automatically enabled itself shortly thereafter.

Below are the results of the Systemscan and HJT runs.

Jim


-----------------------------


SystemScan - www.suspectfile.com - ver. 3.2.0

Running on: Windows XP HOME Edition, Service Pack 2 (2600.5.1)
System directory: C:\WINDOWS

Date: 8/30/2007
Time: 8:32:01 AM

Output limited to:
-Recent files
-PC accounts
-Hidden objects

===================== Accounts on this PC =====================


Users on this computer:
Is Admin? | Username
------------------
Yes | Administrator
Yes | Ariadne Saklas
| Danae Saklas
| Guest (Disabled)
| HelpAssistant (Disabled)
Yes | James Saklas
Yes | Rosalia Saklas
| SUPPORT_388945a0 (Disabled)

### users folders

02/09/2005 01:29:14 (DIR) 0 byte 727 days old -- Danae Saklas
30/08/2005 21:06:24 (DIR) 0 byte 730 days old -- All Users
30/08/2005 21:06:24 (DIR) 0 byte 730 days old -- Default User
30/08/2005 21:19:40 (DIR) 0 byte 730 days old -- NetworkService
30/08/2005 21:19:46 (DIR) 0 byte 730 days old -- LocalService
30/08/2005 21:23:52 (DIR) 0 byte 730 days old -- James Saklas
23/10/2005 13:20:24 (DIR) 0 byte 676 days old -- Ariadne Saklas
23/10/2005 14:26:00 (DIR) 0 byte 676 days old -- Rosalia Saklas
17/10/2006 20:40:46 (DIR) 0 byte 317 days old -- Administrator

===================== Recent files (60 days old)=====================

----- recent files in C:\
02/08/2007 11:45:26 2577 byte 28 days old -- CONFIG.NT
02/08/2007 11:48:02 1688 byte 28 days old -- AUTOEXEC.NT
19/07/2007 03:13:12 384 byte 42 days old -- rootkit.log
19/07/2007 03:13:28 1244 byte 42 days old -- haxlog.txt
26/08/2007 21:06:44 13030 byte 4 days old -- PDOXUSRS.NET
28/08/2007 19:32:48 2575 byte 2 days old -- VundoFix.txt
29/08/2007 18:07:18 (DIR) 0 byte 1 days old -- suspectfile
29/08/2007 22:24:16 (DIR) 0 byte 1 days old -- _OTMoveIt
30/08/2007 08:06:12 (DIR)805306368 byte 0 days old -- pagefile.sys
09/08/2007 18:22:04 (DIR) 0 byte 21 days old -- Media
12/08/2007 08:29:18 (DIR) 0 byte 18 days old -- FOUND.004
12/08/2007 17:26:34 (DIR) 0 byte 18 days old -- QuickTime

----- recent files in C:\WINDOWS\
04/08/2007 13:49:36 787482 byte 26 days old -- lake4.bmp
14/07/2007 01:15:42 787510 byte 47 days old -- lamour2.bmp
19/07/2007 02:46:28 9623 byte 42 days old -- system.ini
19/07/2007 03:36:20 92752 byte 42 days old -- ntbtlog.txt
19/07/2007 03:37:44 267 byte 42 days old -- EXCEL.XLB
21/07/2007 14:23:44 787510 byte 40 days old -- lamarr1.bmp
21/07/2007 14:28:44 787510 byte 40 days old -- LAKE1.bmp
21/07/2007 14:31:06 787510 byte 40 days old -- LAKE2.bmp
21/07/2007 14:36:16 786842 byte 40 days old -- lamarr2.BMP
08/07/2007 11:56:18 787482 byte 53 days old -- lebrock1.bmp
15/08/2007 19:14:28 (DIR) 0 byte 15 days old -- $NtUninstallKB936782_WMP11$
15/08/2007 19:14:36 6101 byte 15 days old -- KB936782.log
15/08/2007 19:14:42 289734 byte 15 days old -- msxml4-KB936181-enu.LOG
15/08/2007 19:14:52 (DIR) 0 byte 15 days old -- $NtUninstallKB937143$
15/08/2007 19:15:00 33647 byte 15 days old -- KB937143.log
15/08/2007 19:15:04 (DIR) 0 byte 15 days old -- $NtUninstallKB938127$
15/08/2007 19:15:08 15307 byte 15 days old -- KB938127.log
15/08/2007 19:16:16 (DIR) 0 byte 15 days old -- $NtUninstallKB938829$
15/08/2007 19:16:20 15532 byte 15 days old -- KB938829.log
15/08/2007 19:16:24 (DIR) 0 byte 15 days old -- $NtUninstallKB921503$
15/08/2007 19:16:28 15740 byte 15 days old -- KB921503.log
15/08/2007 19:16:32 (DIR) 0 byte 15 days old -- $NtUninstallKB938828$
15/08/2007 19:16:36 15593 byte 15 days old -- KB938828.log
15/08/2007 19:16:40 (DIR) 0 byte 15 days old -- $NtUninstallKB936021$
15/08/2007 19:16:42 5059 byte 15 days old -- updspapi.log
15/08/2007 19:16:44 1374 byte 15 days old -- imsins.BAK
15/08/2007 19:16:44 16401 byte 15 days old -- KB936021.log
15/08/2007 19:25:22 922 byte 15 days old -- spupdsvc.log
22/08/2007 00:44:46 1409 byte 8 days old -- QTFont.for
24/08/2007 22:50:28 116 byte 6 days old -- NeroDigital.ini
24/08/2007 22:50:32 1391166 byte 6 days old -- Thumbs.db
26/08/2007 12:59:42 60 byte 4 days old -- setupact.log
26/08/2007 17:11:44 163 byte 4 days old -- wininit.ini
26/08/2007 20:15:22 1242 byte 4 days old -- win.ini
26/08/2007 21:23:10 (DIR) 0 byte 4 days old -- BDOSCAN8
27/08/2007 23:45:20 54156 byte 3 days old -- QTFont.qfn
28/08/2007 18:54:42 277 byte 2 days old -- cookies.ini
29/08/2007 00:52:54 (DIR) 0 byte 1 days old -- $NtUninstallKB933360$
29/08/2007 00:53:02 16185 byte 1 days old -- ntdtcsetup.log
29/08/2007 00:53:02 22984 byte 1 days old -- KB933360.log
29/08/2007 00:53:02 1374 byte 1 days old -- imsins.log
29/08/2007 00:53:02 4446 byte 1 days old -- ocmsn.log
29/08/2007 00:53:02 122711 byte 1 days old -- setupapi.log
29/08/2007 00:53:02 37908 byte 1 days old -- ocgen.log
29/08/2007 00:53:02 26632 byte 1 days old -- comsetup.log
29/08/2007 00:53:02 80379 byte 1 days old -- FaxSetup.log
29/08/2007 00:53:02 30667 byte 1 days old -- tsoc.log
29/08/2007 00:53:02 12940 byte 1 days old -- iis6.log
29/08/2007 00:53:02 4017 byte 1 days old -- msgsocm.log
30/08/2007 01:42:00 7973 byte 0 days old -- wmsetup.log
30/08/2007 08:04:56 1646235 byte 0 days old -- WindowsUpdate.log
30/08/2007 08:05:04 49 byte 0 days old -- wiaservc.log
30/08/2007 08:05:08 32564 byte 0 days old -- SchedLgU.Txt
30/08/2007 08:06:16 2048 byte 0 days old -- bootstat.dat
30/08/2007 08:07:00 159 byte 0 days old -- wiadebug.log
30/08/2007 08:08:30 0 byte 0 days old -- 0.log
10/07/2007 22:14:50 (DIR) 0 byte 51 days old -- $NtUninstallKB936357$
10/07/2007 22:14:54 11849 byte 51 days old -- KB936357.log
11/08/2007 01:20:28 787510 byte 19 days old -- knightley2.bmp
12/08/2007 00:56:40 787510 byte 18 days old -- saklas-pritsos.bmp

----- recent files in C:\WINDOWS\Downloaded Program Files\

----- recent files in C:\WINDOWS\system\

----- recent files in C:\WINDOWS\system32\
03/08/2007 00:34:10 16789464 byte 27 days old -- MRT.exe
04/08/2007 02:07:30 4768 byte 26 days old -- himem.sys
04/08/2007 02:07:36 1688 byte 26 days old -- AUTOEXEC.NT
04/08/2007 02:07:42 2577 byte 26 days old -- CONFIG.NT
18/07/2007 08:42:22 60416 byte 43 days old -- tzchange.exe
19/07/2007 00:11:52 4937 byte 42 days old -- jupdate-1.6.0_02-b06.log
30/07/2007 19:18:14 20312 byte 31 days old -- wuaueng.dll.mui
30/07/2007 19:18:40 33624 byte 31 days old -- wups.dll
30/07/2007 19:18:44 34136 byte 31 days old -- wucltui.dll.mui
30/07/2007 19:19:02 25944 byte 31 days old -- wuapi.dll.mui
30/07/2007 19:19:02 30072 byte 31 days old -- mucltui.dll.mui
30/07/2007 19:19:04 207736 byte 31 days old -- muweb.dll
30/07/2007 19:19:10 271224 byte 31 days old -- mucltui.dll
30/07/2007 19:19:12 43352 byte 31 days old -- wups2.dll
30/07/2007 19:19:16 53080 byte 31 days old -- wuauclt.exe
30/07/2007 19:19:20 92504 byte 31 days old -- cdm.dll
30/07/2007 19:19:28 216408 byte 31 days old -- wuaucpl.cpl
30/07/2007 19:19:28 203096 byte 31 days old -- wuweb.dll
30/07/2007 19:19:32 25944 byte 31 days old -- wuaucpl.cpl.mui
30/07/2007 19:19:32 325976 byte 31 days old -- wucltui.dll
30/07/2007 19:19:36 549720 byte 31 days old -- wuapi.dll
30/07/2007 19:19:42 1712984 byte 31 days old -- wuaueng.dll
08/07/2007 11:55:48 5120 byte 53 days old -- Thumbs.db
23/08/2007 02:00:12 (DIR) 0 byte 7 days old -- dllz1
23/08/2007 02:00:12 (DIR) 0 byte 7 days old -- IBD4
23/08/2007 02:00:12 (DIR) 0 byte 7 days old -- temps1
23/08/2007 02:00:46 43542 byte 7 days old -- opnkige.dll
26/08/2007 20:05:32 (DIR) 0 byte 4 days old -- ActiveScan
26/08/2007 20:08:02 30590 byte 4 days old -- pavas.ico
26/08/2007 20:08:50 2550 byte 4 days old -- Uninstall.ico
26/08/2007 20:08:50 1406 byte 4 days old -- Help.ico
26/08/2007 20:22:06 0 byte 4 days old -- asfiles.txt
27/08/2007 01:56:38 0 byte 3 days old -- mcrh.tmp
28/08/2007 19:39:38 298080 byte 2 days old -- ssttu.dll
29/08/2007 00:52:54 250464 byte 1 days old -- TZLog.log
29/08/2007 21:58:14 75328 byte 1 days old -- yhdoynph.exe
29/08/2007 22:00:54 70208 byte 1 days old -- nbwpbljs.dll
29/08/2007 22:12:50 125504 byte 1 days old -- cqabkmnj.dll
29/08/2007 22:27:48 1711514 byte 1 days old -- uttss.ini2
30/08/2007 08:10:44 13646 byte 0 days old -- wpa.dbl
30/08/2007 08:12:10 526 byte 0 days old -- jnmkbaqc.ini
30/08/2007 08:32:02 1745405 byte 0 days old -- uttss.ini
12/07/2007 01:22:00 135168 byte 49 days old -- java.exe
12/07/2007 01:22:04 135168 byte 49 days old -- javaw.exe
12/07/2007 02:22:36 69632 byte 49 days old -- javacpl.cpl
12/07/2007 02:22:38 139264 byte 49 days old -- javaws.exe

----- recent files in C:\WINDOWS\system32\drivers\
26/08/2007 14:30:26 8320 byte 4 days old -- AWRTRD.sys
26/08/2007 14:30:28 9344 byte 4 days old -- NSDriver.sys

----- recent files in C:\WINDOWS\temp\
26/08/2007 20:22:06 (DIR) 0 byte 4 days old -- ASHeuristic
30/08/2007 08:10:34 255 byte 0 days old -- WGAErrLog.txt
30/08/2007 08:10:52 409 byte 0 days old -- WGANotify.settings

----- recent files in C:\Program Files\
02/07/2007 22:30:30 (DIR) 0 byte 59 days old -- Apple Software Update
19/07/2007 03:11:46 (DIR) 0 byte 42 days old -- HaxFix
26/08/2007 13:03:22 (DIR) 0 byte 4 days old -- Lavasoft
26/08/2007 15:45:26 (DIR) 0 byte 4 days old -- Spybot - Search & Destroy
29/08/2007 22:42:52 (DIR) 0 byte 1 days old -- Hijackthis

----- recent files in C:\Program Files\Common Files\

----- recent files in C:\Documents and Settings\James Saklas\Application Data\

----- recent files in C:\DOCUME~1\JAMESS~1\LOCALS~1\Temp\
23/08/2007 20:49:18 (DIR) 0 byte 7 days old -- FromCamera2952-1-2007-8-24-0-49-16-968
24/08/2007 01:37:26 79 byte 6 days old -- D1B5B4F1.TMP
27/08/2007 18:40:38 (DIR) 0 byte 3 days old -- {AF19F291-F22F-4798-9662-525305AE9E48}_54042
28/08/2007 00:50:12 0 byte 2 days old -- 3nbBE.tmp
28/08/2007 00:50:16 0 byte 2 days old -- 12gBF.tmp
28/08/2007 01:04:14 0 byte 2 days old -- 6m5C0.tmp
28/08/2007 01:05:02 0 byte 2 days old -- m9gC1.tmp
28/08/2007 01:20:52 0 byte 2 days old -- un8C9.tmp
28/08/2007 19:05:24 32768 byte 2 days old -- ~DF76E7.tmp
28/08/2007 19:30:38 32768 byte 2 days old -- ~DF783C.tmp
29/08/2007 20:03:40 317748 byte 1 days old -- 69qtqzlp.exe
29/08/2007 20:04:22 920030 byte 1 days old -- tgcl15zh.exe
29/08/2007 20:06:06 1468370 byte 1 days old -- 1u1wi1bd.exe
29/08/2007 20:25:06 1468370 byte 1 days old -- mceazfb6.exe
29/08/2007 23:20:22 0 byte 1 days old -- qu32.tmp
30/08/2007 00:26:28 0 byte 0 days old -- uzp3.tmp
30/08/2007 00:56:12 0 byte 0 days old -- 0n219.tmp
30/08/2007 00:59:46 1431552 byte 0 days old -- 121.avi
30/08/2007 01:20:14 0 byte 0 days old -- 8o81A.tmp
30/08/2007 08:10:50 (DIR) 0 byte 0 days old -- WPDNSE
30/08/2007 08:16:02 1038 byte 0 days old -- jusched.log
30/08/2007 08:31:04 (DIR) 0 byte 0 days old -- nsw20.tmp
30/08/2007 08:31:10 16384 byte 0 days old -- ~DFE926.tmp

===================== Hidden Objects =====================

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-30 08:33:04
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


===================== Checking Rustock rootkit =====================



==========================================
Scan completed in 2.1 minutes
End of report


--------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 8:35:51 AM, on 8/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\James Saklas\Desktop\sys90110.exe
C:\DOCUME~1\JAMESS~1\LOCALS~1\Temp\nsw20.tmp\runme.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\notepad.exe
C:\HJT\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Burn4Free Toolbar Helper - {60BF5EE3-0105-4858-AD98-17C19F86B042} - C:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BF63C843-23A5-43EF-8F83-B6000F581CAB} - C:\WINDOWS\system32\ssttu.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\nbwpbljs.dll
O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - C:\WINDOWS\system32\opnkige.dll
O2 - BHO: (no name) - {D9A13134-8671-4C89-BCD9-B759D66C17B1} - C:\WINDOWS\system32\mlljh.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\cqabkmnj.dll",forkonce
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.2\webbuying.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159922600968
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homesteadhotels.com/minisite/ac...nd/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B590F5BC-5774-47D8-859E-727E25E017AA} (DriverDetectiveMembers.members) - http://www.drivershq.com/files/cab/member/...Detective-m.cab
O20 - Winlogon Notify: opnkige - C:\WINDOWS\SYSTEM32\opnkige.dll
O20 - Winlogon Notify: pktdll - C:\WINDOWS\SYSTEM32\pktdll.dll
O20 - Winlogon Notify: ssttu - C:\WINDOWS\system32\ssttu.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\rdtmmctk.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 30 August 2007 - 08:15 AM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following blue text inside the quote box below:

Files to delete:
C:\WINDOWS\system32\opnkige.dll
C:\WINDOWS\system32\ssttu.dll
C:\WINDOWS\system32\uttss.ini2
C:\WINDOWS\system32\uttss.ini
C:\WINDOWS\system32\yhdoynph.exe
C:\WINDOWS\system32\nbwpbljs.dll
C:\WINDOWS\system32\cqabkmnj.dll
C:\WINDOWS\system32\jnmkbaqc.ini

Folders to delete:
C:\WINDOWS\system32\IBD4
C:\WINDOWS\system32\dllz1
C:\WINDOWS\system32\temps1

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.
Also post a new Hijackthis log.

#13 jsaklas

jsaklas
  • Topic Starter

  • Members
  • 82 posts

Posted 30 August 2007 - 08:53 AM

RichieUK,

The avenger.txt file was not in its folder. Avenger automatically opened Notepad and put the .txt file in Notepad.

Below are the Avenger and HJT logs:

-------------------------------

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\rqstlcun

*******************

Script file located at: \??\C:\Documents and Settings\qkpsww^t.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\opnkige.dll deleted successfully.
File C:\WINDOWS\system32\ssttu.dll deleted successfully.
File C:\WINDOWS\system32\uttss.ini2 deleted successfully.
File C:\WINDOWS\system32\uttss.ini deleted successfully.
File C:\WINDOWS\system32\yhdoynph.exe deleted successfully.
File C:\WINDOWS\system32\nbwpbljs.dll deleted successfully.
File C:\WINDOWS\system32\cqabkmnj.dll deleted successfully.
File C:\WINDOWS\system32\jnmkbaqc.ini deleted successfully.
Folder C:\WINDOWS\system32\IBD4 deleted successfully.
Folder C:\WINDOWS\system32\dllz1 deleted successfully.
Folder C:\WINDOWS\system32\temps1 deleted successfully.

Completed script processing.

*******************

-------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:52:43 AM, on 8/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Burn4Free Toolbar Helper - {60BF5EE3-0105-4858-AD98-17C19F86B042} - C:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BF63C843-23A5-43EF-8F83-B6000F581CAB} - C:\WINDOWS\system32\ssttu.dll (file missing)
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\nbwpbljs.dll (file missing)
O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - C:\WINDOWS\system32\opnkige.dll (file missing)
O2 - BHO: (no name) - {D9A13134-8671-4C89-BCD9-B759D66C17B1} - C:\WINDOWS\system32\mlljh.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\cqabkmnj.dll",forkonce
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.2\webbuying.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159922600968
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homesteadhotels.com/minisite/ac...nd/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B590F5BC-5774-47D8-859E-727E25E017AA} (DriverDetectiveMembers.members) - http://www.drivershq.com/files/cab/member/...Detective-m.cab
O20 - Winlogon Notify: opnkige - opnkige.dll (file missing)
O20 - Winlogon Notify: pktdll - C:\WINDOWS\SYSTEM32\pktdll.dll
O20 - Winlogon Notify: ssttu - C:\WINDOWS\system32\ssttu.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\rdtmmctk.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



Finished! Terminate.

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 30 August 2007 - 09:10 AM

Download KillBox, unzip/extract it to your desktop.
http://download.bleepingcomputer.com/spyware/KillBox.exe
Start up Killbox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box, copy and paste:
C:\WINDOWS\SYSTEM32\pktdll.dll
Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot,select YES.
Allow it to reboot.
If it doesn't reboot automatically, reboot manually.

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.bat to your desktop.
Then double click on the fix.bat file on your desktop.
You'll see a black screen flash, that's normal.

@echo off
sc stop DomainService
sc delete DomainService

Restart your pc.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {BF63C843-23A5-43EF-8F83-B6000F581CAB} - C:\WINDOWS\system32\ssttu.dll (file missing)
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\nbwpbljs.dll (file missing)
O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - C:\WINDOWS\system32\opnkige.dll (file missing)
O2 - BHO: (no name) - {D9A13134-8671-4C89-BCD9-B759D66C17B1} - C:\WINDOWS\system32\mlljh.dll (file missing)
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\cqabkmnj.dll",forkonce
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.2\webbuying.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: opnkige - opnkige.dll (file missing)
O20 - Winlogon Notify: pktdll - C:\WINDOWS\SYSTEM32\pktdll.dll
O20 - Winlogon Notify: ssttu - C:\WINDOWS\system32\ssttu.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\rdtmmctk.exe (file missing)

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log, and let me know how your PC is running now.

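The cross-check a responder does by hand in this thread (autostart entries in the HijackThis log against the "recent files" listing of system32, plus orphaned and non-stock Winlogon Notify hooks), written out as an added Python helper; it is not a tool from the thread, its sample lines are a constructed subset of the logs posted above, and the XP SP2 Winlogon Notify allowlist is an assumption.

```python
"""Cross-check HijackThis autostart entries against a "recent files" listing.

Added triage helper (not a tool from the thread) for the two formats posted
above. An O2/O4/O20/O23 entry is flagged when HijackThis marks its file
"(file missing)", when the file appeared in system32 within MAX_AGE_DAYS (the
randomly named DLLs hooked as BHO / Run / Winlogon Notify seen in this
thread), or when it is a Winlogon Notify package outside the stock XP SP2 set.
"""
import re
from dataclasses import dataclass

MAX_AGE_DAYS = 7

# Assumed allowlist: Winlogon Notify subkeys shipped with Windows XP SP2
# (WgaLogon is the Windows Genuine Advantage notifier).
XP_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

RECENT_RE = re.compile(
    r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} (?:\(DIR\) )?\d+ byte (\d+) days old -- (.+)$"
)
HJT_RE = re.compile(r"^(O2|O4|O20|O23) - (.*)$")
# First drive-rooted path ending in .dll/.exe/.sys; a quote or comma ends it,
# so rundll32 arguments such as  "...\x.dll",forkonce  are not swallowed.
PATH_RE = re.compile(r'([A-Za-z]:\\[^",]+?\.(?:dll|exe|sys))', re.IGNORECASE)


@dataclass
class Finding:
    section: str
    reason: str
    target: str  # lower-case file name the entry points at
    entry: str   # the HijackThis line as posted


def parse_recent(listing):
    """Map lower-case file name -> age in days, skipping (DIR) rows."""
    ages = {}
    for line in listing.splitlines():
        m = RECENT_RE.match(line.strip())
        if m and "(DIR)" not in line:
            ages[m.group(2).strip().lower()] = int(m.group(1))
    return ages


def triage(hjt_log, recent_ages):
    findings = []
    for raw in hjt_log.splitlines():
        entry = raw.strip()
        m = HJT_RE.match(entry)
        if not m:
            continue
        section, body = m.groups()
        pm = PATH_RE.search(body)
        target = pm.group(1).rsplit("\\", 1)[-1].lower() if pm else ""
        if "(file missing)" in body:
            # Registration outlived its binary: the dangling hook behind
            # the "Error loading ..." messages reported in this thread.
            findings.append(Finding(section, "orphaned: file missing", target, entry))
            continue
        if section == "O20":
            name = body.split("Winlogon Notify: ", 1)[1].split(" - ", 1)[0]
            if name.lower() not in XP_WINLOGON_NOTIFY:
                findings.append(Finding(section, "non-stock Winlogon Notify package",
                                        target, entry))
                continue
        age = recent_ages.get(target)
        if age is not None and age <= MAX_AGE_DAYS:
            findings.append(Finding(section, f"autostart target created {age} days ago",
                                    target, entry))
    return findings


# Constructed samples: subsets of the listing and HijackThis log posted above.
RECENT_SYSTEM32 = r"""
----- recent files in C:\WINDOWS\system32\
30/07/2007 19:19:36 549720 byte 31 days old -- wuapi.dll
23/08/2007 02:00:12 (DIR) 0 byte 7 days old -- dllz1
23/08/2007 02:00:46 43542 byte 7 days old -- opnkige.dll
28/08/2007 19:39:38 298080 byte 2 days old -- ssttu.dll
29/08/2007 22:12:50 125504 byte 1 days old -- cqabkmnj.dll
"""
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {BF63C843-23A5-43EF-8F83-B6000F581CAB} - C:\WINDOWS\system32\ssttu.dll
O2 - BHO: (no name) - {D9A13134-8671-4C89-BCD9-B759D66C17B1} - C:\WINDOWS\system32\mlljh.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\cqabkmnj.dll",forkonce
O20 - Winlogon Notify: pktdll - C:\WINDOWS\SYSTEM32\pktdll.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\rdtmmctk.exe (file missing)
"""


def run_sample():
    """Triage the constructed sample; returns the Finding list."""
    return triage(HJT_SAMPLE, parse_recent(RECENT_SYSTEM32))


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.section}] {f.reason}: {f.entry}")
```

On the sample it flags exactly the five entries RichieUK targets (ssttu, cqabkmnj, pktdll, the missing mlljh BHO and the DomainService stub) and leaves ccApp, NvCpl and WgaLogon alone.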

#15 jsaklas

jsaklas
  • Topic Starter

  • Members
  • 82 posts

Posted 30 August 2007 - 11:44 AM

RichieUK,

First, not on the most recent reboot, but on the 2 preceding ones, I got the message:

RUNDLL

Error Loading:

C:\windows\system32\cqabkmnj.dll

The specified module could not be found.


Secondly, while SuperAntiSpyware was scanning, Norton AV reported finding a virus with the Object name of: c:\.....F10WTR1099.EXE and
Virus Name: Downloader

Thirdly, I tested 2 of my 16-bit programs and they both loaded and ran - THANK YOU.

I will report later about other aspects of how my machine is running.

Lastly, can you tell me exactly what caused the loss of my ability to load and run DOS programs?



Now, below is the SuperAntiSpyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/30/2007 at 12:12 PM

Application Version : 3.9.1008

Core Rules Database Version : 3296
Trace Rules Database Version: 1305

Scan type : Complete Scan
Total Scan Time : 00:38:54

Memory items scanned : 366
Memory threats detected : 0
Registry items scanned : 6549
Registry threats detected : 2
File items scanned : 36430
File threats detected : 12

Adware.Vundo Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{C84D8A0A-E708-42B6-90CA-9C30956A87C6}

Adware.Tracking Cookie
C:\Documents and Settings\James Saklas\Cookies\james saklas@adultbouncer[1].txt
C:\Documents and Settings\Danae Saklas\Cookies\danae saklas@icc.intellisrv[2].txt
C:\Documents and Settings\Ariadne Saklas\Cookies\ariadne saklas@atwola[1].txt
C:\Documents and Settings\Ariadne Saklas\Cookies\ariadne saklas@icc.intellisrv[2].txt
C:\Documents and Settings\Rosalia Saklas\Cookies\rosalia saklas@www.pesttrap[1].txt
C:\Documents and Settings\Rosalia Saklas\Cookies\rosalia saklas@go.drivecleaner[1].txt
C:\Documents and Settings\Rosalia Saklas\Cookies\rosalia saklas@www.drivecleaner[1].txt
C:\Documents and Settings\Rosalia Saklas\Cookies\rosalia saklas@drivecleaner[1].txt
C:\Documents and Settings\Rosalia Saklas\Cookies\rosalia saklas@stats.drivecleaner[2].txt

Adware.Web Buying
HKU\S-1-5-21-1202660629-448539723-725345543-1004\Software\WebBuying

Trojan.Downloader-Gen/HitItQuitIt
C:\RECYCLED\NPROTECT\00116760.DLL

Adware.eZula
C:\RECYCLED\NPROTECT\00116764.EXE
C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\UGAMVVRN.EXE

-------------------------------------------------------

and the HijackThis log is:

Logfile of HijackThis v1.99.1
Scan saved at 12:41:14 PM, on 8/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\sol.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\ntvdm.exe
C:\HJT\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Burn4Free Toolbar Helper - {60BF5EE3-0105-4858-AD98-17C19F86B042} - C:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159922600968
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homesteadhotels.com/minisite/ac...nd/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B590F5BC-5774-47D8-859E-727E25E017AA} (DriverDetectiveMembers.members) - http://www.drivershq.com/files/cab/member/...Detective-m.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
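
The HijackThis log above is read by hand in this thread; the following is an added example of how a helper can parse a v1.99 log into records and pull out the lines worth reading first. It is not code from the thread, from RichieUK or from HijackThis. It flags the three things the thread itself turns on: an eight-letter random-looking file name directly under \WINDOWS\system32 (the shape of the fdrokhpb.dll and cqabkmnj.dll names in the poster's error dialogs), a service whose binary HijackThis reports as "(file missing)", and a Winsock LSP entry it could not identify. The sample log in the block is constructed, modelled on the posted one, and the CLSID in it is a placeholder; the random-name check is a triage hint, not a verdict, and a known-file lookup should confirm it.

```python
"""HijackThis v1.99 log triage (added example, not the thread's or HijackThis's code).

parse_log() turns the "Running processes:" block and the "Oxx - ..." lines into
records; triage() flags random-looking system32 file names, services whose binary
is "(file missing)" and unidentified Winsock LSP entries.  Hints for a helper, not
verdicts.  The sample log is constructed, modelled on the one posted in this thread.
"""
import re
from dataclasses import dataclass, field

# "O4 - HKLM\..\Run: [ccApp] ..." -> section code "O4" and the rest of the line.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
# A Windows path: drive letter, then lazily up to a closing quote, a " -" separator
# or switch, a ",Export" suffix, a " /switch", " (file missing)" or end of line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|]*?(?=\s*(?:$|"|\s-|,|\s/|\(file missing\)))')
VOWELS = set("aeiouy")

@dataclass
class Entry:
    code: str        # "O4", "O23", ... or "PROC" for a line of the process list
    body: str        # text after "Oxx - ", or the process path itself
    paths: list = field(default_factory=list)   # Windows paths found in body

def parse_log(text):
    """Parse a HijackThis log into Entry records (processes first, then Oxx lines)."""
    entries, in_procs = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:                 # blank line ends the process block
                in_procs = False
                continue
            entries.append(Entry("PROC", line, [line]))
            continue
        m = ENTRY_RE.match(line)
        if m:
            body = m.group("body")
            entries.append(Entry(m.group("code"), body, PATH_RE.findall(body)))
    return entries

def looks_random(filename):
    """True for an 8-letter .dll/.exe stem containing a run of 4+ consonants, the
    shape of fdrokhpb.dll and cqabkmnj.dll.  A hint only: a few legitimate names
    (ntoskrnl.exe, for one) also match, so confirm against a known-file list."""
    stem, _, ext = filename.lower().rpartition(".")
    if ext not in ("dll", "exe") or not re.fullmatch(r"[a-z]{8}", stem):
        return False
    run = longest = 0
    for ch in stem:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 4

def triage(entries):
    """Return (reason, entry text) pairs a helper should read first."""
    flagged = []
    for e in entries:
        text = e.body if e.code == "PROC" else f"{e.code} - {e.body}"
        for p in e.paths:
            directory, _, name = p.rpartition("\\")
            if directory.lower().endswith("\\system32") and looks_random(name):
                flagged.append(("random-named file in system32", text))
                break
        if e.code == "O23" and "(file missing)" in e.body:
            flagged.append(("service binary missing", text))
        if e.code == "O10" and e.body.startswith("Unknown file in Winsock LSP"):
            flagged.append(("unidentified Winsock LSP", text))
    return flagged

def count_by_code(entries):
    """How many entries each HijackThis section contributed."""
    counts = {}
    for e in entries:
        counts[e.code] = counts.get(e.code, 0) + 1
    return counts

# Constructed sample modelled on the posted log; {PLACEHOLDER-CLSID} is not a real CLSID.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE

O2 - BHO: (no name) - {PLACEHOLDER-CLSID} - C:\WINDOWS\system32\fdrokhpb.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O20 - Winlogon Notify: cqabkmnj - C:\WINDOWS\system32\cqabkmnj.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
"""

if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print("entries per section:", count_by_code(found))
    for reason, line in triage(found):
        print(f"[{reason}] {line}")
```

Run against the real log in this post, the random-name check stays quiet on the legitimate eight-letter names it contains (winlogon.exe, services.exe) and only the "(file missing)" KodakCCS service and the Bonjour LSP line would be surfaced, which matches what a helper would eyeball; the two random DLL names only show up in the constructed sample because the posted log no longer contains them.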