
Slow Computer, Possible Spyware :(


27 replies to this topic

#1 gossipgirl

  • Members
  • 137 posts

Posted 10 September 2007 - 07:00 PM

Hi everyone. Well, my computer is running very slow, and the internet is as well. Windows isn't detecting my mcafee virus protection, and I can't enable the real-time protection with it. Also, earlier my internet wasn't working at all (pages would not load), even though it was connected. I did a scan with Ad-aware and after a few seconds it found around 12 bad processes (trojans, I think they were) and suddenly a message came up saying my computer was being restarted in 1 minute (most likely because of spyware?) so I quickly ended the scan and attempted to stop the processes. However, Ad-aware said they couldn't be deleted because they were active or something, and it would attempt to delete on reboot. So I restarted, and it scanned. No processes were found for some reason, although several registry entries were, which deleted fine. Oh and one more thing... in the task manager there's always several (at least 3!) processes called winmds.exe, which I googled and I think is malware? Thanks for any help!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:51:15 PM, on 10/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\wsusupd.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\crss7.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShareSearcher] C:\wsusupd.exe
O4 - HKLM\..\Run: [SvcManager] crss7.exe
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] (User 'Default user')
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...72/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,15/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBE2EB50-9EAB-4076-9F69-17C7C8BC3FE8}: NameServer = 207.164.234.193 67.69.184.143
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7032 bytes

Edited by gossipgirl, 10 September 2007 - 07:15 PM.



#2 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 11 September 2007 - 05:06 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum gossipgirl :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.


Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new Hijackthis log please.

#3 gossipgirl

  • Topic Starter
  • Members
  • 137 posts

Posted 11 September 2007 - 06:19 PM

Hi there. :thumbsup: Thanks very much for the help. So I got up to the step where RunThis.bat was running, and it said that it was starting the removal or something, and that it was checking all running programs. It said this for about 7 minutes, so I decided to leave it running and come back. A couple of minutes later, I suddenly noticed that my computer was restarting itself, and I thought that it should've taken longer because I'd just started it a few minutes before. Anyways, windows loaded at the normal speed, and when I went to my account, it didn't even mention the fixtool at all, and it didn't say finished or anything, so somehow maybe it crashed?? My computer seems to be a bit faster though so I'm confused.

What should I do? Should I go back to safe mode and rerun the program? Thank you!

#4 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 11 September 2007 - 07:07 PM

Ok, carry on at the Combofix instructions please.

#5 gossipgirl

  • Topic Starter
  • Members
  • 137 posts

Posted 12 September 2007 - 03:18 PM

ComboFix 07-09-13.1 - "Gwen" 2007-09-13 16:12:01.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502 [GMT -4:00]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\Georgia\APPLIC~1\macromedia\Flash Player\#SharedObjects\5QSSHXG3\iforex.com
C:\DOCUME~1\Georgia\APPLIC~1\macromedia\Flash Player\#SharedObjects\5QSSHXG3\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\DOCUME~1\Georgia\APPLIC~1\macromedia\Flash Player\#SharedObjects\5QSSHXG3\www.broadcaster.com
C:\DOCUME~1\Georgia\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\DOCUME~1\Georgia\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\DOCUME~1\Georgia\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Georgia\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\Common Files\microsoft shared\web folders\ibm00001.dll
C:\WINDOWS\system32\8_exception.nls
C:\WINDOWS\system32\drivers\ip6fw.sys
C:\WINDOWS\system32\drivers\runtime2.sy_
C:\WINDOWS\system32\drivers\runtime2.sys
C:\WINDOWS\system32\rpcc.dll
C:\wsusupd.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_FWDRV.SYS
-------\LEGACY_NTMLSVC
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\fwdrv.sys
-------\runtime


((((((((((((((((((((((((( Files Created from 2007-08-13 to 2007-09-13 )))))))))))))))))))))))))))))))
.

2007-09-11 19:48 53,248 --a------ C:\WINDOWS\SYSTEM32\crss7.exe
2007-09-11 19:07 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-10 19:30 53,248 --a------ C:\WINDOWS\SYSTEM32\crss0.exe
2007-09-10 16:10 11,342 --a------ C:\WINDOWS\SYSTEM32\svcnet.exe
2007-09-10 16:00 35,115 --a------ C:\fnkyqnag.exe
2007-09-10 16:00 28,160 --a------ C:\teca.exe
2007-09-10 16:00 21,504 --a------ C:\uyrddf.exe
2007-09-08 22:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\NVIDIA
2007-09-07 23:03 89,360 --a------ C:\WINDOWS\SYSTEM32\VB5DB.DLL
2007-09-07 23:03 446,464 -ra------ C:\WINDOWS\SYSTEM32\hhactivex.dll
2007-09-07 23:03 176,128 --a------ C:\WINDOWS\SYSTEM32\RcdScan.dll
2007-08-14 15:03 15,950 --a------ C:\WINDOWS\SYSTEM32\winmds.exe
2007-08-14 14:51 26,176 --a------ C:\WINDOWS\SYSTEM32\0mrr1tpv.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-07 23:03 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-22 19:55 --------- d-------- C:\Program Files\QuickTime
2007-08-22 19:55 --------- d-------- C:\Program Files\iTunes
2007-08-12 21:17 --------- d-------- C:\Program Files\Sony Setup
2007-08-12 20:51 --------- d-------- C:\DOCUME~1\Gwen\APPLIC~1\Sony
2007-08-12 20:51 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sony
2007-08-12 20:45 --------- d-------- C:\Program Files\Sony
2007-08-07 17:14 --------- d-------- C:\Program Files\LimeWire
2007-08-05 15:17 --------- d-------- C:\Program Files\MUSICMATCH
2007-06-17 00:11 51200 --a------ C:\WINDOWS\nircmd.exe
2004-10-07 16:24 69 --a------ C:\DOCUME~1\Georgia\APPLIC~1\tvmcwrd.dll
2004-10-07 09:15 225465 --a------ C:\DOCUME~1\Chris\APPLIC~1\tvmknwrd.dll
2004-10-06 20:46 225465 --a------ C:\DOCUME~1\Georgia\APPLIC~1\tvmknwrd.dll
2004-10-04 17:13 224644 --a------ C:\DOCUME~1\Gwen\APPLIC~1\tvmknwrd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" []
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2007-08-22 19:53]
"POINTER"="point32.exe" []
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\SYSTEM32\nwiz.exe]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-08-22 19:53]
"Motive SmartBridge"="C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe" [2007-08-22 19:53]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-08-22 19:53]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2007-08-22 19:53]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22]
"QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-22 19:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-01-24 15:37]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
AOL 7.0 Tray Icon.lnk - C:\Program Files\AOL 7.0\aoltray.exe [2003-06-02 21:48:51]
DESKTOP.INI [2002-09-03 10:00:00]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 00:49:24]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2004-12-29 19:29:37]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2003-06-17 17:00:11]

C:\DOCUME~1\Chris\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]

C:\DOCUME~1\Georgia\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]

C:\DOCUME~1\Gwen\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]

C:\DOCUME~1\Yvonne\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 NaiFiltr;NaiFiltr;C:\WINDOWS\system32\DRIVERS\NaiFiltr.sys
S3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\System32\drivers\NMSCFG.SYS
S3 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-11 21:45:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-08-14 18:51:51 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\0mrr1tpv.exe
"2007-08-31 13:02:11 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\0mrr1tpv.exe
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At100.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At101.job"
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At102.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At103.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At104.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At105.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At106.job"
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At107.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At108.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-11 20:16:33 C:\WINDOWS\Tasks\At109.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-06 14:02:03 C:\WINDOWS\Tasks\At11.job"
"2007-09-12 19:56:38 C:\WINDOWS\Tasks\At110.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-12 19:56:38 C:\WINDOWS\Tasks\At111.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At112.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-12 20:02:56 C:\WINDOWS\Tasks\At113.job"
"2007-09-11 21:01:39 C:\WINDOWS\Tasks\At114.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-11 22:50:18 C:\WINDOWS\Tasks\At115.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-11 23:04:24 C:\WINDOWS\Tasks\At116.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-11 00:25:48 C:\WINDOWS\Tasks\At117.job"
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At118.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At119.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-08-30 15:01:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\0mrr1tpv.exe
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At120.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-11 16:02:16 C:\WINDOWS\Tasks\At13.job"
"2007-09-12 17:02:15 C:\WINDOWS\Tasks\At14.job"
"2007-09-12 18:01:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\0mrr1tpv.exe
"2007-09-08 19:02:19 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\0mrr1tpv.exe
"2007-09-12 20:02:56 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\0mrr1tpv.exe
"2007-09-11 21:01:39 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\0mrr1tpv.exe
"2007-09-11 22:02:21 C:\WINDOWS\Tasks\At19.job"
"2007-08-14 18:51:51 C:\WINDOWS\Tasks\At2.job"
"2007-09-11 23:02:27 C:\WINDOWS\Tasks\At20.job"
"2007-09-11 00:02:12 C:\WINDOWS\Tasks\At21.job"
"2007-09-10 01:01:00 C:\WINDOWS\Tasks\At22.job"
"2007-09-10 02:01:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\0mrr1tpv.exe
"2007-09-10 03:01:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\0mrr1tpv.exe
"2007-08-14 19:03:10 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\system32\winmds.exe
"2007-08-14 19:03:10 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\winmds.exe
"2007-08-14 19:03:10 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\system32\winmds.exe
"2007-08-14 19:03:10 C:\WINDOWS\Tasks\At28.job"
"2007-08-14 19:03:10 C:\WINDOWS\Tasks\At29.job"
- C:\WINDOWS\system32\winmds.exe
"2007-08-14 18:51:51 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\0mrr1tpv.exe
"2007-08-14 19:03:10 C:\WINDOWS\Tasks\At30.job"
- C:\WINDOWS\system32\winmds.exe
"2007-08-14 19:03:10 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\system32\winmds.exe
"2007-08-14 19:03:10 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\system32\winmds.exe
"2007-08-18 14:50:27 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\system32\winmds.exe
"2007-08-31 16:23:09 C:\WINDOWS\Tasks\At34.job"
- C:\WINDOWS\system32\winmds.exe
"2007-09-06 17:22:17 C:\WINDOWS\Tasks\At35.job"
"2007-08-30 18:17:56 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\system32\winmds.exe
"2007-09-11 20:16:33 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\system32\winmds.exe
"2007-09-12 19:56:38 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\system32\winmds.exe
"2007-09-12 19:56:38 C:\WINDOWS\Tasks\At39.job"
- C:\WINDOWS\system32\winmds.exe
"2007-08-14 18:51:51 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\0mrr1tpv.exe
"2007-09-08 23:26:14 C:\WINDOWS\Tasks\At40.job"
"2007-09-12 20:02:56 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\system32\winmds.exe
"2007-09-11 21:01:40 C:\WINDOWS\Tasks\At42.job"
- C:\WINDOWS\system32\winmds.exe
"2007-09-11 22:50:18 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\system32\winmds.exe
"2007-09-11 23:04:24 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\system32\winmds.exe
"2007-09-11 00:25:48 C:\WINDOWS\Tasks\At45.job"
"2007-09-10 19:43:59 C:\WINDOWS\Tasks\At46.job"
- C:\WINDOWS\system32\winmds.exe
"2007-09-10 19:43:59 C:\WINDOWS\Tasks\At47.job"
"2007-09-10 19:43:59 C:\WINDOWS\Tasks\At48.job"
- C:\WINDOWS\system32\winmds.exe
"2007-08-19 14:56:44 C:\WINDOWS\Tasks\At49.job"
- C:\WINDOWS\system32\winmds.exe
"2007-08-14 18:51:51 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\0mrr1tpv.exe
"2007-08-19 14:56:44 C:\WINDOWS\Tasks\At50.job"
- C:\WINDOWS\system32\winmds.exe
"2007-08-19 14:56:44 C:\WINDOWS\Tasks\At51.job"
- C:\WINDOWS\system32\winmds.exe
"2007-08-19 14:56:44 C:\WINDOWS\Tasks\At52.job"
"2007-08-19 14:56:44 C:\WINDOWS\Tasks\At53.job"
- C:\WINDOWS\system32\winmds.exe
"2007-08-19 14:56:44 C:\WINDOWS\Tasks\At54.job"
- C:\WINDOWS\system32\winmds.exe
"2007-08-19 14:56:44 C:\WINDOWS\Tasks\At55.job"
- C:\WINDOWS\system32\winmds.exe
"2007-08-19 14:56:44 C:\WINDOWS\Tasks\At56.job"
- C:\WINDOWS\system32\winmds.exe
"2007-08-19 14:56:44 C:\WINDOWS\Tasks\At57.job"
- C:\WINDOWS\system32\winmds.exe
"2007-08-31 16:23:09 C:\WINDOWS\Tasks\At58.job"
- C:\WINDOWS\system32\winmds.exe
"2007-09-06 17:22:17 C:\WINDOWS\Tasks\At59.job"
"2007-08-14 18:51:51 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\0mrr1tpv.exe
"2007-08-30 18:17:56 C:\WINDOWS\Tasks\At60.job"
- C:\WINDOWS\system32\winmds.exe
"2007-09-11 20:16:33 C:\WINDOWS\Tasks\At61.job"
- C:\WINDOWS\system32\winmds.exe
"2007-09-12 19:56:38 C:\WINDOWS\Tasks\At62.job"
- C:\WINDOWS\system32\winmds.exe
"2007-09-12 19:56:38 C:\WINDOWS\Tasks\At63.job"
- C:\WINDOWS\system32\winmds.exe
"2007-09-08 23:26:14 C:\WINDOWS\Tasks\At64.job"
- C:\WINDOWS\system32\winmds.exe
"2007-09-12 20:02:56 C:\WINDOWS\Tasks\At65.job"
"2007-09-11 21:01:40 C:\WINDOWS\Tasks\At66.job"
- C:\WINDOWS\system32\winmds.exe
"2007-09-11 22:50:18 C:\WINDOWS\Tasks\At67.job"
- C:\WINDOWS\system32\winmds.exe
"2007-09-11 23:04:24 C:\WINDOWS\Tasks\At68.job"
- C:\WINDOWS\system32\winmds.exe
"2007-09-11 00:25:48 C:\WINDOWS\Tasks\At69.job"
"2007-08-14 18:51:51 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\0mrr1tpv.exe
"2007-09-10 19:43:59 C:\WINDOWS\Tasks\At70.job"
"2007-09-10 19:43:59 C:\WINDOWS\Tasks\At71.job"
- C:\WINDOWS\system32\winmds.exe
"2007-09-10 19:43:59 C:\WINDOWS\Tasks\At72.job"
- C:\WINDOWS\system32\winmds.exe
"2007-08-22 20:12:59 C:\WINDOWS\Tasks\At73.job"
- C:\WINDOWS\system32\winmds.exe
"2007-08-22 20:12:59 C:\WINDOWS\Tasks\At74.job"
- C:\WINDOWS\system32\winmds.exe
"2007-08-22 20:12:59 C:\WINDOWS\Tasks\At75.job"
- C:\WINDOWS\system32\winmds.exe
"2007-08-22 20:12:59 C:\WINDOWS\Tasks\At76.job"
- C:\WINDOWS\system32\winmds.exe
"2007-08-22 20:12:59 C:\WINDOWS\Tasks\At77.job"
- C:\WINDOWS\system32\winmds.exe
"2007-08-22 20:12:59 C:\WINDOWS\Tasks\At78.job"
"2007-08-22 20:12:59 C:\WINDOWS\Tasks\At79.job"
- C:\WINDOWS\system32\winmds.exe
"2007-08-14 18:51:51 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\0mrr1tpv.exe
"2007-08-22 20:12:59 C:\WINDOWS\Tasks\At80.job"
- C:\WINDOWS\system32\winmds.exe
"2007-08-22 20:12:59 C:\WINDOWS\Tasks\At81.job"
"2007-08-31 16:23:09 C:\WINDOWS\Tasks\At82.job"
- C:\WINDOWS\system32\winmds.exe
"2007-09-06 17:22:17 C:\WINDOWS\Tasks\At83.job"
"2007-08-30 18:17:56 C:\WINDOWS\Tasks\At84.job"
- C:\WINDOWS\system32\winmds.exe
"2007-09-11 20:16:33 C:\WINDOWS\Tasks\At85.job"
- C:\WINDOWS\system32\winmds.exe
"2007-09-12 19:56:38 C:\WINDOWS\Tasks\At86.job"
- C:\WINDOWS\system32\winmds.exe
"2007-09-12 19:56:38 C:\WINDOWS\Tasks\At87.job"
- C:\WINDOWS\system32\winmds.exe
"2007-09-08 23:26:14 C:\WINDOWS\Tasks\At88.job"
- C:\WINDOWS\system32\winmds.exe
"2007-09-12 20:02:56 C:\WINDOWS\Tasks\At89.job"
- C:\WINDOWS\system32\winmds.exe
"2007-08-18 12:01:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\0mrr1tpv.exe
"2007-09-11 21:01:40 C:\WINDOWS\Tasks\At90.job"
"2007-09-11 22:50:18 C:\WINDOWS\Tasks\At91.job"
- C:\WINDOWS\system32\winmds.exe
"2007-09-11 23:04:24 C:\WINDOWS\Tasks\At92.job"
"2007-09-11 00:25:48 C:\WINDOWS\Tasks\At93.job"
"2007-09-10 19:43:59 C:\WINDOWS\Tasks\At94.job"
- C:\WINDOWS\system32\winmds.exe
"2007-09-10 19:43:59 C:\WINDOWS\Tasks\At95.job"
- C:\WINDOWS\system32\winmds.exe
"2007-09-10 19:43:59 C:\WINDOWS\Tasks\At96.job"
- C:\WINDOWS\system32\winmds.exe
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At97.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At98.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At99.job"
- C:\WINDOWS\system32\svcnet.exe
"2003-06-06 20:35:43 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
"2003-06-06 20:35:43 C:\WINDOWS\Tasks\ISP signup reminder 2.job"
- C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
"2003-06-06 20:35:43 C:\WINDOWS\Tasks\ISP signup reminder 3.job"
"2007-09-13 20:19:03 C:\WINDOWS\Tasks\McAfee.com Update Check (D8VQYV21-Owner).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
"2007-09-13 20:15:00 C:\WINDOWS\Tasks\McAfee.com Update Check (D----Chris).job"
- C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
"2007-09-13 20:12:00 C:\WINDOWS\Tasks\McAfee.com Update Check (D----Georgia).job"
- C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
"2007-09-13 20:16:07 C:\WINDOWS\Tasks\McAfee.com Update Check (D----Gwen).job"
- C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
"2007-09-13 20:12:00 C:\WINDOWS\Tasks\McAfee.com Update Check (D----Yvonne).job"
- C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-13 16:19:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-13 16:20:31 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-13 16:20
C:\ComboFix2.txt ... 2007-06-12 09:21
C:\ComboFix3.txt ... 2007-06-10 16:33
.
--- E O F ---

Edited by gossipgirl, 12 September 2007 - 03:18 PM.
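The two logs posted in this thread are the raw material a helper reads by hand: HijackThis `O4` autorun lines, and the ComboFix "Scheduled Tasks" listing in which dozens of `At*.job` tasks point at the same few executables in `system32`. The script below is an added example written for this page, not code from HijackThis, ComboFix, SDFix or the BleepingComputer team. It parses both formats from constructed samples (copied from the logs above) and applies three triage heuristics that are the editor's own assumptions rather than rules from either tool: an autorun whose target sits in the root of the drive, under a `Temp` directory, or is given as a bare filename (so Windows resolves it by PATH search) is worth a second look, and any executable launched by three or more `At*.job` tasks is reported with its count.

```python
"""Triage helper for the two log formats quoted in this thread: HijackThis O4 autorun
lines and the ComboFix 'Scheduled Tasks' listing. Heuristics are the editor's assumptions."""
import re
from collections import Counter

# Constructed sample: a subset of the O4 lines from the first HijackThis log above.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [ShareSearcher] C:\wsusupd.exe
O4 - HKLM\..\Run: [SvcManager] crss7.exe
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# Constructed sample: a subset of the ComboFix 'Scheduled Tasks' section above.
COMBOFIX_TASKS_SAMPLE = r"""
"2007-08-14 18:51:51 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\0mrr1tpv.exe
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At100.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At101.job"
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At102.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At103.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-08-14 19:03:10 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\system32\winmds.exe
"2007-08-14 19:03:10 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\winmds.exe
"2007-08-14 19:03:10 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\system32\winmds.exe
"2007-09-11 21:45:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-13 20:19:03 C:\WINDOWS\Tasks\McAfee.com Update Check (D8VQYV21-Owner).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
"""

RUN_LINE = re.compile(r"^O4 - (?P<hive>HK.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
LNK_LINE = re.compile(r"^O4 - Global Startup: (?P<name>.+?\.lnk) = (?P<cmd>.*)$")
JOB_LINE = re.compile(r'^"(?P<stamp>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<job>.+\.job)"$')
TARGET_LINE = re.compile(r"^- (?P<target>.+)$")
# First executable in a command line; the lookahead stops ".com" in "McAfee.com" from matching.
EXE_PREFIX = re.compile(r"(?i)^(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|,|$)")
AT_JOB = re.compile(r"(?i)\\At\d+\.job$")


def executable_of(cmd):
    """Return the program an O4 command line launches (quoted path, or first executable token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_PREFIX.match(cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def parse_hjt_o4(text):
    """Parse O4 Run/RunOnce and Global Startup lines into dicts with name, cmd, target, source."""
    entries = []
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip()) or LNK_LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        source = f"{d['hive']}\\{d['key']}" if "hive" in d else "Global Startup"
        entries.append({"name": d["name"], "cmd": d["cmd"], "target": executable_of(d["cmd"]), "source": source})
    return entries


def classify_target(target):
    """Heuristic (assumption): return a reason code for an unusual autorun location, else None."""
    parts = target.split("\\")
    if len(parts) == 1:
        return "bare-filename"      # resolved by PATH search; verify which file actually runs
    if len(parts) == 2 and parts[0].endswith(":"):
        return "drive-root"         # e.g. C:\wsusupd.exe
    if any(p.lower() == "temp" for p in parts[1:-1]):
        return "temp-dir"           # e.g. C:\WINDOWS\Temp\startdrv.exe
    return None


def flag_autoruns(entries):
    return [{**e, "reason": classify_target(e["target"])} for e in entries if classify_target(e["target"])]


def parse_combofix_tasks(text):
    """Each quoted .job line opens a task; an immediately following '- path' line is its target."""
    tasks = []
    for line in text.splitlines():
        line = line.strip()
        m = JOB_LINE.match(line)
        if m:
            tasks.append({"job": m.group("job"), "stamp": m.group("stamp"), "target": None})
            continue
        m = TARGET_LINE.match(line)
        if m and tasks and tasks[-1]["target"] is None:
            tasks[-1]["target"] = m.group("target")
    return tasks


def summarize_tasks(tasks):
    at_jobs = [t for t in tasks if AT_JOB.search(t["job"])]
    return {"total": len(tasks), "at_jobs": len(at_jobs),
            "at_jobs_without_target": sum(1 for t in at_jobs if t["target"] is None)}


def flag_task_targets(tasks, min_jobs=3):
    """Executables launched by at least min_jobs At*.job tasks, most-referenced first."""
    counts = Counter(t["target"] for t in tasks if t["target"] and AT_JOB.search(t["job"]))
    hits = [(tgt, n) for tgt, n in counts.items() if n >= min_jobs]
    return sorted(hits, key=lambda x: (-x[1], x[0].lower()))


if __name__ == "__main__":
    for f in flag_autoruns(parse_hjt_o4(HJT_SAMPLE)):
        print(f"[{f['reason']}] {f['source']} {f['name']} -> {f['target']}")
    tasks = parse_combofix_tasks(COMBOFIX_TASKS_SAMPLE)
    print(summarize_tasks(tasks))
    for tgt, n in flag_task_targets(tasks):
        print(f"{n} At*.job tasks run {tgt}")
```

On the samples this reports `ShareSearcher` (drive root), `startdrv` (Temp directory), `BCMSMMSG` and `SvcManager` (bare filenames), and two executables each referenced by three `At*.job` tasks. Bare-filename hits include legitimate vendor entries, so that reason code is a prompt to confirm the file's location and signer, not a verdict; the real log has many more `At*.job` entries, so run it over the full section to see the actual counts.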


#6 gossipgirl

  • Topic Starter
  • Members
  • 137 posts

Posted 12 September 2007 - 03:20 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:24:05 PM, on 13/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\bak\McUpdate.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] (User 'Default user')
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...72/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,15/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBE2EB50-9EAB-4076-9F69-17C7C8BC3FE8}: NameServer = 207.164.234.193 67.69.184.143
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6828 bytes

#7 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:27 PM

Posted 12 September 2007 - 05:46 PM

Svcnet.exe - Trojan/Backdoor W32.Tibick is present on your PC, as well as several other nasties.
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

They are typically installed without user interaction through security exploits, and may allow an attacker to remotely control the infected machine. Such risks may allow the attacker to install additional malware and use the compromised machine to participate in denial of service attacks, spamming, and bot nets, or to transmit sensitive data to a remote server. The malware may be cloaked and not visible to the user. These risks severely compromise the system by lowering security settings, installing 'backdoors,' infecting system files, or spreading to other networked machines.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately, including those used for email, eBay and forums.
You should consider them to be compromised.
They should be changed by using a different computer and not the infected one; if not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Since your computer was compromised read:
How to report ID theft, fraud, drive-by installs, hijacking and malware:
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall:
http://www.dslreports.com/faq/10063

If you want us to go ahead and clean up your system then let me know what you want to do in your next reply.

#8 gossipgirl

gossipgirl
  • Topic Starter

  • Members
  • 137 posts
  • OFFLINE
  •  
  • Local time:09:27 AM

Posted 12 September 2007 - 07:16 PM

Omg, I didn't know it was that bad. :flowers: Luckily, no one in my family uses online banking or buys anything online on this computer. I suppose you can go ahead and clean up my system? Will that require anything drastic, like reinstalling windows? :thumbsup:

#9 gossipgirl

gossipgirl
  • Topic Starter

  • Members
  • 137 posts
  • OFFLINE
  •  
  • Local time:09:27 AM

Posted 12 September 2007 - 07:28 PM

Also, would just killing the process svcnet.exe do anything? Or deleting that file?

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:27 PM

Posted 12 September 2007 - 07:28 PM

Download OTMoveIt by OldTimer, and save it to your desktop; don't do anything else with it yet:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Download SmitfraudFix (by S!Ri) to your desktop.
Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Double click on Smitfraudfix.cmd
Select #2 and hit Enter to delete the infected files.
You will be prompted: 'Do you want to clean the registry?' answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): 'Replace infected file ?' answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process.
The report can be found at the root of the system drive, usually at C:\rapport.txt
Post the Smitfraudfix report into your next reply.


Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\SYSTEM32\crss7.exe
C:\WINDOWS\SYSTEM32\crss0.exe
C:\WINDOWS\SYSTEM32\svcnet.exe
C:\fnkyqnag.exe
C:\teca.exe
C:\uyrddf.exe
C:\WINDOWS\SYSTEM32\winmds.exe
C:\WINDOWS\SYSTEM32\0mrr1tpv.exe


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it on your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

Also post a new Hijackthis log.

Edited by RichieUK, 12 September 2007 - 07:29 PM.

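The procedure in post #10 moves the listed files with OTMoveIt rather than deleting them, which is the right instinct: a moved file can still be hashed, submitted to a vendor or restored if it turns out to be a false positive. The Python script below is an added example, not code from this thread, from OTMoveIt or from any other tool mentioned here. It does the same kind of move into a quarantine folder, records original path, size, SHA-256 and time in a manifest, renames each file so it no longer ends in .exe and cannot be launched by an accidental double-click, and reports files it could not move (on Windows, an executable that is still running) so the operator knows to kill the process or reboot and retry, the case where OTMoveIt asks for a reboot. The file names come from the list above; the `demo()` function writes constructed stand-in files under a temporary directory and never touches the real System32. The allow-it-to-fail handling and the manifest layout are this example's own design choices.

```python
"""Quarantine helper: move suspect files aside without destroying evidence.

Added example, not code from this thread or from OTMoveIt. Rather than
deleting, each file is moved into a quarantine folder under a collision-safe
name that no longer ends in .exe, and a manifest records the original path,
size, SHA-256 and time so the action can be reviewed or reversed.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

# The paths RichieUK listed for OTMoveIt (post #10); used here only as names
# for constructed stand-in files, never touched on the real system.
SUSPECT_FILES = [
    r"C:\WINDOWS\SYSTEM32\crss7.exe",
    r"C:\WINDOWS\SYSTEM32\crss0.exe",
    r"C:\WINDOWS\SYSTEM32\svcnet.exe",
    r"C:\fnkyqnag.exe",
    r"C:\teca.exe",
    r"C:\uyrddf.exe",
    r"C:\WINDOWS\SYSTEM32\winmds.exe",
    r"C:\WINDOWS\SYSTEM32\0mrr1tpv.exe",
]


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def quarantine(paths, quarantine_dir: Path) -> dict:
    """Move every existing file in `paths` into `quarantine_dir`.

    Returns {"moved": [manifest entries], "missing": [paths], "locked": [entries]}.
    A file that cannot be moved (on Windows, an executable that is still
    running) lands in "locked" so the operator knows to kill it or reboot and
    retry, which is the case where OTMoveIt asks for a reboot.
    """
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    result = {"moved": [], "missing": [], "locked": []}
    for raw in paths:
        src = Path(raw)
        if not src.is_file():
            result["missing"].append(str(src))
            continue
        entry = {
            "original_path": str(src),
            "size": src.stat().st_size,
            "sha256": sha256_of(src),
            "quarantined_at": time.strftime("%Y-%m-%dT%H:%M:%S"),
        }
        # Hash prefix avoids name collisions (two svcnet.exe from different
        # folders); the .quarantined suffix stops an accidental double-click.
        dest = quarantine_dir / f"{entry['sha256'][:12]}_{src.name}.quarantined"
        try:
            shutil.move(str(src), str(dest))
        except OSError as exc:  # PermissionError is a subclass of OSError
            entry["error"] = str(exc)
            result["locked"].append(entry)
            continue
        entry["quarantine_path"] = str(dest)
        result["moved"].append(entry)
    # Append to the manifest so repeated runs (e.g. after a reboot) keep one record.
    manifest = quarantine_dir / "manifest.json"
    previous = json.loads(manifest.read_text()) if manifest.exists() else []
    manifest.write_text(json.dumps(previous + result["moved"], indent=2))
    return result


def verify(result: dict) -> bool:
    """True when every moved file is gone from its origin and present in quarantine."""
    return all(
        not Path(e["original_path"]).exists() and Path(e["quarantine_path"]).is_file()
        for e in result["moved"]
    )


def demo(root=None) -> dict:
    """Constructed sample: stand-in files named after SUSPECT_FILES under a temp
    directory (the bytes are a placeholder, not malware), plus one path that
    does not exist so the 'missing' branch is exercised."""
    root = Path(root) if root else Path(tempfile.mkdtemp(prefix="quarantine_demo_"))
    fake_system32 = root / "fake_system32"
    fake_system32.mkdir(parents=True, exist_ok=True)
    targets = []
    for original in SUSPECT_FILES:
        name = original.rsplit("\\", 1)[-1]
        stand_in = fake_system32 / name
        stand_in.write_bytes(b"MZ placeholder for " + name.encode())
        targets.append(str(stand_in))
    targets.append(str(fake_system32 / "does_not_exist.exe"))
    return quarantine(targets, root / "quarantine")


if __name__ == "__main__":
    outcome = demo()
    print(f"moved {len(outcome['moved'])}, missing {len(outcome['missing'])}, "
          f"locked {len(outcome['locked'])}; verified={verify(outcome)}")
```

Two points worth keeping in mind when using something like this on a real machine: run it from Safe Mode (as the post instructs for SmitfraudFix) so the malware's processes are not holding their own executables open, and keep the manifest with the quarantined files, since the hash is what lets you later confirm whether a vendor detection or a clean-system comparison applies to the exact file you removed.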

#11 gossipgirl

gossipgirl
  • Topic Starter

  • Members
  • 137 posts
  • OFFLINE
  •  
  • Local time:09:27 AM

Posted 12 September 2007 - 07:30 PM

Thanks very much! I will get to that in a little while.

#12 gossipgirl

gossipgirl
  • Topic Starter

  • Members
  • 137 posts
  • OFFLINE
  •  
  • Local time:09:27 AM

Posted 12 September 2007 - 08:19 PM

SmitFraudFix v2.223

Scan done at 21:16:24.78, 13/09/2007
Run from C:\Documents and Settings\Gwen\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{CBE2EB50-9EAB-4076-9F69-17C7C8BC3FE8}: NameServer=207.164.234.193 67.69.184.143
HKLM\SYSTEM\CS3\Services\Tcpip\..\{CBE2EB50-9EAB-4076-9F69-17C7C8BC3FE8}: NameServer=207.164.234.193 67.69.184.143


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End





C:\WINDOWS\SYSTEM32\crss7.exe moved successfully.
C:\WINDOWS\SYSTEM32\crss0.exe moved successfully.
C:\WINDOWS\SYSTEM32\svcnet.exe moved successfully.
C:\fnkyqnag.exe moved successfully.
C:\teca.exe moved successfully.
C:\uyrddf.exe moved successfully.
C:\WINDOWS\SYSTEM32\winmds.exe moved successfully.
C:\WINDOWS\SYSTEM32\0mrr1tpv.exe moved successfully.

Created on 09/13/2007 21:22:07

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:23:38 PM, on 13/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\bak\McUpdate.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] (User 'Default user')
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...72/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,15/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBE2EB50-9EAB-4076-9F69-17C7C8BC3FE8}: NameServer = 207.164.234.193 67.69.184.143
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6666 bytes

#13 gossipgirl

gossipgirl
  • Topic Starter

  • Members
  • 137 posts
  • OFFLINE
  •  
  • Local time:09:27 AM

Posted 12 September 2007 - 08:23 PM

Both programs ran properly, but with SmitFraud, after I said yes to cleaning the registry, I didn't realize that it was supposed to do so so fast, so I reran it by pressing 2 afterwards, which created the log that I posted. I don't think I can get the previous log back, but it said that it deleted 2 infected files which looked like "2007-09-11 20:16:33 C:\WINDOWS\Tasks\At61.job." (That's just an example, not exactly what it said. But it was something like At--.job.)

Edited by gossipgirl, 12 September 2007 - 08:23 PM.


#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:27 PM

Posted 13 September 2007 - 04:28 AM

Double click on Combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

#15 gossipgirl

gossipgirl
  • Topic Starter

  • Members
  • 137 posts
  • OFFLINE
  •  
  • Local time:09:27 AM

Posted 13 September 2007 - 03:27 PM

ComboFix 07-09-13.1 - "Gwen" 2007-09-14 16:24:07.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.499 [GMT -4:00]
.

((((((((((((((((((((((((( Files Created from 2007-08-14 to 2007-09-14 )))))))))))))))))))))))))))))))
.

2007-09-13 21:14 2,754 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-09-11 19:07 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-08 22:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\NVIDIA
2007-09-07 23:03 89,360 --a------ C:\WINDOWS\SYSTEM32\VB5DB.DLL
2007-09-07 23:03 446,464 -ra------ C:\WINDOWS\SYSTEM32\hhactivex.dll
2007-09-07 23:03 176,128 --a------ C:\WINDOWS\SYSTEM32\RcdScan.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-07 23:03 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-22 19:55 --------- d-------- C:\Program Files\QuickTime
2007-08-22 19:55 --------- d-------- C:\Program Files\iTunes
2007-08-12 21:17 --------- d-------- C:\Program Files\Sony Setup
2007-08-12 20:51 --------- d-------- C:\DOCUME~1\Gwen\APPLIC~1\Sony
2007-08-12 20:51 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sony
2007-08-12 20:45 --------- d-------- C:\Program Files\Sony
2007-08-07 17:14 --------- d-------- C:\Program Files\LimeWire
2007-08-05 15:17 --------- d-------- C:\Program Files\MUSICMATCH
2007-06-17 00:11 51200 --a------ C:\WINDOWS\nircmd.exe
2005-05-11 23:36 12288 --a------ C:\WINDOWS\Fonts\RandFont.dll
2004-10-07 16:24 69 --a------ C:\DOCUME~1\Georgia\APPLIC~1\tvmcwrd.dll
2004-10-07 09:15 225465 --a------ C:\DOCUME~1\Chris\APPLIC~1\tvmknwrd.dll
2004-10-06 20:46 225465 --a------ C:\DOCUME~1\Georgia\APPLIC~1\tvmknwrd.dll
2004-10-04 17:13 224644 --a------ C:\DOCUME~1\Gwen\APPLIC~1\tvmknwrd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" []
"MCUpdateExe"="C:\PROGRA~1\McAfee.com\Agent\bak\McUpdate.exe" [2003-08-04 18:25]
"POINTER"="point32.exe" []
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\SYSTEM32\nwiz.exe]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-08-22 19:53]
"Motive SmartBridge"="C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe" [2007-08-22 19:53]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-08-22 19:53]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2007-08-22 19:53]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22]
"QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-22 19:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-01-24 15:37]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
AOL 7.0 Tray Icon.lnk - C:\Program Files\AOL 7.0\aoltray.exe [2003-06-02 21:48:51]
DESKTOP.INI [2002-09-03 10:00:00]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 00:49:24]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2004-12-29 19:29:37]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2003-06-17 17:00:11]

C:\DOCUME~1\Chris\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]

C:\DOCUME~1\Georgia\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]

C:\DOCUME~1\Gwen\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]

C:\DOCUME~1\Yvonne\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 NaiFiltr;NaiFiltr;C:\WINDOWS\system32\DRIVERS\NaiFiltr.sys
S3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\System32\drivers\NMSCFG.SYS
S3 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-11 21:45:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At100.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At101.job"
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At102.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At103.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At104.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-14 12:00:00 C:\WINDOWS\Tasks\At105.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At106.job"
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At107.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At108.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-11 20:16:33 C:\WINDOWS\Tasks\At109.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-12 19:56:38 C:\WINDOWS\Tasks\At110.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-12 19:56:38 C:\WINDOWS\Tasks\At111.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At112.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-14 20:00:00 C:\WINDOWS\Tasks\At113.job"
"2007-09-13 22:12:45 C:\WINDOWS\Tasks\At114.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-13 22:12:45 C:\WINDOWS\Tasks\At115.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-14 01:18:51 C:\WINDOWS\Tasks\At116.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-14 01:18:51 C:\WINDOWS\Tasks\At117.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-14 01:18:51 C:\WINDOWS\Tasks\At118.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-14 02:00:00 C:\WINDOWS\Tasks\At119.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At120.job"
- C:\WINDOWS\system32\svcnet.exe
"2003-06-06 20:35:43 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
"2003-06-06 20:35:43 C:\WINDOWS\Tasks\ISP signup reminder 2.job"
- C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
"2003-06-06 20:35:43 C:\WINDOWS\Tasks\ISP signup reminder 3.job"
"2007-09-14 20:24:00 C:\WINDOWS\Tasks\McAfee.com Update Check (D8VQYV21-Owner).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
"2007-09-14 20:25:00 C:\WINDOWS\Tasks\McAfee.com Update Check (--Chris).job"
- C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
"2007-09-14 20:27:00 C:\WINDOWS\Tasks\McAfee.com Update Check (--Georgia).job"
- C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
"2007-09-14 20:26:00 C:\WINDOWS\Tasks\McAfee.com Update Check (--Gwen).job"
- C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
"2007-09-14 20:27:00 C:\WINDOWS\Tasks\McAfee.com Update Check (D-Yvonne).job"
- C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-14 16:27:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-09-14 16:28:38
C:\ComboFix-quarantined-files.txt ... 2007-09-14 16:28
C:\ComboFix2.txt ... 2007-09-13 16:20
C:\ComboFix3.txt ... 2007-06-12 09:21
.
--- E O F ---
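The "Scheduled Tasks" section of the ComboFix log above is the most telling part of this post: some twenty jobs named At100.job through At120.job, nearly all pointing at C:\WINDOWS\system32\svcnet.exe, the backdoor that OTMoveIt had already moved. Job names of the form At<N>.job are what at.exe assigns to the tasks it creates, and a run of them all launching one binary from System32 is a classic persistence pattern; SmitFraudFix caught only two of them (post #13). With svcnet.exe gone the jobs cannot run anything, but they are still indicators and should be cleared. The Python script below is an added example, not part of this thread or of ComboFix; it parses the job/target pairs in the format ComboFix prints, flags At<N>.job entries and any target not on an operator-supplied allowlist, and counts how many jobs share each target so one executable behind many jobs stands out. The sample section is a constructed, shortened copy of the log above, and the allowlist is an assumption for this example (ComboFix has no such list).

```python
"""Triage the 'Scheduled Tasks' section of a ComboFix log for at.exe persistence.

Added example, not part of this thread or of ComboFix. It parses the
job/target pairs as ComboFix prints them, flags At<N>.job entries (the names
at.exe gives to jobs it creates) and any target not on an operator allowlist,
and counts how many jobs share one target so a single binary behind twenty
jobs stands out.
"""
import re
from collections import Counter

# Constructed sample: a shortened copy of the section in the log above.
SAMPLE_SECTION = r"""
Contents of the 'Scheduled Tasks' folder
"2007-09-11 21:45:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At100.job"
- C:\WINDOWS\system32\svcnet.exe
"2007-09-10 20:10:42 C:\WINDOWS\Tasks\At101.job"
"2007-09-14 01:18:51 C:\WINDOWS\Tasks\At116.job"
- C:\WINDOWS\system32\svcnet.exe
"2003-06-06 20:35:43 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
"2007-09-14 20:26:00 C:\WINDOWS\Tasks\McAfee.com Update Check (--Gwen).job"
- C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
.
"""

# Assumption for the example: an operator-maintained allowlist of task targets
# that are expected on this machine (basenames, lower-case).
KNOWN_GOOD_TARGETS = {"softwareupdate.exe", "oobebaln.exe", "mcupdate.exe"}

JOB_RE = re.compile(r'^"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+\.job)"$')
TARGET_RE = re.compile(r"^- (.+)$")
AT_JOB_RE = re.compile(r"^At\d+\.job$", re.IGNORECASE)


def basename(win_path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return win_path.rsplit("\\", 1)[-1].lower()


def parse_tasks(text: str) -> list:
    """Return one dict per job line: timestamp, job path, short name, target (or None).

    ComboFix prints the target on the following line prefixed with '- '; a job
    with no such line had no command ComboFix could resolve.
    """
    tasks = []
    for line in text.splitlines():
        line = line.strip()
        job = JOB_RE.match(line)
        if job:
            ts, path = job.groups()
            tasks.append({"timestamp": ts, "job": path,
                          "name": path.rsplit("\\", 1)[-1], "target": None})
            continue
        target = TARGET_RE.match(line)
        if target and tasks and tasks[-1]["target"] is None:
            tasks[-1]["target"] = target.group(1)
    return tasks


def triage(tasks: list) -> dict:
    """Flag suspicious jobs and count jobs per target executable."""
    suspicious, per_target = [], Counter()
    for task in tasks:
        reasons = []
        if AT_JOB_RE.match(task["name"]):
            reasons.append("At<N>.job name: created with at.exe, a common persistence trick")
        if task["target"] is not None:
            target = basename(task["target"])
            per_target[target] += 1
            if target not in KNOWN_GOOD_TARGETS:
                reasons.append(f"target {target} is not on the allowlist")
        if reasons:
            suspicious.append({**task, "reasons": reasons})
    return {"suspicious": suspicious, "per_target": per_target}


if __name__ == "__main__":
    report = triage(parse_tasks(SAMPLE_SECTION))
    for target, count in report["per_target"].most_common():
        print(f"{count:3d} job(s) -> {target}")
    for item in report["suspicious"]:
        print(f"FLAG {item['name']}: {'; '.join(item['reasons'])}")
```

Because the check runs over the pasted log text rather than the live machine, it can be done from a clean computer, which matters on a box where the helper has already told the owner to treat every credential as compromised. On the full log above it would flag all twenty At1xx.job entries and show svcnet.exe as the target of nearly every one of them.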
