
Infected With The Spyware-secure


  • This topic is locked
18 replies to this topic

#1 el_paraiso

el_paraiso

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:56 AM

Posted 15 September 2007 - 05:36 AM

Hi,

When I open my browser window (IE or Mozilla, doesn't matter), after a few seconds security alert pop-ups warn that my computer is infected and I should try spyware-secure to remove them. I never downloaded that bleep programme, but I don't know how to fix it. I tried Norton Internet Security 2008, Ad-Aware 2007, Spybot Search & Destroy, AVG Anti-Spyware, a-squared, McAfee AVERT Stinger 3.8.0, but nothing. I also tried Windows Update and a restore point... No good!
Thanks for your time...
Hope you can help me...

P.S. I include the logfile of HijackThis and the logfile of RegLooks v0.972. In RegLooks, in the middle of the operation, it told me "The system cannot find the file tempi2.txt." I stopped it then and pasted the log of results as it was until then.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:32:31, on 15/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Ashampoo\ASHAMP~3\bin\DEFRAG~3.EXE
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe
C:\WINDOWS\ALCWZRD.EXE
C:\PROGRA~1\Ashampoo\ASHAMP~3\bin\defragActivityMonitor.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\MessengerSkinner\MessengerSkinner.exe
C:\Program Files\SAGEM\CONN-X SAGEM Fast 800\dslmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O1 - Hosts: 88.87.7.3 L2authd.lineage2.com
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: Systran40premi.IEPlugIn - {CFB25594-4D5F-11D6-AB7B-00B0D094B576} - C:\Program Files\Systran\4_0\Premium\IEPlugIn.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [DT LGE] C:\Program Files\Portrait Displays\forteManager\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DefragTaskBar] "C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe"
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\PPE.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [acuyivw] c:\windows\system32\acuyivw.exe acuyivw
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [messengerskinner] C:\Program Files\MessengerSkinner\MessengerSkinner.exe
O4 - HKCU\..\Run: [azkbqobuy] c:\windows\system32\azkbqobuy.exe azkbqobuy
O4 - HKCU\..\Run: [nddgnvnyr] c:\windows\system32\nddgnvnyr.exe nddgnvnyr
O4 - HKCU\..\Run: [smndapjo] c:\windows\system32\smndapjo.exe smndapjo
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\CONN-X SAGEM Fast 800\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O8 - Extra context menu item: Λήψη όλων με το FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Λήψη με χρήση του FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} (CamfrogWEB Advanced Unicode Control) - http://activex.camfrogweb.com/advanced/2.0..._instmodule.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/gr/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1174557543531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174579446078
O17 - HKLM\System\CCS\Services\Tcpip\..\{204461D1-A6BA-46BC-8FF4-21282CD13058}: NameServer = 195.170.0.1,195.170.2.2
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 14556 bytes


REGLOOKS logfile

version 0.972
15/09/2007 18:40:44,42
running from: "C:\Documents and Settings\PYTHAGORAS\Desktop"

--- SSODL regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}" FILE ="C:\\WINDOWS\\system32\\upnpui.dll"


--- STS regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
only standard or legit regkeys found


--- USERINIT regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"


--- SHELL regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell"="Explorer.exe"


--- SYSTEM regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"System"=""


--- APPINIT_DLLS regkey ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
"AppInit_DLLs"=""


--- NOTIFY regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
only standard or legit regkeys found


--- RUN / LOAD regkeys ---

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
"load"=""


--- BOOTEXECUTE regkey ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
BootExecute= autocheck autochk *\0lsdelete\0\0


--- PENDINGFILERENAMEOPERATIONS regkey ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
Pendingfilerenameoperations= \??\C:\DOCUME~1\PYTHAG~1\LOCALS~1\Temp\symlcsv1.exe\0\0\0


--- SHELLEXECUTEHOOKS regkey ---

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"


--- AUTORUN regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
"AutoRun"=""


--- HKLM\Run regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"MsmqIntCert"="regsvr32 /s mqrt.dll"
"High Definition Audio Property Page Shortcut"="HDAShCut.exe"
"IAAnotif"="\"C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\Iaanotif.exe\""
"NVRTCLK"="C:\\WINDOWS\\system32\\NVRTCLK\\NVRTClk.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"LanguageShortcut"="\"C:\\Program Files\\CyberLink\\PowerDVD\\Language\\Language.exe\""
"PivotSoftware"="\"C:\\Program Files\\Portrait Displays\\Pivot Software\\wpctrl.exe\""
"DT LGE"="C:\\Program Files\\Portrait Displays\\forteManager\\DTHtml.exe -startup_folder"
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"SoundMan"="SOUNDMAN.EXE"
"DefragTaskBar"="\"C:\\Program Files\\Ashampoo\\Ashampoo Magical Defrag 2\\bin\\defragTaskBar.exe\""
"AlcWzrd"="ALCWZRD.EXE"
"Alcmtr"="ALCMTR.EXE"
"CloneCDTray"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"PCLEPCI"="C:\\PROGRA~1\\Pinnacle\\PPE\\PPE.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"
"acuyivw"="c:\\windows\\system32\\acuyivw.exe acuyivw"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""
[Run\not active]
[Run\OptionalComponents]
[Run\OptionalComponents\IMAIL]
"Installed"="1"
[Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[Run\OptionalComponents\MSFS]
"Installed"="1"


--- HKLM\RunOnce regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
no HKLM RunOnce keys found


--- HKLM\RunOnceEx regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
no HKLM RunOnceEx keys found


--- HKLM\RunServices regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
no HKLM RunServices keys found


--- HKLM\RunServicesOnce regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
regkey does not exist


--- HKCU\Run regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"messengerskinner"="C:\\Program Files\\MessengerSkinner\\MessengerSkinner.exe"
"azkbqobuy"="c:\\windows\\system32\\azkbqobuy.exe azkbqobuy"
"nddgnvnyr"="c:\\windows\\system32\\nddgnvnyr.exe nddgnvnyr"
"smndapjo"="c:\\windows\\system32\\smndapjo.exe smndapjo"
"uikeuwvjo"="c:\\windows\\system32\\uikeuwvjo.exe uikeuwvjo"


--- HKCU\RunOnce regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
no HKCU RunOnce keys found


--- HKCU\RunOnceEx regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
regkey does not exist


--- HKCU\RunServices regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
regkey does not exist


--- HKCU\RunServicesOnce regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
regkey does not exist


--- HKU\.DEFAULT\Run regkeys ---

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"


--- HKU\S-1-5-18\Run regkeys ---

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"


--- HKU\S-1-5-19\Run regkeys ---

HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"


--- HKU\S-1-5-20\Run regkeys ---

HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"


--- HKLM\Explorer\Run regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
no HKLM Explorer\Run keys found


--- HKCU\Explorer\Run regkeys ---

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
regkey does not exist


--- Image File Execution regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
no debuggers found


--- BROWSER HELPER OBJECTS regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
"{00C6482D-C502-44C8-8409-FCE54AD9C208}" FILE ="C:\\Program Files\\TechSmith\\SnagIt 8\\SnagItBHO.dll"
"{02478D38-C3F9-4efb-9B51-7695ECA05670}" regkey not found (ERROR)
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}" FILE ="C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll"
"{31FF080D-12A3-439A-A2EF-4BA95A3148E8}" FILE ="C:\\Program Files\\GetRight\\xx2gr.dll"
"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}" FILE ="C:\\PROGRA~1\\MEGAUP~1\\MEGAUP~1.DLL"
"{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}" FILE ="C:\\Program Files\\Yahoo!\\Common\\yiesrvc.dll"
"{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}" FILE ="C:\\Program Files\\Common Files\\Symantec Shared\\coShared\\Browser\\2.0\\coIEPlg.dll"
"{6D53EC84-6AAE-4787-AEEE-F4628F01010C}" FILE ="C:\\PROGRA~1\\COMMON~1\\SYMANT~1\\IDS\\IPSBHO.dll"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" FILE ="C:\\Program Files\\Java\\jre1.6.0_02\\bin\\ssv.dll"
"{7E853D72-626A-48EC-A868-BA8D5E23E045}" regkey not found (ERROR)
"{A5366673-E8CA-11D3-9CD9-0090271D075B}" FILE ="C:\\PROGRA~1\\FlashGet\\jccatch.dll"


--- TOOLBAR regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
"{CFB25594-4D5F-11D6-AB7B-00B0D094B576}" FILE ="C:\\Program Files\\Systran\\4_0\\Premium\\IEPlugIn.dll"
"{E0E899AB-F487-11D5-8D29-0050BA6940E3}" FILE ="C:\\PROGRA~1\\FlashGet\\fgiebar.dll"
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" FILE ="C:\\Program Files\\TechSmith\\SnagIt 8\\SnagItIEAddin.dll"
"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}" FILE ="C:\\PROGRA~1\\MEGAUP~1\\MEGAUP~1.DLL"
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" FILE ="C:\\Program Files\\Common Files\\Symantec Shared\\coShared\\Browser\\2.0\\CoIEPlg.dll"


--- URLSEARCHHOOKS regkeys ---

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
only standard regkeys found


--- CONTEXTMENUHANDLERS regkeys ---

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
"7-Zip" CLSID ={23170F69-40C1-278A-1000-000100020000} FILE ="C:\\Program Files\\7-Zip\\7-zip.dll"
"AVG Anti-Spyware" CLSID ={8934FCEF-F5B8-468f-951F-78A921CD3920} FILE ="C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\context.dll"
"Offline Files" CLSID ={750fdf0e-2a26-11d1-a3ea-080036587f03} FILE =%SystemRoot%\System32\cscui.dll
"Open With" CLSID ={09799AFB-AD67-11d1-ABCD-00C04FC30936} FILE =%SystemRoot%\system32\SHELL32.dll
"Open With EncryptionMenu" CLSID ={A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE =%SystemRoot%\system32\SHELL32.dll
"SnagItMainShellExt" CLSID ={CF74B903-3389-469c-B3B6-0204D204FCBD} FILE ="C:\\Program Files\\TechSmith\\SnagIt 8\\SnagItShellExt.dll"
"Symantec.Norton.Antivirus.IEContextMenu" CLSID ={FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} FILE ="C:\\PROGRA~1\\NORTON~2\\NORTON~1\\NavShExt.dll"
"WinRAR" CLSID ={B41DB860-8EE4-11D2-9906-E49FADC173CA} FILE ="C:\\Program Files\\WinRAR\\rarext.dll"
"WinZip" CLSID ={E0D79304-84BE-11CE-9641-444553540000} FILE ="C:\\PROGRA~1\\WINZIP\\WZSHLSTB.DLL"
"Yahoo! Mail" CLSID ={5464D816-CF16-4784-B9F3-75C0DB52B499} FILE ="C:\\PROGRA~1\\Yahoo!\\Common\\ymmapi.dll"
"{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}" Start Menu Pin FILE =%SystemRoot%\system32\SHELL32.dll

HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers
"7-Zip" CLSID ={23170F69-40C1-278A-1000-000100020000} FILE ="C:\\Program Files\\7-Zip\\7-zip.dll"
"AVG Anti-Spyware" CLSID ={8934FCEF-F5B8-468f-951F-78A921CD3920} FILE ="C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\context.dll"
"EncryptionMenu" CLSID ={A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE =%SystemRoot%\system32\SHELL32.dll
"Offline Files" CLSID ={750fdf0e-2a26-11d1-a3ea-080036587f03} FILE =%SystemRoot%\System32\cscui.dll
"Sharing" CLSID ={f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} FILE ="ntshrui.dll"
"SnagItMainShellExt" CLSID ={CF74B903-3389-469c-B3B6-0204D204FCBD} FILE ="C:\\Program Files\\TechSmith\\SnagIt 8\\SnagItShellExt.dll"
"WinRAR" CLSID ={B41DB860-8EE4-11D2-9906-E49FADC173CA} FILE ="C:\\Program Files\\WinRAR\\rarext.dll"
"WinZip" CLSID ={E0D79304-84BE-11CE-9641-444553540000} FILE ="C:\\PROGRA~1\\WINZIP\\WZSHLSTB.DLL"

HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers
"a-squared Free Shell Extension" CLSID ={A155339D-CCCD-4714-85EB-3754B804C9DF} FILE ="C:\\Program Files\\a-squared Free\\a2freecontmenu.dll"
"Symantec.Norton.Antivirus.IEContextMenu" CLSID ={FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} FILE ="C:\\PROGRA~1\\NORTON~2\\NORTON~1\\NavShExt.dll"
"WinRAR" CLSID ={B41DB860-8EE4-11D2-9906-E49FADC173CA} FILE ="C:\\Program Files\\WinRAR\\rarext.dll"
"WinZip" CLSID ={E0D79304-84BE-11CE-9641-444553540000} FILE ="C:\\PROGRA~1\\WINZIP\\WZSHLSTB.DLL"


--- ALTERNATESHELL regkey ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
"AlternateShell"="cmd.exe"


--- SAFEBOOT MINIMAL SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
aawservice
AVG Anti-Spyware Driver
AVG Anti-Spyware Guard


--- SAFEBOOT NETWORK SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
aawservice
AVG Anti-Spyware Driver
AVG Anti-Spyware Guard


--- SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4
"DisplayName"="IPv6 Helper Service"
%SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\a2free
"DisplayName"="a-squared Free Service"
"C:\Program Files\a-squared Free\a2service.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ADILOADER
"DisplayName"="General Purpose USB Driver (adildr.sys)"
System32\Drivers\adildr.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\adiusbaw
"DisplayName"="USB ADSL WAN Adapter"
system32\DRIVERS\adiusbaw.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\APLMp50
"DisplayName"="APLMp50 NDIS Protocol Driver"
System32\Drivers\APLMp50.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AshampooDefragService
"DisplayName"="AshampooDefragService"
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ASP
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Automatic LiveUpdate Scheduler
"DisplayName"="Automatic LiveUpdate Scheduler"
"C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVG Anti-Spyware Driver
"DisplayName"="AVG Anti-Spyware Driver"
\??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AvgAsCln
"DisplayName"="AVG Anti-Spyware Clean Driver"
System32\DRIVERS\AvgAsCln.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\b57w2k
"DisplayName"="Broadcom NetXtreme Gigabit Ethernet"
system32\DRIVERS\b57xp32.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\C-DillaCdaC11BA
"DisplayName"="C-DillaCdaC11BA"
C:\WINDOWS\system32\drivers\CDAC11BA.EXE

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CdaC15BA
"DisplayName"="CdaC15BA"

Edited by el_paraiso, 15 September 2007 - 10:52 AM.
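As an added example (not code from this thread, from HijackThis or from Navilog1), here is a small Python parser for HijackThis O4 lines that flags the pattern visible in the log above: a random-named executable in system32 started with its own name as the only argument. The heuristic and the function names are the editor's own assumptions; the sample lines are copied from the posted log.

```python
# Added example: parse HijackThis "O4" autostart lines and flag entries where
# the value name, the executable stem and the sole argument are identical and
# the executable lives in system32 (the pattern of the four odd entries in
# this log). The rule is the editor's heuristic, not a HijackThis or Navilog1 rule.
import re
from dataclasses import dataclass
from typing import List, Optional

O4_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

# Constructed sample: a subset of O4 lines copied from the HijackThis log above.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll",
    r'O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"',
    r"O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe",
    r"O4 - HKLM\..\Run: [nwiz] nwiz.exe /install",
    r"O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r"O4 - HKLM\..\Run: [acuyivw] c:\windows\system32\acuyivw.exe acuyivw",
    r"O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKCU\..\Run: [azkbqobuy] c:\windows\system32\azkbqobuy.exe azkbqobuy",
    r"O4 - HKCU\..\Run: [nddgnvnyr] c:\windows\system32\nddgnvnyr.exe nddgnvnyr",
    r"O4 - HKCU\..\Run: [smndapjo] c:\windows\system32\smndapjo.exe smndapjo",
    r"O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')",
    r"O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe",
]


@dataclass
class O4Entry:
    where: str   # registry location as HijackThis prints it, e.g. HKLM\..\Run
    name: str    # value name shown in square brackets
    image: str   # executable path exactly as written in the log
    args: str    # everything after the image path


def split_command(cmd: str):
    """Split a Run value into (image, args); a quoted image path is kept whole."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd.strip('"'), ""
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def parse_o4(line: str) -> Optional[O4Entry]:
    """Return an O4Entry for registry-style O4 lines; Startup .lnk lines give None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    image, args = split_command(m.group("cmd"))
    return O4Entry(m.group("where"), m.group("name"), image, args)


def is_self_named_system32(entry: O4Entry) -> bool:
    """True when value name == exe stem == only argument and exe sits in system32."""
    path = entry.image.lower().replace("/", "\\")
    directory, _, filename = path.rpartition("\\")
    stem = filename[:-4] if filename.endswith(".exe") else filename
    return (
        directory.endswith("\\system32")
        and stem == entry.name.lower() == entry.args.lower()
    )


def flag_suspicious(log_lines: List[str]) -> List[str]:
    """Names of O4 entries matching the self-named system32 pattern, in log order."""
    hits = []
    for line in log_lines:
        entry = parse_o4(line)
        if entry and is_self_named_system32(entry):
            hits.append(entry.name)
    return hits


if __name__ == "__main__":
    for name in flag_suspicious(SAMPLE_LOG):
        print("review this autostart:", name)
```

Matches are only a prompt for review; the page's own Navilog1 output is what confirms these entries as Navipromo.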



#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:10:56 PM

Posted 15 September 2007 - 11:18 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum el_paraiso :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Please download Navilog1 by IL-MAFIOSO:
http://perso.orange.fr/il.mafioso/Navifix/Navilog1.zip

* Extract its contents to the desktop.
* Double click on navilog1.exe to install it on your computer.
* When the installation is complete, the tool will start automatically.
* If it doesn't start automatically, please double click on Navilog1 shortcut on your desktop to run it.
* Press E for English from the language Menu.
* Type 1 in the next Menu to select Search and press Enter.
* Wait for the scan to finish (it may take a reasonable amount of time).
* Press any key as requested.
* A new document will be produced: fixnavi.txt.
* Please copy/paste the contents of this report in your next reply.

The report is also saved in the root of the directory, "%SystemDrive%\fixnavi.txt". (usually C:\fixnavi.txt)

#3 el_paraiso

el_paraiso
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:56 AM

Posted 15 September 2007 - 12:05 PM

Hi Richie,
I'm so glad that you wish to help me :thumbsup: I'm George from Greece and I appreciate all the help you can give me. So here is the log you asked me for ...

P.S. Excuse me if my English has some faults; I hope they aren't too obvious ...


Search Navipromo version 3.0.3 began on 15/09/2007 at 19:47:40,28

!!! Warning, this report may include legitimate files/programs !!!
!!! Post this report on the forum you are being helped !!!
!!! Don't continue with removal unless instructed by an authorized helper !!!
Fix running from C:\Program Files\navilog1
Updated on 14.09.2007 at 13h00 by IL-MAFIOSO

Microsoft Windows XP [Version 5.1.2600]
Version Internet Explorer : 7.0.5730.11

Done in normal mode

*** Searching for installed Software ***


MessengerSkinner


*** Search folders in C:\WINDOWS ***



*** Search folders in C:\Program Files ***

C:\Program Files\MessengerSkinner found !


*** Search folders in C:\Documents and Settings\All Users\Application Data ***




*** Search folders in C:\Documents and Settings\PYTHAGORAS\Application Data ***

...\Application Data\MessengerSkinner found !

*** Search with BlackLight Engine/F-secure ***
BlackLight Engine is a product of F-secure, for more info:
http://www.f-secure.com/blacklight/blacklight_help.html

Hidden(s) file(s) in C:\WINDOWS\system32 :

c:\WINDOWS\system32\uikeuwvjo.dat
C:\windows\system32\uikeuwvjo.exe
c:\WINDOWS\system32\uikeuwvjo_nav.dat
c:\WINDOWS\system32\uikeuwvjo_navps.dat

Hidden(s) Process in C:\WINDOWS\system32 :

C:\windows\system32\uikeuwvjo.exe


*** Search with GenericNaviSearch ***
!!! Possibility of legitims files in the result !!!
!!! To be always checked before manually deleting !!!

* Scan C:\WINDOWS\system32 *

Files found :

bnddpnusq.exe found !
cwckot.exe found !

Suspicious Files :

No Suspicious File found !



*** Search files ***


C:\WINDOWS\pack.epk found !
C:\WINDOWS\system32\nvs2.inf found !
C:\WINDOWS\prefetch\MESSENGERSKINNER.EXE-0EE2A110.pf found !
C:\WINDOWS\prefetch\MESSENGERSKINNER.EXE-36BCFAB1.pf found !


*** Search registry keys ***

HKEY_CURRENT_USER\Software\Lanconfig found !
HKEY_USERS\S-1-5-21-515967899-1454471165-682003330-1003\Software\Lanconfig found !


*** Complementary Search ***
(Search specifics files)

1)Search known files:

2)Heuristic Search :

C:\WINDOWS\system32\acuyivw.dat found !
C:\WINDOWS\system32\azkbqobuy.dat found !
C:\WINDOWS\system32\cchahbllg.dat found !
C:\WINDOWS\system32\ckqgxnqdj.dat found !
C:\WINDOWS\system32\dneurz.dat found !
C:\WINDOWS\system32\hgrhuzeg.dat found !
C:\WINDOWS\system32\lqpxmqkplh.dat found !
C:\WINDOWS\system32\nddgnvnyr.dat found !
C:\WINDOWS\system32\sfamxuflpc.dat found !
C:\WINDOWS\system32\uikeuwvjo.dat found !
C:\WINDOWS\system32\vpqdrl.dat found !
C:\WINDOWS\system32\zvzcazr.dat found !
C:\WINDOWS\system32\acuyivw_navps.dat found !
C:\WINDOWS\system32\azkbqobuy_navps.dat found !
C:\WINDOWS\system32\cchahbllg_navps.dat found !
C:\WINDOWS\system32\ckqgxnqdj_navps.dat found !
C:\WINDOWS\system32\dneurz_navps.dat found !
C:\WINDOWS\system32\hgrhuzeg_navps.dat found !
C:\WINDOWS\system32\lqpxmqkplh_navps.dat found !
C:\WINDOWS\system32\nddgnvnyr_navps.dat found !
C:\WINDOWS\system32\sfamxuflpc_navps.dat found !
C:\WINDOWS\system32\smndapjo_navps.dat found !
C:\WINDOWS\system32\uikeuwvjo_navps.dat found !
C:\WINDOWS\system32\vpqdrl_navps.dat found !
C:\WINDOWS\system32\zvzcazr_navps.dat found !
C:\WINDOWS\system32\acuyivw_nav.dat found !
C:\WINDOWS\system32\azkbqobuy_nav.dat found !
C:\WINDOWS\system32\cchahbllg_nav.dat found !
C:\WINDOWS\system32\ckqgxnqdj_nav.dat found !
C:\WINDOWS\system32\dneurz_nav.dat found !
C:\WINDOWS\system32\hgrhuzeg_nav.dat found !
C:\WINDOWS\system32\lqpxmqkplh_nav.dat found !
C:\WINDOWS\system32\nddgnvnyr_nav.dat found !
C:\WINDOWS\system32\sfamxuflpc_nav.dat found !
C:\WINDOWS\system32\smndapjo_nav.dat found !
C:\WINDOWS\system32\uikeuwvjo_nav.dat found !
C:\WINDOWS\system32\vpqdrl_nav.dat found !
C:\WINDOWS\system32\zvzcazr_nav.dat found !





3)Certificates Search :

Certificate Egroup found !


*** Search completed on 15/09/2007 at 19:57:21,67 ***
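As an added example (not part of this thread and not Navilog1's own code), the script below parses a Navilog1-style "Search" report like the one George posted and groups the heuristic hits by their random-name stem, so a helper can see at a glance which stems carry the full set of `<stem>.dat`, `<stem>_nav.dat` and `<stem>_navps.dat` files and which of them also have a hidden executable running. The report text is constructed to mimic the layout above; the section headers and file suffixes it keys on are assumptions taken from that log, and the stems `abcdefg` and `hijklmn` are made up.

```python
from collections import defaultdict

# Constructed sample in the layout of a Navilog1 "Search" report.
# The stems "abcdefg" and "hijklmn" are invented; they are not names from the thread.
SAMPLE_REPORT = r"""
*** Search folders in C:\Program Files ***

C:\Program Files\MessengerSkinner found !

*** Search with BlackLight Engine/F-secure ***

Hidden(s) file(s) in C:\WINDOWS\system32 :

c:\WINDOWS\system32\abcdefg.dat
C:\windows\system32\abcdefg.exe
c:\WINDOWS\system32\abcdefg_nav.dat

Hidden(s) Process in C:\WINDOWS\system32 :

C:\windows\system32\abcdefg.exe

*** Search registry keys ***

HKEY_CURRENT_USER\Software\Lanconfig found !

2)Heuristic Search :

C:\WINDOWS\system32\abcdefg.dat found !
C:\WINDOWS\system32\hijklmn.dat found !
C:\WINDOWS\system32\abcdefg_navps.dat found !
C:\WINDOWS\system32\hijklmn_navps.dat found !
C:\WINDOWS\system32\abcdefg_nav.dat found !
C:\WINDOWS\system32\hijklmn_nav.dat found !

*** Search completed ***
"""

# Section headers as they appear in the report (assumed from the posted log), in check order.
SECTION_MARKERS = [
    ("*** Search folders", "folders"),
    ("Hidden(s) file(s)", "hidden_files"),
    ("Hidden(s) Process", "hidden_procs"),
    ("*** Search registry keys", "registry"),
    ("2)Heuristic Search", "heuristic"),
]

# Longest suffix first so "_navps.dat" is matched before the generic ".dat".
SUFFIXES = ("_navps.dat", "_nav.dat", ".dat", ".exe")


def parse_report(text):
    """Split a Navilog1 search report into lists of findings per section."""
    found = {name: [] for _, name in SECTION_MARKERS}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        marker = next((name for prefix, name in SECTION_MARKERS if line.startswith(prefix)), None)
        if marker:
            section = marker
            continue
        # Any other banner or "...:" header closes the section we were reading.
        if line.startswith("***") or line.startswith("!!!") or line.endswith(":"):
            section = None
            continue
        if section is None:
            continue
        entry = line[:-len(" found !")] if line.endswith(" found !") else line
        found[section].append(entry)
    return found


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def navipromo_families(found):
    """Group system32 artefacts by stem: which of .dat/_nav.dat/_navps.dat/.exe exist per stem."""
    families = defaultdict(set)
    for path in found["heuristic"] + found["hidden_files"] + found["hidden_procs"]:
        name = _basename(path)
        for suffix in SUFFIXES:
            if name.endswith(suffix):
                families[name[:-len(suffix)]].add(suffix)
                break
    return {stem: sorted(suffixes) for stem, suffixes in families.items()}


def active_families(found):
    """Stems whose .exe is also listed as a hidden running process: the live component."""
    hidden_procs = {_basename(p) for p in found["hidden_procs"]}
    return sorted(stem for stem, suffixes in navipromo_families(found).items()
                  if ".exe" in suffixes and stem + ".exe" in hidden_procs)


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    for stem, suffixes in sorted(navipromo_families(report).items()):
        print(f"{stem}: {', '.join(suffixes)}")
    print("running hidden:", active_families(report))
```

Run against the constructed sample it lists `abcdefg` with all four artefacts and `hijklmn` with only the three `.dat` files, and reports `abcdefg` as the stem with a hidden process. On a real report the stems whose executable is absent from the hidden-process list usually correspond to leftover data files from earlier installs, which is why the tool's removal pass copies each file before deleting it.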

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:10:56 PM

Posted 15 September 2007 - 12:19 PM

* Double click on Navilog1 shortcut icon on your desktop to run it.
* Press E for English from the language Menu.
* Type 3 in the next Menu and press Enter.
* The tool will then advise you that it will restart your computer.
* Close all open windows and save personal documents, if open, too.
* If your computer doesn't restart automatically, restart it manually.
* Choose your usual session.
* Wait for the *** Clean finished the ... *** message (It may take some time so please be patient).
* A new document will be produced.
* Please copy/paste the contents of this report in your next reply.
* Your desktop will now appear.

Note:
In the event you lose your desktop, press CTRL+ALT+Delete and run Explorer.exe as a new task.

The report is also saved in the root directory, %SystemDrive%\cleannavi.txt. (usually C:\cleannavi.txt)
Also post a new HijackThis log.

#5 el_paraiso

el_paraiso
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:56 AM

Posted 15 September 2007 - 12:41 PM

Here they are Richie... thanks again

Navipromo Removal version 3.0.3 started on 15/09/2007 at 20:29:34,37

Fix running from C:\Program Files\navilog1
Updated on 14.09.2007 at 13h00 by IL-MAFIOSO


Microsoft Windows XP [Version 5.1.2600]
Internet Explorer : 7.0.5730.11

Automatic removal
without Blacklight results and GNS



*** Deleting folders in C:\WINDOWS ***


*** Deleting folders in C:\Program Files ***

C:\Program Files\MessengerSkinner ...deleting...
C:\Program Files\MessengerSkinner deleted !


*** Deleting folders in C:\Documents and Settings\All Users\Application Data ***


*** Deleting folders in C:\Documents and Settings\PYTHAGORAS\Application Data ***

...\Application Data\MessengerSkinner ...deleting...
...\Application Data\MessengerSkinner deleted !



*** Deleting files ***

C:\WINDOWS\pack.epk deleted !
C:\WINDOWS\system32\nvs2.inf deleted !
C:\WINDOWS\prefetch\MESSENGERSKINNER.EXE-0EE2A110.pf deleted !
C:\WINDOWS\prefetch\MESSENGERSKINNER.EXE-36BCFAB1.pf deleted !

*** Deleting temporary files ***

Cleanning C:\WINDOWS\Temp done !
Cleanning C:\Documents and Settings\PYTHAGORAS\Local Settings\Temp done !

*** Complementary Search ***
(Search specifics files)

1)Search known files:





2)Searching and deleting Heuristics :

C:\WINDOWS\System32\acuyivw.dat found !
Copy C:\WINDOWS\system32\acuyivw.dat done !
C:\WINDOWS\system32\acuyivw.dat deleted !

C:\WINDOWS\System32\azkbqobuy.dat found !
Copy C:\WINDOWS\system32\azkbqobuy.dat done !
C:\WINDOWS\system32\azkbqobuy.dat deleted !

C:\WINDOWS\System32\cchahbllg.dat found !
Copy C:\WINDOWS\system32\cchahbllg.dat done !
C:\WINDOWS\system32\cchahbllg.dat deleted !

C:\WINDOWS\System32\ckqgxnqdj.dat found !
Copy C:\WINDOWS\system32\ckqgxnqdj.dat done !
C:\WINDOWS\system32\ckqgxnqdj.dat deleted !

C:\WINDOWS\System32\dneurz.dat found !
Copy C:\WINDOWS\system32\dneurz.dat done !
C:\WINDOWS\system32\dneurz.dat deleted !

C:\WINDOWS\System32\hgrhuzeg.dat found !
Copy C:\WINDOWS\system32\hgrhuzeg.dat done !
C:\WINDOWS\system32\hgrhuzeg.dat deleted !

C:\WINDOWS\System32\lqpxmqkplh.dat found !
Copy C:\WINDOWS\system32\lqpxmqkplh.dat done !
C:\WINDOWS\system32\lqpxmqkplh.dat deleted !

C:\WINDOWS\System32\nddgnvnyr.dat found !
Copy C:\WINDOWS\system32\nddgnvnyr.dat done !
C:\WINDOWS\system32\nddgnvnyr.dat deleted !

C:\WINDOWS\System32\sfamxuflpc.dat found !
Copy C:\WINDOWS\system32\sfamxuflpc.dat done !
C:\WINDOWS\system32\sfamxuflpc.dat deleted !

C:\WINDOWS\System32\uikeuwvjo.dat found !
Copy C:\WINDOWS\system32\uikeuwvjo.dat done !
C:\WINDOWS\system32\uikeuwvjo.dat deleted !

C:\WINDOWS\System32\vpqdrl.dat found !
Copy C:\WINDOWS\system32\vpqdrl.dat done !
C:\WINDOWS\system32\vpqdrl.dat deleted !

C:\WINDOWS\System32\zvzcazr.dat found !
Copy C:\WINDOWS\system32\zvzcazr.dat done !
C:\WINDOWS\system32\zvzcazr.dat deleted !

C:\WINDOWS\System32\acuyivw_navps.dat found !
Copy C:\WINDOWS\system32\acuyivw_navps.dat done !
C:\WINDOWS\system32\acuyivw_navps.dat deleted !

C:\WINDOWS\System32\azkbqobuy_navps.dat found !
Copy C:\WINDOWS\system32\azkbqobuy_navps.dat done !
C:\WINDOWS\system32\azkbqobuy_navps.dat deleted !

C:\WINDOWS\System32\cchahbllg_navps.dat found !
Copy C:\WINDOWS\system32\cchahbllg_navps.dat done !
C:\WINDOWS\system32\cchahbllg_navps.dat deleted !

C:\WINDOWS\System32\ckqgxnqdj_navps.dat found !
Copy C:\WINDOWS\system32\ckqgxnqdj_navps.dat done !
C:\WINDOWS\system32\ckqgxnqdj_navps.dat deleted !

C:\WINDOWS\System32\dneurz_navps.dat found !
Copy C:\WINDOWS\system32\dneurz_navps.dat done !
C:\WINDOWS\system32\dneurz_navps.dat deleted !

C:\WINDOWS\System32\hgrhuzeg_navps.dat found !
Copy C:\WINDOWS\system32\hgrhuzeg_navps.dat done !
C:\WINDOWS\system32\hgrhuzeg_navps.dat deleted !

C:\WINDOWS\System32\lqpxmqkplh_navps.dat found !
Copy C:\WINDOWS\system32\lqpxmqkplh_navps.dat done !
C:\WINDOWS\system32\lqpxmqkplh_navps.dat deleted !

C:\WINDOWS\System32\nddgnvnyr_navps.dat found !
Copy C:\WINDOWS\system32\nddgnvnyr_navps.dat done !
C:\WINDOWS\system32\nddgnvnyr_navps.dat deleted !

C:\WINDOWS\System32\sfamxuflpc_navps.dat found !
Copy C:\WINDOWS\system32\sfamxuflpc_navps.dat done !
C:\WINDOWS\system32\sfamxuflpc_navps.dat deleted !

C:\WINDOWS\System32\smndapjo_navps.dat found !
Copy C:\WINDOWS\system32\smndapjo_navps.dat done !
C:\WINDOWS\system32\smndapjo_navps.dat deleted !

C:\WINDOWS\System32\uikeuwvjo_navps.dat found !
Copy C:\WINDOWS\system32\uikeuwvjo_navps.dat done !
C:\WINDOWS\system32\uikeuwvjo_navps.dat deleted !

C:\WINDOWS\System32\vpqdrl_navps.dat found !
Copy C:\WINDOWS\system32\vpqdrl_navps.dat done !
C:\WINDOWS\system32\vpqdrl_navps.dat deleted !

C:\WINDOWS\System32\zvzcazr_navps.dat found !
Copy C:\WINDOWS\system32\zvzcazr_navps.dat done !
C:\WINDOWS\system32\zvzcazr_navps.dat deleted !

C:\WINDOWS\System32\acuyivw_nav.dat found !
Copy C:\WINDOWS\system32\acuyivw_nav.dat done !
C:\WINDOWS\system32\acuyivw_nav.dat deleted !

C:\WINDOWS\System32\azkbqobuy_nav.dat found !
Copy C:\WINDOWS\system32\azkbqobuy_nav.dat done !
C:\WINDOWS\system32\azkbqobuy_nav.dat deleted !

C:\WINDOWS\System32\cchahbllg_nav.dat found !
Copy C:\WINDOWS\system32\cchahbllg_nav.dat done !
C:\WINDOWS\system32\cchahbllg_nav.dat deleted !

C:\WINDOWS\System32\ckqgxnqdj_nav.dat found !
Copy C:\WINDOWS\system32\ckqgxnqdj_nav.dat done !
C:\WINDOWS\system32\ckqgxnqdj_nav.dat deleted !

C:\WINDOWS\System32\dneurz_nav.dat found !
Copy C:\WINDOWS\system32\dneurz_nav.dat done !
C:\WINDOWS\system32\dneurz_nav.dat deleted !

C:\WINDOWS\System32\hgrhuzeg_nav.dat found !
Copy C:\WINDOWS\system32\hgrhuzeg_nav.dat done !
C:\WINDOWS\system32\hgrhuzeg_nav.dat deleted !

C:\WINDOWS\System32\lqpxmqkplh_nav.dat found !
Copy C:\WINDOWS\system32\lqpxmqkplh_nav.dat done !
C:\WINDOWS\system32\lqpxmqkplh_nav.dat deleted !

C:\WINDOWS\System32\nddgnvnyr_nav.dat found !
Copy C:\WINDOWS\system32\nddgnvnyr_nav.dat done !
C:\WINDOWS\system32\nddgnvnyr_nav.dat deleted !

C:\WINDOWS\System32\sfamxuflpc_nav.dat found !
Copy C:\WINDOWS\system32\sfamxuflpc_nav.dat done !
C:\WINDOWS\system32\sfamxuflpc_nav.dat deleted !

C:\WINDOWS\System32\smndapjo_nav.dat found !
Copy C:\WINDOWS\system32\smndapjo_nav.dat done !
C:\WINDOWS\system32\smndapjo_nav.dat deleted !

C:\WINDOWS\System32\uikeuwvjo_nav.dat found !
Copy C:\WINDOWS\system32\uikeuwvjo_nav.dat done !
C:\WINDOWS\system32\uikeuwvjo_nav.dat deleted !

C:\WINDOWS\System32\vpqdrl_nav.dat found !
Copy C:\WINDOWS\system32\vpqdrl_nav.dat done !
C:\WINDOWS\system32\vpqdrl_nav.dat deleted !

C:\WINDOWS\System32\zvzcazr_nav.dat found !
Copy C:\WINDOWS\system32\zvzcazr_nav.dat done !
C:\WINDOWS\system32\zvzcazr_nav.dat deleted !

C:\WINDOWS\system32\uikeuwvjo.exe found !
Copy C:\WINDOWS\system32\uikeuwvjo.exe done !
C:\WINDOWS\system32\uikeuwvjo.exe deleted !


*** Copy registry to Backupnavi folder ***

Backing up registry done !

*** Clean registry ***


Error on cleaning registry

Registry is not cleaned !


*** Certificates ***

Egroup Certificate deleted !

*** Suspicious Files not deleted by Navilog1 ***
!! possible legitims files, to check before deleting !!

C:\WINDOWS\system32\bnddpnusq.exe found !
C:\WINDOWS\system32\cwckot.exe found !

*** Cleaning stage complete 15/09/2007 at 20:34:32,78 ***


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:38:29, on 15/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\PROGRA~1\Ashampoo\ASHAMP~3\bin\DEFRAG~3.EXE
C:\PROGRA~1\Ashampoo\ASHAMP~3\bin\defragActivityMonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\Portrait Displays\forteManager\DTHtml.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O1 - Hosts: 88.87.7.3 L2authd.lineage2.com
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: Systran40premi.IEPlugIn - {CFB25594-4D5F-11D6-AB7B-00B0D094B576} - C:\Program Files\Systran\4_0\Premium\IEPlugIn.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [DT LGE] C:\Program Files\Portrait Displays\forteManager\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DefragTaskBar] "C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe"
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\PPE.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\CONN-X SAGEM Fast 800\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O8 - Extra context menu item: Λήψη όλων με το FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Λήψη με χρήση του FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} (CamfrogWEB Advanced Unicode Control) - http://activex.camfrogweb.com/advanced/2.0..._instmodule.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/gr/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1174557543531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174579446078
O17 - HKLM\System\CCS\Services\Tcpip\..\{204461D1-A6BA-46BC-8FF4-21282CD13058}: NameServer = 195.170.0.1,195.170.2.2
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 13968 bytes

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:10:56 PM

Posted 15 September 2007 - 12:44 PM

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

#7 el_paraiso

el_paraiso
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:56 AM

Posted 15 September 2007 - 01:05 PM

There it is Richie...


ComboFix 07-09-14.2 - "PYTHAGORAS" 2007-09-15 20:50:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1253.1.1033.18.468 [GMT 3:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\PYTHAG~1\APPLIC~1\macromedia\Flash Player\#SharedObjects\5L6VFLHX\www.broadcaster.com
C:\DOCUME~1\PYTHAG~1\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\PYTHAG~1\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\DOCUME~1\PYTHAG~1\STARTM~1\Programs\MessengerSkinner
C:\DOCUME~1\PYTHAG~1\STARTM~1\Programs\MessengerSkinner\MessengerSkinner.lnk
C:\DOCUME~1\PYTHAG~1\STARTM~1\Programs\MessengerSkinner\Privacy Policy.lnk
C:\DOCUME~1\PYTHAG~1\STARTM~1\Programs\MessengerSkinner\Terms and conditions.lnk
C:\DOCUME~1\PYTHAG~1\STARTM~1\Programs\MessengerSkinner\Website.lnk
C:\WINDOWS\DOWNLO~1.\Quarantine

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_IPRIP
-------\Iprip
-------\NPF


((((((((((((((((((((((((( Files Created from 2007-08-15 to 2007-09-15 )))))))))))))))))))))))))))))))
.

2007-09-15 20:48 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-15 19:42 <DIR> d-------- C:\Program Files\Navilog1
2007-09-15 18:04 335,360 --a------ C:\WINDOWS\system32\lxlbcqb.exe
2007-09-15 12:14 333,824 --a------ C:\WINDOWS\system32\lpjowcn.exe
2007-09-15 11:00 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-15 11:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-15 10:34 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-15 09:42 332,800 --a------ C:\WINDOWS\system32\bnddpnusq.exe
2007-09-14 23:39 326,656 --a------ C:\WINDOWS\system32\hfwmtopkl.exe
2007-09-14 19:03 <DIR> d-------- C:\Program Files\PicaLoader
2007-09-14 18:56 <DIR> d-------- C:\Program Files\Gabest
2007-09-14 18:10 331,776 --a------ C:\WINDOWS\system32\loepbtxru.exe
2007-09-14 07:46 350,720 --a------ C:\WINDOWS\system32\hizmxfcj.exe
2007-09-13 21:25 334,336 --a------ C:\WINDOWS\system32\svcbhrrnht.exe
2007-09-13 20:44 <DIR> d-------- C:\Program Files\KVS2007
2007-09-11 21:34 <DIR> d-------- C:\Program Files\a-squared Free
2007-09-11 20:29 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-10 20:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\vsosdk
2007-09-10 18:24 <DIR> d-------- C:\Program Files\coverXP
2007-09-10 18:21 87,608 --a------ C:\DOCUME~1\PYTHAG~1\APPLIC~1\inst.exe
2007-09-10 18:21 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-09-10 18:21 47,360 --a------ C:\DOCUME~1\PYTHAG~1\APPLIC~1\pcouffin.sys
2007-09-10 18:21 217,127 --a------ C:\WINDOWS\system32\drv43260.dll
2007-09-10 18:21 208,935 --a------ C:\WINDOWS\system32\drv33260.dll
2007-09-10 18:21 176,165 --a------ C:\WINDOWS\system32\drv23260.dll
2007-09-10 18:21 <DIR> d-------- C:\Program Files\VSO
2007-09-10 18:21 <DIR> d-------- C:\DOCUME~1\PYTHAG~1\APPLIC~1\Vso
2007-09-09 20:04 <DIR> d-------- C:\Program Files\Crystal Player
2007-09-09 20:04 <DIR> d-------- C:\DOCUME~1\PYTHAG~1\APPLIC~1\Crystal Player
2007-09-09 19:53 31,232 --a------ C:\WINDOWS\system\vdremote.dll
2007-09-09 19:53 25,088 --a------ C:\WINDOWS\system\vdsvrlnk.dll
2007-09-09 19:47 <DIR> d-------- C:\Program Files\DirectVobSub
2007-09-08 14:36 <DIR> d-------- C:\Program Files\iTunes
2007-09-08 14:36 <DIR> d-------- C:\Program Files\iPod
2007-09-07 20:42 <DIR> d--hs---- C:\WINDOWS\system32\28463
2007-09-07 20:34 <DIR> d-------- C:\Program Files\Windows Sidebar
2007-09-07 20:33 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-09-07 20:32 60,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-09-07 20:32 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-09-07 19:38 4,751 --a------ C:\WINDOWS\system32\smndapjo.dat
2007-09-05 19:25 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-09-05 18:55 <DIR> d-------- C:\Program Files\EA GAMES
2007-09-01 18:18 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-09-01 11:48 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-08-29 07:46 338,944 --a------ C:\WINDOWS\system32\cwckot.exe
2007-08-26 13:58 <DIR> d-------- C:\DOCUME~1\PYTHAG~1\APPLIC~1\Symantec
2007-08-26 13:05 <DIR> d-------- C:\Program Files\Norton 360
2007-08-26 00:04 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-08-26 00:03 <DIR> d-------- C:\Program Files\Real
2007-08-26 00:03 <DIR> d-------- C:\Program Files\Common Files\Real
2007-08-26 00:03 <DIR> d-------- C:\DOCUME~1\PYTHAG~1\APPLIC~1\Real
2007-08-24 02:57 577,928 --a------ C:\WINDOWS\system32\SymNeti.dll
2007-08-24 02:57 207,240 --a------ C:\WINDOWS\system32\SymRedir.dll
2007-08-21 20:34 <DIR> d-------- C:\Program Files\DivX
2007-08-19 18:25 <DIR> d-------- C:\Program Files\Lineage II C4
2007-08-19 12:42 <DIR> d-------- C:\Program Files\Symantec
2007-08-18 19:54 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-08-18 19:34 <DIR> d-------- C:\Program Files\7-Zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-15 20:40 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-15 20:36 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-09-15 14:20 --------- d-------- C:\Program Files\Apple Software Update
2007-09-15 10:59 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-14 19:02 --------- d-------- C:\Program Files\FlashGet
2007-09-13 21:00 --------- d-------- C:\Program Files\KVS
2007-09-12 18:38 --------- d-------- C:\DOCUME~1\PYTHAG~1\APPLIC~1\uTorrent
2007-09-11 23:49 --------- d-------- C:\Program Files\CEDP Stealer 6.0 for Messenger
2007-09-09 09:27 --------- d-------- C:\Program Files\mIRC
2007-09-07 20:35 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-09-07 20:35 10652 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-09-06 19:11 --------- d-------- C:\Program Files\Yahoo!
2007-09-06 18:32 --------- d-------- C:\Program Files\AV Vcs 4.0 DIAMOND
2007-09-05 19:21 685816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-09-05 17:48 --------- d-------- C:\DOCUME~1\PYTHAG~1\APPLIC~1\GrabIt
2007-09-01 11:25 --------- d-------- C:\DOCUME~1\PYTHAG~1\APPLIC~1\MegauploadToolbar
2007-08-30 18:21 --------- d-------- C:\Program Files\Webshots
2007-08-26 12:56 --------- d-------- C:\Program Files\Ashampoo
2007-08-24 18:18 --------- d-------- C:\Program Files\Replay AV 8
2007-08-21 08:36 --------- d-------- C:\Program Files\uTorrent
2007-08-19 12:07 274748 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-08-19 12:07 20176160 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-08-19 12:07 1925920 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-08-19 12:07 185036 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-08-18 12:31 512 --a------ C:\ScanSectorLog.dat
2007-08-15 03:46 13206 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat
2007-08-13 23:50 96432 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2007-08-13 23:50 41008 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2007-08-13 23:50 38576 --a------ C:\WINDOWS\system32\drivers\symids.sys
2007-08-13 23:50 37424 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2007-08-13 23:50 22320 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2007-08-13 23:50 188464 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2007-08-13 23:50 1613 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf
2007-08-13 23:50 13616 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2007-08-13 21:46 --------- d-------- C:\Program Files\MegauploadToolbar
2007-08-11 14:45 --------- d-------- C:\DOCUME~1\PYTHAG~1\APPLIC~1\Apple Computer
2007-08-11 14:45 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-08-11 14:44 --------- d-------- C:\Program Files\Common Files\Apple
2007-08-11 14:44 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-08-11 14:28 --------- d-------- C:\Program Files\QuickTime
2007-08-10 03:27 31280 --a------ C:\WINDOWS\system32\drivers\SymIM.sys
2007-08-10 02:05 10638 --a------ C:\WINDOWS\system32\drivers\srtspx.cat
2007-08-10 02:05 10638 --a------ C:\WINDOWS\system32\drivers\srtspl.cat
2007-08-10 02:05 10634 --a------ C:\WINDOWS\system32\drivers\srtsp.cat
2007-08-09 17:32 10588 -ra------ C:\WINDOWS\system32\drivers\co_mon.cat
2007-08-09 02:39 36056 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-08-09 02:26 550 -ra------ C:\WINDOWS\system32\drivers\CO_Mon.inf
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-04 19:01 --------- d-------- C:\Program Files\LoveChess Age Of Egypt
2007-08-04 09:21 --------- d-------- C:\Program Files\WoW-FE
2007-08-04 09:03 --------- d-------- C:\Program Files\PrivateServerWoW
2007-08-02 20:40 --------- d-------- C:\DOCUME~1\PYTHAG~1\APPLIC~1\AdobeUM
2007-08-02 20:37 --------- d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-07-31 09:43 43696 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
2007-07-31 09:43 317616 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2007-07-31 09:43 278576 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2007-07-31 09:43 1431 --a------ C:\WINDOWS\system32\drivers\srtspl.inf
2007-07-31 09:43 1422 --a------ C:\WINDOWS\system32\drivers\srtspx.inf
2007-07-31 09:43 1416 --a------ C:\WINDOWS\system32\drivers\srtsp.inf
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-27 02:06 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-27 02:06 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-06-26 09:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 16:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-16 22:29 21840 --a------ C:\WINDOWS\system32\SIntfNT.dll
2007-06-16 22:29 17212 --a------ C:\WINDOWS\system32\SIntf32.dll
2007-06-16 22:29 12067 --a------ C:\WINDOWS\system32\SIntf16.dll
2007-03-24 23:26 4471804 --a------ C:\DOCUME~1\PYTHAG~1\TRACE_BOOT+DRIVERS_1_1.BIN
2005-07-14 19:31:20 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-25 06:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-09-07 20:34 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-25 06:51 316784]

[HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 12:39]
"NVRTCLK"="C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 12:44]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 02:51]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 19:37]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 23:55]
"PivotSoftware"="C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-01-12 15:39]
"DT LGE"="C:\Program Files\Portrait Displays\forteManager\DTHtml.exe" [2007-02-01 15:07]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 01:50]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 C:\WINDOWS\system32\nvmctray.dll]
"SoundMan"="SOUNDMAN.EXE" [2006-07-21 16:14 C:\WINDOWS\SoundMan.exe]
"DefragTaskBar"="C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe" [2007-02-12 12:57]
"AlcWzrd"="ALCWZRD.EXE" [2006-05-04 16:26 C:\WINDOWS\alcwzrd.exe]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2004-12-27 22:14]
"PCLEPCI"="C:\PROGRA~1\Pinnacle\PPE\PPE.EXE" [2004-02-03 15:13]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-08-25 08:07]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 07:53]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-09-11 20:30]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 15:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 17:25]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
DSLMON.lnk - C:\Program Files\SAGEM\CONN-X SAGEM Fast 800\dslmon.exe [2007-04-06 19:58:41]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56]
Pinnacle Scheduler.lnk - C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe [2007-05-30 18:32:18]

C:\DOCUME~1\PYTHAG~1\STARTM~1\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50]
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2007-03-17 13:51:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"=0 (0x0)
"NoPropertiesMyComputer"=0 (0x0)
"NoFileAssociate"=0 (0x0)
"NoSMHelp"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoTrayItemsDisplay"=0 (0x0)

R1 Pivot;Pivot;C:\WINDOWS\system32\drivers\pivot.sys
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\C:\Program Files\CyberLink\PowerDVD\000.fcl
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
R2 MSMQ;Message Queuing;C:\WINDOWS\system32\mqsvc.exe
R2 MSMQTriggers;Message Queuing Triggers;C:\WINDOWS\system32\mqtgsvc.exe
R2 ROB_A;Pinnacle WDM PCTV Audio Capture;C:\WINDOWS\system32\DRIVERS\rob_a.sys
R2 ROB_V;Pinnacle WDM PCTV Video Capture;C:\WINDOWS\system32\drivers\rob_v.sys
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
R2 Vcs;Vcs support;\??\C:\WINDOWS\system32\Drivers\Vcs.sys
R3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys
R3 MQAC;Message Queuing access control;\??\C:\WINDOWS\system32\drivers\mqac.sys
R3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys
R3 PdiPorts;Portrait Displays low level device driver;C:\WINDOWS\system32\Drivers\PdiPorts.sys
R3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINDOWS\system32\DRIVERS\point32.sys
R3 RMCAST;Reliable Multicast Protocol driver;\??\C:\WINDOWS\system32\drivers\RMCast.sys
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys
S3 COH_Mon;COH_Mon;\??\C:\WINDOWS\system32\Drivers\COH_Mon.sys
S3 GVTDrv;GVTDrv;\??\C:\WINDOWS\system32\Drivers\GVTDrv.sys
S3 MarkFun_NT;MarkFun_NT;\??\C:\Program Files\Gigabyte\ET5\markfun.w32
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 PavSRK.sys;PavSRK.sys;\??\C:\WINDOWS\system32\PavSRK.sys
S3 PavTPK.sys;PavTPK.sys;\??\C:\WINDOWS\system32\PavTPK.sys
S3 pdiddcci;DDC/CI monitor;C:\WINDOWS\system32\DRIVERS\pdiddcci.sys
S3 pivotmou;Pivot Mouse/Pointers Filter Driver;\??\C:\WINDOWS\system32\drivers\pivotmou.sys
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-09-15 11:20:29 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-09-10 18:00:22 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - PYTHAGORAS.job"
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-15 20:55:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-15 20:58:28 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-15 20:58
.
--- E O F ---

#8 el_paraiso (Topic Starter, Members, 10 posts)

Posted 15 September 2007 - 01:34 PM

Till now I have no pop-up advertising window. You think it's resolved? What was the problem? I see deletion of Messenger Skinner and Macromedia Flash. I don't care about Skinner, but Macromedia? Thanks a lot, man...

#9 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 15 September 2007 - 01:40 PM

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\system32\lxlbcqb.exe
C:\WINDOWS\system32\lpjowcn.exe
C:\WINDOWS\system32\bnddpnusq.exe
C:\WINDOWS\system32\hfwmtopkl.exe
C:\WINDOWS\system32\loepbtxru.exe
C:\WINDOWS\system32\hizmxfcj.exe
C:\WINDOWS\system32\svcbhrrnht.exe
C:\WINDOWS\system32\smndapjo.dat
C:\WINDOWS\system32\cwckot.exe


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

Also post a new Hijackthis log please.
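The file moves requested above, as an added example that is not part of this thread and not OTMoveIt's own code: a Python script that does what a malware-response helper wants a quarantine step to do. It hashes each file before touching it, moves rather than deletes, stores the file under a non-executable name with a manifest so it can be put back if it turns out to be needed, and defers files that are locked by a running process to the next reboot (on Windows through the kernel32 MoveFileExW call with MOVEFILE_DELAY_UNTIL_REBOOT, which needs administrator rights and a destination on the same volume). The demo files, their contents and the quarantine folder name are constructed for the example; nothing here touches the real system32.

```python
"""Added example (not OTMoveIt's code): quarantine a list of suspect files the
way a malware-response helper wants it done: hash first, move (never delete)
into a quarantine folder under a non-executable name, keep a manifest that
allows restoration, and defer locked files to the next reboot."""
import hashlib
import json
import os
import shutil
import sys
import tempfile
from datetime import datetime, timezone


def sha256_of(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _schedule_move_on_reboot(src, dst):
    """Windows only: ask the kernel to move the file during the next boot, before
    the process holding it open can start. Needs administrator rights, and src
    and dst must be on the same volume (the delayed move cannot copy)."""
    import ctypes  # assumption: Windows host, ctypes available
    MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
    if not ctypes.windll.kernel32.MoveFileExW(src, dst, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError()


def quarantine(paths, qdir):
    """Move each path in `paths` into `qdir`. Returns a manifest (list of dicts),
    one per path, whose status is 'moved', 'missing' or 'pending_reboot'."""
    os.makedirs(qdir, exist_ok=True)
    manifest = []
    for p in paths:
        entry = {"original": p, "status": None, "sha256": None, "quarantined": None,
                 "time": datetime.now(timezone.utc).isoformat()}
        if not os.path.isfile(p):
            entry["status"] = "missing"          # already gone, or never existed
        else:
            entry["sha256"] = sha256_of(p)       # hash before moving, for later lookup
            # Rename on the way in: the '.quar' suffix stops accidental execution.
            dest = os.path.join(qdir, entry["sha256"][:16] + "_" + os.path.basename(p) + ".quar")
            entry["quarantined"] = dest
            try:
                shutil.move(p, dest)
                entry["status"] = "moved"
            except OSError as exc:
                # Typically a file locked by a running process: defer, as OTMoveIt does.
                entry["status"] = "pending_reboot"
                entry["error"] = str(exc)
                if sys.platform == "win32":
                    _schedule_move_on_reboot(p, dest)
        manifest.append(entry)
    # Append-only manifest: a restore needs the original path for each hash.
    with open(os.path.join(qdir, "manifest.jsonl"), "a", encoding="utf-8") as f:
        for entry in manifest:
            f.write(json.dumps(entry) + "\n")
    return manifest


def restore(entry):
    """Undo one 'moved' manifest entry: put the file back where it came from."""
    if entry["status"] != "moved":
        raise ValueError("only 'moved' entries can be restored")
    shutil.move(entry["quarantined"], entry["original"])
    entry["status"] = "restored"
    return entry


def run_demo():
    """Constructed sample: dummy files carrying the names from this thread, plus
    one that does not exist, inside a temporary directory. Returns the manifest."""
    root = tempfile.mkdtemp(prefix="quar_demo_")
    fake_sys32 = os.path.join(root, "WINDOWS", "system32")
    os.makedirs(fake_sys32)
    targets = []
    for name in ("lxlbcqb.exe", "cwckot.exe", "smndapjo.dat"):
        p = os.path.join(fake_sys32, name)
        with open(p, "wb") as f:
            f.write(b"MZ constructed placeholder for " + name.encode())  # not real malware
        targets.append(p)
    targets.append(os.path.join(fake_sys32, "already_removed.exe"))  # exercises 'missing'
    return quarantine(targets, os.path.join(root, "_quarantine"))


if __name__ == "__main__":
    for e in run_demo():
        print(e["status"].ljust(15), e["original"], "->", e["quarantined"])
```

Run it as-is to see the manifest for the constructed files; to use it for real, pass the paths from the list above and a quarantine folder on the same volume. Keep the manifest: the SHA-256 is what you look up with an AV vendor later, and the original path is what `restore` needs.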

#10 el_paraiso (Topic Starter, Members, 10 posts)

Posted 15 September 2007 - 01:51 PM

And I thought I was done :thumbsup: there you go...


C:\WINDOWS\system32\lxlbcqb.exe moved successfully.
C:\WINDOWS\system32\lpjowcn.exe moved successfully.
C:\WINDOWS\system32\bnddpnusq.exe moved successfully.
C:\WINDOWS\system32\hfwmtopkl.exe moved successfully.
C:\WINDOWS\system32\loepbtxru.exe moved successfully.
C:\WINDOWS\system32\hizmxfcj.exe moved successfully.
C:\WINDOWS\system32\svcbhrrnht.exe moved successfully.
C:\WINDOWS\system32\smndapjo.dat moved successfully.
C:\WINDOWS\system32\cwckot.exe moved successfully.

Created on 09/15/2007 21:48:26


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:50:36, on 15/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\PROGRA~1\Ashampoo\ASHAMP~3\bin\DEFRAG~3.EXE
C:\PROGRA~1\Ashampoo\ASHAMP~3\bin\defragActivityMonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Portrait Displays\forteManager\DTHtml.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\SAGEM\CONN-X SAGEM Fast 800\dslmon.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: Systran40premi.IEPlugIn - {CFB25594-4D5F-11D6-AB7B-00B0D094B576} - C:\Program Files\Systran\4_0\Premium\IEPlugIn.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [DT LGE] C:\Program Files\Portrait Displays\forteManager\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DefragTaskBar] "C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe"
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\PPE.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\CONN-X SAGEM Fast 800\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O8 - Extra context menu item: Λήψη όλων με το FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Λήψη με χρήση του FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} (CamfrogWEB Advanced Unicode Control) - http://activex.camfrogweb.com/advanced/2.0..._instmodule.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/gr/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1174557543531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174579446078
O17 - HKLM\System\CCS\Services\Tcpip\..\{204461D1-A6BA-46BC-8FF4-21282CD13058}: NameServer = 195.170.0.1,195.170.2.2
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 13873 bytes

#11 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 15 September 2007 - 02:08 PM

Nearly done now, you're doing great :thumbsup:

Download and install CCleaner:
http://www.ccleaner.com/download/builds/downloading-slim

Set Options in CCleaner and run Cleaning Scan.
Open CCleaner if it's not already running.
*Note*
Do not use the Issues block to clean anything with this program.
It is for experts only and it is risky.

Select Cleaner Settings.
Check Internet Explorer, Windows Explorer, and System so that all items are checked.
In the Advanced section, have a check only on Old PreFetch Data.

Click on the Options block on the left.
Select Advanced.
Uncheck "Only delete files in Windows Temp folders older than 48 hours".

Set Cookie Retention.
Click on the Options block on the left, then choose Cookies.
Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.

Run Cleaning Scan.
Click on the Cleaner block on the left.
Choose the Windows tab.
Click the Run Cleaner button.
This process could take a while.
When CCleaner shows how much has been removed, cleaning is finished.


Download and install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your PC is running now.

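An added example, not code from HijackThis or from anyone in this thread, that reads a HijackThis 2.0 log and applies the checks behind the fix list in this post: O2/O3 entries ending in `(no file)` are orphaned CLSIDs, O6 entries are Internet Explorer restrictions set through the Policies key, and O16 controls downloaded from a non-Microsoft host or O17 name servers outside an expected list are flagged for verification rather than fixing. The sample lines are copied from the log posted above; the trusted-host allowlist and the expected DNS servers are assumptions to adjust for the machine in question.

```python
"""Added example (not HijackThis's own code): triage a HijackThis 2.0 log and
rebuild the kind of 'fix these' list a malware-response helper writes."""
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/gr/securityadvisor/pestscan/pestscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{204461D1-A6BA-46BC-8FF4-21282CD13058}: NameServer = 195.170.0.1,195.170.2.2
"""

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")   # HijackThis entry prefix, e.g. "O2 - "
URL_RE = re.compile(r"https?://([^/\s]+)")
# Assumption: download hosts a helper would not ask the user to verify.
TRUSTED_DPF_HOSTS = ("update.microsoft.com", "windowsupdate.com")


def parse_hjt(text):
    """Yield (code, body, full_line) for every HijackThis entry line."""
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def _host_trusted(host):
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DPF_HOSTS)


def triage(text, expected_dns=None):
    """Return findings as dicts: code, severity ('fix' or 'verify'), reason, line."""
    findings = []
    for code, body, line in parse_hjt(text):
        if code in ("O2", "O3") and body.endswith("(no file)"):
            findings.append(dict(code=code, severity="fix", line=line,
                reason="add-on CLSID whose DLL no longer exists (orphan left by a removal); "
                       "harmless but should be cleared"))
        elif code == "O6":
            findings.append(dict(code=code, severity="fix", line=line,
                reason="IE restriction set through the Policies key; rogue 'security' programs "
                       "use it to lock settings, so remove it unless a domain admin set it"))
        elif code == "O16":
            m = URL_RE.search(body)
            if m and not _host_trusted(m.group(1)):
                findings.append(dict(code=code, severity="verify", line=line,
                    reason="ActiveX control installed from %s; confirm that is a site "
                           "you ran a scanner from" % m.group(1)))
        elif code == "O17" and expected_dns is not None and "NameServer =" in body:
            servers = [s.strip() for s in body.split("NameServer =", 1)[1].split(",")]
            unknown = [s for s in servers if s and s not in expected_dns]
            if unknown:
                findings.append(dict(code=code, severity="verify", line=line,
                    reason="DNS server(s) %s not in the expected list; DNS changers "
                           "redirect lookups this way" % ", ".join(unknown)))
    return findings


def fix_list(findings):
    """Lines to tick in HijackThis before 'Fix checked', in log order."""
    return [f["line"] for f in findings if f["severity"] == "fix"]


if __name__ == "__main__":
    # Expected resolvers taken from the O17 line itself; in practice confirm them with the ISP.
    for f in triage(SAMPLE_LOG, expected_dns=("195.170.0.1", "195.170.2.2")):
        print("[%s] %s\n    %s" % (f["severity"], f["line"], f["reason"]))
```

On the sample, `fix_list` returns exactly the four lines listed for fixing in this post; the ca.com scanner control comes back as "verify" only, which matches the helper leaving it alone.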

#12 el_paraiso (Topic Starter, Members, 10 posts)

Posted 15 September 2007 - 03:42 PM

SUPERAntiSpyware didn't find any infection. I send you the relevant log. Whatever kind of magic you do, it works perfectly, I think. No pop-up advertisements anymore :flowers: What do you think? Was my system awful ( :thumbsup: )?


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/15/2007 at 11:38 PM

Application Version : 3.9.1008

Core Rules Database Version : 3307
Trace Rules Database Version: 1313

Scan type : Complete Scan
Total Scan Time : 01:05:02

Memory items scanned : 690
Memory threats detected : 0
Registry items scanned : 6809
Registry threats detected : 0
File items scanned : 81118
File threats detected : 0



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:40:45, on 15/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\PROGRA~1\Ashampoo\ASHAMP~3\bin\DEFRAG~3.EXE
C:\PROGRA~1\Ashampoo\ASHAMP~3\bin\defragActivityMonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Portrait Displays\forteManager\DTHtml.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\SAGEM\CONN-X SAGEM Fast 800\dslmon.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Systran\4_0\Premium\SYSTRA~1.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Firehand Technologies\Ember\Ember.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: Systran40premi.IEPlugIn - {CFB25594-4D5F-11D6-AB7B-00B0D094B576} - C:\Program Files\Systran\4_0\Premium\IEPlugIn.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [DT LGE] C:\Program Files\Portrait Displays\forteManager\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DefragTaskBar] "C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe"
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\PPE.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\CONN-X SAGEM Fast 800\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O8 - Extra context menu item: Λήψη όλων με το FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Λήψη με χρήση του FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} (CamfrogWEB Advanced Unicode Control) - http://activex.camfrogweb.com/advanced/2.0..._instmodule.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/gr/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1174557543531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174579446078
O17 - HKLM\System\CCS\Services\Tcpip\..\{204461D1-A6BA-46BC-8FF4-21282CD13058}: NameServer = 195.170.0.1,195.170.2.2
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 13903 bytes

#13 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 16 September 2007 - 07:08 AM

Run 'ESET Online Scanner' using Internet Explorer:
http://www.eset.com/onlinescan/
Place a check in the box 'YES, I accept the Terms of Use' after reading.
Then click 'Start'.
Allow the ActiveX control to install.
Then click 'Start' on the 'ESET Online Scanner' window.
Place a check in the box 'Remove found threats'.
Leave the box 'Scan unwanted applications' blank.
Then press 'Scan'.
The scan will take some time, so please be patient.
Once the scan has finished, post the entire contents of the logfile:
C:\Program Files\EsetOnlineScanner\log.txt


Please run this online virus scan: Panda ActiveScan, using Internet Explorer.
Once you are on the Panda site, click the Scan your PC button.
A new window will open... click the Check Now button.
Enter your Country.
Enter your State/Province.
Enter your e-mail address and click Send.
Select either Home User or Company.
Click the big Scan Now button.
If it wants to install an ActiveX component, allow it.
It will start downloading the files it requires for the scan (Note: it may take a couple of minutes).
When the download is complete, click on Local Disks to start the scan.
When the scan completes, click the See Report button, then Save Report, and save it to your desktop.
Post the ActiveScan report into your next reply.

#14 el_paraiso (Topic Starter, Members, 10 posts)

Posted 17 September 2007 - 01:45 PM

Hello Richie,
How are you? Sorry for my delayed response to your help, but I have been running around a lot with my job these last few days.
So, we didn't finish with the health of my PC :thumbsup: ... I did as you told me, I ran the tools from within Internet Explorer, and here are the results. Thanks again, I appreciate very much the help you give me.


Eset Online Scanner
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2534 (20070917)
# vers_arch_module=1.058 (20070906)
# vers_adv_heur_module=1.065 (20070802)
# EOSSerial=898959c823056047b6d2b56c504efd49
# end=finished
# remove_checked=true
# unwanted_checked=false
# utc_time=2007-09-17 04:06:51
# local_time=2007-09-17 07:06:51 (+0200, GTB Daylight Time)
# country="Greece"
# osver=5.1.2600 NT Service Pack 2
# scanned=406211
# found=0
# scan_time=5459

Panda

Incident Status Location

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\PYTHAGORAS\Application Data\Mozilla\Firefox\Profiles\n1x44n49.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\PYTHAGORAS\Application Data\Mozilla\Firefox\Profiles\n1x44n49.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/SexList Not disinfected C:\Documents and Settings\PYTHAGORAS\Application Data\Mozilla\Firefox\Profiles\n1x44n49.default\cookies.txt[.sexlist.com/]
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\PYTHAGORAS\Application Data\Mozilla\Firefox\Profiles\n1x44n49.default\cookies.txt[.clickbank.net/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\PYTHAGORAS\Application Data\Mozilla\Firefox\Profiles\n1x44n49.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\PYTHAGORAS\Application Data\Mozilla\Firefox\Profiles\n1x44n49.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\PYTHAGORAS\Application Data\Mozilla\Firefox\Profiles\n1x44n49.default\cookies.txt[.com.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\PYTHAGORAS\Application Data\Mozilla\Firefox\Profiles\n1x44n49.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Xiti Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\pythagoras@xiti[1].txt.dat[Documents and Settings/PYTHAGORAS/Cookies/pythagoras@xiti[1].txt]
Virus:Generic Malware Disinfected C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.2.9_Patch1.exe
Virus:Generic Malware Disinfected C:\Program Files\Enigma Software Group\SpyHunter\spyhunter.2.9_Patch2.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
Virus:Generic Malware Disinfected D:\Safety-Files\SpyHunter\sh9_ByMechoDownload\SpyHunter.2.9\Patch After Upgarding\spyhunter.2.9_Patch2.exe
Virus:Generic Malware Disinfected D:\Safety-Files\SpyHunter\sh9_ByMechoDownload\SpyHunter.2.9\SpyHunter.2.9_Patch1.exe

#15 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 17 September 2007 - 02:17 PM

Clean out your temporary internet files:
Close all open windows before you start.
Go to Start>Control Panel>Internet Options>General tab.
Click the Delete Cookies button.
Next to it, click the Delete Files button.
When prompted, place a check in: 'Delete all offline content', click OK

If you have Firefox installed,you need to clean out these temporary files as well:
Go to Tools>Options.
Click Privacy.
Press the Clear button located to the right of each option (History, Cookies, Cache).
Click OK to finish, before closing it.
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

Now clean other temporary files and your Recycle Bin:
Go to Start > Run, type cleanmgr, then press OK.
Let it scan your system for files to remove.
Make sure 'Temporary Files', 'Temporary Internet Files', and 'Recycle Bin' are the only things checked.
Press OK to remove them.

Restart your pc.
Post a new Hijackthis log.
Let me know how it's running now.
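The Panda report in the previous post names the cookies.txt file of a Firefox profile and, in brackets, the domain of each tracking cookie it objected to. The helper's advice is simply to clear all cookies; the script below, an added example that is not part of the thread and not Panda's or Mozilla's code, shows the narrower option of removing only the cookies the report listed, which matters if you want to keep logins for sites you trust. It assumes the report lines have the shape shown above ("Spyware:Cookie/<name> Not disinfected <path>cookies.txt[<domain>/]") and that cookies.txt is in the tab-separated Netscape format Firefox 2 used (domain, flag, path, secure, expiry, name, value). The report excerpt and cookies.txt contents are constructed for the example.

```python
"""Strip the cookies a Panda ActiveScan report flagged from a Firefox cookies.txt.

Added example, not part of the original thread and not Panda's or Mozilla's
code. Assumed formats: Panda report lines as they appear in the thread, and
the tab-separated Netscape cookies.txt format (7 fields per record, '#' for
comment lines). Matching is by exact cookie domain, as Panda prints it.
"""
import re
from pathlib import Path

# One Panda "Cookie" incident: capture the cookies.txt path and the bracketed domain.
PANDA_COOKIE = re.compile(
    r"^Spyware:Cookie/.+?\s+Not disinfected\s+(?P<path>.+?cookies\.txt)\[(?P<domain>[^\]]+)\]$"
)


def norm_domain(domain: str) -> str:
    """'.atdmt.com/' -> 'atdmt.com'; 'ad.yieldmanager.com/' -> 'ad.yieldmanager.com'."""
    return domain.strip().rstrip("/").lstrip(".").lower()


def flagged_cookies(report: str) -> dict[str, set[str]]:
    """Map each cookies.txt path named in the report to the domains flagged in it."""
    flagged: dict[str, set[str]] = {}
    for line in report.splitlines():
        m = PANDA_COOKIE.match(line.strip())
        if m:
            flagged.setdefault(m["path"], set()).add(norm_domain(m["domain"]))
    return flagged


def strip_cookies(cookies_txt: str, domains: set[str]) -> tuple[str, list[str]]:
    """Return (cleaned cookies.txt text, removed records).

    Comment lines and anything that is not a 7-field record are kept untouched
    so the browser can still load the file afterwards."""
    kept, removed = [], []
    for line in cookies_txt.splitlines():
        fields = line.split("\t")
        is_record = len(fields) >= 7 and not line.startswith("#")
        if is_record and norm_domain(fields[0]) in domains:
            removed.append(line)
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


def clean_file(path: Path, domains: set[str]) -> list[str]:
    """Rewrite cookies.txt in place, keeping a .bak copy, and return what was removed.
    Close Firefox first: it rewrites cookies.txt on exit and would undo the edit."""
    original = path.read_text(encoding="utf-8", errors="replace")
    cleaned, removed = strip_cookies(original, domains)
    path.with_name(path.name + ".bak").write_text(original, encoding="utf-8")
    path.write_text(cleaned, encoding="utf-8")
    return removed


# Constructed report excerpt in the thread's format (shortened profile path).
SAMPLE_REPORT = r"""
Incident Status Location

Spyware:Cookie/YieldManager Not disinfected C:\Profiles\n1x44n49.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Profiles\n1x44n49.default\cookies.txt[.atdmt.com/]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
"""

# Constructed cookies.txt: two flagged cookies and two that must survive.
SAMPLE_COOKIES = "\n".join([
    "# Netscape HTTP Cookie File",
    "ad.yieldmanager.com\tTRUE\t/\tFALSE\t1262304000\tuid\tabc",
    ".atdmt.com\tTRUE\t/\tFALSE\t1262304000\tAA002\txyz",
    ".yieldmanager.com\tTRUE\t/\tFALSE\t1262304000\tpv\t1",
    "www.bleepingcomputer.com\tFALSE\t/\tFALSE\t1262304000\tsession\t123",
]) + "\n"

if __name__ == "__main__":
    for path, domains in flagged_cookies(SAMPLE_REPORT).items():
        cleaned, removed = strip_cookies(SAMPLE_COOKIES, domains)
        print(f"{path}: removed {len(removed)} cookie(s) for {sorted(domains)}")
        print(cleaned)
```

Note that the third record (".yieldmanager.com") is kept: Panda flagged "ad.yieldmanager.com", and the script deliberately matches the exact domain Panda reported rather than every subdomain, so review the report before deciding whether the whole-cookie-clear the helper recommends is the better choice.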
