
Msn Messenger Spyware Automatic File Transfers


8 replies to this topic

#1 DiGGyDoG


Posted 20 September 2007 - 07:11 PM

Hi, my MSN Messenger seems to be automatically sending random pictures to people. I think it's a virus, and my anti-virus/anti-spyware scanners did not catch it. It will also talk to your contacts and then send it (e.g. "Hey, is this a pic of you?").

Here is my HijackThis log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:19 PM, on 9/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\STacSV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sttray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LiveProtect\LiveProtect.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\WINDOWS\system32\ICROSO~1\services.exe
C:\Program Files\Steam\Steam.exe
C:\WINDOWS\system32\wkssvc.exe
C:\Documents and Settings\Bryan\My Documents\?ystem\w?nspool.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\DOCUME~1\Bryan\LOCALS~1\Temp\~e5.0001
C:\DOCUME~1\Bryan\LOCALS~1\Temp\~e5.0001
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Bryan\LOCALS~1\Temp\Rar$EX00.281\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\xucsffjvvc\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\xucsffjvvc\csrss.exe
O1 - Hosts: 1.1.1.1 f-secure.com
O1 - Hosts: 1.1.1.1 www.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.sophos.com
O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
O1 - Hosts: 1.1.1.1 customer.symantec.com
O1 - Hosts: 1.1.1.1 dispatch.mcafee.com
O1 - Hosts: 1.1.1.1 download.mcafee.com
O1 - Hosts: 1.1.1.1 rads.mcafee.com
O1 - Hosts: 1.1.1.1 mast.mcafee.com
O1 - Hosts: 1.1.1.1 my-etrust.com
O1 - Hosts: 1.1.1.1 www.my-etrust.com
O1 - Hosts: 1.1.1.1 nai.com
O1 - Hosts: 1.1.1.1 www.nai.com
O1 - Hosts: 1.1.1.1 networkassociates.com
O1 - Hosts: 1.1.1.1 secure.nai.com
O1 - Hosts: 1.1.1.1 securityresponse.symantec.com
O1 - Hosts: 1.1.1.1 service1.symantec.com
O1 - Hosts: 1.1.1.1 sophos.com
O1 - Hosts: 1.1.1.1 www.sophos.com
O1 - Hosts: 1.1.1.1 support.microsoft.com
O1 - Hosts: 1.1.1.1 symantec.com
O1 - Hosts: 1.1.1.1 www.symantec.com
O1 - Hosts: 1.1.1.1 update.symantec.com
O1 - Hosts: 1.1.1.1 updates.symantec.com
O1 - Hosts: 1.1.1.1 us.mcafee.com
O1 - Hosts: 1.1.1.1 vil.nai.com
O1 - Hosts: 1.1.1.1 viruslist.com
O1 - Hosts: 1.1.1.1 www.viruslist.com
O1 - Hosts: 1.1.1.1 grisoft.com
O1 - Hosts: 1.1.1.1 www.grisoft.com
O1 - Hosts: 1.1.1.1 free.grisoft.com
O1 - Hosts: 1.1.1.1 trendmicro.com
O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
O1 - Hosts: 1.1.1.1 www.trendmicro.com
O1 - Hosts: 1.1.1.1 pandasoftware.com
O1 - Hosts: 1.1.1.1 www.pandasoftware.com
O1 - Hosts: 1.1.1.1 usa.kaspersky.com
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 www.ewido.net
O1 - Hosts: 1.1.1.1 zonelabs.com
O1 - Hosts: 1.1.1.1 www.zonelabs.com
O1 - Hosts: 1.1.1.1 bitdefender.com
O1 - Hosts: 1.1.1.1 www.bitdefender.com
O1 - Hosts: 1.1.1.1 download.bitdefender.com
O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
O1 - Hosts: 1.1.1.1 spywareinfo.com
O1 - Hosts: 1.1.1.1 www.spywareinfo.com
O1 - Hosts: 1.1.1.1 merijn.org
O1 - Hosts: 1.1.1.1 www.merijn.org
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O1 - Hosts: 1.1.1.1 virusscan.jotti.org
O1 - Hosts: 1.1.1.1 services.google.com
O1 - Hosts: 1.1.1.1 www.webroot.com
O1 - Hosts: 1.1.1.1 webroot.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10C5AB10-44DE-4527-F64D-1AE33E92A9BD} - C:\WINDOWS\system32\iodui.dll (file missing)
O2 - BHO: (no name) - {6A1F18AB-A162-FD99-4B16-FF8DB850D0BA} - C:\WINDOWS\system32\etjqpfo.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7A1C8989-301D-3FB4-6721-3C71B704C6BA} - C:\WINDOWS\system32\fmufooau.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu32.exe 61A847B5BBF72811308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SvcManager] lsass2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LiveProtect] "C:\Program Files\LiveProtect\LiveProtect.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft Spooler] wkssvc.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [Sbcc] "C:\WINDOWS\system32\ICROSO~1\services.exe" -vt ndrv
O4 - HKCU\..\Run: [Jchymipk] "C:\Program Files\?icrosoft.NET\m?hta.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Wku] C:\WINDOWS\system32\F?nts\s?ool32.exe
O4 - HKCU\..\Run: [Hwvjaps] "C:\Program Files\?dobe\l?ass.exe"
O4 - HKCU\..\Run: [DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [Wfwcwrz] "C:\Program Files\Common Files\F?nts\r?gedit.exe"
O4 - HKCU\..\Run: [Fwcqhuz] "C:\Documents and Settings\Bryan\Application Data\s?mbols\s?chost.exe"
O4 - HKCU\..\Run: [Rakcqv] "C:\Program Files\Common Files\??sks\l?ass.exe"
O4 - HKCU\..\Run: [Zbmqt] C:\WINDOWS\F?nts\w?auclt.exe
O4 - HKCU\..\Run: [Usm] C:\WINDOWS\??crosoft\w?crtupd.exe
O4 - HKCU\..\Run: [Rvd] "C:\Documents and Settings\Bryan\Application Data\?ymantec\r?gedit.exe"
O4 - HKCU\..\Run: [Eylie] "C:\Documents and Settings\Bryan\My Documents\?ystem\w?nspool.exe"
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [Ciz] "C:\Program Files\Common Files\??stem32\w?nspool.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-21-436374069-1229272821-682003330-1004\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'Derek')
O4 - HKUS\S-1-5-21-436374069-1229272821-682003330-1004\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime (User 'Derek')
O4 - HKUS\S-1-5-21-436374069-1229272821-682003330-1004\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Derek')
O4 - HKUS\S-1-5-21-436374069-1229272821-682003330-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Derek')
O4 - HKUS\S-1-5-21-436374069-1229272821-682003330-1006\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Trevor')
O4 - Startup: csrss.lnk = ?
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n031p/EN/install/gtdownlr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by129fd.bay129.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{59164F49-169B-4570-9E28-72D1D3473700}: NameServer = 64.59.144.92,64.59.144.93
O17 - HKLM\System\CS1\Services\Tcpip\..\{59164F49-169B-4570-9E28-72D1D3473700}: NameServer = 64.59.144.92,64.59.144.93
O17 - HKLM\System\CS2\Services\Tcpip\..\{59164F49-169B-4570-9E28-72D1D3473700}: NameServer = 64.59.144.92,64.59.144.93
O17 - HKLM\System\CS3\Services\Tcpip\..\{59164F49-169B-4570-9E28-72D1D3473700}: NameServer = 64.59.144.92,64.59.144.93
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Li4\command.exe (file missing)
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

--
End of file - 15211 bytes
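The log above already contains the three indicator types a responder looks for first: hosts-file entries that sinkhole security-vendor sites, Run-key entries with look-alike paths (HijackThis prints a character it cannot display as `?`) or with core process names loaded from odd directories, and win.ini load=/run= autostarts. The following Python triage script is an added example, not code from this thread, from BleepingComputer or from HijackThis; the vendor list and sample lines are taken from the log above, and the suspicious-name heuristics are assumptions of this example rather than HijackThis rules.

```python
"""Triage helper for HijackThis-style log lines.

Added example; it is not part of this thread and not a BleepingComputer or
HijackThis tool. It flags the indicator types visible in the log above:
  * O1 hosts entries that override security-vendor sites (the log maps
    dozens of AV update hosts to 1.1.1.1),
  * O4 Run entries whose path spoofs a Windows name ('?' stands for an
    undisplayable character, e.g. "?icrosoft.NET"), or that load a core
    process name (services.exe, lsass*.exe, ...) from outside System32,
  * F3 win.ini load=/run= autostarts, a legacy mechanism rarely used today.
"""
import re
from typing import Iterable, List, Tuple

# Vendor domains taken from the O1 entries in the log above (not exhaustive).
SECURITY_DOMAINS = (
    "symantec.com", "mcafee.com", "sophos.com", "f-secure.com", "nai.com",
    "networkassociates.com", "my-etrust.com", "trendmicro.com", "kaspersky.com",
    "grisoft.com", "bitdefender.com", "avast.com", "zonelabs.com", "ewido.net",
    "pandasoftware.com", "viruslist.com", "support.microsoft.com",
    "safety.live.com", "sysinternals.com", "merijn.org", "spywareinfo.com",
    "webroot.com", "virusscan.jotti.org", "onguardonline.gov",
    "paretologic.com", "services.google.com",
)

# Core Windows process names that legitimately load only from System32
# (heuristic list assumed for this example).
SYSTEM_PROCESS_NAMES = {"csrss.exe", "lsass.exe", "services.exe", "svchost.exe",
                        "winlogon.exe", "smss.exe", "spoolsv.exe"}
SYSTEM32 = r"c:\windows\system32"

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^O4 - .*?\\\.\.\\Run: \[[^\]]*\]\s+(.*)$")
WININI_RE = re.compile(r"^F3 - REG:win\.ini:\s+(?:load|run)=")


def is_security_domain(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def executable_of(command: str) -> str:
    """Return the program part of a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def check_run_path(path: str) -> List[str]:
    """Reasons an autostart path looks suspicious; empty list if none."""
    reasons = []
    if "?" in path:
        reasons.append("look-alike path with undisplayable characters")
    directory, _, name = path.replace("/", "\\").rpartition("\\")
    stem = name.lower()
    if stem.endswith(".exe"):
        stem = stem[:-4]
    stem = re.sub(r"\d+$", "", stem)          # lsass2 -> lsass
    if stem + ".exe" in SYSTEM_PROCESS_NAMES and directory.lower() != SYSTEM32:
        reasons.append("core Windows process name loaded outside System32")
    return reasons


def triage(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for every suspicious HijackThis line."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            # Any hosts-file override of an AV vendor site blocks updates or
            # support pages, whatever address it points at.
            if is_security_domain(m.group(2)):
                findings.append(("hosts-redirect", line))
            continue
        m = RUN_RE.match(line)
        if m:
            for reason in check_run_path(executable_of(m.group(1))):
                findings.append((reason, line))
            continue
        if WININI_RE.match(line):
            findings.append(("win.ini autostart", line))
    return findings


# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LINES = [
    r"O1 - Hosts: 1.1.1.1 liveupdate.symantec.com",
    r"O1 - Hosts: 127.0.0.1 localhost",
    r"F3 - REG:win.ini: load=C:\WINDOWS\system32\xucsffjvvc\csrss.exe",
    r"O4 - HKLM\..\Run: [SvcManager] lsass2.exe",
    r"O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe",
    r'O4 - HKCU\..\Run: [Sbcc] "C:\WINDOWS\system32\ICROSO~1\services.exe" -vt ndrv',
    r'O4 - HKCU\..\Run: [Jchymipk] "C:\Program Files\?icrosoft.NET\m?hta.exe"',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
]

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LINES):
        print(f"[{reason}] {line}")
```

Feeding a whole saved HijackThis log through `triage()` (one line per element) gives the same output; entries such as `(file missing)` BHOs and the O23 services are left for manual review.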


#2 Aaflac

Malware Response Team

Posted 20 September 2007 - 07:39 PM

Please download to the Desktop: MsnVirRem.exe
  • Close any other programs running as the tool requires a reboot to complete the removal process.
  • Double click MsnVirRem.exe to run the tool
  • Click the button labeled Search and Destroy to scan for infected files.
  • When the scanning is complete you are prompted to reboot/restart the machine ONLY if infected.
  • Click "OK" if this is the case and then click the "REBOOT" Button.
  • After the reboot, you receive "file not found" error messages (usually 4). Please acknowledge these error messages and continue.
  • A Message should then popup from MsnVirRem. If not, double click the program again for it to finish.
The tool creates a log file of its removal process located at C:\msnvirrem.log

~~~~
Now, download ComboFix
Save it to the Desktop

Double-click combofix.exe to run the program
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to stall.)

When finished, a log, ComboFix.txt, is produced.

~~~~
Run HijackThis once again to obtain a new log.

~~~~
Please post the C:\msnvirrem.log, the ComboFix.txt, and a new HijackThis log in your reply.

Old duck...


#3 DiGGyDoG

Topic Starter

Posted 20 September 2007 - 11:55 PM

ok...

msnvirrem log:

MsnVirRem Log by Skate_Punk_21

Please Note: any existing old logs will have now been renamed to msnvirremOLD.log

Fix running from: C:\Documents and Settings\Bryan\Desktop
9/20/2007
9:21:26 PM

Combofix log:

ComboFix 07-09-21 - "Bryan" 2007-09-20 21:26:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1415 [GMT -7:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Avenger
C:\DOCUME~1\Bryan\APPLIC~1\macromedia\Flash Player\#SharedObjects\TL7PQU6Y\www.broadcaster.com
C:\DOCUME~1\Bryan\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Bryan\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\DOCUME~1\Bryan\APPLIC~1\MCROSO~1
C:\DOCUME~1\Bryan\APPLIC~1\MCROSO~1\w?auclt.exe
C:\DOCUME~1\Bryan\APPLIC~1\SMBOLS~1
C:\DOCUME~1\Bryan\APPLIC~1\YMANTE~1
C:\DOCUME~1\Bryan\Desktop\System Live Protect.lnk
C:\DOCUME~1\Bryan\MYDOCU~1\YSTEM~1
C:\DOCUME~1\Bryan\STARTM~1\Programs\Outerinfo
C:\DOCUME~1\Bryan\STARTM~1\Programs\Outerinfo\Terms.lnk
C:\DOCUME~1\Bryan\STARTM~1\Programs\Outerinfo\Uninstall.lnk
C:\DOCUME~1\Bryan\STARTM~1\Programs\System Live Protect
C:\DOCUME~1\Bryan\STARTM~1\Programs\System Live Protect\System Live Protect Web site.url
C:\DOCUME~1\Bryan\STARTM~1\Programs\System Live Protect\System Live Protect.lnk
C:\DOCUME~1\Bryan\STARTM~1\Programs\System Live Protect\Uninstall.lnk
C:\Program Files\Common Files\asembl~1
C:\Program Files\Common Files\dobe~1
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\fnts~2
C:\Program Files\Common Files\fnts~2\r?gedit.exe
C:\Program Files\Common Files\mantec~1
C:\Program Files\Common Files\microsoft shared\web folders\ibm00001.dll
C:\Program Files\Common Files\sks~1
C:\Program Files\Common Files\sks~2
C:\Program Files\Common Files\stem32~1
C:\Program Files\Common Files\stem32~1\w?nspool.exe
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\curity~1
C:\Program Files\dobe~1
C:\Program Files\fnts~1
C:\Program Files\icroso~1.net
C:\Program Files\ipwindows
C:\Program Files\ipwindows\ipwins.dll
C:\Program Files\ipwindows\ipwins.exe~
C:\Program Files\ipwindows\UnInstall.exe
C:\Program Files\LiveProtect
C:\Program Files\LiveProtect\config.ini
C:\Program Files\LiveProtect\LiveProtect.exe
C:\Program Files\LiveProtect\uninstall.exe
C:\Program Files\LiveProtect\VDB.DAT
C:\Program Files\LiveProtect\VDB2.DAT
C:\Program Files\LiveProtect\VDB3.DAT
C:\Program Files\LiveProtect\VDB4.DAT
C:\Program Files\LiveProtect\VDB5.DAT
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\WINDOWS\asembl~1
C:\WINDOWS\b104.exe
C:\WINDOWS\b116.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b129.exe
C:\WINDOWS\crosof~1
C:\WINDOWS\ecurit~1
C:\WINDOWS\fnts~1
C:\WINDOWS\icroso~1.net
C:\WINDOWS\Li4\asappsrv.dll
C:\WINDOWS\mcroso~1
C:\WINDOWS\retadpu.exe
C:\WINDOWS\smbols~1
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\fmufooau.dll
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\icroso~1
C:\WINDOWS\system32\icroso~1\?icrosoft\
C:\WINDOWS\system32\icroso~1\services.exe
C:\WINDOWS\system32\icroso~1\services.exe~
C:\WINDOWS\system32\LiveProtectSetup.exe
C:\WINDOWS\system32\lsass2.exe
C:\WINDOWS\system32\wtssvtr.exe
C:\WINDOWS\wr.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NTMLSVC
-------\cmdService
-------\NtmlSvc


((((((((((((((((((((((((( Files Created from 2007-08-21 to 2007-09-21 )))))))))))))))))))))))))))))))
.

2007-09-20 21:25 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-18 21:11 <DIR> d-------- C:\Hijackthis
2007-09-18 12:01 51,200 -r-hs---- C:\WINDOWS\system32\wkssvc.exe
2007-09-18 00:10 53,025 --a------ C:\WINDOWS\system32\EQclhXxD.exe
2007-09-10 18:23 22,328 --a------ C:\DOCUME~1\Bryan\APPLIC~1\PnkBstrK.sys
2007-09-10 18:20 <DIR> d-------- C:\Program Files\id Software
2007-09-07 20:25 <DIR> d-------- C:\DOCUME~1\PAUL\APPLIC~1\Apple Computer
2007-08-22 21:32 <DIR> d-------- C:\Program Files\Kutchka
2007-08-22 21:32 <DIR> d-------- C:\DOCUME~1\Bryan\APPLIC~1\Kutchka
2007-08-20 17:06 <DIR> d-------- C:\Program Files\Ventrilo
2007-08-20 17:06 <DIR> d-------- C:\DOCUME~1\Bryan\APPLIC~1\Ventrilo
2007-08-20 17:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-20 21:34 --------- d-------- C:\Program Files\Steam
2007-09-20 21:34 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-20 13:27 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-09-19 23:04 --------- d-------- C:\Program Files\LimeWire
2007-09-18 20:52 --------- d---s---- C:\Program Files\Xfire
2007-09-18 08:53 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-18 08:53 --------- d-------- C:\Program Files\Electronic Arts
2007-09-18 08:52 --------- d-------- C:\DOCUME~1\Bryan\APPLIC~1\Xfire
2007-09-17 23:34 --------- d-------- C:\Program Files\MSN Messenger
2007-09-17 23:33 --------- d-------- C:\Program Files\Windows Live Toolbar
2007-09-17 18:28 22328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-09-13 04:45 --------- d-------- C:\DOCUME~1\Bryan\APPLIC~1\BitTorrent
2007-09-08 23:57 --------- d-------- C:\DOCUME~1\Bryan\APPLIC~1\Apple Computer
2007-08-30 11:05 --------- d-------- C:\Program Files\Gpotato
2007-08-29 22:02 --------- d-------- C:\Program Files\Tales of Pirates Online
2007-08-25 14:39 --------- d-------- C:\Program Files\Warcraft III
2007-08-15 20:51 --------- d-------- C:\Program Files\GameSpy Arcade
2007-08-15 20:48 --------- d-------- C:\Program Files\Microsoft Games
2007-08-14 15:32 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-12 21:37 --------- d-------- C:\Program Files\BitTorrent
2007-08-12 21:36 --------- d-------- C:\DOCUME~1\Bryan\APPLIC~1\uTorrent
2007-08-11 12:42 --------- d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Xfire
2007-08-10 18:01 --------- d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Xfire
2007-08-03 10:46 --------- d-------- C:\DOCUME~1\Bryan\APPLIC~1\LimeWire
2007-07-25 21:08 --------- d-------- C:\Program Files\GameSpy
2007-07-23 23:31 --------- d-------- C:\Program Files\Guild Wars
2007-07-21 12:29 --------- d-------- C:\DOCUME~1\Melissa\APPLIC~1\Google
2004-10-01 15:00 40960 --a------ C:\Program Files\Uninstall_CDS.exe
2005-08-02 23:58:38 293,888 --sha-r C:\WINDOWS\Li4\command.exe~
2005-07-29 23:24:26 472 --sha-r C:\WINDOWS\Li4\M2b.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{10C5AB10-44DE-4527-F64D-1AE33E92A9BD}]
C:\WINDOWS\system32\iodui.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A1F18AB-A162-FD99-4B16-FF8DB850D0BA}]
C:\WINDOWS\system32\etjqpfo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 21:43]
"SigmatelSysTrayApp"="sttray.exe" [2006-05-26 07:58 C:\WINDOWS\sttray.exe]
"nwiz"="nwiz.exe" [2006-08-11 21:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 21:43]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 22:23]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 22:22]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-25 15:23]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"Microsoft Spooler"="wkssvc.exe" [2007-09-18 12:01 C:\WINDOWS\system32\wkssvc.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerBar"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-15 10:22]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-06-19 20:28]
"Sbcc"="C:\WINDOWS\system32\ICROSO~1\services.exe" []
"Jchymipk"="C:\Program Files\?icrosoft.NET\m?hta.exe" []
"Steam"="C:\Program Files\Steam\Steam.exe" [2007-06-27 20:28]
"Wku"="C:\WINDOWS\system32\F?nts\s?ool32.exe" []
"Hwvjaps"="C:\Program Files\?dobe\l?ass.exe" []
"DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" []
"Wfwcwrz"="C:\Program Files\Common Files\F?nts\r?gedit.exe" []
"Fwcqhuz"="C:\Documents and Settings\Bryan\Application Data\s?mbols\s?chost.exe" []
"Rakcqv"="C:\Program Files\Common Files\??sks\l?ass.exe" []
"Zbmqt"="C:\WINDOWS\F?nts\w?auclt.exe" []
"Usm"="C:\WINDOWS\??crosoft\w?crtupd.exe" []
"Rvd"="C:\Documents and Settings\Bryan\Application Data\?ymantec\r?gedit.exe" []
"Eylie"="C:\Documents and Settings\Bryan\My Documents\?ystem\w?nspool.exe" []
"EA Core"="C:\Program Files\Electronic Arts\EADM\Core.exe" [2007-09-14 19:06]
"Ciz"="C:\Program Files\Common Files\??stem32\w?nspool.exe" []
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]

C:\DOCUME~1\Bryan\STARTM~1\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2007-09-12 15:25:18]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL


.
Contents of the 'Scheduled Tasks' folder
"2007-09-21 01:17:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-14 15:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exe
"2007-09-21 04:34:51 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-20 21:34:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = ????????????l?@?l?@?D??????w???????????????wl?@?l?@????? ??????????????w???w???????w?m?wx????????m?w???????? ??????????????|x???0????????????n?????w????????????????X[??????R???????l?@?l?@????????w????t?@?????l?@?8?@?l?@?3??s????????????????????8?@?_??s8?@?8?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-20 21:47:28 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-20 21:47
.
--- E O F ---

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:04 PM, on 9/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sttray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Steam\Steam.exe
C:\WINDOWS\system32\wkssvc.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Bryan\LOCALS~1\Temp\Rar$EX00.031\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/firefox
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10C5AB10-44DE-4527-F64D-1AE33E92A9BD} - C:\WINDOWS\system32\iodui.dll (file missing)
O2 - BHO: (no name) - {6A1F18AB-A162-FD99-4B16-FF8DB850D0BA} - C:\WINDOWS\system32\etjqpfo.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft Spooler] wkssvc.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Sbcc] "C:\WINDOWS\system32\ICROSO~1\services.exe" -vt ndrv
O4 - HKCU\..\Run: [Jchymipk] "C:\Program Files\?icrosoft.NET\m?hta.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Wku] C:\WINDOWS\system32\F?nts\s?ool32.exe
O4 - HKCU\..\Run: [Hwvjaps] "C:\Program Files\?dobe\l?ass.exe"
O4 - HKCU\..\Run: [DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [Wfwcwrz] "C:\Program Files\Common Files\F?nts\r?gedit.exe"
O4 - HKCU\..\Run: [Fwcqhuz] "C:\Documents and Settings\Bryan\Application Data\s?mbols\s?chost.exe"
O4 - HKCU\..\Run: [Rakcqv] "C:\Program Files\Common Files\??sks\l?ass.exe"
O4 - HKCU\..\Run: [Zbmqt] C:\WINDOWS\F?nts\w?auclt.exe
O4 - HKCU\..\Run: [Usm] C:\WINDOWS\??crosoft\w?crtupd.exe
O4 - HKCU\..\Run: [Rvd] "C:\Documents and Settings\Bryan\Application Data\?ymantec\r?gedit.exe"
O4 - HKCU\..\Run: [Eylie] "C:\Documents and Settings\Bryan\My Documents\?ystem\w?nspool.exe"
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [Ciz] "C:\Program Files\Common Files\??stem32\w?nspool.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n031p/EN/install/gtdownlr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by129fd.bay129.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{59164F49-169B-4570-9E28-72D1D3473700}: NameServer = 64.59.144.92,64.59.144.93
O17 - HKLM\System\CS1\Services\Tcpip\..\{59164F49-169B-4570-9E28-72D1D3473700}: NameServer = 64.59.144.92,64.59.144.93
O17 - HKLM\System\CS2\Services\Tcpip\..\{59164F49-169B-4570-9E28-72D1D3473700}: NameServer = 64.59.144.92,64.59.144.93
O17 - HKLM\System\CS3\Services\Tcpip\..\{59164F49-169B-4570-9E28-72D1D3473700}: NameServer = 64.59.144.92,64.59.144.93
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

--
End of file - 11043 bytes

#4 DiGGyDoG
  • Topic Starter
  • Members
  • 7 posts

Posted 21 September 2007 - 12:05 AM

THANK YOU SO MUCH, IT'S GONE :blink: :wacko: :) :) :thumbsup: :)

#5 Aaflac
    Doin' Dis 'n Dat...
  • Malware Response Team
  • 2,307 posts
  • Location:USA

Posted 21 September 2007 - 08:43 AM

:thumbsup:

Still have a few things to take care of...

Please open Notepad (Start > Run > in the Open field type: notepad)
Click: OK

Copy/paste the blue text below to Notepad:

File::
C:\WINDOWS\system32\wkssvc.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{10C5AB10-44DE-4527-F64D-1AE33E92A9BD}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A1F18AB-A162-FD99-4B16-FF8DB850D0BA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]


Save as CFScript.txt <-Important!!
Change the Save as type to: All Files
Save it to the Desktop.

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]


Referring to the screenshot above, drag CFScript.txt >>> into >>> ComboFix.exe
ComboFix runs a scan on your system, and may reboot when it finishes. This is normal.

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

When finished, a log is produced: ComboFix.txt

~~~~
Run HijackThis, Scan
Check box for (if still present):

O2 - BHO: (no name) - {10C5AB10-44DE-4527-F64D-1AE33E92A9BD} - C:\WINDOWS\system32\iodui.dll (file missing)
O2 - BHO: (no name) - {6A1F18AB-A162-FD99-4B16-FF8DB850D0BA} - C:\WINDOWS\system32\etjqpfo.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [Microsoft Spooler] wkssvc.exe
O4 - HKCU\..\Run: [Sbcc] "C:\WINDOWS\system32\ICROSO~1\services.exe" -vt ndrv
O4 - HKCU\..\Run: [Jchymipk] "C:\Program Files\?icrosoft.NET\m?hta.exe"
O4 - HKCU\..\Run: [Wku] C:\WINDOWS\system32\F?nts\s?ool32.exe
O4 - HKCU\..\Run: [Hwvjaps] "C:\Program Files\?dobe\l?ass.exe"
O4 - HKCU\..\Run: [Wfwcwrz] "C:\Program Files\Common Files\F?nts\r?gedit.exe"
O4 - HKCU\..\Run: [Fwcqhuz] "C:\Documents and Settings\Bryan\Application Data\s?mbols\s?chost.exe"
O4 - HKCU\..\Run: [Rakcqv] "C:\Program Files\Common Files\??sks\l?ass.exe"
O4 - HKCU\..\Run: [Zbmqt] C:\WINDOWS\F?nts\w?auclt.exe
O4 - HKCU\..\Run: [Usm] C:\WINDOWS\??crosoft\w?crtupd.exe
O4 - HKCU\..\Run: [Rvd] "C:\Documents and Settings\Bryan\Application Data\?ymantec\r?gedit.exe"
O4 - HKCU\..\Run: [Eylie] "C:\Documents and Settings\Bryan\My Documents\?ystem\w?nspool.exe"
O4 - HKCU\..\Run: [Ciz] "C:\Program Files\Common Files\??stem32\w?nspool.exe"

Select: Fix checked

~~~~
Run HijackThis once again to obtain a new log.

~~~~
Please provide the contents of the new ComboFix.txt in your next reply, as well as the new HijackThis log.

Old duck...
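The entries Aaflac singles out above share a handful of tells that a helper learns to spot by eye: a nameless BHO whose DLL is gone, a Run value with no directory at all, and paths containing "?" (an illegal character in a Windows file name, so HijackThis substituted it for something it could not display) that imitate system binaries such as lsass.exe or svchost.exe from folders where they do not belong. The following Python script is an added example for this thread, not part of HijackThis or ComboFix; it applies those checks to sample O2 and O4 lines copied from the log posted above. The list of Windows binary names, the two trusted directories and the heuristics themselves are this example's own assumptions.

```python
"""Triage HijackThis O2/O4 lines the way a helper reads them by eye.

Added example for the thread above; it is not part of HijackThis or
ComboFix. The sample lines are copied from the log posted in the
thread. The list of Windows binary names, the trusted directories and
the heuristics themselves are this example's own assumptions.
"""
import ntpath
import re
from typing import Dict, List, Optional

# Windows executables that malware imitates by name (assumption: a short
# illustrative list, not an inventory of system32).
SYSTEM_NAMES = [
    "services.exe", "lsass.exe", "svchost.exe", "spoolsv.exe",
    "winlogon.exe", "wuauclt.exe", "regedit.exe", "mshta.exe",
]

# Directories where those names legitimately live (lower-case, exact match,
# so a sub-folder such as system32\ICROSO~1 does not count).
TRUSTED_DIRS = {r"c:\windows", r"c:\windows\system32"}

# O4 - HKCU\..\Run: [Name] "C:\path\prog.exe" -args
O4_RUN = re.compile(r"^O4 - (?P<hive>[^\s:]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O2 - BHO: Description - {CLSID} - C:\path\helper.dll (file missing)
O2_BHO = re.compile(r"^O2 - BHO: (?P<desc>.*?) - \{(?P<clsid>[^}]+)\} - (?P<file>.*)$")


def command_path(cmd: str) -> str:
    """Return the executable part of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def lookalike(basename: str) -> Optional[str]:
    """Return the system binary a (possibly '?'-mangled) file name imitates.

    '?' is not a legal character in a Windows file name, so when it appears
    in a logged path the tool substituted it for a character it could not
    display; treat each '?' as a one-character wildcard when comparing.
    """
    pattern = "".join("." if ch == "?" else re.escape(ch) for ch in basename.lower())
    for name in SYSTEM_NAMES:
        if re.fullmatch(pattern, name):
            return name
    return None


def triage(lines) -> Dict[str, List[str]]:
    """Map each suspicious entry (Run value name or BHO CLSID) to its reasons."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        line = line.strip()
        reasons: List[str] = []
        key = None
        m = O4_RUN.match(line)
        if m:
            key = m.group("name")
            path = command_path(m.group("cmd"))
            if "?" in path:
                reasons.append("path contains characters HijackThis could not display")
            if "\\" not in path:
                # A bare file name is looked up through PATH at logon; verify it.
                reasons.append("unqualified path, resolved through PATH at logon")
            else:
                target = lookalike(ntpath.basename(path))
                if target and ntpath.dirname(path).lower() not in TRUSTED_DIRS:
                    reasons.append(f"imitates {target} outside the Windows directories")
        m = O2_BHO.match(line)
        if m:
            key = m.group("clsid")
            if m.group("desc") == "(no name)" and (
                m.group("file") == "(no file)" or m.group("file").endswith("(file missing)")
            ):
                reasons.append("nameless BHO whose DLL no longer exists")
        if reasons:
            findings[key] = reasons
    return findings


# Sample lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {10C5AB10-44DE-4527-F64D-1AE33E92A9BD} - C:\WINDOWS\system32\iodui.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft Spooler] wkssvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sbcc] "C:\WINDOWS\system32\ICROSO~1\services.exe" -vt ndrv
O4 - HKCU\..\Run: [Jchymipk] "C:\Program Files\?icrosoft.NET\m?hta.exe"
O4 - HKCU\..\Run: [Hwvjaps] "C:\Program Files\?dobe\l?ass.exe"
O4 - HKCU\..\Run: [Zbmqt] C:\WINDOWS\F?nts\w?auclt.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
"""

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{entry}: {'; '.join(why)}")
```

Run against the sample, the script flags the two orphaned BHOs, the unqualified "Microsoft Spooler" value, and every "?"-mangled impersonation, while leaving ctfmon.exe, msnmsgr and the Java updater alone. The "unqualified path" rule is deliberately a prompt to verify rather than a verdict: legitimate vendor entries such as `sttray.exe` or a `RUNDLL32.EXE ...` command line trigger it too, which is exactly why a helper still reads the log rather than fixing everything a script lists.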


#6 DiGGyDoG
  • Topic Starter
  • Members
  • 7 posts

Posted 21 September 2007 - 05:54 PM

ComboFix log:

ComboFix 07-09-21 - "Bryan" 2007-09-21 15:40:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1266 [GMT -7:00]
Command switches used :: C:\Documents and Settings\Bryan\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\wkssvc.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\wkssvc.exe

.
((((((((((((((((((((((((( Files Created from 2007-08-21 to 2007-09-21 )))))))))))))))))))))))))))))))
.

2007-09-20 21:25 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-18 21:11 <DIR> d-------- C:\Hijackthis
2007-09-18 00:10 53,025 --a------ C:\WINDOWS\system32\EQclhXxD.exe
2007-09-10 18:23 22,328 --a------ C:\DOCUME~1\Bryan\APPLIC~1\PnkBstrK.sys
2007-09-10 18:20 <DIR> d-------- C:\Program Files\id Software
2007-09-07 20:25 <DIR> d-------- C:\DOCUME~1\PAUL\APPLIC~1\Apple Computer
2007-08-22 21:32 <DIR> d-------- C:\Program Files\Kutchka
2007-08-22 21:32 <DIR> d-------- C:\DOCUME~1\Bryan\APPLIC~1\Kutchka

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-21 14:27 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-09-21 12:59 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-20 21:35 --------- d-------- C:\Program Files\Steam
2007-09-19 23:04 --------- d-------- C:\Program Files\LimeWire
2007-09-18 20:52 --------- d---s---- C:\Program Files\Xfire
2007-09-18 08:53 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-18 08:53 --------- d-------- C:\Program Files\Electronic Arts
2007-09-18 08:52 --------- d-------- C:\DOCUME~1\Bryan\APPLIC~1\Xfire
2007-09-17 23:34 --------- d-------- C:\Program Files\MSN Messenger
2007-09-17 23:33 --------- d-------- C:\Program Files\Windows Live Toolbar
2007-09-17 18:28 22328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-09-17 18:27 103736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-09-13 04:45 --------- d-------- C:\DOCUME~1\Bryan\APPLIC~1\BitTorrent
2007-09-10 18:35 66872 --a------ C:\WINDOWS\system32\pnkbstra.exe
2007-09-08 23:57 --------- d-------- C:\DOCUME~1\Bryan\APPLIC~1\Apple Computer
2007-08-30 11:05 --------- d-------- C:\Program Files\Gpotato
2007-08-29 22:02 --------- d-------- C:\Program Files\Tales of Pirates Online
2007-08-25 14:39 --------- d-------- C:\Program Files\Warcraft III
2007-08-21 16:07 --------- d-------- C:\DOCUME~1\Bryan\APPLIC~1\Ventrilo
2007-08-20 17:06 --------- d-------- C:\Program Files\Ventrilo
2007-08-20 17:05 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-15 20:51 --------- d-------- C:\Program Files\GameSpy Arcade
2007-08-15 20:48 --------- d-------- C:\Program Files\Microsoft Games
2007-08-14 15:32 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-12 21:37 --------- d-------- C:\Program Files\BitTorrent
2007-08-12 21:36 --------- d-------- C:\DOCUME~1\Bryan\APPLIC~1\uTorrent
2007-08-11 12:42 --------- d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Xfire
2007-08-10 18:01 --------- d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Xfire
2007-08-03 10:46 --------- d-------- C:\DOCUME~1\Bryan\APPLIC~1\LimeWire
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-25 21:08 --------- d-------- C:\Program Files\GameSpy
2007-07-23 23:31 --------- d-------- C:\Program Files\Guild Wars
2007-07-21 12:29 --------- d-------- C:\DOCUME~1\Melissa\APPLIC~1\Google
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2004-10-01 15:00 40960 --a------ C:\Program Files\Uninstall_CDS.exe
2005-08-02 23:58:38 293,888 --sha-r C:\WINDOWS\Li4\command.exe~
2005-07-29 23:24:26 472 --sha-r C:\WINDOWS\Li4\M2b.vbs
.

((((((((((((((((((((((((((((( snapshot_2007-09-20_213540.21 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 16,384 2007-09-21 21:27:10 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-09-21 21:27:10 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 32,768 2007-09-21 21:27:10 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
----a-w 16,384 2007-09-20 20:27:07 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-09-20 20:27:07 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 32,768 2007-09-20 20:27:07 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 21:43]
"SigmatelSysTrayApp"="sttray.exe" [2006-05-26 07:58 C:\WINDOWS\sttray.exe]
"nwiz"="nwiz.exe" [2006-08-11 21:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 21:43]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 22:23]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 22:22]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-25 15:23]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"Microsoft Spooler"="wkssvc.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerBar"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-15 10:22]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-06-19 20:28]
"Sbcc"="C:\WINDOWS\system32\ICROSO~1\services.exe" []
"Jchymipk"="C:\Program Files\?icrosoft.NET\m?hta.exe" []
"Steam"="C:\Program Files\Steam\Steam.exe" [2007-06-27 20:28]
"Wku"="C:\WINDOWS\system32\F?nts\s?ool32.exe" []
"Hwvjaps"="C:\Program Files\?dobe\l?ass.exe" []
"DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" []
"Wfwcwrz"="C:\Program Files\Common Files\F?nts\r?gedit.exe" []
"Fwcqhuz"="C:\Documents and Settings\Bryan\Application Data\s?mbols\s?chost.exe" []
"Rakcqv"="C:\Program Files\Common Files\??sks\l?ass.exe" []
"Zbmqt"="C:\WINDOWS\F?nts\w?auclt.exe" []
"Usm"="C:\WINDOWS\??crosoft\w?crtupd.exe" []
"Rvd"="C:\Documents and Settings\Bryan\Application Data\?ymantec\r?gedit.exe" []
"Eylie"="C:\Documents and Settings\Bryan\My Documents\?ystem\w?nspool.exe" []
"EA Core"="C:\Program Files\Electronic Arts\EADM\Core.exe" [2007-09-14 19:06]
"Ciz"="C:\Program Files\Common Files\??stem32\w?nspool.exe" []
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-04-15 10:22:11]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-04-04 03:29:06]

C:\DOCUME~1\Bryan\STARTM~1\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2007-09-12 15:25:18]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL


.
Contents of the 'Scheduled Tasks' folder
"2007-09-21 01:17:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-21 15:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exe
"2007-09-21 20:34:11 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-21 15:43:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = ????????????l?@?l?@?D??????w???????????????wl?@?l?@????? ??????????????w???w???????w?m?wx????????m?w???????? ??????????????|x???0????????????n?????w????????????????X[??????R???????l?@?l?@????????w????t?@?????l?@?8?@?l?@?3??s????????????????????8?@?_??s8?@?8?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-21 15:43:58
C:\ComboFix-quarantined-files.txt ... 2007-09-21 15:43
C:\ComboFix2.txt ... 2007-09-20 21:47
.
--- E O F ---


Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:52:01 PM, on 9/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\sttray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\DOCUME~1\Bryan\LOCALS~1\Temp\Rar$EX00.594\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/firefox
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-21-436374069-1229272821-682003330-1004\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'Derek')
O4 - HKUS\S-1-5-21-436374069-1229272821-682003330-1004\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime (User 'Derek')
O4 - HKUS\S-1-5-21-436374069-1229272821-682003330-1004\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Derek')
O4 - HKUS\S-1-5-21-436374069-1229272821-682003330-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Derek')
O4 - HKUS\S-1-5-21-436374069-1229272821-682003330-1006\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Trevor')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n031p/EN/install/gtdownlr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by129fd.bay129.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{59164F49-169B-4570-9E28-72D1D3473700}: NameServer = 64.59.144.92,64.59.144.93
O17 - HKLM\System\CS1\Services\Tcpip\..\{59164F49-169B-4570-9E28-72D1D3473700}: NameServer = 64.59.144.92,64.59.144.93
O17 - HKLM\System\CS2\Services\Tcpip\..\{59164F49-169B-4570-9E28-72D1D3473700}: NameServer = 64.59.144.92,64.59.144.93
O17 - HKLM\System\CS3\Services\Tcpip\..\{59164F49-169B-4570-9E28-72D1D3473700}: NameServer = 64.59.144.92,64.59.144.93
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

--
End of file - 10605 bytes

#7 Aaflac
    Doin' Dis 'n Dat...
  • Malware Response Team
  • 2,307 posts
  • Location:USA

Posted 21 September 2007 - 07:47 PM

The HijackThis log looks OK.

Are you still having malware problems?

Old duck...


#8 DiGGyDoG
  • Topic Starter
  • Members
  • 7 posts

Posted 22 September 2007 - 11:15 PM

Not on my file... but my brother's file seems to have it still

#9 Aaflac
    Doin' Dis 'n Dat...
  • Malware Response Team
  • 2,307 posts
  • Location:USA

Posted 23 September 2007 - 11:47 AM

Log in to your brother's User account (Desktop), and do the following:

Download the HijackThis Installer
Save to the Desktop.
Double-click on HJTInstall.exe to install the program.
A prompt appears showing that, by default, it installs to C:\Program Files\Trend Micro\HijackThis
Click: Install

At the main screen of the program, click on: Do a system scan and save a log file
When done scanning, click Save log

Save to an easy-to-find location, and post the HijackThis log for your brother's User account in your reply.

Old duck...




